Hello ujisakura@,
For setup -
SourceClientVM: 10.10.10.2
Internal TCP LB: 10.10.10.3
DestinationWEB: 10.10.11.2
Internal TCP/UDP load balancers are not proxies; they pass the traffic to backends on the same protocol and port. For your scenario, you would like to have a firewall rule that allows incoming connections to the backend VM (DestinationWEB) from SourceClientVM using specified target tags [0][1].
Here, I would recommend creating a firewall rule applicable to specific instances by using target tags and source tags:
1. You can add tags to existing VMs (Source & Target Tags) using the gcloud command:
gcloud compute instances add-tags [INSTANCE-NAME] \
--zone [ZONE] \
--tags [TAGS]
2. Create a firewall rule with the highest priority using the network tag with the gcloud command:
gcloud compute --project=[Project_ID] firewall-rules create [Name] \
--network=[VPC_network] \
--priority=1000 \
--action=allow \
--direction=INGRESS \
--target-tags=[target-tag-name] \
--source-tags=[source-tag-name] \
--rules=tcp:80
Note: If DestinationWEB resides in the same default VPC network as SourceClientVM, there are by default pre-populated rules in the default network, such as default-allow-internal (allows ingress connections for all protocols and ports among instances in the network) [2]. However, for a custom VPC network you would like to create a firewall rule with higher priority to permit incoming connections to ‘DestinationWEB’ from SourceClientVM.
Additionally, you would also need a firewall rule to allow health checks from the IP ranges of Google Cloud probe systems, so backends properly respond to traffic. More information can be found here [3].
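As an added example (not part of the reply above), the three steps combined into one dry-runnable script for the VMs named in the thread; project, network, zone and tag names are placeholders, and the health-check probe ranges are the ones documented for internal TCP/UDP load balancers at the time of writing.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's or Google's code.
# Set GCLOUD=echo to print the commands instead of running them (dry run);
# pass "apply" as the first argument to actually execute the steps.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project-id}"   # placeholder project ID
NETWORK="${NETWORK:-my-custom-vpc}"   # placeholder custom VPC network
ZONE="${ZONE:-us-central1-a}"         # placeholder zone of both VMs
SRC_TAG="web-client"                  # tag applied to SourceClientVM
DST_TAG="web-backend"                 # tag applied to DestinationWEB

# Google Cloud health-check probe ranges for internal TCP/UDP LBs;
# confirm against the current documentation before relying on them.
HC_RANGES="35.191.0.0/16,130.211.0.0/22"

# Step 1: tag an instance. Usage: tag_instance INSTANCE TAG
tag_instance() {
  "$GCLOUD" compute instances add-tags "$1" --zone "$ZONE" --tags "$2"
}

# Step 2: allow only tagged clients to reach the tagged backend on tcp:80.
# Lower numbers win in VPC firewall rules, so 900 takes precedence over
# any rule left at the default priority of 1000.
allow_client_to_backend() {
  "$GCLOUD" compute --project="$PROJECT" firewall-rules create allow-client-to-web \
    --network="$NETWORK" --priority=900 --action=allow --direction=INGRESS \
    --target-tags="$DST_TAG" --source-tags="$SRC_TAG" --rules=tcp:80
}

# Step 3: the backend must also accept probes from the health-check ranges,
# otherwise the load balancer marks it unhealthy and stops sending traffic.
allow_health_checks() {
  "$GCLOUD" compute --project="$PROJECT" firewall-rules create allow-lb-health-checks \
    --network="$NETWORK" --priority=900 --action=allow --direction=INGRESS \
    --target-tags="$DST_TAG" --source-ranges="$HC_RANGES" --rules=tcp:80
}

main() {
  tag_instance SourceClientVM "$SRC_TAG"
  tag_instance DestinationWEB "$DST_TAG"
  allow_client_to_backend
  allow_health_checks
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run with `GCLOUD=echo ./script.sh apply` first to review the exact commands before applying them to the project.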