Google Certified Associate Cloud Engineer 2020


BUG in Challenge Lab at 15:14 ?

The requirement in the challenge lab was that outbound messages from the back-end are only allowed to the back-end.

But in the video (time 15:14) Mattias uses a firewall rule that allows egress from the back-end to the whole vpc (192.168.0.0/16).

This means the backend can connect with the frontend also.

He could have just allowed egress only to the backend using subnet range 192.168.20.0/24.

Why didn’t he? Is this a mistake or is there some insight into his decision?

2 Answers

Ah, yes!  Good!  I’m glad you’re thinking this all through. 🙂

I recommend that you listen closely to what I say at 13:55 and 15:25, and then step through the process at 16:36.  If you do this, I believe you will learn it well and it’ll all make sense to you.  But if you still need more help, that’s ok, too!  Just describe what you’ve tried and where you’re confused.

I hope this helps!

Mattias

Yariv

Thank you Mattias for your detailed answer. I now understand that since the IP address range 192.168.0.0/16 is private only, it is reasonable enough security for the BE to egress to the FE on that connection.

Mattias Andersson

Ah, close. But what I mean is that because that egress is going to the VPC, that traffic will also need to pass the ingress rules on the destination instances–the FE, in this case–and it will get blocked. Go ahead and try it out for yourself! 😁

(Posting another answer so you get notified. As I wrote in the comment, above…)

Ah, close. But what I mean is that because that egress is going to the VPC, that traffic will also need to pass the ingress rules on the destination instances–the FE, in this case–and it will get blocked. Go ahead and try it out for yourself! 😁
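A small model of the two-sided check Mattias describes, added here as an example and not part of the course lab or the thread: a flow must pass the sender's egress evaluation and the receiver's ingress evaluation, with GCP's implied rules (allow all egress, deny all ingress) as the fallback. The VPC 192.168.0.0/16 and back-end subnet 192.168.20.0/24 come from the thread; the front-end subnet 192.168.10.0/24 and the client range 203.0.113.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    priority: int             # GCP semantics: lower number wins (0..65535)
    ranges: list              # source ranges for INGRESS, destination ranges for EGRESS
    targets: Optional[set] = None  # instance tags the rule applies to; None = all instances

def _matches(rule, tag, peer_ip):
    if rule.targets is not None and tag not in rule.targets:
        return False
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.ranges)

def decide(rules, direction, tag, peer_ip):
    """Return 'allow' or 'deny' for one direction on one instance.
    The matching rule with the lowest priority number wins; with no match,
    the implied rules apply: allow all egress, deny all ingress."""
    hits = [r for r in rules if r.direction == direction and _matches(r, tag, peer_ip)]
    if hits:
        return min(hits, key=lambda r: r.priority).action
    return "allow" if direction == "EGRESS" else "deny"

def connection_allowed(rules, src_tag, src_ip, dst_tag, dst_ip):
    """A flow is permitted only if the sender's EGRESS check and the
    receiver's INGRESS check both allow it."""
    egress_ok = decide(rules, "EGRESS", src_tag, dst_ip) == "allow"
    ingress_ok = decide(rules, "INGRESS", dst_tag, src_ip) == "allow"
    return egress_ok and ingress_ok

# Constructed rule set (front-end subnet and client range are assumptions).
VPC, FE_SUBNET, BE_SUBNET = "192.168.0.0/16", "192.168.10.0/24", "192.168.20.0/24"
CLIENTS = "203.0.113.0/24"
RULES = [
    Rule("EGRESS", "deny", 1000, ["0.0.0.0/0"], {"backend"}),           # back-end: no outbound by default
    Rule("EGRESS", "allow", 900, [VPC], {"backend"}),                   # the rule used in the video: whole VPC
    Rule("INGRESS", "allow", 1000, [CLIENTS], {"frontend"}),            # front-end only accepts its clients
    Rule("INGRESS", "allow", 1000, [FE_SUBNET, BE_SUBNET], {"backend"}),  # back-end accepts FE and BE
]

if __name__ == "__main__":
    print("BE -> FE:", connection_allowed(RULES, "backend", "192.168.20.5", "frontend", "192.168.10.5"))
    print("BE -> BE:", connection_allowed(RULES, "backend", "192.168.20.5", "backend", "192.168.20.6"))
```

The back-end's egress rule alone would let traffic reach the front-end's address, but the front-end's ingress evaluation has no matching allow, so the implied deny blocks it.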
