Struggling/wondering a little bit with the desired result for backend instances as it’s said in the lecture it’s preferred to only use service account roles:
To keep the backend servers from communicating with google.com/any webpage or the frontend instances it seems to me I need a deny egress rule to overrule the default "allow all egress" rule banning traffic to 0.0.0.0/0 and then an additional egress rule with higher priority allowing egress traffic to other backend instance. And this works if I state destination as my two backend instances. However this is the issue, an egress rule only lets me pick an IP as a destination. Is there another way to do this where I could still use a service account as destination?
With some further thinking I guess it could be easier just to remove the external IP’s from them and then explicitly deny them with an ingress rule on the front end instances.
Ole, first let me apologize for not getting back to you about this sooner. I was in the middle of many things and then I misjudged how quickly I could answer you in the way I intended.
What I mean by that last statement is that I have recorded some new lectures about exactly your questions, because: 1) I think you offered some excellent questions and ideas deserving of a good response; 2) I thought it would be much easier to explain through video, rather than text; and 3) this way, all students can benefit. 🙂
I wanted to do it justice, so my explanation for this VPC challenge lab wound up being a two-parter:
Please do let me know both how you feel this answers your questions, and do also let me know if you have any further questions! Thanks!