Hello,
Struggling/wondering a little bit with the desired result for backend instances as it’s said in the lecture it’s preferred to only use service account roles:
To keep the backend servers from communicating with google.com/any webpage or the frontend instances it seems to me I need a deny egress rule to overrule the default "allow all egress" rule banning traffic to 0.0.0.0/0 and then an additional egress rule with higher priority allowing egress traffic to other backend instance. And this works if I state destination as my two backend instances. However this is the issue, an egress rule only lets me pick an IP as a destination. Is there another way to do this where I could still use a service account as destination?
Edit:
With some further thinking I guess it could be easier just to remove the external IP’s from them and then explicitly deny them with an ingress rule on the front end instances.
1 Answers
Ole, first let me apologize for not getting back to you about this sooner. I was in the middle of many things and then I misjudged how quickly I could answer you in the way I intended.
What I mean by that last statement is that I have recorded some new lectures about exactly your questions, because: 1) I think you offered some excellent questions and ideas deserving of a good response; 2) I thought it would be much easier to explain through video, rather than text; and 3) this way, all students can benefit. 🙂
I wanted to do it justice, so my explanation for this VPC challenge lab wound up being a two-parter:
* And here’s Part 2, where I continue the solution by explaining how I arrived at the firewall rules I did.
Please do let me know both how you feel this answers your questions, and do also let me know if you have any further questions! Thanks!
Mattias