I have done the following, but the solution doesn’t work completely (see below for what doesn’t work).
1. Ingress Rules
a. Allow incoming only from the IP range for the west2 zone, i.e. 192.168.20.0/24; protocol allowed: icmp; target service account: backendsa
b. Allow incoming only from the IP range for the west1 zone, i.e. 192.168.0.0/24; protocol allowed: icmp; target service account: backendsa
2. Egress Rules
a. Allow outgoing only to the IP range for the west2 zone, i.e. 192.168.20.0/24; protocol allowed: icmp; target service account: backendsa
b. Deny outgoing to the IP ranges for the west1 zone, i.e. 192.168.0.0/2 and 0.0.0.0/0; protocol: all; target service account: backendsa
But the following doesn’t work:
1. When SSHed into the frontend server, I cannot ping the backend server
2. When SSHed into the backend server, I cannot ping other backend servers
My issue had to do with separating the front end and back end servers into different VPCs. In your case, you might want to check the priorities on the firewall rules: lower is higher priority and gets evaluated before the higher-numbered priority. If the priorities are tied, DENY gets chosen.
Also, the target service account refers to the instance sending (egressing) or receiving (ingressing) the traffic. So in the Ingress case, the subnet you choose is the Source IP of the traffic. In the Egress case, the subnet is the Destination IP of the traffic.
Hope this helps.
I had the same kind of problem. In my case I was using a service account to filter ingress requests, and I couldn’t reach the backend instance from the front end. The problem was that I was pinging the external IP address rather than the internal IP address.
I don’t know why it’s not working for the external IP. I think it might be that service accounts are within the internal network only. If anybody knows the real answer, please let me know.
Hope this helps.
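Added example, not code from anyone in this thread: a small Python model of the evaluation order the earlier reply describes (lowest priority number first, deny wins a tie, ingress rules match the source IP, egress rules match the destination IP, target service account selects the instance), applied to a constructed rule set mirroring the original post. With every rule at the default priority 1000, the backend egress allow and the backend egress deny tie and the backend-to-backend ping is denied; giving the allow a lower number fixes it, and a ping arriving from an external address never matches the internal source ranges. Rule names, the frontendsa account and the 203.0.113.7 address are constructed.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    ranges: List[str]         # source ranges for INGRESS, destination ranges for EGRESS
    protocols: Set[str]       # e.g. {"icmp"}; {"all"} matches every protocol
    target_sa: Optional[str]  # service account of the instances the rule applies to; None = all
    priority: int = 1000      # GCP default; lower number = evaluated first

# Every VPC network has these two implied rules at the lowest priority (65535).
IMPLIED = [
    Rule("implied-allow-egress", "EGRESS", "allow", ["0.0.0.0/0"], {"all"}, None, 65535),
    Rule("implied-deny-ingress", "INGRESS", "deny", ["0.0.0.0/0"], {"all"}, None, 65535),
]

def matches(rule: Rule, direction: str, instance_sa: str, remote_ip: str, proto: str) -> bool:
    return (rule.direction == direction
            and rule.target_sa in (None, instance_sa)
            and ("all" in rule.protocols or proto in rule.protocols)
            and any(ip_address(remote_ip) in ip_network(r) for r in rule.ranges))

def evaluate(rules: List[Rule], direction: str, instance_sa: str,
             remote_ip: str, proto: str) -> Tuple[str, str]:
    """Decide one initiating packet as seen by one instance.
    For INGRESS remote_ip is the packet's source; for EGRESS it is the destination.
    (Real GCP firewalls are stateful: replies to an allowed flow need no rule of their own.)"""
    hits = [r for r in rules + IMPLIED if matches(r, direction, instance_sa, remote_ip, proto)]
    best = min(r.priority for r in hits)
    top = [r for r in hits if r.priority == best]
    chosen = next((r for r in top if r.action == "deny"), top[0])  # tie on priority: deny wins
    return chosen.action, chosen.name

# Constructed rule set mirroring the original post (all at the default priority 1000).
OP_RULES = [
    Rule("allow-icmp-from-west2", "INGRESS", "allow", ["192.168.20.0/24"], {"icmp"}, "backendsa"),
    Rule("allow-icmp-from-west1", "INGRESS", "allow", ["192.168.0.0/24"], {"icmp"}, "backendsa"),
    Rule("allow-icmp-to-west2", "EGRESS", "allow", ["192.168.20.0/24"], {"icmp"}, "backendsa"),
    Rule("deny-all-egress", "EGRESS", "deny", ["0.0.0.0/0"], {"all"}, "backendsa"),
]
# Same rules, but the egress allow gets a lower (stronger) priority number than the deny.
FIXED_RULES = [Rule(**{**vars(r), "priority": 900}) if r.name == "allow-icmp-to-west2" else r
               for r in OP_RULES]

if __name__ == "__main__":
    print(evaluate(OP_RULES, "EGRESS", "backendsa", "192.168.20.5", "icmp"))     # ('deny', 'deny-all-egress')
    print(evaluate(FIXED_RULES, "EGRESS", "backendsa", "192.168.20.5", "icmp"))  # ('allow', 'allow-icmp-to-west2')
    print(evaluate(OP_RULES, "INGRESS", "backendsa", "192.168.0.10", "icmp"))    # ('allow', 'allow-icmp-from-west1')
    print(evaluate(OP_RULES, "INGRESS", "backendsa", "203.0.113.7", "icmp"))     # ('deny', 'implied-deny-ingress')
```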
Did you figure this out? I too have the same issue. Below is what I found out.
1. Front end instances can connect to the front end using both internal and external IPs
2. Back end instances cannot connect to the front end using either
3. Back end instances can connect to the back end using only internal IPs