After hours and hours testing many combinations of Firewall Rules, I cannot understand why my solution to the challenge does not work.
I created two instances groups, the first one with the service account frontend-sa and the second with the service account backend-sa.
No problem when allowing all the connections to frontend-sa target, I can ping the frontend VMs from everywhere.
However, when creating a firewall rule with service account backend-sa as target and service account frontend-sa as source, no way to ping from frontend instances to backend instances.
I tried to use a connectivity test (https://console.cloud.google.com/net-intelligence/connectivity/tests/) and the result is…reachable !
Moreover, if I put directly a rule allowing inbound traffic to backend-sa VM from the external IP addresses of the frontend machines, the ping is successful.
Has someone the same behavior ? Am I missing something ?