Google Certified Associate Cloud Engineer 2020


Deny Ingress Rule?

Given the default for ingress is deny, why was the deny-all (all targets, backend sources) ingress rule required? (Block-all-connections-from-backend-Fwr)

1 Answer

In the context of this challenge lab, that rule is pretty much redundant :). I guess it is there to "complete" the logic of what to be allowed and denied (refer to the table of 15 pairs of source & destination with check marks) rather than for effectiveness.

With the requirement to lock down the backend subnet, this block-all-connections-from-backend-fwr rule and the no-backend-egress-fwr rule are a pair, as all inbound and outbound traffic for the backend subnet will be denied, except for what is explicitly allowed by other "allow" rules. But like I mentioned earlier, it’s there just to complete the logic and to probably give a better visual of granular access control (you can quickly see the boundary of access scope even without seeing the implied rules).
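As an added illustration (not part of the original answer or of the lab), the priority-based evaluation the answer relies on, modelled in Python: the implied deny-ingress and allow-egress rules every VPC gets at priority 65535, the two lab rules named in the thread, and one assumed allow rule. The subnet ranges, network tags, priorities and the sample flows are assumptions; the model ignores connection tracking (return traffic).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPLIED_PRIORITY = 65535  # GCP's implied deny-ingress / allow-egress rules sit here


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                        # "INGRESS" or "EGRESS"
    action: str                           # "allow" or "deny"
    priority: int                         # lower number = evaluated first
    target_tags: frozenset = frozenset()  # empty = applies to all instances
    ranges: tuple = ("0.0.0.0/0",)        # source (ingress) / destination (egress) ranges


def matches(rule, direction, vm_tags, peer_ip):
    """True if the rule applies to this flow (direction, target tag, peer address)."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & vm_tags):
        return False
    return any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges)


def evaluate(rules, direction, vm_tags, peer_ip):
    """Return (action, rule_name) of the best-priority matching rule; deny wins a tie."""
    implied = [Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY),
               Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY)]
    hits = [r for r in list(rules) + implied if matches(r, direction, frozenset(vm_tags), peer_ip)]
    best = min(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


def is_redundant(rules, rule_name, flows):
    """A rule is redundant if removing it changes no verdict across the sample flows."""
    without = [r for r in rules if r.name != rule_name]
    return all(evaluate(rules, *f)[0] == evaluate(without, *f)[0] for f in flows)


# Assumed lab layout: frontend subnet 10.0.1.0/24, backend subnet 10.0.2.0/24.
FRONTEND, BACKEND = "10.0.1.0/24", "10.0.2.0/24"
LAB_RULES = [
    Rule("block-all-connections-from-backend-fwr", "INGRESS", "deny", 1000, ranges=(BACKEND,)),
    Rule("no-backend-egress-fwr", "EGRESS", "deny", 1000, target_tags=frozenset({"backend"})),
    Rule("allow-frontend-to-backend-fwr", "INGRESS", "allow", 900,
         target_tags=frozenset({"backend"}), ranges=(FRONTEND,)),  # assumed explicit allow
]
# Constructed sample flows: (direction, tags of the VM being evaluated, peer IP).
SAMPLE_FLOWS = [("INGRESS", {"frontend"}, "10.0.2.5"), ("INGRESS", {"backend"}, "10.0.1.5"),
                ("EGRESS", {"backend"}, "8.8.8.8"), ("EGRESS", {"frontend"}, "8.8.8.8")]
```

Running `is_redundant` over the sample flows shows the explicit ingress deny adds nothing on top of the implied deny-ingress rule, while removing the egress deny would let the implied allow-egress rule pass backend traffic out.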
