Given that the default for ingress is deny, why was the deny-all (all targets, backend sources) ingress rule required? (Block-all-connections-from-backend-Fwr)
In the context of this challenge lab, that rule is pretty much redundant :). I guess it is there to "complete" the logic of what is to be allowed and denied (refer to the table of 15 pairs of source & destination with check marks) rather than for effectiveness.
With the requirement to lock down the backend subnet, this block-all-connections-from-backend-fwr rule and the no-backend-egress-fwr rule are a pair, as all inbound and outbound traffic for the backend subnet will be denied, except for traffic explicitly allowed by other "allow" rules. But like I mentioned earlier, it's there just to complete the logic and probably to give a better visual of granular access control (you can quickly see the boundary of the access scope even without seeing the implied rules).
no-backend-egress-fwr is a pair, as all inbound and outbound traffic for backend subnet will be denied, except for those explicitly allowed by other "allow" rules. But like I mentioned earlier, it’s there just to complete the logic and to probably give a better visual of granular access control (you can quickly see the boundary of access scope even without seeing the implied rules).