I am able to do the setup and the backend servers can ping each other using local IP. However, they cannot using public IP. If I allow egress using a specific public IP then they can talk to each other. Is there a better way to configure a firewall rule to allow all servers in the backend to ping each other using their public IP (instead of typing in each public IP address as egress source)?
Great question, Srika! 😀 The answer is: Yes, I expect all communication between instances on the VPC to use the internal, private IP addresses and not any public IPs.
If you use the public IPs, the VPC Routing sees that traffic as destined externally for the Internet at large–and then that traffic tries to make its way back in. So with that understanding, that traffic should be blocked! 😁👍 This structure (of using private IPs and internal routing) helps strengthen network security.
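As an added illustration of the answer above (not from the original thread), here is a Terraform firewall rule that lets backend instances ping each other over their private addresses by matching the subnet's CIDR range and a network tag, so no individual IP has to be listed. It assumes a GCP VPC (which the thread's "firewall rule" and "VPC Routing" wording suggests), a network named `backend-vpc`, a subnet of `10.0.1.0/24`, and a `backend` tag on each instance; all three are assumptions.

```hcl
# Assumed names: network "backend-vpc", subnet 10.0.1.0/24, tag "backend".
# The rule matches on the subnet range, so adding a backend instance
# needs no change to the rule: it only needs the tag and a private IP.
resource "google_compute_firewall" "backend_internal_icmp" {
  name      = "backend-internal-icmp"
  network   = "backend-vpc"
  direction = "INGRESS"

  # Private subnet range only. Public IPs are never in this range, so
  # traffic that leaves via a public address is still dropped, as the
  # answer describes.
  source_ranges = ["10.0.1.0/24"]

  # Apply only to instances tagged "backend", not to the whole network.
  target_tags = ["backend"]

  allow {
    protocol = "icmp"
  }
}
```

After `terraform apply`, a `ping` between two tagged instances using their `10.0.1.x` addresses succeeds, while a ping to a peer's public IP does not match any rule.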