Are we assuming the extra instances are coming from a different SA (service account)? Because if they are coming from the same service account, it will not be blocked. That's normal to assume in an environment. Systems in the same VLAN may be able to access the data. I still have a question: why do we need "block all connections from backend" as an ingress-type rule? Won't it be automatically blocked by the "implied deny ingress" rule?
Hi. Yes, it does; however, the requirement was "no outbound anywhere from backend except to other backend". Without "block all connections from backend" you would allow connectivity from BE to FE by the rule that follows, allow-incoming-to-frontend-fwr.