The requirements in the challenge clearly stated that backend instances should not have any inbound or outbound connectivity to the internet. In that case, wouldn’t it be more effective to simply not assign External IP in the backend instance template rather than blocking traffic using ingress and egress rules for backend subnet or backend service accounts?
Yes it is :).
In reality, the best way to isolate backend instances from Internet is removing public IP from them.
But I assume that, in the context of this lesson, the instructor wants us to practice and understand various aspects of VPC firewall rules, so he sticks with whatever the default configuration is (ephemeral IP) ^^.
I think one of the requirement is also to block pinging front end VMs