Google Certified Associate Cloud Engineer 2020


My network firewall for allowing icmp traffic from front to back machines doesn’t work

I started with the following rule for allowing traffic from the front machines to the back-end machines and it doesn’t work. Pings from the front machines to the back-end machines are unsuccessful.

Thank you

allow-icmp-from-front

Logs: Off
Network: mi-vpc
Priority: 1000
Direction: Ingress
Action on match: Allow
Targets: Service account mi-service-account-back@samplewebapplication-204313.iam.gserviceaccount.com
Source filters: Service account mi-service-account-front@samplewebapplication-204313.iam.gserviceaccount.com
Protocols and ports: icmp
Enforcement: Enabled
Insights: None
Hit count monitoring

2 Answers

Assuming your service accounts are correctly linked to the instances, this rule looks correct to me. Make sure you are pinging the internal IP address for the BE instance once you have SSH’d onto the FE instance as you are within the VPC at that point!

Billy Rotich

Ah yeah, you are right, Robin. We should actually ping the internal IP addresses. I was also facing the same issue posted by Jorge.

I have the same setup. However, I do not understand why only the internal IP address is pingable, and not the external IP address? Shouldn't the ping go through the external IP address, rather than the internal IP?

Ian Zdanowsky

I have the same question!
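As an added illustration of what the thread settles on (example code written for this page, not from the question or the answers): a simplified model of how this one rule is evaluated for a ping from a front instance to a back instance. It assumes, per GCP's documented behaviour, that a source service-account filter identifies a sender only by its primary internal IP, so a ping aimed at the back-end's external IP leaves the VPC, arrives NATed from the front instance's external IP and cannot match; the instance names and addresses are constructed, the service-account emails are the ones in the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Instance:
    name: str
    service_account: str
    internal_ip: str            # primary internal (VPC) address
    external_ip: Optional[str]  # 1:1 NAT address, if one is attached


@dataclass(frozen=True)
class IngressRule:
    name: str
    priority: int
    protocol: str
    target_service_account: str
    source_service_account: Optional[str] = None
    source_range: Optional[str] = None


# Constructed sample instances (names and addresses are made up for this example).
FRONT = Instance("front-1", "mi-service-account-front@samplewebapplication-204313.iam.gserviceaccount.com",
                 "10.0.0.2", "203.0.113.10")
BACK = Instance("back-1", "mi-service-account-back@samplewebapplication-204313.iam.gserviceaccount.com",
                "10.0.0.3", "203.0.113.20")

# The rule from the question, as a plain data structure.
RULE = IngressRule("allow-icmp-from-front", 1000, "icmp",
                   target_service_account=BACK.service_account,
                   source_service_account=FRONT.service_account)


def ingress_allowed(rule: IngressRule, src: Instance, dst: Instance, dst_ip: str,
                    protocol: str = "icmp") -> Tuple[bool, str]:
    """Evaluate one allow rule plus the implied deny-ingress for a src -> dst packet."""
    if protocol != rule.protocol or dst.service_account != rule.target_service_account:
        return False, "rule does not apply: protocol or target service account differs"
    on_internal_path = dst_ip == dst.internal_ip
    # Source service accounts (and tags) identify a sender only by the primary
    # internal IP of an instance in the VPC. A packet sent to dst's external IP
    # is NATed and arrives from src's external IP, so that identity is lost.
    if on_internal_path and rule.source_service_account == src.service_account:
        return True, "matched source service account on the internal path"
    if rule.source_range:
        seen_src = src.internal_ip if on_internal_path else src.external_ip
        if seen_src and ip_address(seen_src) in ip_network(rule.source_range):
            return True, f"matched source range {rule.source_range} as {seen_src}"
    return False, "no allow rule matched; implied deny-ingress drops the packet"
```

Run `ingress_allowed(RULE, FRONT, BACK, BACK.internal_ip)` and the same call with `BACK.external_ip` to see the two outcomes the thread describes; only a rule with a source IP range covering the front instance's external address would allow the external-IP ping.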
