Google Certified Associate Cloud Engineer 2020


Network lab challenge with one VPC: followed the answer in the course but still not able to get it working.

I followed the same approach as described in the solution: created 1 VPC and 2 service accounts, and added the rules as given in the lab challenge solution. But 2 requirements are still not met: front-end ping to back-end, and back-end to back-end ping. Below are my firewall rules. Not sure where I made a mistake.

My subnets are:

- 10.0.1.0/24 front (us-east)
- 10.0.2.0/24 back (europe-west)

| Name | Type | Targets | Filters | Protocols / ports | Action | Priority |
|---|---|---|---|---|---|---|
| allow-icmp-in-internal | Ingress | back-svc@myuserproject-242916.iam.gserviceaccount.com | Service account: front-svc@myuserproject-242916.iam.gserviceaccount.com | icmp | Allow | 800 |
| back-to-back-icmp | Ingress | back-svc@myuserproject-242916.iam.gserviceaccount.com | Service account: back-svc@myuserproject-242916.iam.gserviceaccount.com | icmp | Allow | 900 |
| backto-back | Egress | back-svc@myuserproject-242916.iam.gserviceaccount.com | IP ranges: 10.0.2.0/24 | icmp | Allow | 1000 |
| block-all-backend | Egress | back-svc@myuserproject-242916.iam.gserviceaccount.com | IP ranges: 0.0.0.0/0 | all | Deny | 65000 |
| block-all-connections-from-back | Ingress | Apply to all | Service account: back-svc@myuserproject-242916.iam.gserviceaccount.com | all | Deny | 1000 |
| myfbvpc-front-icmp | Ingress | front-svc@myuserproject-242916.iam.gserviceaccount.com | IP ranges: 0.0.0.0/0 | icmp | Allow | 1100 |
| myfbvpc-ssh-rule | Ingress | ssh-tag | IP ranges: 0.0.0.0/0 | tcp:22 | Allow | 1000 |

1 Answer

Hello!  It’s a bit hard to read the rules you have with this formatting (markdown code blocks started and ended by three back-ticks could work to clean it up), but I think you have set your egress rule with the range 10.0.2.0/24, and you should not need (or use) any such rule.  Instead, allow egress to the whole VPC by using 10.0.0.0/16.  You should not need to restrict based on subnet, at all.  Everything should work the same regardless of where in your VPC the instances are.  Also, double-check that you have the service accounts set the right way around, as reversing something could throw it off.

Hope this helps!

Mattias

Steve L

I was running into this same issue, no matter what I tried. I think my problem was that I was only using external IP addresses… those never seem to work. Should I be using the internal IPs of the backend servers, when I’m trying to ping them?
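Added example, not code from the course or from any poster in this thread: a small Python model of how a GCP VPC firewall evaluates the rule table posted in the question. It encodes the documented evaluation order (lowest priority number first, deny beats allow at equal priority, first match decides, implied allow-all-egress and deny-all-ingress at priority 65535 otherwise) and the fact that a source-service-account filter only matches a peer's internal IP. The VM names and IP addresses are constructed, and the way `can_send()` treats traffic sent to a peer's external address is an assumption stated in the code. Running it shows which rule decides each lab path, including the internal-versus-external address difference Steve L asks about.

```python
"""Model of GCP VPC firewall evaluation over the rule table in the question.

Added example; not code from the course, Google, or any poster. Modelled
semantics: rules checked from the lowest priority number upward, deny beats
allow at equal priority, first match decides, implied rules (allow all egress,
deny all ingress) apply otherwise, and a source-service-account filter only
resolves to a VM's internal IP. VM names/IPs and the external-path behaviour
in can_send() are assumptions, not facts from the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import ipaddress

BACK = "back-svc@myuserproject-242916.iam.gserviceaccount.com"
FRONT = "front-svc@myuserproject-242916.iam.gserviceaccount.com"


@dataclass
class Vm:
    name: str
    internal_ip: str
    service_account: str
    tags: Tuple[str, ...] = ()
    external_ip: Optional[str] = None


@dataclass
class Rule:
    name: str
    direction: str                    # "INGRESS" or "EGRESS"
    action: str                       # "allow" or "deny"
    priority: int
    protocols: Set[str]               # e.g. {"icmp"}, {"tcp:22"} or {"all"}
    target_sa: Optional[str] = None   # no SA and no tag = apply to all instances
    target_tag: Optional[str] = None
    src_sa: Optional[str] = None      # ingress filter: source service account
    src_ranges: List[str] = field(default_factory=list)  # ingress filter: CIDRs
    dst_ranges: List[str] = field(default_factory=list)  # egress filter: CIDRs


# The seven rules from the question, transcribed from the table.
RULES = [
    Rule("allow-icmp-in-internal", "INGRESS", "allow", 800, {"icmp"}, target_sa=BACK, src_sa=FRONT),
    Rule("back-to-back-icmp", "INGRESS", "allow", 900, {"icmp"}, target_sa=BACK, src_sa=BACK),
    Rule("backto-back", "EGRESS", "allow", 1000, {"icmp"}, target_sa=BACK, dst_ranges=["10.0.2.0/24"]),
    Rule("block-all-backend", "EGRESS", "deny", 65000, {"all"}, target_sa=BACK, dst_ranges=["0.0.0.0/0"]),
    Rule("block-all-connections-from-back", "INGRESS", "deny", 1000, {"all"}, src_sa=BACK),
    Rule("myfbvpc-front-icmp", "INGRESS", "allow", 1100, {"icmp"}, target_sa=FRONT, src_ranges=["0.0.0.0/0"]),
    Rule("myfbvpc-ssh-rule", "INGRESS", "allow", 1000, {"tcp:22"}, target_tag="ssh-tag", src_ranges=["0.0.0.0/0"]),
]

# Constructed VMs: one per subnet from the question, plus a second back end.
front = Vm("front-1", "10.0.1.2", FRONT, tags=("ssh-tag",), external_ip="203.0.113.10")
back1 = Vm("back-1", "10.0.2.2", BACK, external_ip="203.0.113.20")
back2 = Vm("back-2", "10.0.2.3", BACK)


def in_ranges(ip: Optional[str], ranges: List[str]) -> bool:
    return ip is not None and any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges)


def applies_to(rule: Rule, vm: Vm) -> bool:
    if rule.target_sa is None and rule.target_tag is None:
        return True
    return vm.service_account == rule.target_sa or rule.target_tag in vm.tags


def evaluate(rules, vm, direction, peer_ip, peer_vm, proto) -> Tuple[str, str]:
    """Decide one direction on one VM; returns (action, deciding rule name)."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule.direction != direction or not applies_to(rule, vm):
            continue
        if "all" not in rule.protocols and proto not in rule.protocols:
            continue
        if direction == "EGRESS":
            matched = in_ranges(peer_ip, rule.dst_ranges)
        elif rule.src_sa is not None:
            # A source service account matches only the peer's internal address.
            matched = (peer_vm is not None and peer_vm.service_account == rule.src_sa
                       and peer_ip == peer_vm.internal_ip)
        else:
            matched = in_ranges(peer_ip, rule.src_ranges)
        if matched:
            return rule.action, rule.name
    return ("allow", "implied-allow-egress") if direction == "EGRESS" else ("deny", "implied-deny-ingress")


def can_send(rules, src: Vm, dst_ip: str, proto: str, dst: Optional[Vm] = None) -> Tuple[str, str]:
    """Egress on the sender first, then ingress on the receiver (dst=None: off-VPC)."""
    verdict, rule = evaluate(rules, src, "EGRESS", dst_ip, dst, proto)
    if verdict == "deny" or dst is None:
        return verdict, rule
    # Assumption: a packet sent to a peer's external IP takes the external path,
    # so the receiver sees the sender's external address, not its internal one.
    src_ip = src.internal_ip if dst_ip == dst.internal_ip else src.external_ip
    return evaluate(rules, dst, "INGRESS", src_ip, src, proto)


def lab_report() -> dict:
    """The lab's paths, each with the rule that decides it."""
    return {
        "front->back-1 ping (internal IP)": can_send(RULES, front, back1.internal_ip, "icmp", back1),
        "front->back-1 ping (external IP)": can_send(RULES, front, back1.external_ip, "icmp", back1),
        "back-1->back-2 ping (internal IP)": can_send(RULES, back1, back2.internal_ip, "icmp", back2),
        "back-1->front ping (internal IP)": can_send(RULES, back1, front.internal_ip, "icmp", front),
        "back-1->internet tcp:443": can_send(RULES, back1, "8.8.8.8", "tcp:443"),
    }


if __name__ == "__main__":
    for path, (action, rule) in lab_report().items():
        print(f"{path:36} {action:5} via {rule}")
```

With the rules as posted, an ICMP echo from the front end to a back-end VM's internal IP is decided by `allow-icmp-in-internal`, while the same echo addressed to the back end's external IP matches no source-service-account filter and falls through to the implied ingress deny. Back-end to back-end pings within 10.0.2.0/24 pass `backto-back` on egress and `back-to-back-icmp` on ingress, and anything the back end sends outside that /24 (including to the front-end subnet) is stopped by `block-all-backend`, which is the effect of the /24 egress range that the answer above points at.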
