
After the VPC challenge lab, I realized the service account based firewall rules are only enforced while the traffic is heading to the private IP addresses in the subnets. It makes sense to me.
But, when I was doing VPC peering between two VPCs in different regions, things got a bit confusing.
For example, under the same project:
VM1 under service_account1 in VPC1 at region 1
VM2 under service_account2 in VPC2 at region 2
I set VPC peering up between VPC1 and VPC2, and they can see each other's private IP addresses. Then, I set up a firewall rule in VPC1: ingress, targets: service_account1@…., Filters: service_account2@…., protocols/ports: icmp, Action: Allow
Then, I ping from VM2 to VM1's private IP address, and it DOESN'T work. This rule is not enforced, even though they are in the same VPC peering group, and the two service accounts are under the same project.
Then, I set up another firewall rule in VPC1: ingress, targets: service_account1@…., Filters: IP ranges: VPC2’s subnet range, protocols/ports: icmp, Action: Allow.
Then, I ping from VM2 to VM1's private IP address, and it DOES work.
Hereby, I am confused by this example. What's the enforcement scope of service accounts in VPC peering? Thanks.
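The two outcomes above match a documented property of VPC firewall rules: a source service account (like a source tag) only identifies VMs inside the same VPC network as the rule, so a rule created with `--source-service-accounts` never matches traffic arriving over a peering, while `--source-ranges` matches on the packet's source IP regardless of where it came from. The toy model below, added here as an illustration and not code from Google or from the original post, encodes that matching behaviour and replays the poster's two rules; network names, addresses and service-account emails are constructed placeholders, rule priority is simplified to list order, and only the allow/deny decision is modelled.

```python
"""Toy model of Google Cloud VPC ingress firewall matching, written to
illustrate the behaviour described in the post above. This is an added
example, not Google's code. It encodes one documented constraint: source
service accounts in a rule identify VMs in the rule's own VPC network
only, while source IP ranges match any packet, including one that arrived
over VPC peering. Names, IPs and service accounts are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Instance:
    name: str
    network: str           # VPC network the NIC is attached to
    ip: str                # private IP address
    service_account: str


@dataclass
class IngressRule:
    network: str                                      # network the rule lives in
    target_service_accounts: set = field(default_factory=set)
    source_service_accounts: set = field(default_factory=set)
    source_ranges: list = field(default_factory=list)  # CIDR strings
    protocol: str = "icmp"
    action: str = "allow"

    def matches(self, src: Instance, dst: Instance, protocol: str) -> bool:
        # A rule only applies to VMs attached to its own network.
        if dst.network != self.network or protocol != self.protocol:
            return False
        if self.target_service_accounts and dst.service_account not in self.target_service_accounts:
            return False
        # Source service accounts identify VMs in the rule's network only;
        # a VM reached through peering is never matched this way.
        by_sa = (
            src.network == self.network
            and src.service_account in self.source_service_accounts
        )
        # Source ranges look at the packet's source IP, so peered subnets match.
        by_ip = any(ip_address(src.ip) in ip_network(r) for r in self.source_ranges)
        return by_sa or by_ip


def ingress_allowed(rules, src: Instance, dst: Instance, protocol: str = "icmp") -> bool:
    """First matching rule decides (list order stands in for priority);
    with no match, the implied deny-all-ingress rule applies."""
    for rule in rules:
        if rule.matches(src, dst, protocol):
            return rule.action == "allow"
    return False


# Constructed scenario mirroring the post: two peered VPCs, one VM each.
VM1 = Instance("vm1", "vpc1", "10.1.0.2", "sa1@example.iam.gserviceaccount.com")
VM2 = Instance("vm2", "vpc2", "10.2.0.2", "sa2@example.iam.gserviceaccount.com")

# Rule 1 from the post: target = VM1's account, source = VM2's account.
RULE_BY_SERVICE_ACCOUNT = IngressRule(
    network="vpc1",
    target_service_accounts={VM1.service_account},
    source_service_accounts={VM2.service_account},
)
# Rule 2 from the post: target = VM1's account, source = VPC2's subnet range.
RULE_BY_IP_RANGE = IngressRule(
    network="vpc1",
    target_service_accounts={VM1.service_account},
    source_ranges=["10.2.0.0/24"],
)


def ping_vm2_to_vm1(rules) -> bool:
    """Is an ICMP packet from VM2 to VM1's private IP allowed under rules?"""
    return ingress_allowed(rules, VM2, VM1, "icmp")


if __name__ == "__main__":
    print("service-account filter:", ping_vm2_to_vm1([RULE_BY_SERVICE_ACCOUNT]))  # False
    print("source-range filter:   ", ping_vm2_to_vm1([RULE_BY_IP_RANGE]))          # True
```

The practical consequence for a defender is that a service-account-scoped rule cannot be relied on to admit or restrict peered-network traffic; cross-peering policy has to be written in terms of source ranges, which are broader than an identity, so the allowed CIDR should be no wider than the peered subnet that actually needs access.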