Google Certified Associate Cloud Engineer 2020


questions about VPC and service account scope

After the VPC challenge lab, I realized that service-account-based firewall rules are only enforced while the traffic is heading to the private IP addresses in the subnets. That makes sense to me.

But when I was doing VPC peering between two VPCs in different regions, things got a bit confusing.

For example, under the same project:

VM1 under service_account1 in VPC1 at region 1

VM2 under service_account2 in VPC2 at region 2

I set up VPC peering between VPC1 and VPC2, and they can see each other's private IP addresses. Then I set up a firewall rule in VPC1: ingress, targets: service_account1@…., filters: service_account2@…., protocols/ports: icmp, action: Allow.

Then I ping from VM2 to VM1's private IP address, and it DOESN'T work. This rule is not enforced, even though they are in the same VPC peering group and the two service accounts are under the same project.

Then I set up another firewall rule in VPC1: ingress, targets: service_account1@…., filters: IP ranges: VPC2's subnet range, protocols/ports: icmp, action: Allow.

Then I ping from VM2 to VM1's private IP address, and it DOES work.

So I am confused by this example. What's the enforcement scope of service accounts in VPC peering? Thanks.
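The behaviour described in the post, modelled as an added example that is not part of the original post and not Google's implementation: a source-service-account filter is only resolvable for VMs inside the rule's own VPC network, whereas a source IP range is matched on the packet itself and therefore also covers traffic arriving over peering. VM names, addresses, CIDRs and service-account strings below are constructed.

```python
"""Toy model of GCP ingress firewall evaluation for the two rules in the post."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VM:
    name: str
    network: str
    ip: str
    service_account: str


@dataclass
class IngressRule:
    network: str            # VPC network the rule belongs to
    target_sa: str          # target service account (which VMs the rule protects)
    protocol: str
    source_ranges: list = field(default_factory=list)   # source CIDR filters
    source_sas: list = field(default_factory=list)      # source service-account filters


def source_matches(rule: IngressRule, src: VM) -> bool:
    # Assumption encoded from the observed behaviour: a source VM's service
    # account identity is only known inside the rule's own network; a peered
    # network only contributes the packet's source IP address.
    if src.network == rule.network and src.service_account in rule.source_sas:
        return True
    return any(ip_address(src.ip) in ip_network(r) for r in rule.source_ranges)


def ingress_allowed(rules: list, src: VM, dst: VM, protocol: str) -> bool:
    # Implied deny-ingress: traffic passes only if some allow rule in the
    # destination network targets the destination VM and matches the source.
    return any(
        r.network == dst.network and r.target_sa == dst.service_account
        and r.protocol == protocol and source_matches(r, src)
        for r in rules
    )


# Constructed sample topology mirroring the post (VPC1 peered with VPC2).
vm1 = VM("vm1", "vpc1", "10.1.0.5", "sa1@example.iam.gserviceaccount.com")
vm2 = VM("vm2", "vpc2", "10.2.0.7", "sa2@example.iam.gserviceaccount.com")
vm3 = VM("vm3", "vpc1", "10.1.0.9", "sa2@example.iam.gserviceaccount.com")
sa_rule = IngressRule("vpc1", vm1.service_account, "icmp", source_sas=[vm2.service_account])
range_rule = IngressRule("vpc1", vm1.service_account, "icmp", source_ranges=["10.2.0.0/24"])


def demo() -> dict:
    """Return the outcome of each scenario: peered SA filter, peered range filter, same-network SA filter."""
    return {
        "peer_sa_rule": ingress_allowed([sa_rule], vm2, vm1, "icmp"),
        "peer_range_rule": ingress_allowed([range_rule], vm2, vm1, "icmp"),
        "same_net_sa_rule": ingress_allowed([sa_rule], vm3, vm1, "icmp"),
    }
```

The third scenario goes one step beyond the post: a VM with the same source service account placed inside VPC1 does match the service-account rule, which is what separates "filter not enforced" from "source identity not visible across peering".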


0 Answers
