In the allow frontend to backend firewall rule, I used the target as the backend service account, but for the filter I used the frontend IP address range instead of the frontend service account. It works, but I was wondering if one was preferable to the other and why.
Hello! It is preferable to use the service account because that gives instances a better identity than what IP range they happen to currently be using. In particular, it helps prevent both potential false positives and potential false negatives.
For example, with the IP range, you would inadvertently grant access to additional unrelated machines if you accidentally put them into the same subnet as these. But you should be rather less likely to accidentally give them the wrong service account, right?
Also, let’s say that you eventually decide to spread your frontend machines across multiple regions. They will now need to use different subnets and different IP ranges, so you’ll have to update your rules. But the rules based on service accounts would already be able to handle that situation correctly.
I hope this helps!
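The two failure modes the answer describes (an unrelated machine landing in the frontend subnet, and frontends later spread across regions with new subnets) can be made concrete with a small model of how a source filter selects instances. This is an added example, not code from the thread or from Google; the fleet, IPs and service-account names are constructed for illustration. It mirrors the real `gcloud compute firewall-rules create` source filters `--source-ranges` and `--source-service-accounts` (with `--target-service-accounts` for the backend side), but it does not call gcloud.

```python
"""Added example (not from the original thread): a small model of how a GCP
VPC firewall rule selects *source* traffic when the filter is an IP range
versus a source service account.  All instance data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    service_account: str
    region: str


# Constructed fleet; names, addresses and service accounts are illustrative only.
FLEET = [
    Instance("frontend-1", "10.0.1.10", "frontend-sa@example.iam", "us-central1"),
    Instance("frontend-2", "10.0.1.11", "frontend-sa@example.iam", "us-central1"),
    # Unrelated workload that happened to be placed in the frontend subnet.
    Instance("batch-job", "10.0.1.50", "batch-sa@example.iam", "us-central1"),
    # Frontend later deployed in a second region, hence a different subnet.
    Instance("frontend-eu", "10.1.1.10", "frontend-sa@example.iam", "europe-west1"),
]

# Filter as written in the question: the frontend subnet as --source-ranges.
RANGE_RULE = ["10.0.1.0/24"]
# Filter as recommended in the answer: the frontend identity as --source-service-accounts.
SA_RULE = ["frontend-sa@example.iam"]


def matches_source_range(inst: Instance, ranges: list[str]) -> bool:
    """Filter expressed as an IP range: match on the instance's internal address."""
    addr = ip_address(inst.ip)
    return any(addr in ip_network(r) for r in ranges)


def matches_source_service_account(inst: Instance, accounts: list[str]) -> bool:
    """Filter expressed as a service account: match on the instance's identity."""
    return inst.service_account in accounts


def allowed_sources(fleet, predicate) -> set[str]:
    """Names of instances whose traffic the rule would admit to the backend."""
    return {i.name for i in fleet if predicate(i)}


def compare(fleet=FLEET) -> dict[str, list[str]]:
    """Show what each filter style admits, and where the two disagree.

    false_positives: admitted by the range rule only (unrelated machine in the subnet).
    false_negatives: admitted by the service-account rule only (frontend in a new region).
    """
    by_range = allowed_sources(fleet, lambda i: matches_source_range(i, RANGE_RULE))
    by_sa = allowed_sources(fleet, lambda i: matches_source_service_account(i, SA_RULE))
    return {
        "by_range": sorted(by_range),
        "by_service_account": sorted(by_sa),
        "false_positives": sorted(by_range - by_sa),
        "false_negatives": sorted(by_sa - by_range),
    }


if __name__ == "__main__":
    for key, names in compare().items():
        print(f"{key}: {names}")
```

The range-based filter admits `batch-job` simply because of where it sits, and silently drops `frontend-eu` once a second region exists; the service-account filter admits exactly the frontends in both cases without any rule change. One caveat when translating this into real rules: a single VPC firewall rule cannot combine service-account filters with network-tag filters, so pick one identity scheme for the fleet.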