I would like to share how I have done the challenge and am looking forward to your feedback:
1. Created two subnets:
Region | Name | IP range | Gateway
us-central1 | iowa-subnet | 192.168.2.0/24 | 192.168.2.1
us-west1 | oregon-subnet | 192.168.1.0/24 | 192.168.1.1
2. Two Instance Templates:
Name | Machine type | Image | Disk type | In use by | Creation time
backend-it | 1 vCPU, 0.6 GB | debian-9-stretch-v20190124 | Standard persistent disk | backend-group | Feb 1, 2019, 7:33:53 PM
frontend-it | 1 vCPU, 0.6 GB | debian-9-stretch-v20190124 | Standard persistent disk | frontend-group | Feb 1, 2019, 6:19:14 PM
3. Two Instance Groups:
Name | Location | Instances | Template | Creation time | Autoscaling
backend-group | us-central1 (3/4 zones) | 2 | backend-it | Feb 1, 2019, 7:38:07 PM | Target CPU usage 60%
frontend-group | us-west1 (3/3 zones) | 2 | frontend-it | Feb 1, 2019, 7:37:05 PM | Target CPU usage 60%
4. Two Service Accounts:
Email | Name | Description | Key ID | Key creation date | Actions
email@example.com | backend-sa | Backend Servers | No keys | |
firstname.lastname@example.org | frontend-sa | Service Account for Frontend servers | No keys | |
1. Added ssh tags to all the instances, both frontend and backend, to allow ssh from everywhere.
2. Allow icmp to all frontend instances from 0.0.0.0/0; target is email@example.com.
3. Allow icmp to all backend instances from the 192.168.1.0/24 subnet so that frontend can ping backend; target is firstname.lastname@example.org.
4. Deny icmp from backend to frontend (oregon-subnet, IP range 192.168.1.0/24); target is email@example.com.
I am not sure if I have overcomplicated stuff 😛 looking forward to your feedback.
Alright! Good on you for working through this! 👍 All of your subnets, service accounts and instance groups look good to me.
Some questions/pointers about your Firewall Rules:
1. What you’ve done will work, and it’s fine for a learning lab. And IIRC from another post, you hit the issue of not being able to edit instances owned by a MIG so this makes a lot of sense. If you want to apply least privilege, you should either find a way to edit only the instance you need to SSH to (such as setting the network tag via the command line) or create a separate firewall rule just for that one specific instance (which avoids having to edit the instance).
2. Perfect! 😀
3. Did you have to set the rule to use the subnet CIDR block, or could you set it to apply to different service accounts at both ends? 🙂
4. In this case, instead of denying some specific traffic you don’t want (i.e. backend to frontend), try denying all outbound traffic from the backend and then only opening up the specific data you do want to allow. This is more secure.
It does not look to me like you overcomplicated it. Good job, so far!
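As an added example that is not part of either post above, the following script shows how pointers 1, 3 and 4 in the reply could be expressed with gcloud: the SSH rule is scoped to a network tag and an admin range instead of everywhere, the backend ICMP rule uses service accounts at both ends instead of the subnet CIDR, and the backend gets a low-priority deny-all egress rule with a higher-priority allow for the one destination it actually needs. The project id, network name, admin range and allowed destination are placeholders, and the service-account emails are assumed to follow the standard NAME@PROJECT_ID.iam.gserviceaccount.com form rather than the anonymized addresses in the post. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders: PROJECT_ID,
# NETWORK, ADMIN_RANGE (documentation range 203.0.113.0/24) and
# BACKEND_DEST (documentation range 198.51.100.0/24).
PROJECT_ID="${PROJECT_ID:-my-project}"          # placeholder
NETWORK="${NETWORK:-default}"                   # placeholder
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/24}"    # placeholder: where admins SSH from
BACKEND_DEST="${BACKEND_DEST:-198.51.100.0/24}" # placeholder: the one egress the backend needs
FRONTEND_SA="frontend-sa@${PROJECT_ID}.iam.gserviceaccount.com"
BACKEND_SA="backend-sa@${PROJECT_ID}.iam.gserviceaccount.com"

# run: in dry-run mode print the command on one line, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Pointer 1: SSH only to instances carrying the "ssh-admin" tag, and only
# from the admin range, instead of tagging every instance and allowing 0.0.0.0/0.
allow_ssh_admin() {
  run gcloud compute firewall-rules create allow-ssh-admin \
    --network "$NETWORK" --direction INGRESS --action ALLOW --rules tcp:22 \
    --source-ranges "$ADMIN_RANGE" --target-tags ssh-admin --priority 1000
}

# Pointer 2 (unchanged from the post): ICMP to frontend from anywhere,
# but targeted by service account rather than by tag.
allow_icmp_to_frontend() {
  run gcloud compute firewall-rules create allow-icmp-frontend \
    --network "$NETWORK" --direction INGRESS --action ALLOW --rules icmp \
    --source-ranges 0.0.0.0/0 --target-service-accounts "$FRONTEND_SA" --priority 1000
}

# Pointer 3: ICMP to backend only from instances running as the frontend
# service account; no subnet CIDR, so the rule follows the workload identity.
allow_icmp_frontend_to_backend() {
  run gcloud compute firewall-rules create allow-icmp-frontend-to-backend \
    --network "$NETWORK" --direction INGRESS --action ALLOW --rules icmp \
    --source-service-accounts "$FRONTEND_SA" \
    --target-service-accounts "$BACKEND_SA" --priority 1000
}

# Pointer 4a: deny all egress from the backend at a low priority (higher
# number), so that any explicit allow at priority 1000 wins over it.
deny_backend_egress_all() {
  run gcloud compute firewall-rules create deny-backend-egress-all \
    --network "$NETWORK" --direction EGRESS --action DENY --rules all \
    --destination-ranges 0.0.0.0/0 --target-service-accounts "$BACKEND_SA" --priority 65000
}

# Pointer 4b: open only the specific backend egress that is needed.
# GCP firewall rules are stateful, so replies to allowed ingress (e.g. the
# frontend's pings) do not need their own egress allow.
allow_backend_egress_specific() {
  run gcloud compute firewall-rules create allow-backend-egress-https \
    --network "$NETWORK" --direction EGRESS --action ALLOW --rules tcp:443 \
    --destination-ranges "$BACKEND_DEST" --target-service-accounts "$BACKEND_SA" --priority 1000
}

apply_all() {
  allow_ssh_admin
  allow_icmp_to_frontend
  allow_icmp_frontend_to_backend
  deny_backend_egress_all
  allow_backend_egress_specific
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (print the plan)
#        sh firewall.sh apply             (create the rules)
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Priority is the key to pointer 4: the deny at 65000 catches everything, and each allow at 1000 carves out one destination, so adding a new backend dependency means adding one explicit allow rather than loosening the deny. Using --source-service-accounts and --target-service-accounts also means the rules keep working if a subnet is renumbered or the MIG is moved, which a CIDR-based rule would not.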