Google Certified Associate Cloud Engineer 2020

Sign Up Free or Log In to participate!

VPC Challenge Lab

Hello Mattias,

I would like to share how I have done the challenge and looking forward for your feedback:

1.  Created two subnets:

us-central1    iowa-subnet
us-west1   oregon-subnet 

2. Two Instance Templates:

Name       Machine type      Image                 Disk type                   In use by                                           Creation time     
backend-it  1 vCPU, 0.6 GB debian-9-stretch-v20190124   Standard persistent disk    backend-group   Feb 1, 2019, 7:33:53 PM   
frontend-it 1 vCPU, 0.6 GB debian-9-stretch-v20190124   Standard persistent disk    frontend-group  Feb 1, 2019, 6:19:14 PM 

3. Two Instance Groups:

 backend-group us-central1 (3/4 zones) 2   backend-it Feb 1, 2019, 7:38:07 PM  Target CPU usage 60%          
 frontend-group us-west1 (3/3 zones)    2   frontend-it Feb 1, 2019, 7:37:05 PM Target CPU usage 60% 

4. Two Service Accounts:

Email                                                     Name           Description     Key ID Key creation date Actions  backend-sa  Backend Servers No keys frontend-sa Service Account for Frontend servers    No keys

Firewall Rules

1. Added ssh tags to all the instances both frontend and backend. To allow ssh from everywhere. 

2. Allow icmp to all frontend instances from and target is

3. Allow icmp to all backend instances from subnet so that frontend can ping backend target is

4. Deny icmp from backend to frontend (oregon-subnet (IP range: target is

I am not sure if I have over complicated stuff 😛 looking forward for your feedback.

Puppeteer It

I think there’s a very important piece of information missing here, about VPC peering being required to enable cross VPC network access.

1 Answers

Alright!  Good on you for working through this! 👍  All of your subnets, service accounts and instance groups look good to me.

Some questions/pointers about your Firewall Rules:

1. What you’ve done will work, and it’s fine for a learning lab.  And IIRC from another post, you hit the issue of not being able to edit instances owned by a MIG so this makes a lot of sense.  If you want to apply least privilege, you should either find a way to edit only the instance you need to SSH to (such as setting the network tag via the command line) or create a separate firewall rule just for that one specific instance (which avoids having to edit the instance).

2. Perfect! 😀

3. Did you have to set the rule to use the subnet CIDR block, or could you set it to apply to different service accounts at both ends? 🙂

4. In this case, instead of denying some specific traffic you don’t want (i.e. backend to frontend), try denying all outbound everything from the backend and then only opening up the specific data you do want to allow.  This is more secure.

It does not look to me like you overcomplicated it.  Good job, so far!



Thanks Mattias, I have completed all the course. I am looking forward to writing the exam.

Mattias Andersson


Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?