2 Answers
This is impressive, Marek! Well done! I love that you took on the challenge of scripting everything. 👍
For your firewall rules, I notice that you decided to make separate subnets for the frontend and backend, so you could control the communication with IP address ranges. That’s a fair approach, and I’m glad you took it instead of being blocked. That said, I have another way in which you can structure things, so that the subnets and their IP ranges are not used as the basis for securing the communication. And because you and some other students have been asking about it, I took the opportunity to record new video explanations for you all. 😀 It wound up needing two videos:
As for the question you asked in your follow-up comment, about doing the challenge without tags: you should be able to set up the SSH rule however you'd like, really. If you would prefer, you could skip the tag and just have it apply to all instances, and maybe remove the rule that allows SSH at all when you're done with it. You could also scope it down by restricting the source IP range to only the IP address you're connecting from, if you want. You could even use a curl to http://api.ipify.org to get the address programmatically, if you plan to connect from the same machine that runs the script. 😁
All in all, nicely done. Please do let me know if you have more questions after you watch my new solution videos. Thanks!
Mattias
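The scoped-SSH approach described in the answer above, as an added example that is not part of the original answer or of the course's solution: a POSIX shell script that looks up the machine's public address via api.ipify.org, validates that the response really is an IPv4 address before it goes anywhere near a firewall rule, and creates a rule whose only source is that single /32, with no target tag so it applies to every instance in the VPC. The network name app-vpc is taken from later in the thread; the rule name allow-ssh-from-me-fwr, the GCLOUD override and the apply/cleanup subcommands are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): open SSH only from the public IP
# of the machine running this script, and delete the rule again when finished.
# Network and rule names below are assumptions, not taken from the course.
# gcloud is only executed when run as "sh ssh-rule.sh apply" or "... cleanup".
set -eu

NETWORK="${NETWORK:-app-vpc}"            # assumed VPC name (appears later in the thread)
RULE="${RULE:-allow-ssh-from-me-fwr}"    # hypothetical rule name
GCLOUD="${GCLOUD:-gcloud}"               # set GCLOUD=echo to dry-run

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
# Anything else (an HTML error page, IPv6, an empty string) is rejected so a
# bad answer from the IP lookup can never end up in --source-ranges.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Turn a validated IPv4 address into the /32 CIDR that --source-ranges expects.
to_cidr32() {
  is_ipv4 "$1" || { echo "not an IPv4 address: '$1'" >&2; return 1; }
  printf '%s/32\n' "$1"
}

# The lookup the answer suggests: ask api.ipify.org for this machine's public
# address (needs network access). The reply is validated before use.
own_ip_cidr() {
  to_cidr32 "$(curl -fsS https://api.ipify.org)"
}

# Create the SSH rule with no target tag (applies to every instance in the VPC)
# but with the source restricted to the single address in $1.
create_ssh_rule() {
  "$GCLOUD" compute firewall-rules create "$RULE" \
    --network "$NETWORK" --direction INGRESS --allow tcp:22 \
    --source-ranges "$1"
}

# Remove the rule again once the SSH session is no longer needed.
delete_ssh_rule() {
  "$GCLOUD" compute firewall-rules delete "$RULE" --quiet
}

case "${1:-}" in
  apply)
    cidr=$(own_ip_cidr)
    create_ssh_rule "$cidr"
    echo "rule $RULE allows tcp:22 from $cidr only; run '$0 cleanup' when done" ;;
  cleanup)
    delete_ssh_rule ;;
esac
```

Run it as `sh ssh-rule.sh apply` from the machine you will SSH from, and `GCLOUD=echo sh ssh-rule.sh apply` to see the command without executing it. The address ipify reports is the address your traffic leaves the network with, so the rule only helps if the SSH connection egresses through the same NAT or interface as the curl did, which is why the answer ties this to running the script on the same machine.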
Hi Mattias, thank you for looking into it and providing your solution. I will try to run it again to see what exactly I was struggling with, as it's been some time since I did it. Just for the follow-up question: I meant doing the challenge with one subnet only, without tags. If I remember correctly, I had an issue with the fact you mentioned in the video, that Google doesn't have a service-accounts filter for the egress rules. You structure it differently, but you are still using 2 subnets. Would it be possible to do the challenge with one subnet without using tags (except for SSH)? I'll try to run my solution and yours in the following days to compare. If I have more questions, I will ask 🙂 Thanks, Marek
Hello, Marek! Please do try things out; that's always a good idea! 😁 I did use two subnets, yes, but it should work just as well with only one. In retrospect, maybe I should have shown it with just one instead, to avoid any confusion. But seeing how easy it is to connect cross-region also seemed valuable. Ah, well. Please do let us know what you see!
create an ingress firewall rule to allow ICMP to backend from frontend or backend

gcloud compute firewall-rules create allow-icmp-to-backend-fwr --network app-vpc --allow icmp --source-ranges 192.168.1.0/24 --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com --target-service-accounts backend-sa@network-challenge-lab.iam.gserviceaccount.com

How will this work from the frontend, since the source IP range that was given is 192.168.1.0/24 (i.e. only the backend's)? Am I missing something here?
OK, I got it, since --source-service-accounts frontend-sa@network-challenge-lab.iam.gserviceaccount.com was also mentioned.
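Why the rule quoted in the comment above still admits the frontend, as an added example that is not from the original comment or the course's solution: GCP takes the union of `--source-ranges` and `--source-service-accounts`, so a packet matches if either criterion holds, while `--target-service-accounts` must still match the receiving VM. The POSIX shell below simulates that matching for exactly the rule in the comment. The frontend and backend addresses (192.168.0.0/24 and 192.168.1.0/24) are constructed for the illustration, and the service-account names are simply those in the quoted command.

```shell
#!/bin/sh
# Added example, not from the original comment: a small simulation of how an
# ingress rule that carries BOTH --source-ranges and --source-service-accounts
# selects traffic. GCP treats the two source criteria as a union: a packet
# matches when its source IP is in one of the ranges OR the sending VM runs as
# one of the listed service accounts, provided the receiving VM runs as one of
# the target service accounts. Addresses below are constructed for illustration.
set -eu

# The rule values from the quoted gcloud command.
RULE_SOURCE_RANGES="192.168.1.0/24"
RULE_SOURCE_SAS="frontend-sa@network-challenge-lab.iam.gserviceaccount.com"
RULE_TARGET_SAS="backend-sa@network-challenge-lab.iam.gserviceaccount.com"

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside CIDR $2 (a bare address means /32).
in_cidr() {
  case "$2" in
    */*) _net=${2%/*}; _bits=${2#*/} ;;
    *)   _net=$2;      _bits=32 ;;
  esac
  _mask=$(( (4294967295 << (32 - $_bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "$_net") & $_mask )) ]
}

# Return 0 if $1 is one of the comma-separated values in $2.
in_list() {
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# Would a packet from source IP $1, sent by a VM running as service account $2
# (empty if none), to a VM running as service account $3, be allowed by the rule?
# Prints the reason and returns 0 (allowed) or 1 (not matched).
rule_matches() {
  _src_ip=$1; _src_sa=$2; _dst_sa=$3
  # Target check first: the rule only applies to VMs running as a target SA.
  in_list "$_dst_sa" "$RULE_TARGET_SAS" \
    || { echo "no: target $_dst_sa is not a target service account"; return 1; }
  _reason=""
  # Source criterion 1: IP range.
  for _cidr in $(echo "$RULE_SOURCE_RANGES" | tr ',' ' '); do
    if in_cidr "$_src_ip" "$_cidr"; then _reason="source IP $_src_ip in $_cidr"; fi
  done
  # Source criterion 2: service account of the sending VM (union with the above).
  if [ -z "$_reason" ] && [ -n "$_src_sa" ] && in_list "$_src_sa" "$RULE_SOURCE_SAS"; then
    _reason="source service account $_src_sa"
  fi
  [ -n "$_reason" ] \
    || { echo "no: $_src_ip (${_src_sa:-no service account}) matches neither source criterion"; return 1; }
  echo "yes: $_reason"
}

# Constructed topology: frontend VMs in 192.168.0.0/24, backend VMs in 192.168.1.0/24.
rule_matches 192.168.0.5 "$RULE_SOURCE_SAS" "$RULE_TARGET_SAS"   # frontend: allowed via service account
rule_matches 192.168.1.9 "" "$RULE_TARGET_SAS"                   # backend peer: allowed via IP range
rule_matches 10.0.0.4 "" "$RULE_TARGET_SAS" || true              # neither criterion: not matched
```

The practical consequence for the challenge is the one the commenter arrived at: the frontend VM is admitted by its service account even though its address is outside 192.168.1.0/24, and the range clause is only what lets backend VMs reach each other. If the frontend were moved to another subnet or region, the service-account match would still hold, which is the property that makes subnets and IP ranges unnecessary as the basis of the rule.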
This is really cool, thanks for sharing!
Can you make a challenge with the one network only without using tags?