Google Certified Associate Cloud Engineer 2020


Why not have the backend servers be present in private subnets only?

I went with an approach where, instead of giving the backend servers public addresses, I just gave them private addresses. With this approach, I was able to reduce the number of firewall rules, and all external traffic can be easily blocked since it cannot reach the backend servers; the frontend servers were the only machines which could connect to the backend servers. I felt this is more of a realistic scenario, where backend prod servers will never have a public address and you usually have to log in to them using a jump server.

I just want your thoughts on this approach.

1 Answer

Ah, that’s not at all a bad way to do it, really–it’s just that doing it that way in the lab would show off different features of VPC than I wanted to demonstrate. 🙂  In particular, I want students to see that you don’t need to split instances into different subnets to be able to control them differently.  (Also, involving a bastion host / jump box does complicate things, somewhat, for people who are still getting a handle on all this.)

So very much of how network security has been accomplished, in the past, has been wrapped up in subnet management–because that was the only level that could be controlled.  But GCP’s software-defined networking lets you define rules at the level of instances, tags, and service accounts–in addition to subnets and IPs and stuff.

So it’s great that you’re thinking about other ways in which you could set things up–such as with non-publicly-routable backend instances and using a bastion/jump box to connect!  Just also pay attention to the completely new ways in which you could set things up, now that you have the extra capabilities offered by these new tools. 🙂

Keep being awesome!

Mattias
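The point in the answer above, that GCP lets you scope firewall rules to instances by tag or service account rather than by subnet, can be shown in a few resources. The Terraform below is an added illustration, not code from the course lab or from Mattias; the project, network, region, service-account and port names are all assumptions. It puts a frontend and a backend instance in the same subnet, gives only the frontend an external IP, and lets the backend accept traffic only from workloads running as the frontend's service account.

```hcl
# Added example, not the course's lab code. All names, the region/zone and
# the ports are assumptions chosen for illustration.

resource "google_compute_network" "vpc" {
  name                    = "demo-vpc"
  auto_create_subnetworks = false
}

# One subnet for both tiers: the separation is done by identity, not CIDR.
resource "google_compute_subnetwork" "shared" {
  name                     = "demo-subnet"
  ip_cidr_range            = "10.10.0.0/24"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true # backends without external IPs can still reach Google APIs
}

resource "google_service_account" "frontend" {
  account_id = "frontend-sa"
}

resource "google_service_account" "backend" {
  account_id = "backend-sa"
}

# Internet -> frontend on 443 only. Target chosen by service account.
resource "google_compute_firewall" "allow_web_ingress" {
  name                    = "allow-web-ingress"
  network                 = google_compute_network.vpc.name
  direction               = "INGRESS"
  priority                = 1000
  source_ranges           = ["0.0.0.0/0"]
  target_service_accounts = [google_service_account.frontend.email]

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# frontend -> backend on the app port. Both sides matched by identity, so
# another VM in the same subnet that is not running as frontend-sa is refused.
# Anything not explicitly allowed hits the VPC's implied deny-all ingress rule.
resource "google_compute_firewall" "allow_frontend_to_backend" {
  name                    = "allow-frontend-to-backend"
  network                 = google_compute_network.vpc.name
  direction               = "INGRESS"
  priority                = 1000
  source_service_accounts = [google_service_account.frontend.email]
  target_service_accounts = [google_service_account.backend.email]

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

resource "google_compute_instance" "frontend" {
  name         = "frontend-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.shared.id
    access_config {} # empty block = ephemeral external IP
  }

  service_account {
    email  = google_service_account.frontend.email
    scopes = ["cloud-platform"]
  }
}

resource "google_compute_instance" "backend" {
  name         = "backend-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.shared.id
    # no access_config block: internal IP only, as in the question's approach
  }

  service_account {
    email  = google_service_account.backend.email
    scopes = ["cloud-platform"]
  }
}
```

Two things worth noticing when comparing this with the subnet-per-tier layout: the backend rule would keep working unchanged if the backend were moved to a different subnet or region, because nothing in it refers to an address range; and a rule cannot mix `source_tags`/`target_tags` with `source_service_accounts`/`target_service_accounts`, so pick one identity scheme per rule (service accounts are the stronger choice, since tags can be changed by anyone with instance edit permission). Whether you also drop the backend's external IP and add a jump box, as in the question, is a separate decision; the rules above do not depend on it.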
