GCE: Restricting VM network access to only Internal Load Balancer (of k8s cluster)

Solution 1:

You can define egress firewall rules that will only affect this VM; you will need two.

For both rules, define the target as your VM instance running the docker container and set the protocols and ports to all.

For the first rule:

  • define the action as allow
  • define the destination as the IP of your internal load balancer.
  • set the priority to 900

For the second rule:

  • define the action as deny
  • define the destination as 0.0.0.0/0
  • set the priority to 1100

This will ensure that the allow rule takes priority over the deny-all rule. It will also ensure the deny-all rule takes precedence over the implied allow-all egress rule.

The first rule will allow egress traffic to your load balancer IP only, while the deny-all rule will block all other egress traffic. If you only want to restrict traffic internal to your VPC, replace 0.0.0.0/0 with the internal IP range you use for the VPC (default is 10.0.0.0/17).
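The same two rules as a gcloud script, added here as a worked example; it is not part of the original answer. Because gcloud firewall rules target VMs by network tag or service account rather than by instance name, the script attaches a tag to the VM and targets that tag. The network name `default`, the tag `ilb-only`, the VM name `app-vm`, the zone `us-central1-a` and the ILB address `10.0.1.10` are assumed placeholders; substitute your own. Setting `GCLOUD=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original answer. Creates the allow-to-ILB and
# deny-all egress rules with gcloud. Assumed placeholders: network "default",
# tag "ilb-only", VM "app-vm", zone "us-central1-a", ILB IP 10.0.1.10.
# Usage: sh egress-ilb-only.sh app-vm us-central1-a 10.0.1.10
set -eu

# Normalise a bare IP to a /32 so the allow rule matches exactly one host;
# a value that already carries a prefix (e.g. a VPC range) is passed through.
ilb_dest_range() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Lower number wins: the allow rule must sit below the deny rule, and the deny
# rule must sit below the implied allow-all egress rule, which is at 65535.
check_priorities() {
  if [ "$1" -lt "$2" ] && [ "$2" -lt 65535 ]; then return 0; fi
  return 1
}

# Create one egress rule covering all protocols and ports, as the answer says.
# Args: name, ALLOW|DENY, destination CIDR, priority, network, target tag.
egress_rule() {
  "${GCLOUD:-gcloud}" compute firewall-rules create "$1" \
    --network="$5" \
    --direction=EGRESS \
    --action="$2" \
    --rules=all \
    --destination-ranges="$3" \
    --target-tags="$6" \
    --priority="$4"
}

# Args: network, target tag, ILB IP, [allow priority=900], [deny priority=1100]
create_egress_rules() {
  net=$1; tag=$2; ilb=$3; allow_prio=${4:-900}; deny_prio=${5:-1100}
  check_priorities "$allow_prio" "$deny_prio" || {
    echo "priority order wrong: allow=$allow_prio must be < deny=$deny_prio < 65535" >&2
    return 1
  }
  egress_rule allow-egress-to-ilb ALLOW "$(ilb_dest_range "$ilb")" "$allow_prio" "$net" "$tag"
  # Replace 0.0.0.0/0 with your VPC range if you only want to cut off VPC-internal traffic.
  egress_rule deny-all-egress DENY 0.0.0.0/0 "$deny_prio" "$net" "$tag"
}

# Args: VM name, zone, ILB IP
main() {
  vm=$1; zone=$2; ilb=$3
  # Tag only this VM so the rules apply to it and nothing else in the network.
  "${GCLOUD:-gcloud}" compute instances add-tags "$vm" --zone="$zone" --tags=ilb-only
  create_egress_rules default ilb-only "$ilb"
  # Verify: both rules should list, allow first (priority 900, then 1100).
  # Note that traffic to the metadata server 169.254.169.254 (which also serves
  # internal DNS) is always permitted by GCE and is not affected by the deny rule.
  "${GCLOUD:-gcloud}" compute firewall-rules list \
    --filter="direction=EGRESS AND targetTags:ilb-only" \
    --sort-by=priority \
    --format="table(name,priority,direction,destinationRanges.list())"
}

# Run only when invoked with arguments, so the functions can be sourced or tested.
[ "$#" -eq 0 ] || main "$@"
```

Dry-run it first with `GCLOUD=echo sh egress-ilb-only.sh app-vm us-central1-a 10.0.1.10` and check that the allow rule carries `--destination-ranges=10.0.1.10/32 --priority=900` and the deny rule `--destination-ranges=0.0.0.0/0 --priority=1100` before letting it call the real gcloud.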