VPC firewall rule between load balancer and vms

firewall google-cloud-platform

Solution 1:

You cannot use a VPC firewall to block access to the load balancer. When the load balancer connects to your VM, the VPC firewall sees the load balancer's IP address and not the client's IP address. The client's IP address is stored in the HTTP header X-Forwarded-For and VPC firewalls do not process HTTP headers.

You can restrict traffic at the VM instance to only allow traffic from the load balancer and health checks. However, that will not control traffic from the client to the load balancer. To control client traffic requires adding Cloud Armor to the HTTP(S) Load Balancer.

The backend instances must allow connections from the load balancer GFE/health check ranges. This means that you must create an ingress allow firewall rule for traffic from 130.211.0.0/22 and 35.191.0.0/16 to your backend instances or endpoints. These IP address ranges are used as sources for health check packets and for all load-balanced packets sent to your backends.

Firewall rules allowing load balancer traffic

Related

Debian LXC command not found
What fiber optic network interface card do I need for a WAN connection
Missing APR on apache2 ./configure
Copying SQL Server settings to new server
Can't set X-Forwarded-For to sourceIp in AWS API Gateway
TLS/SSL on http (80) with STARTTLS
Is it possible to append a div inside an SVG element?
Android Studio: Gradle: error: cannot find symbol variable
How to pass a value to razor variable from javascript variable?
How to get "raw" href contents in JavaScript
Perl 5.20 and the fate of smart matching and given-when
Is it possible to type hint more than one type?