Accept network traffic in one Instance from other Instances in a managed instance group in Google Cloud

I am stuck with this. I have a Managed Instance Group (MIG) hosting a single application (autoscaled) and I have another single instance which hosts the Database. I am trying to set a firewall rule that allows Database connections only from the MIG.

First, I created an ingress Firewall Rule that allows Database Traffic to the Database Instance on port 5432 with a specified Target Tag of allow-db-connections. I placed the tag into the Instance settings and it is able to receive database connections from that port. I am now trying to figure out what to put in the Source Filter so that it only accepts connections from instances in the MIG.

I would appreciate any ideas. Thank you!


Solution 1:

STEP 1:

VPC networks have a default rule default-allow-internal. This allows all traffic within a VPC. Click on that rule, scroll to the bottom and see which instances it applies to. That rule has a target of All instances in the network. Either disable or modify the rule.

STEP 2:

  1. Assign a tag to the VM instance template. For example, DBClient.
  2. Assign a tag to the database server. For example, DBServer.
  3. Create a firewall rule with the name allow-db-connections.
  4. Specify the Targets to be Specified target tags.
  5. Specify the target tags with the value DBServer.
  6. Specify the Source filter to be Source tags.
  7. Specify the Source tags with the value DBClient.
  8. Specify the other fields as you require.

This VPC rule will only allow traffic from the VM instances tagged DBClient to the VM instance tagged DBServer.
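The same tag-based setup expressed as Terraform, as an added example that is not part of the original question or answer. Resource names, the `default` network, the machine types and images, and the lowercase tag values `db-client` / `db-server` are assumptions (network tags must be lowercase letters, digits and hyphens, so the `DBClient` / `DBServer` spellings above are written here in lowercase). The explicit deny rule is an addition beyond the steps above: it sits at a lower priority number than `default-allow-internal` (priority 65534), so port 5432 stays closed to other internal instances whether or not that default rule is later removed.

```hcl
# Added example, not from the original post. Assumes a single VPC named "default"
# shared by the MIG and the database VM; adjust names and images as needed.
variable "network" {
  default = "default"
}

# Instance template for the MIG: every VM created from it carries the
# db-client network tag, which the firewall rule below uses as its source.
resource "google_compute_instance_template" "app" {
  name_prefix  = "app-"
  machine_type = "e2-small"
  tags         = ["db-client"]

  disk {
    source_image = "debian-cloud/debian-12"
    boot         = true
  }

  network_interface {
    network = var.network
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Database VM: tagged db-server so the rules target only this instance.
resource "google_compute_instance" "db" {
  name         = "db-server"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  tags         = ["db-server"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = var.network
  }
}

# Steps 3-8 of the answer: allow tcp/5432 to db-server only from db-client.
resource "google_compute_firewall" "allow_db_connections" {
  name      = "allow-db-connections"
  network   = var.network
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  source_tags = ["db-client"]
  target_tags = ["db-server"]
}

# Step 1 of the answer, made explicit: deny tcp/5432 to db-server from every
# other source. Priority 1100 loses to the allow above (1000) but beats the
# default-allow-internal rule (65534), so the database port is closed to the
# rest of the VPC even if that default rule is left in place.
resource "google_compute_firewall" "deny_db_connections_other" {
  name      = "deny-db-connections-other"
  network   = var.network
  direction = "INGRESS"
  priority  = 1100

  deny {
    protocol = "tcp"
    ports    = ["5432"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["db-server"]
}
```

Two caveats worth keeping in mind with this design: source tags only match instances in the same VPC network, and a network tag can be added to any instance by anyone with permission to edit that instance, so an application that should not reach the database can acquire access simply by being tagged. If that matters, the `google_compute_firewall` resource also accepts `source_service_accounts` and `target_service_accounts`, which tie the rule to the identity the MIG's instances run as rather than to a label.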