Score:0

firewall allow ingress rule for internal IP (NLB), exclude external IP?

I generally use private IP only instances, fronted by an external NLB. This setup makes use of Cloud NAT for any instance egress.

For one application, I ran into this GCP documentation: "If a VM needs to rapidly open and close TCP connections to the same destination IP address and destination port by using the same protocol, you should assign an external IP address to the VM and use firewall rules to limit unsolicited ingress connections instead of using Cloud NAT."

So, I want my firewall allow ingress rule to apply only to the private IP (via NLB), and keep the [recommended] external IP locked for ingress. Or, perhaps an ingress deny rule for just the external IP.

I don't see how to accomplish this, though I would suspect others have this same issue.

Thanks.

John Hanley:
If you do not create a VPC firewall rule (or use a network tag), then by default ingress is **denied**. What is the problem that you are trying to solve? Show the exact configuration, the firewall rules, and the problem.
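The setup in the question, written out as gcloud commands. This is an added example, not code from the original post or from GCP; the VPC name "app-vpc", the network tag "app-backend" and port 443 are assumptions, and the health-check source ranges are the ones GCP documents for external passthrough Network Load Balancers (verify them against the current docs before applying). The point it makes concrete is the one behind the question: VPC firewall rules select VMs by target tag or service account, not by address, so an ingress allow rule covers the tagged VM's interface regardless of whether a packet arrived through the NLB's forwarding-rule IP or, if one is attached, the VM's own external IP. The current VPC firewall documentation on destination ranges for ingress rules is the place to check whether a rule can be narrowed by destination address.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: VPC "app-vpc",
# network tag "app-backend" on the private-IP backends, application port 443.
# Set DRY_RUN=0 to actually call gcloud; by default the commands are printed.
set -eu

NETWORK="${NETWORK:-app-vpc}"
TAG="${TAG:-app-backend}"
APP_PORT="${APP_PORT:-443}"
DRY_RUN="${DRY_RUN:-1}"

# Source ranges Google documents for external passthrough NLB health checks.
# Verify against the current GCP docs before applying.
HC_RANGES="35.191.0.0/16,209.85.152.0/22,209.85.204.0/22"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Health checks must reach the backends or the NLB marks them unhealthy.
# Target tags select VMs, not addresses: the rule applies to the tagged VM's
# interface whether the packet came via the NLB, the private IP, or (if one
# is attached) the VM's own external IP.
allow_health_checks() {
  run gcloud compute firewall-rules create "allow-nlb-hc-${TAG}" \
    --network="$NETWORK" \
    --direction=INGRESS \
    --action=ALLOW \
    --rules="tcp:${APP_PORT}" \
    --source-ranges="$HC_RANGES" \
    --target-tags="$TAG"
}

# Client traffic forwarded by a passthrough NLB keeps its original source IP,
# so the rule must admit the public Internet on the application port.
allow_client_traffic() {
  run gcloud compute firewall-rules create "allow-app-${TAG}" \
    --network="$NETWORK" \
    --direction=INGRESS \
    --action=ALLOW \
    --rules="tcp:${APP_PORT}" \
    --source-ranges=0.0.0.0/0 \
    --target-tags="$TAG"
}

# After applying, list the rules that actually take effect on a VM interface,
# which is the quickest way to confirm nothing else opens the external IP.
show_effective_rules() {
  instance="$1"; zone="$2"
  run gcloud compute instances network-interfaces get-effective-firewalls \
    "$instance" --zone="$zone"
}

allow_health_checks
allow_client_traffic
```

Run with `DRY_RUN=0` to apply, then `show_effective_rules <instance> <zone>` to review what reaches the interface; anything beyond these two allow rules and the implied deny-all-ingress rule is what would expose an attached external IP.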