Cannot understand the section related to creating tags or service accounts.

What is the significance of this section “Create and configure secure tags or service accounts” in the Set up authorization policy page of load balancers:

https://cloud.google.com/load-balancing/docs/auth-policy/set-up-auth-policy-app-lb#create_and_configure_secure_tags_or_service_accounts

This section seems disjointed and does not seem to have any connective tissue to the section that follows.

We are binding a tag to the instance group template. How does that help in creating an authorization policy that is specified in the next section of the doc?

Also, the doc says:

With internal Application Load Balancers, you can optionally apply authorization policies based on the secure tags and service accounts attached to the client VMs.

What does this mean exactly? Authorization policies are attached to the forwarding rule. So why do we need to optionally apply authorization policies based on the secure tags and service accounts attached to the client VMs.


Hi,

Some great questions there.

An authorization policy defines rules specifying the source of incoming traffic and the operations permitted or restricted for that source. The question then is how do you identify a ‘source’ in this context.

If we look at the API: https://cloud.google.com/load-balancing/docs/reference/network-security/rest/v1beta1/projects.locations.authzPolicies#RequestSource

You can see we have two options: ‘principals’, which looks at the client identity from their certificate, and ‘resources’, where we can apply a policy to allow or deny based on the Google Cloud resource. If you look at that object:

https://cloud.google.com/load-balancing/docs/reference/network-security/rest/v1beta1/projects.locations.authzPolicies#RequestResource

You can see we can set a policy that looks at source service accounts or secure tag values, i.e. you can allow/deny access based on the service account or the tag values attached to the client VM that is accessing the load balancer endpoint. So the documentation here is guiding you through an example of setting up such a configuration. This would allow you to set a policy, for example, that only allowed VMs with a specific secure tag and value assigned to access the load balanced service.

Hope that helps,

Alex

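To make the explanation above concrete, here is an added example of what such an authorization policy looks like when written out as a resource for the `authzPolicies` API that Alex links to. It is not part of the original thread or of Google's documentation, and every project, region, tag value and service account name in it is a placeholder that would need to be replaced; the field names (`target`, `httpRules`, `from.sources`, `resources`, `tagValueIdSet`, `iamServiceAccount`) are taken from the RequestSource / RequestResource reference linked in the reply, so check them against that reference for the API version you are using.

```yaml
# Added example: an ALLOW policy that only admits client VMs carrying a
# specific secure tag value OR running as a specific service account.
# All names below are placeholders; this is not production configuration.
name: projects/PROJECT_ID/locations/REGION/authzPolicies/allow-tagged-clients
description: >
  Allow only clients identified by secure tag or service account to reach
  the internal Application Load Balancer's forwarding rule.

# The policy is attached to the load balancer via its forwarding rule,
# which answers "where does the policy live" in the question above.
target:
  loadBalancingScheme: INTERNAL_MANAGED
  resources:
  - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/forwardingRules/FORWARDING_RULE_NAME

action: ALLOW

# Each rule's "from" block identifies the *source* of the request.
# Here the source is identified by the Google Cloud resource that sent it
# (the client VM), not by a client certificate principal.
httpRules:
- from:
    sources:
    - resources:
      # Match client VMs that have this secure tag value bound to them.
      # This is why the docs bind a tag to the instance template: the tag
      # is what this rule keys on.
      - tagValueIdSet:
          ids:
          - "TAG_VALUE_ID"
      # Alternatively (same rule, OR semantics within the list), match
      # client VMs running as this service account.
      - iamServiceAccount: "client-sa@PROJECT_ID.iam.gserviceaccount.com"
  to:
    operations:
    # Restrict the allowed operation to read-only access on the API path.
    - paths:
      - prefix: "/api/"
      methods:
      - GET
```

Because the action is `ALLOW`, any client VM that carries neither the tag value nor the service account is denied at the load balancer before reaching the backends, which is the "only VMs with a specific secure tag and value" outcome Alex describes. Flipping `action` to `DENY` and keeping the same `from` block gives the opposite policy: block exactly those clients and admit everything else, so the direction of the list is worth double-checking before applying it.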

@alexmoore this is brilliant. Thank you very much for breaking it down!
