Close access to instances behind Load Balancer

Created an instance group with 2 instances behind the Load Balancer. Configured a forwarding rule and a firewall rule to open port 80.

It is possible to access each instance by the Load Balancer’s IP as well as by its own.

How do I close access to the instance by its own external IP, so that only access from the Load Balancer is left?

Yes, that is the whole point of a Load Balancer. To close access to the instance’s external IP address, you can either restrict the access using a firewall rule, or just disable it.

That problem has been addressed in this Stack Overflow question.


Hi zaphod001;

Are the instance groups VMs or a GKE cluster? Is there a VPN between components of the instance?

A good starting point is to patch external IP address access with a firewall rule: create a firewall rule to DENY access to the external IP address of the instance:

1. Go to VPC > Firewall console tab
2. Create & name a new firewall
3. Leave the VPC network as DEFAULT
4. Source filter set to IP ranges
5. Source IP: the external IP address of the instance
6. DENY Protocol TCP Port 80

This firewall rule should allow traffic on other internal IP addresses used by the load balancer. After deploying, paste the external IP address into your web browser to check the firewall rule.

I am a rank beginner in GCP, so carefully check my answer before deploying.

Good luck clouding, pfrankwicz.

@zaphod001 I’d say that your design needs to be amended a bit.

There are two options here: the first is basically what @pfrankwicz mentioned, and the second one is a bit more on the safe side of things.

I’d say go and edit both your VMs / instances and remove the ephemeral public IPs. The LB will still be able to forward requests to these. Even if you don’t have a VPN-like solution in place, you’d still be able to SSH into these using the gcloud CLI by calling them through their names.

Example (with or without ephemeral public IP):

gcloud compute ssh [instance name]

Just make sure you have the following:

Using this method you’re basically protecting your instances from external “eyes” from a security standpoint, and you’ll also be able to access them from your machine without a VPN-like solution.

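Both answers above turned into gcloud commands, as an added example that is not part of the thread and not from any of its posters. It assumes a proxied HTTP(S) load balancer, whose front ends and health checkers connect to backends from Google’s 130.211.0.0/22 and 35.191.0.0/16 ranges (a passthrough network load balancer preserves the client’s IP, so the source-range rule below would not apply there). The instance names web-1 and web-2, the network tag web, the zone, the network name and the name of the original open-to-the-world rule (allow-http-all) are all assumptions. Set GCLOUD=echo to see the commands without running them.

```shell
#!/bin/sh
# Added example: restrict instances behind a GCP HTTP(S) load balancer to
# load-balancer traffic only. Instance names, tag, zone, network and the
# rule name allow-http-all are assumptions, not values from the thread.
# Set GCLOUD=echo for a dry run that only prints the commands.

GCLOUD="${GCLOUD:-gcloud}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-default}"

# Source ranges of Google front-end proxies and health checkers for HTTP(S) LBs.
LB_SOURCE_RANGES="130.211.0.0/22,35.191.0.0/16"
# Source range of Identity-Aware Proxy TCP forwarding (SSH without an external IP).
IAP_SOURCE_RANGE="35.235.240.0/20"

# Option 1 (firewall): allow tcp:80 only from the load balancer's ranges and
# then delete the broad rule that currently exposes port 80 to 0.0.0.0/0.
restrict_http_to_lb() {
  target_tag="$1"
  "$GCLOUD" compute firewall-rules create allow-http-from-lb-only \
    --network "$NETWORK" --direction INGRESS --action ALLOW \
    --rules tcp:80 --source-ranges "$LB_SOURCE_RANGES" \
    --target-tags "$target_tag" --priority 900 &&
  "$GCLOUD" compute firewall-rules delete allow-http-all --quiet
}

# Option 2 (no external IP): drop the ephemeral external address from nic0.
# The backend service reaches the VM over its internal IP, so the LB keeps working.
remove_external_ip() {
  instance="$1"
  "$GCLOUD" compute instances delete-access-config "$instance" \
    --zone "$ZONE" --network-interface nic0 --access-config-name external-nat
}

# With no external IP, let IAP reach port 22 so gcloud compute ssh still works.
allow_iap_ssh() {
  target_tag="$1"
  "$GCLOUD" compute firewall-rules create allow-ssh-from-iap \
    --network "$NETWORK" --direction INGRESS --action ALLOW \
    --rules tcp:22 --source-ranges "$IAP_SOURCE_RANGE" --target-tags "$target_tag"
}

# SSH by instance name through the IAP tunnel (no VPN, no public IP needed).
ssh_via_iap() {
  "$GCLOUD" compute ssh "$1" --zone "$ZONE" --tunnel-through-iap
}

# Check: a direct request to a remaining external IP ($1) should now fail,
# while the load balancer's frontend IP ($2) still answers.
check_direct_access() {
  if curl -s -m 5 -o /dev/null "http://$1/"; then
    echo "WARNING: direct access to $1 is still open"
  else
    echo "direct access to $1 is blocked"
  fi
  curl -s -m 5 -o /dev/null -w "LB frontend %{http_code}\n" "http://$2/"
}

# Apply both options when invoked as: sh lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
  for vm in web-1 web-2; do remove_external_ip "$vm"; done
  allow_iap_ssh web
  restrict_http_to_lb web
fi
```

If the instance group is a managed instance group, remove the external IP in the instance template rather than on the individual VMs, because the group recreates VMs from the template and would give them an external address again. Option 1 on its own leaves the external IP allocated but unreachable on port 80; other ports are still governed by whatever rules remain, so review them too.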