I want to have the following setup on Google Compute Engine.

  • HTTPS load balancing which terminates HTTPS
  • Backend services are plain HTTP
  • Backend services are not visible to internet

My understanding is the following.

  • Load balancing is a service outside compute engine networks
  • The firewall needs to be opened so that the load balancer can forward requests to the backend service instances.

Basically I want a setup where HTTP traffic is only allowed from load balancer and internet traffic is blocked. Does this make sense and is it possible?

Disclaimer: I know that having HTTPS all the way is a better option for security.

  • You can remove the public IP from your instances which are behind the load balancer; that will make your instances inaccessible from the internet and your load balancer will still be able to send the traffic to your instances. One thing to keep in mind is that if you remove the public IP from the instance you will have to use another instance with a public IP to ssh to this instance. The steps to do that are documented here (cloud.google.com/compute/docs/instances/#sshbetweeninstances)

Yes, you can achieve that by using firewall rules.

I am assuming you currently have rules like default-allow-http and default-allow-https enabled.

Create another firewall rule, name it default-allow-http-from-lb, set up a source filter for the IP range 130.211.0.0/22, and use the target tag http-server-behind-lb.

Then edit your compute instance and remove the tags http-server and https-server. Add the http-server-behind-lb tag and save the changes. After a few seconds, your server is no longer reachable on its ephemeral IP via HTTP but can still be reached via the load balancer.

Source: https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/

  • This approach will work. Traffic coming from the load balancer to the backend services has the IP range 130.211.0.0/22. For additional security you can also remove the external IPs from the VMs, but removing the default tags should be enough if you are using the default firewall rules.
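The answer's procedure is easy to get half right: if the instance keeps its old http-server tag, default-allow-http still opens port 80 to 0.0.0.0/0 and the new rule adds nothing. The following added example (not code from the question or answer) audits a firewall-rule set for the intended posture, namely that TCP/80 on an instance with a given tag set is reachable only from the load balancer's source range the answer names. It runs offline on a constructed list of rules shaped like the Compute API firewall resource (the fields `gcloud compute firewall-rules list --format=json` prints); the rule names, tags and instance name are the ones used in the thread, and the gcloud commands it emits are an assumption about how the answer's console steps translate to the CLI.

```python
"""Audit GCE firewall rules for 'HTTP only from the HTTPS load balancer'.

Added example, not the page's own code. Works offline on constructed rules
shaped like the Compute API firewall resource.
"""
import ipaddress

LB_RANGE = ipaddress.ip_network("130.211.0.0/22")  # LB source range given in the answer
LB_TAG = "http-server-behind-lb"                    # target tag the answer introduces
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the two default rules plus the rule the answer creates.
CONSTRUCTED_RULES = [
    {"name": "default-allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["http-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["https-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "default-allow-http-from-lb", "direction": "INGRESS", "sourceRanges": [str(LB_RANGE)],
     "targetTags": [LB_TAG], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
]


def _within(net, container):
    """subnet_of() raises on mixed address families, so check the version first."""
    return net.version == container.version and net.subnet_of(container)


def rule_allows_tcp_port(rule, port):
    """True if any 'allowed' entry covers TCP `port`; an entry with no ports means all ports."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports") or []
        if not ports:
            return True
        for spec in ports:                      # "80" or "8000-8080"
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def rule_applies_to(rule, instance_tags):
    """A rule without targetTags applies to every instance in the network."""
    tags = rule.get("targetTags")
    return not tags or bool(set(tags) & set(instance_tags))


def classify_sources(rule):
    """Split sourceRanges into those inside the LB range and those reachable from the internet
    (anything that is neither inside the LB range nor an RFC 1918 block)."""
    from_lb, from_internet = [], []
    for src in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(src, strict=False)
        if _within(net, LB_RANGE):
            from_lb.append(src)
        elif not any(_within(net, p) for p in PRIVATE_RANGES):
            from_internet.append(src)
    return from_lb, from_internet


def audit(rules, instance_tags, port=80):
    """Report which enabled ingress rules expose `port` on an instance carrying `instance_tags`
    to the internet, and which rules give the load balancer (and only it) a path to that port."""
    exposed, lb_only = [], []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not (rule_allows_tcp_port(rule, port) and rule_applies_to(rule, instance_tags)):
            continue
        from_lb, from_internet = classify_sources(rule)
        if from_internet:
            exposed.append(rule["name"])
        elif from_lb:
            lb_only.append(rule["name"])
    return {"exposed_by": exposed, "lb_only_via": lb_only, "ok": not exposed and bool(lb_only)}


def gcloud_commands(instance, zone):
    """The answer's three steps as gcloud invocations (assumed CLI equivalent of the console steps)."""
    return [
        "gcloud compute firewall-rules create default-allow-http-from-lb "
        f"--direction=INGRESS --allow=tcp:80 --source-ranges={LB_RANGE} --target-tags={LB_TAG}",
        f"gcloud compute instances remove-tags {instance} --zone={zone} --tags=http-server,https-server",
        f"gcloud compute instances add-tags {instance} --zone={zone} --tags={LB_TAG}",
    ]


if __name__ == "__main__":
    for label, tags in [("before", ["http-server", "https-server"]),
                        ("tags not removed", ["http-server", LB_TAG]),
                        ("after", [LB_TAG])]:
        print(f"{label:>16}: {audit(CONSTRUCTED_RULES, tags)}")
    print("\n".join(gcloud_commands("backend-1", "us-central1-a")))  # backend-1 is a placeholder
```

The "tags not removed" case is the one worth running against a real project: `audit()` reports the instance as still exposed through default-allow-http even though the LB rule is present, which is exactly the state the answer's "remove the tags http-server and https-server" step prevents. Pointing the function at the JSON from `gcloud compute firewall-rules list --format=json` and the tags of each backend instance turns the answer into a repeatable check rather than a one-time console edit.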

This article is reproduced from Stack Exchange / Stack Overflow.