I have a few services deployed in one App Engine flexible environment project. The service instances are running in the same VPC network (not default) which is specified in their app.yaml
files and assigned IP addresses from the same subnetwork. By default both services are accessible from outside and I want to configure firewall rules to leave only the default service allowed for incoming traffic.
So as the first step I'm configuring a rule to deny all ingress for all instances in this VPC, with the idea of creating another rule with a higher priority to allow traffic to only one instance which is running the default service.
The problem is that when I create a firewall rule with priority 1001 to block all incoming traffic my default service still get requests. But if I specify the priority 1000 or bellow then the traffic is blocked and I get 502 Server Error.
The question is of course WHY? The VPC documentation states that there are only two default firewall rules used for all manually created VPC networks:
- A default "allow egress" rule.
Allows all egress connections. Rule has a priority of 65535.- A default "deny ingress" rule.
Deny all ingress connection. Rule has a priority of 65535
Then how come that my 1001 priority rule fails to block the ingress and the exactly the same rule with priority 1000 (or below) works as expected? Are there any other default firewall rules for Flex instances or am I missing something else here?
2147483647
. How those firewalls play together then? My main question to put it simply is why deny-all-ingress rule with priority 1001 doesn't block incoming http for AE Flex instances, but the same rule with priority 1000 and below does. This behaviour is undocumented and looks very strange. – All