Reputation: 2000
Currently: this is my GCP setup.
2 VMs (1 in US zone, 1 in EU zone) with nodejs server on it
1 VM (in same zone as redis) with haproxy on it
1 redis cloud memorystore (in same zone as previous VM)
Because you can only connect to a redis server (in GCP) through a VM that's in the same region as the redis server, I use a VM (in the same region as the redis server) as a reverse proxy. This works! I can connect with VMs/nodejs in other regions to the redis server.
The problem is: everybody can now connect (through the public IP address of the reverse proxy VM) to the redis server, and that's not what I want. I only want the VMs to be able to connect.
Note: I use VM groups, and those are dynamic. When the load is heavy, new VMs (with new public IPs) are created, so I cannot add the public IPs to a firewall rule, because they change (a lot). Is there a possibility to create a firewall rule (or something else) that only accepts IP addresses from GCP VMs, so that ONLY VMs from GCP (my VMs) can connect to the reverse proxy?
Thanks in advance.
EDIT
If I add tags to the VMs, and only allow the VMs with these tags in a firewall rule, could that be an option?
Upvotes: 0
Views: 209
Reputation: 6290
Sure, you can add special tags to identify your reverse proxy (with tag reverse_proxy for example) and your client VMs (with tag client_vm for example).
Then you can add a firewall rule which allows inbound traffic, with source tags: client_vm, and target tags: reverse_proxy, for example for the tcp:ssh port.
If there isn't any other firewall rule on SSH with IP source 0.0.0.0/0, your VMs won't be accessible from a public IP.
Upvotes: 2
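As an added example that is not from the original answer, here is the tag-based rule the answer describes written as a Terraform configuration, with the tags attached to the instance template so that autoscaled VMs inherit them; the VPC name default, the Redis port 6379 on the proxy, and the e2-small template are assumptions not stated in the thread.

```hcl
# Added example (not from the original post). Assumptions: VPC "default",
# HAProxy listening on tcp/6379 on the proxy VM, client VMs created from
# an instance template used by the managed instance group.

# Allow inbound traffic to the proxy ONLY from instances tagged client_vm.
# Source tags match instances in the same VPC network by their internal
# IP, so the rule keeps working as the instance group scales and new
# public IPs appear; have the clients use the proxy's internal IP.
resource "google_compute_firewall" "redis_proxy_from_client_vms" {
  name      = "allow-redis-proxy-from-client-vms"
  network   = "default"          # assumed VPC name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["6379"]          # assumed: port HAProxy listens on
  }

  source_tags = ["client_vm"]    # who may connect
  target_tags = ["reverse_proxy"] # which VM the rule applies to
}

# Do NOT add a rule like this for the proxy port: a 0.0.0.0/0 source
# range is what exposes the proxy (and therefore Redis) to everyone.
# With no such rule, GCP's implied ingress-deny blocks the port.
#
# resource "google_compute_firewall" "redis_proxy_open_to_world" {
#   source_ranges = ["0.0.0.0/0"]   # weak setting, omit
#   ...
# }

# The client tag lives on the instance template, so every VM the managed
# instance group creates under load carries it automatically.
resource "google_compute_instance_template" "nodejs_client" {
  name_prefix  = "nodejs-"
  machine_type = "e2-small"      # assumed size
  tags         = ["client_vm"]

  disk {
    source_image = "debian-cloud/debian-11"
  }

  network_interface {
    network = "default"
  }
}
```

The proxy VM itself needs the reverse_proxy tag on its instance (or its own template) for the target_tags match to apply.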