Thomas Ruble

Reputation: 952

Can peered VPCs use firewall rules that reference tags and service accounts?

I have 2 VPCs peered together, aaa and bbb.

In aaa I have a VM host-aaa with a network tag tag-aaa, and in bbb I have a VM host-bbb with a network tag tag-bbb.

Can I create a firewall rule in aaa that allows ingress into host-aaa from host-bbb based on network tags?

That is, a firewall rule like

network: aaa
direction: ingress
action: allow
target-tag: tag-aaa
source-tag: tag-bbb
protocols: allow-all

When I create this rule, I don't observe it working. Same thing if I use service accounts as the target & source filters. host-bbb cannot ping host-aaa. However, when I create a firewall rule that filters the source based on IP address, then it works. If I allow the IP range that host-bbb is in, then it allows ingress into host-aaa.

So, my question is:

Can I use service accounts and/or tags in firewall rules that are for cross-VPC traffic in a peered VPC setup?

Upvotes: 2

Views: 662

Answers (1)

Alex G

Reputation: 1279

Tags and service accounts are not usable across peered networks as per the official documentation.

Upvotes: 3
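To show the difference the question and answer describe in concrete form, here is an added Terraform example (not code from the question, the answer, or Google's documentation): the tag-sourced rule as the asker wrote it, beside the IP-range-sourced form that does match peered traffic. The network names, tag names and the bbb subnet CIDR `10.20.0.0/24` are assumed; the second rule also narrows "allow-all" to ICMP and TCP/22 rather than every protocol.

```hcl
# Added example, not from the original post. Names and the CIDR are assumed.

# 1. Source filtered by network tag. A source tag (or source service account)
#    only identifies VMs inside the rule's own network, aaa. host-bbb lives in
#    the peered network bbb, so this rule never matches its packets.
resource "google_compute_firewall" "aaa_allow_from_tag_bbb" {
  name      = "aaa-allow-from-tag-bbb"
  network   = "aaa"
  direction = "INGRESS"

  allow {
    protocol = "all"
  }

  target_tags = ["tag-aaa"]
  source_tags = ["tag-bbb"] # evaluated only against VMs in network aaa
}

# 2. Source filtered by IP range. Peering forwards packets with their original
#    source address, so the peer subnet's CIDR is what the firewall in aaa sees.
resource "google_compute_firewall" "aaa_allow_from_bbb_subnet" {
  name      = "aaa-allow-from-bbb-subnet"
  network   = "aaa"
  direction = "INGRESS"

  allow {
    protocol = "icmp" # lets the ping from host-bbb through
  }

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  target_tags   = ["tag-aaa"]
  source_ranges = ["10.20.0.0/24"] # assumed CIDR of host-bbb's subnet in bbb
}
```

Keeping the target side on a tag (or service account) is still fine, because the target is always a VM in the rule's own network; only the source filter has to become an address range when the sender is across the peering.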
