RamPrakash

Reputation: 3312

GCP - No tags for Global Load Balancer

In my GCP account, I have created a custom VPC and 1 Subnet. I am running 3 instances in the subnet.

How can I update the firewall rules so that ONLY requests from the global load balancer are allowed? Interestingly, the GCP load balancer does not seem to support tags, so I do not see an option to create a firewall rule.


In AWS, load balancers can have Security Groups attached (say SG1). This enables us to update other Security Groups (say SG2) attached to the VMs to allow traffic from SG1.

Upvotes: 0

Views: 537

Answers (1)

James S

Reputation: 1314

Per @John Hanley's advice, you may create a VPC firewall rule allowing traffic from Google's Front End (35.191.0.0/16 and 130.211.0.0/22) that is connected to the backend. But this may not be necessary since your instances do not have public IPs. At the moment, it is only possible to set labels on the Load Balancer's forwarding rule, but this is still in its beta phase.

Example:

gcloud compute forwarding-rules update my-ilb --update-labels=key=value

A feature request for Network Tags in Load Balancers has been raised. Please refer to this link and hit the star icon from the upper left and the +1 button on the upper right hand side of the page so you can follow the developments of this feature request. Please feel free to edit this post if you'd like to add more information.

Upvotes: 2
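
An added example, not part of the answer above: a check over an export from `gcloud compute firewall-rules list --format=json` that reports enabled ingress allow rules reaching a backend tag from anywhere outside the two ranges quoted in the answer. The rule names, the `web-backend` tag and the sample JSON are constructed for illustration.

```python
import ipaddress
import json

# Source ranges quoted in the answer above.
LB_RANGES = [ipaddress.ip_network(c) for c in ("35.191.0.0/16", "130.211.0.0/22")]

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`;
# rule names and tags are made up for this example.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-lb-to-web", "direction": "INGRESS", "disabled": false, "targetTags": ["web-backend"],
  "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "allow-http-any", "direction": "INGRESS", "disabled": false, "targetTags": ["web-backend"],
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "allow-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.0.0.0/24"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "old-open-rule", "direction": "INGRESS", "disabled": true, "targetTags": ["web-backend"],
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "allow-ssh-admin", "direction": "INGRESS", "disabled": false, "targetTags": ["bastion"],
  "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

def within_lb_ranges(cidr):
    """True if the CIDR lies entirely inside one of the load balancer ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == lb.version and net.subnet_of(lb) for lb in LB_RANGES)

def applies_to(rule, tag):
    # A rule with no target tags and no target service accounts applies to
    # every instance in the network, so it reaches the backends too.
    # Rules targeted by service account are skipped: tags cannot resolve them.
    if "targetTags" in rule:
        return tag in rule["targetTags"]
    return "targetServiceAccounts" not in rule

def non_lb_ingress(rules, backend_tag):
    """Return (rule name, offending sources) for rules that admit non-LB traffic."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled") or not rule.get("allowed"):
            continue
        if not applies_to(rule, backend_tag):
            continue
        extra = [c for c in rule.get("sourceRanges", []) if not within_lb_ranges(c)]
        extra += ["tag:" + t for t in rule.get("sourceTags", [])]  # tag sources are never the LB
        if extra:
            findings.append((rule["name"], extra))
    return findings

if __name__ == "__main__":
    print(non_lb_ingress(SAMPLE_RULES, "web-backend"))
```

A finding is a prompt to review, not necessarily a fault: an internal or admin range may be intentional, but it means the load balancer is not the only path to the instances.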
