
Filtering VM ingress by backend service account of API Gateway

A web service running on a GCP VM is accessible via an HTTPS address on port 443.
An allow firewall rule is enforced for HTTPS traffic on port 443.
An API config with the HTTPS address of the web service is deployed on API Gateway.
A service account is associated with the API config (https://cloud.google.com/api-gateway/docs/configure-dev-env#configuring_a_service_account).

To restrict access to the web service on the VM and allow traffic only through API Gateway, the firewall rule was modified. The backend service account associated with the API config was set as the source filter for the firewall rule (https://cloud.google.com/firewall/docs/firewalls#sources_for_the_rule).

However, after implementing the source filter in the firewall rule, the web service is no longer accessible, either through API Gateway or directly via the HTTPS address. The web service was functioning correctly before the source filter was applied to the firewall rule.

Is this behavior expected, and how can it be resolved to allow API Gateway traffic to the web service running on the GCP VM while denying all other traffic?


Hi @Raibek,

Welcome to Google Cloud Community!

Based on what you’ve described, this scenario appears to be working as intended. It is likely that your firewall rule restriction with the source filter set to the service account means that only traffic originating from the API Gateway is allowed. This restricts all other traffic such as direct access to the web service or the API Gateway itself.

Please make sure that your firewall rule allows traffic from IP ranges used by the API Gateway and not just the service account. I suggest using a more general range (e.g. a specific subnet) or creating a specific rule that permits API Gateway traffic.

Related docs that may help you with this issue:

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Hi, @jamespatrickm !

Thank you so much for your response!

Sorry for the late reply!

I do not understand how to make my firewall rule allow BOTH the source service account AND the 0.0.0.0/0 IPv4 range :(

In the console, I've found only 'OR' option, but not 'AND'.

[Attached image: GCP Firewall rule TCP 443 Source service account.png]
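To make the firewall behaviour discussed in this thread concrete, here is an added Python model (not Google's code, and a deliberate simplification of VPC firewall evaluation) of how a rule's source filters combine: source IP ranges and source service accounts are OR'ed, and a source service account only identifies VMs inside the VPC network, so it never matches a request arriving from API Gateway or from any other client outside the VPC. The service-account name and the IP addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Packet:
    """Ingress packet as seen by the VPC firewall (simplified model)."""
    src_ip: str
    dst_port: int
    # Service account of the sending VM when the packet comes from a VM in the
    # same VPC network; None for anything arriving from outside the VPC
    # (internet clients, and managed services such as API Gateway).
    src_vm_service_account: Optional[str] = None

@dataclass
class IngressAllowRule:
    """Allow rule whose source filters are OR'ed, as in VPC firewall rules."""
    port: int
    source_ranges: List[str] = field(default_factory=list)
    source_service_accounts: List[str] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_port != self.port:
            return False
        in_range = any(ip_address(pkt.src_ip) in ip_network(r)
                       for r in self.source_ranges)
        # None (no VM identity) is never in the list, so it never matches.
        from_sa = pkt.src_vm_service_account in self.source_service_accounts
        return in_range or from_sa

# Constructed sample traffic. The gateway's request reaches the VM's public
# address from Google infrastructure, not from a VM inside the VPC, so it
# carries no VM service-account identity.
GATEWAY_SA = "gateway-sa@example-project.iam.gserviceaccount.com"  # assumed name
gateway_call = Packet("203.0.113.7", 443)        # constructed (TEST-NET-3)
internet_client = Packet("198.51.100.9", 443)    # constructed (TEST-NET-2)
peer_vm = Packet("10.128.0.5", 443, src_vm_service_account=GATEWAY_SA)

def evaluate(rule: IngressAllowRule) -> Dict[str, bool]:
    """Which of the three constructed sources the rule admits on port 443."""
    return {"gateway": rule.matches(gateway_call),
            "internet": rule.matches(internet_client),
            "peer_vm": rule.matches(peer_vm)}

# Rule from the question: source filter = service account only.
SA_ONLY = IngressAllowRule(443, source_service_accounts=[GATEWAY_SA])
# Rule from the follow-up: service account OR 0.0.0.0/0 (the only combination the console offers).
SA_OR_ANY = IngressAllowRule(443, source_ranges=["0.0.0.0/0"],
                             source_service_accounts=[GATEWAY_SA])
```

Because the firewall cannot tell the gateway's requests apart from other internet clients, a rule that admits the gateway by IP range admits everyone else in that range too. Limiting the VM to gateway traffic therefore has to be enforced on the VM itself, by authenticating each request as coming from the gateway.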