
To be more specific, I need help understanding how to create a Google Cloud firewall rule in order to allow a specific environment to be accessed from a specific IP address, and everything else to be accessed from the public internet on the same port.

In my case, I have a GKE cluster, and within it I have many pods which are accessed through specific services, each with its own static public IP address.

One of them is my primary production env, but the others are my staging envs, where I deploy my changes and test them before they go public.

The thing is, when I try to add a firewall rule to match that env and to be accessed through a specific IP (my static IP) on port 443, it doesn't take precedence, even if my priority is lower than the firewall rule which states that everyone (0.0.0.0/0) can access the production env on port 443.

What I changed is the priority to be lower than the default, which is 1000 (my production firewall rule's priority is 1000), but it doesn't work: the env can be accessed publicly.

firewall rule production: Ingress - priority 1000, allowed, tcp:443,80, 0.0.0.0/0

firewall rule env: Ingress - priority 900, allowed, tcp:443,80, x.x.x.x (my public IP)

What am I missing here? Does anyone else have trouble dealing with this? Thanks.
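The following is an added example, not part of the question or answer, that models how GCP VPC firewall rules pick a winner: for a packet, the matching rule with the lowest priority number applies, and with no match the implied ingress rule denies. Evaluating the two rules exactly as listed in the question shows why the env stays public: both rules are allow rules, so whichever wins, the answer is "allow". The HARDENED set is a constructed alternative, assuming the staging nodes carry a network tag "staging" (the tag names, the rule names and the addresses 203.0.113.10 and 198.51.100.7 are all constructed stand-ins); it adds a deny for 0.0.0.0/0 at a priority number between the two allows. Note that VPC firewall rules apply to node VMs, not to individual Services, so if production and staging pods share nodes a node-level deny cannot separate them, which is the limitation the nginx-ingress answer below works around.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ingress VPC firewall rule, reduced to the fields that matter here."""
    name: str
    priority: int            # GCP semantics: a LOWER number is evaluated FIRST
    action: str              # "allow" or "deny"
    ports: frozenset         # TCP ports the rule covers
    sources: tuple           # source CIDR strings
    target_tags: frozenset   # instances the rule applies to; empty = all instances

    def matches(self, src_ip, port, instance_tags):
        if port not in self.ports:
            return False
        if self.target_tags and not (self.target_tags & instance_tags):
            return False
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(cidr) for cidr in self.sources)


def evaluate(rules, src_ip, port, instance_tags):
    """Return (action, rule_name) for one ingress packet.

    The matching rule with the lowest priority number wins; with no match the
    implied ingress rule denies.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, frozenset(instance_tags)):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


PORTS = frozenset({80, 443})
MY_IP = "203.0.113.10"       # constructed stand-in for the question's x.x.x.x
OTHER_IP = "198.51.100.7"    # constructed: anyone else on the internet

# The two rules exactly as the question lists them: both are ALLOW rules.
AS_POSTED = [
    Rule("production", 1000, "allow", PORTS, ("0.0.0.0/0",), frozenset()),
    Rule("env", 900, "allow", PORTS, (MY_IP + "/32",), frozenset()),
]

# Constructed alternative (hypothetical tags "prod" and "staging" on separate
# node pools): a DENY for everyone else, numbered between the two allows.
HARDENED = [
    Rule("production", 1000, "allow", PORTS, ("0.0.0.0/0",), frozenset({"prod"})),
    Rule("env-allow-me", 900, "allow", PORTS, (MY_IP + "/32",), frozenset({"staging"})),
    Rule("env-deny-others", 950, "deny", PORTS, ("0.0.0.0/0",), frozenset({"staging"})),
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        for ip in (MY_IP, OTHER_IP):
            print(label, ip, "-> staging:", evaluate(rules, ip, 443, {"staging"}))
```

Running it prints that with the rules as posted the stranger's packet is allowed by "production" even though "env" has the higher priority, while in the hardened set the stranger hits "env-deny-others" and only the allowlisted address reaches staging.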

1 Answer


I would like to give you another approach to achieve what you want.

You can use nginx-ingress to expose your applications and also restrict access to your services using a whitelist annotation with the IP CIDRs you want.

But, to redirect non-whitelisted IPs to a default service, you should use another annotation named default-backend.

Example:

Suppose you have 2 services: prod-svc and dev-svc. In the ingress example below, you are allowing the IPs in the annotation nginx.ingress.kubernetes.io/whitelist-source-range to access dev-svc. Otherwise, if the connection comes from another IP not listed in the annotation, the request will be redirected to prod-svc.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: "/"
    # 403 (rejected by the whitelist) is handed to the default-backend Service
    nginx.ingress.kubernetes.io/custom-http-errors: '403'
    nginx.ingress.kubernetes.io/default-backend: prod-svc
    # comma-separated CIDRs allowed to reach the backend below
    nginx.ingress.kubernetes.io/whitelist-source-range: YOUR_PUBLIC_IP/32
spec:
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - path: "/"
        backend:
          serviceName: dev-svc
          servicePort: 80

In this way you can have control of your applications and also you gain more flexibility to work with.
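As an added example (not code from the answer or from the nginx-ingress project), the routing decision the two annotations produce, written out so it can be checked against sample client addresses before the Ingress is applied. It parses the whitelist-source-range value the way the controller accepts it (comma-separated CIDRs, a bare address meaning a single host), sends allowlisted clients to the path's backend and, because 403 is listed in custom-http-errors, everyone else to the default-backend Service. The annotation values are constructed (203.0.113.10/32 and 10.0.0.0/8 stand in for YOUR_PUBLIC_IP/32). One check worth doing alongside: the decision is only as good as the client address nginx sees, so confirm the real source IP survives the path through the LoadBalancer Service (externalTrafficPolicy: Cluster can SNAT it to a node address; Local or the proxy protocol preserves it).

```python
import ipaddress

WHITELIST_KEY = "nginx.ingress.kubernetes.io/whitelist-source-range"
ERRORS_KEY = "nginx.ingress.kubernetes.io/custom-http-errors"
DEFAULT_BACKEND_KEY = "nginx.ingress.kubernetes.io/default-backend"

# Constructed annotation set mirroring the answer's Ingress; the CIDRs are
# documentation addresses standing in for YOUR_PUBLIC_IP/32.
ANNOTATIONS = {
    WHITELIST_KEY: "203.0.113.10/32, 10.0.0.0/8",
    ERRORS_KEY: "403",
    DEFAULT_BACKEND_KEY: "prod-svc",
}
PRIMARY_BACKEND = "dev-svc"   # the serviceName under the Ingress path


def parse_source_ranges(value):
    """Turn the comma-separated annotation value into network objects.

    A bare address without a prefix length is accepted and treated as one host.
    """
    networks = []
    for item in value.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def route(client_ip, annotations=ANNOTATIONS, primary=PRIMARY_BACKEND):
    """Decide which Service receives a request, the way the two annotations combine.

    Returns (backend_name, allowlisted). backend_name is None when nginx would
    answer a plain 403 because no default-backend catches that code.
    """
    ip = ipaddress.ip_address(client_ip)
    allowed = parse_source_ranges(annotations.get(WHITELIST_KEY, ""))
    # No whitelist annotation at all means no restriction on this path.
    if not allowed or any(ip in net for net in allowed):
        return primary, True
    # Source not allowlisted: nginx raises 403. custom-http-errors hands the
    # listed codes to the default-backend Service, so the client lands on it.
    error_codes = {
        int(code) for code in annotations.get(ERRORS_KEY, "").split(",") if code.strip()
    }
    fallback = annotations.get(DEFAULT_BACKEND_KEY)
    if 403 in error_codes and fallback:
        return fallback, False
    return None, False


if __name__ == "__main__":
    for client in ("203.0.113.10", "10.1.2.3", "198.51.100.7"):
        print(client, "->", route(client))
```

Dropping the default-backend annotation (or leaving 403 out of custom-http-errors) is the configuration in which outsiders get a bare 403 instead of being served prod-svc; route() returns None for that case so the difference is visible in the output.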