Can you attach a firewall rule to an instance template

Question

Let's say I have the following instance template:

resource "google_compute_instance_template" "label_studio_template" {
  name         = "label-studio-template"
  machine_type = "e2-micro"  # Free tier instance
  tags         = ["label-studio-server-template"]
  
  disk {
    auto_delete = false
    source_image = "debian-11-bullseye-v20230509"
  }

  network_interface {
    network = "default"
    access_config {
      // Public IP
      nat_ip = google_compute_address.standard.address
      network_tier = "STANDARD"
    }
  }
  metadata = {
    label_studio_username   = var.label_studio_username
    label_studio_password   = var.label_studio_password
    label_studio_user_token = var.label_studio_user_token
  }
  metadata_startup_script = file("${path.module}/compute_metadata.sh")
}

Is it possible to use the tags here to attach firewall policies to all instances that are created from the template?

Answer 1

Score: 2


As per the documentation:

>Every firewall rule in Google Cloud must have a target which defines the instances to which it applies. The default target is all instances in the network, but you can specify instances as targets using either target tags or target service accounts.
>
>The target tag defines the Google Cloud VMs to which the rule applies. The rule is applied to a specific VPC network. It is made applicable to the primary internal IP address associated with the network interface of any instance attached to that VPC network that has a matching network tag.
>
>Both ingress and egress firewall rules have targets:
>
>Ingress rules apply to traffic entering your VPC network. For ingress rules, the targets are destination VMs in Google Cloud.
>
>Egress rules apply to traffic leaving your VPC network. For egress rules, the targets are source VMs in Google Cloud.
>
Consider an ingress firewall rule that allows traffic on TCP port 80 from any source. The rule has a target tag of http-server. This rule would apply only to instances that have the http-server network tag, which means that incoming traffic on port 80 would be allowed to those instances.

Here's a sample from the documentation:

resource "google_compute_instance" "default" {
  project      = var.project_id # Replace this with your project ID in quotes
  zone         = "southamerica-east1-b"
  name         = "backend-instance"
  machine_type = "e2-medium"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }
  network_interface {
    network = "default"
  }
  tags = ["health-check", "ssh"]
}
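To make the answer concrete for the template in the question, here is an added Terraform example (not part of the original question or answer, and not taken from the Google documentation): a google_compute_firewall resource whose target_tags equals the tag already set on the instance template, plus a managed instance group that stamps out VMs from that template. Every VM the group creates inherits the template's tags, so the rule matches it automatically. The rule name, source CIDR (a TEST-NET documentation range used as a placeholder), port, zone and group name are assumptions.

```hcl
# Added example, not from the original post. Assumes the
# google_compute_instance_template.label_studio_template resource from the
# question exists in the same configuration.

resource "google_compute_firewall" "label_studio_ingress" {
  name      = "allow-label-studio-ingress"   # assumed name
  network   = "default"                       # same VPC as the template's NIC
  direction = "INGRESS"

  # Scope the source to a known range instead of 0.0.0.0/0.
  # 203.0.113.0/24 is a documentation range; replace with your admin/VPN CIDR.
  source_ranges = ["203.0.113.0/24"]

  # Must be one of the values in the template's `tags` list; this is the
  # only link between the firewall rule and the instances.
  target_tags = ["label-studio-server-template"]

  allow {
    protocol = "tcp"
    ports    = ["8080"]   # assumed application port
  }

  # Record hits so the rule's effect can be checked in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# VMs created by this group carry the template's tags and are therefore
# targeted by the rule above without any per-instance configuration.
resource "google_compute_instance_group_manager" "label_studio" {
  name               = "label-studio-mig"   # assumed name
  base_instance_name = "label-studio"
  zone               = "us-central1-a"      # assumed zone
  target_size        = 1

  version {
    instance_template = google_compute_instance_template.label_studio_template.id
  }
}
```

Two caveats worth keeping in mind: a network tag is only a matching criterion, not an authorization boundary, since anyone who can edit an instance's tags can bring it into scope of the rule, and the rule applies to every instance in the VPC that carries the tag, not only those created from this template. Where that matters, the target service accounts mentioned in the quoted documentation give a tighter binding than tags.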

huangapple
  • Posted on 2023-06-15 05:15:08
  • Please keep this link when reposting: https://go.coder-hub.com/76477587.html