Why use a TCP firewall rule with an external http load balancer?
Question
I'm deploying an external HTTP load balancer for a Kubernetes cluster. What is the necessity for having a VPC firewall rule that allows TCP traffic on port 80?
Context
In preparation for the Google Cloud Platform Associate Cloud Engineer exam, I'm studying on CloudSkillsBoost. There is a challenge lab (https://www.cloudskillsboost.google/focuses/10258?parent=catalog) and Task 3 requires me to configure an External HTTP Load Balancer for a Kubernetes Cluster containing 2 Nginx web server containers (that's a mouthful, I know).
I don't fully understand why the solution requires a TCP firewall rule. What is the thought process behind this architectural choice?
Architecture
I'm trying to practice my architecture design skills. This is my interpretation of this cloud solution (image below).
I would love any constructive feedback on this diagram.
The load balancer does not need or support firewall rules. Listening ports are defined by frontends. Optionally, there is Cloud Armor that can act as a firewall.
A Kubernetes cluster starts as a collection of Compute Engine instances. That means you must allow traffic into the VPC to reach the instances. In your drawing, the load balancer is listening on port 80 and forwarding traffic to port 80. Therefore you need a firewall ingress rule to allow port 80 traffic.
- Unable to access my minikube cluster from the browser (❗ Because you are using a Docker driver on windows, the terminal needs to be open to run it.)
- Fastify not working on Docker / Kubernetes
- Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html"
- Kubernetes pull from insecure docker registry
- microk8s Connection to port 16443 was refused
- K3s pod container with root privileges
- redis-ha in kubernetes cannot failover back to master
- How to fix CSR denial by csr-auto-approver?
- How to identify the storage space left in a persistent volume claim?
- Can someone explain 'patchesStrategicMerge'
- How to fix disk-pressure on k8s node?
- Difference between PodDisruptionBudget and minimum replicas in HPA
- Configure Microk8s
- How do I get a certificate (public and private key) into a windows container in AKS?
- "The connection to the server localhost:8080 was refused - did you specify the right host or port?"
- 1 node(s) had taints that the pod didn't tolerate in kubernetes cluster
- --record has been deprecated, then what is the alternative
- Flink Kubernetes S3 state support
- How to count how many pods were started by namespace each day in PromQL?
- couldn't get current server API group list: the server has asked for the client to provide credentials error: You must be logged in to the server
- access postgres in kubernetes from an application outside the cluster
- What will happen to evicted pods in kubernetes?
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- Flux not decrypting using SOPS
- Python Kubernetes Client: equivalent of kubectl api-resources --namespaced=false
- Not possible to use containers in Azure Pipelines self-hosted agents deployed as Azure K8s pods
- My kubernetes pods keep crashing with "CrashLoopBackOff" but I can't find any log
- GKE autoscaling
- how do I enable mount propagation in Rancher - Kubernetes feature gates?
- How to resolve unmet dependencies between containerd and runc?