googledatalab / datalab

Interactive tools and developer experiences for Big Data on Google Cloud Platform.
Apache License 2.0

--beta-no-external-ip does not prevent firewall rule creation #2126

Closed mdhedley closed 5 years ago

mdhedley commented 5 years ago

Expected behavior for --beta-no-external-ip would be to prevent the use of an external IP address, and also to not make adjustments to the external firewall rules of the associated network.

However, even though the flag does prevent the creation of an external IP address, it still attempts to modify firewall rules to allow external access. This is not the desired behavior.

mdhedley commented 5 years ago

Misunderstood purpose of firewall rule.

mdhedley commented 5 years ago

The current system creates a firewall rule that allows port 22 from 0.0.0.0 on the network provided. In most cases where --no-public-ip is used, these are secure environments where users want to limit the attack surface of the environment. So creating an open port 22 in this case does not make sense.

Additionally, the existing firewall rule creation opens port 22 for all instances in the network, which could create unexpected security issues for users.
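An added example, not part of the issue thread or the datalab project's code: an audit that flags enabled ingress rules exposing tcp/22 to 0.0.0.0/0 on a given network and reports whether each one is scoped to tagged targets or applies to every instance. It assumes rule records shaped like `gcloud compute firewall-rules list --format=json` output; all rule, project and network names are constructed.

```python
# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# output; every rule, project and network name below is made up for this example.
NET = "projects/example-project/global/networks/"
SAMPLE_RULES = [
    {"name": "example-allow-ssh", "network": NET + "private-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "example-tagged-range", "network": NET + "private-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "example-internal-ssh", "network": NET + "private-net", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "example-disabled-all", "network": NET + "private-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}], "disabled": True},
    {"name": "example-other-net", "network": NET + "other-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def _admits_tcp_port(entry, port=22):
    """True if one `allowed` entry lets TCP traffic reach `port`."""
    proto = entry.get("IPProtocol", "").lower()
    if proto not in ("all", "tcp", "6"):
        return False
    specs = entry.get("ports")
    if proto == "all" or not specs:  # no port list means every port of the protocol
        return True
    for spec in specs:  # each spec is a single port ("22") or a range ("20-25")
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def open_ssh_rules(rules, network):
    """Return (rule name, scope) for enabled ingress rules on `network` open to any source on tcp/22."""
    findings = []
    for r in rules:
        if r.get("disabled") or r.get("direction", "INGRESS") != "INGRESS":
            continue
        if not r.get("network", "").endswith("/networks/" + network):
            continue
        if "0.0.0.0/0" not in r.get("sourceRanges", []):
            continue
        if any(_admits_tcp_port(a) for a in r.get("allowed", [])):
            scoped = r.get("targetTags") or r.get("targetServiceAccounts")
            findings.append((r["name"], "tagged-targets" if scoped else "all-instances"))
    return findings

if __name__ == "__main__":
    for name, scope in open_ssh_rules(SAMPLE_RULES, "private-net"):
        print(f"{name}: tcp/22 reachable from 0.0.0.0/0, scope={scope}")
```

A finding with scope `all-instances` corresponds to the second concern raised above: the rule reaches every VM on the network, not only the one it was created for.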