Closed benofben closed 1 year ago
Suggestion from Google ---
I checked the two issues we discussed last week and our team suggests the below.
Restricting traffic to deployment resources - we have two options.
I've tried to work this into the template but I'm struggling with the syntax. I've requested a live call to work through it with Google.
Per Google this is not possible. Ed and team are refactoring the template to use a load balancer and will make the change when they do that.
In the 5.1 release I configured the firewall so that internal ports such as 5000 are only available on the internal subnet.
Ports that should be only open internally are open globally because of external IP dependency.
Suggestion from Google ---
If the partner only wants certain ports to be accessible between instances in the deployment, they can use sourceTags and targetTags on the firewall (public docs, autogen example).
Autogen natively supports this type of configuration - see https://github.com/GoogleCloudPlatform/marketplace-tools/blob/master/docs/autogen-reference.md#firewallrulespectrafficsource. Perhaps the partner should consider using autogen.
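As an added illustration of the sourceTags/targetTags approach described in the suggestion above (not code from this issue or from the project's template), a Deployment Manager firewall resource that exposes port 5000 only between instances tagged `internal-app`, shown beside the globally open form it replaces. The network reference and the tag name are assumptions.

```yaml
resources:
# Weak form: port 5000 is reachable from any address because the source is 0.0.0.0/0.
# Kept here only for comparison; remove it from the template when deploying.
- name: allow-5000-global
  type: compute.v1.firewall
  properties:
    network: $(ref.app-network.selfLink)   # assumed: a network resource named app-network
    sourceRanges: ["0.0.0.0/0"]
    allowed:
    - IPProtocol: tcp
      ports: ["5000"]
# Hardened form: only VMs carrying the source tag may reach port 5000 on VMs carrying the target tag.
- name: allow-5000-internal
  type: compute.v1.firewall
  properties:
    network: $(ref.app-network.selfLink)
    sourceTags: ["internal-app"]   # assumed tag; set it on every instance in the deployment
    targetTags: ["internal-app"]
    allowed:
    - IPProtocol: tcp
      ports: ["5000"]
```

Source tags match traffic sent from an instance's internal IP, so instances in the deployment must address each other by internal IP or hostname for the rule to apply.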