Only allow traffic from a GCP load balancer to a VM


I am new to GCP and have set up a simple VM with a program listening on port:4000. I also set up an external HTTPS load balancer connected to a domain with an SSL cert. The load balancer routes traffic to the backend service on port:4000 of the VM and everything works fine.

The issue is that I want to restrict access to port 4000 on the VM so it would only accept traffic from the load balancer and not have it completely open, as it is now.

I changed the firewall rule filter from 0.0.0.0/0 to 35.208.137.235 which is the frontend IP of the load balancer.

But now the VM doesn't accept ingress traffic at all. How should I set it up to only accept traffic from the load balancer?

2

There are 2 best solutions below

1
guillaume blaquiere On BEST ANSWER

Allow these ranges 35.191.0.0/16 and 130.211.0.0/22 as "ingress" rule. It should work. https://cloud.google.com/load-balancing/docs/firewall-rules

0
Tommer Rissin On

Thanks to Guillaume I found the answer, although the ranges 35.191.0.0/16 and 130.211.0.0/22 are for health checks not for traffic between the load balancer and the VM.

The answer is that I am using a regional load balancer and it uses a specific proxy subnet to handle the traffic between the LB and the VM.

The solution I found here after following Guillaume's link.
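Putting the two answers together, the following is an added Python model (it is not code from the question, the answers, or Google's own tooling) of how a VPC ingress allow rule is evaluated against the source addresses that actually reach the VM's port 4000. It contrasts the rule the questioner tried (allow only the frontend IP 35.208.137.235) with the rules the thread arrives at: the health-check ranges 35.191.0.0/16 and 130.211.0.0/22 plus the regional load balancer's proxy-only subnet. The page does not give that subnet's CIDR, so 10.129.0.0/23 is a constructed placeholder, and all sample source IPs are constructed; the rendered gcloud commands use standard `gcloud compute firewall-rules create` flags but are only printed, never executed.

```python
import ipaddress
from dataclasses import dataclass

# Source ranges of Google's health checkers, as given in the accepted answer.
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]

# Proxy-only subnet of the regional external HTTPS load balancer. The page does
# not give its CIDR, so this is a constructed placeholder; substitute the
# proxy-only subnet configured in your own VPC network and region.
PROXY_ONLY_SUBNET = "10.129.0.0/23"

# Port the backend program listens on (from the question).
BACKEND_PORT = 4000


@dataclass(frozen=True)
class IngressRule:
    """A simplified VPC ingress allow rule: source CIDRs -> allowed TCP ports."""
    name: str
    source_ranges: tuple
    tcp_ports: frozenset

    def matches(self, src_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        in_source = any(ip in ipaddress.ip_network(cidr) for cidr in self.source_ranges)
        return in_source and dst_port in self.tcp_ports

    def gcloud_create(self, network: str, target_tag: str) -> str:
        """Render the equivalent gcloud command as a string (not executed here)."""
        ports = ",".join(f"tcp:{p}" for p in sorted(self.tcp_ports))
        return (
            f"gcloud compute firewall-rules create {self.name} "
            f"--network={network} --direction=INGRESS --action=ALLOW "
            f"--rules={ports} --source-ranges={','.join(self.source_ranges)} "
            f"--target-tags={target_tag}"
        )


def lb_only_rules(proxy_subnet: str = PROXY_ONLY_SUBNET, port: int = BACKEND_PORT):
    """Rules that admit only health checks and the LB's proxy traffic to the port."""
    return [
        IngressRule("allow-lb-health-checks", tuple(HEALTH_CHECK_RANGES), frozenset({port})),
        IngressRule("allow-lb-proxy-subnet", (proxy_subnet,), frozenset({port})),
    ]


def frontend_ip_rule(frontend_ip: str, port: int = BACKEND_PORT):
    """The rule the questioner tried: allow only the LB's public frontend IP."""
    return [IngressRule("allow-lb-frontend-only", (f"{frontend_ip}/32",), frozenset({port}))]


def is_allowed(rules, src_ip: str, dst_port: int) -> bool:
    """Model of VPC ingress semantics: implied deny unless some allow rule matches."""
    return any(r.matches(src_ip, dst_port) for r in rules)


# Constructed sample of source addresses as seen on the VM's NIC.
SAMPLE_TRAFFIC = {
    "health-check": "35.191.12.34",    # Google health checker (inside 35.191.0.0/16)
    "lb-proxy": "10.129.0.7",          # proxy in the placeholder proxy-only subnet
    "internet-direct": "203.0.113.9",  # client bypassing the LB (TEST-NET-3 address)
    "frontend-ip": "35.208.137.235",   # the LB frontend address from the question
}


def evaluate(rules, port: int = BACKEND_PORT) -> dict:
    """Return {label: allowed?} for every sample source against the given rules."""
    return {label: is_allowed(rules, ip, port) for label, ip in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    print("Frontend-IP-only rule:", evaluate(frontend_ip_rule("35.208.137.235")))
    print("LB-only rules:        ", evaluate(lb_only_rules()))
    for rule in lb_only_rules():
        print(rule.gcloud_create("default", "lb-backend"))
```

Running it shows why the first attempt looked like "no ingress at all": the only source the frontend-IP rule admits is an address that never appears as the source of backend-bound packets, so the health checkers and the proxies are both dropped and the backend goes unhealthy. The two-rule set admits exactly those sources on port 4000 and nothing else, which is the restriction the question asked for.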