How to fix GCP firewall rules are not working


I have a network in GCP with configured firewall rules. I have couple of instances and two of them are as below.

instance 1 - with network tag "kube-master"
instance 2 - with network tag "kube-minion"

And I want to ping from kube-master to kube-minion. So, I set up a firewall rule (master-to-node) for ICMP as below.

[screenshot of the master-to-node firewall rule]

But the problem is I still can't ping from kube-master to kube-minion. I logged into instance 1 (kube-master) and tried to ping the public IP address of instance 2 (kube-minion), but it doesn't ping.

As in the above image, am I restricting this behaviour? But I have set the priority to 2, so it will take precedence.

When I set the source as 0.0.0.0/0 instead of kube-master it works, but I need to do this (send traffic to kube-minion) only from kube-master.

Can someone tell me where I am making the mistake? Thank you!

2

There are 2 answers

0
guillaume blaquiere On

As you can see in the documentation:

Thus, the network tags are still only meaningful in the network to which the instance's network interface is attached.

Therefore, if you access the VM with the public IP, you go out of your network to reach it, and the tag information is lost. Use the private IP of the VM and it will work as expected.

Add 0.0.0.0/0 as the source, or the public IP of the master in /32 (better), if you want to continue to use instance 2's public IP.

3
Neo Anderson On

Source tags only apply to traffic sent from the network interface of another applicable instance in your VPC network. A source tag cannot control packets whose sources are external IP addresses, even if the external IP addresses belong to instances.

When you ping the external IP address of instance-2 from instance-1, the ICMP request is translated, and therefore on the receiving side the request appears to come from an IP address (the external IP of instance-1) that is not associated with the network tag kube-master.

Edit: [screenshot attached]
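To make the behaviour both answers describe concrete, here is a small added model (not Google's code, and not from either answer) of how a tag-based ingress rule is evaluated: a source tag can only match when the packet still arrives from the sender's VPC interface, whereas a ping to the external IP is NATed and reaches the minion with the master's external address and no tag. The IP addresses and the priority-2 rules are constructed for the example; GCP's real data plane has more cases than this, but the tag and /32 outcomes match the documentation quoted above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Simplified ingress firewall rule: lower priority number wins first."""
    name: str
    priority: int
    action: str                      # "allow" or "deny"
    protocol: str                    # e.g. "icmp"
    source_ranges: list = field(default_factory=list)
    source_tags: list = field(default_factory=list)
    target_tags: list = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_tags: frozenset   # tags of the sending VM; only known for VPC-internal traffic
    dst_tags: frozenset   # tags of the receiving VM
    protocol: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches if protocol and target tag fit and EITHER a source range OR a source tag matches."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.target_tags and not set(rule.target_tags) & pkt.dst_tags:
        return False
    ip = ipaddress.ip_address(pkt.src_ip)
    by_range = any(ip in ipaddress.ip_network(r) for r in rule.source_ranges)
    by_tag = bool(set(rule.source_tags) & pkt.src_tags)
    return by_range or by_tag


def evaluate(rules: list, pkt: Packet) -> str:
    """Apply the first matching rule in priority order; ingress falls back to an implied deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def ping_from_master(path: str, rules: list) -> str:
    """Constructed topology: master has internal 10.0.0.2 / external 34.1.2.3, minion is tagged kube-minion."""
    if path == "internal":   # ping the minion's private IP: source tag travels with the packet
        pkt = Packet("10.0.0.2", frozenset({"kube-master"}), frozenset({"kube-minion"}), "icmp")
    else:                    # ping the minion's public IP: NAT rewrites the source, tag is lost
        pkt = Packet("34.1.2.3", frozenset(), frozenset({"kube-minion"}), "icmp")
    return evaluate(rules, pkt)


# The questioner's rule (tag-based) and the /32 alternative suggested in the first answer.
TAG_RULE = Rule("master-to-node", 2, "allow", "icmp", source_tags=["kube-master"], target_tags=["kube-minion"])
MASTER_PUBLIC_IP_RULE = Rule("master-public-ip", 2, "allow", "icmp", source_ranges=["34.1.2.3/32"], target_tags=["kube-minion"])
```

Running `ping_from_master("external", [TAG_RULE])` yields the implied deny the questioner saw, while the internal path or the /32 source range allows the ping.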