In Google Cloud Virtual Private Cloud (VPC), network tags are used to apply firewall rules to specific instances. Scott can use these tags to control the traffic flow between the tiers of the web application. Here’s how he can configure the network:

Assign Network Tags: Assign unique network tags to the instances in each tier – for example, ‘ui-tag’ for the web interface, ‘api-tag’ for the API, and ‘db-tag’ for the database.

Create Firewall Rules: Create firewall rules that allow traffic from the API tier to the database tier by specifying the ‘api-tag’ as the source filter and ‘db-tag’ as the target filter.

Restrict Direct Access: Ensure that there are no rules allowing direct traffic from the ‘ui-tag’ to the ‘db-tag’, effectively blocking any direct requests from the web interface to the database.

Apply Rules: Apply the firewall rules to the respective instances based on their tags.

By using network tags and firewall rules, Scott can ensure that the database is only accessible via the API, and direct access from the UI is not permitted.

References:

Google Cloud documentation on setting up firewall rules and using network tags1.