Firewall Rules

GCP VPC firewall rules are the primary mechanism for controlling network traffic to and from your instances. They act as a distributed, stateful firewall evaluated at the instance level — not at a subnet boundary. Understanding how rules are structured, evaluated, and targeted is essential for building secure GCP environments.

---

How Firewall Rules Work

Firewall rules are defined at the VPC network level and enforced on every instance in that VPC. Each rule either allows or denies traffic based on:

• Direction — ingress (inbound) or egress (outbound).
• Priority — a number from 0 (highest) to 65535 (lowest). Lower numbers are evaluated first.
• Action — allow or deny.
• Target — which instances the rule applies to (all instances, instances with a network tag, or instances using a specific service account).
• Source/Destination — IP ranges, network tags, or service accounts.
• Protocol and ports — e.g. TCP port 443, UDP port 53, or ICMP.

Default Rules

Every VPC has two implied rules that cannot be deleted: