Firewall rules

As previously mentioned, the GCP firewall rule is important for achieving network security. However, the GCP firewall is simpler and more flexible than an AWS Security Group (SG). For example, in AWS, when you launch an EC2 instance, you have to assign at least one SG, so the EC2 instance and the SG are tightly coupled. In GCP, on the other hand, you can't assign a firewall rule to a VM instance directly. Instead, the firewall rule and the VM instance are loosely coupled via a network tag, so there is no direct association between the firewall rule and the VM instance.

The following diagram compares AWS security groups with GCP firewall rules. An EC2 instance requires a security group, while a GCP VM instance just sets a tag, irrespective of whether a firewall rule with the same tag exists or not:

For example, create firewall rules for a public host (using the public network tag) and a private host (using the private network tag) with the following commands:

# create ssh access for public host
$ gcloud compute firewall-rules create public-ssh --network=my-custom-network --allow="tcp:22" --source-ranges="0.0.0.0/0" --target-tags="public"

# create http access (80/tcp) for public host
$ gcloud compute firewall-rules create public-http --network=my-custom-network --allow="tcp:80" --source-ranges="0.0.0.0/0" --target-tags="public"

# create ssh access for private host (allow from hosts which have the "public" tag)
$ gcloud compute firewall-rules create private-ssh --network=my-custom-network --allow="tcp:22" --source-tags="public" --target-tags="private"

# create icmp access between internal hosts (allow from hosts which have either the "public" or the "private" tag)
$ gcloud compute firewall-rules create internal-icmp --network=my-custom-network --allow="icmp" --source-tags="public,private"

This creates four firewall rules, as shown in the following screenshot. Now let's create VM instances that use either the public or private network tag to see how it works:
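Because rules and instances are only linked by tags, it is worth checking which rules actually reach which VM before relying on them. The following audit is an added example (not the book's code): it resolves tag-based ingress rules against instances the way GCP does, including the rule that a firewall rule with no target tags applies to every instance in the network, which is why internal-icmp above also reaches untagged VMs. The JSON is constructed to mirror the shape of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` for the four rules above; it assumes all instances are in my-custom-network and ignores rule priority and deny rules.

```python
import json

# Constructed sample data (not real gcloud output), limited to the fields the audit needs.
FIREWALL_RULES_JSON = """[
 {"name": "public-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["public"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "public-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["public"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "private-ssh", "direction": "INGRESS", "sourceTags": ["public"],
  "targetTags": ["private"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "internal-icmp", "direction": "INGRESS", "sourceTags": ["public", "private"],
  "allowed": [{"IPProtocol": "icmp"}]}
]"""
INSTANCES_JSON = """[
 {"name": "web-1", "tags": {"items": ["public"]}},
 {"name": "db-1", "tags": {"items": ["private"]}},
 {"name": "batch-1", "tags": {"items": []}}
]"""


def rule_targets(rule, instances):
    """Instances a rule applies to: those carrying any of its target tags, or
    every instance in the network when the rule has no target tags at all."""
    tags = set(rule.get("targetTags", []))
    if not tags:
        return [i["name"] for i in instances]
    return [i["name"] for i in instances
            if tags & set(i.get("tags", {}).get("items", []))]


def audit(firewall_json, instances_json):
    """Map each instance name to (rule, allowed ports, open-to-internet) tuples."""
    rules = json.loads(firewall_json)
    instances = json.loads(instances_json)
    exposure = {i["name"]: [] for i in instances}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        world_open = "0.0.0.0/0" in rule.get("sourceRanges", [])
        ports = [f"{a['IPProtocol']}:{','.join(a.get('ports', ['*']))}" for a in rule["allowed"]]
        for name in rule_targets(rule, instances):
            exposure[name].append((rule["name"], ports, world_open))
    return exposure


def internet_exposed(exposure):
    """Instances reachable from 0.0.0.0/0, with the rules responsible."""
    return {name: [r for r, _, o in hits if o]
            for name, hits in exposure.items() if any(o for _, _, o in hits)}


if __name__ == "__main__":
    result = audit(FIREWALL_RULES_JSON, INSTANCES_JSON)
    for name, hits in result.items():
        print(name, [(r, p) for r, p, _ in hits])
    print("internet-exposed:", internet_exposed(result))
```

Note that batch-1 carries no tag, so neither public-* nor private-ssh reaches it, yet internal-icmp still does.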
