VPC firewall rule between load balancer and VMs

Solution 1:

You cannot use a VPC firewall to block access to the load balancer. When the load balancer connects to your VM, the VPC firewall sees the load balancer's IP address and not the client's IP address. The client's IP address is stored in the HTTP header X-Forwarded-For and VPC firewalls do not process HTTP headers.

You can restrict traffic at the VM instance to only allow traffic from the load balancer and health checks. However, that will not control traffic from the client to the load balancer. Controlling client traffic requires adding Cloud Armor to the HTTP(S) Load Balancer.

The backend instances must allow connections from the load balancer GFE/health check ranges. This means that you must create an ingress allow firewall rule for traffic from 130.211.0.0/22 and 35.191.0.0/16 to your backend instances or endpoints. These IP address ranges are used as sources for health check packets and for all load-balanced packets sent to your backends.

Firewall rules allowing load balancer traffic
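As an added illustration of the answer's point (example code, not part of the original post or any Google tooling), the script below audits firewall rules exported in the shape of `gcloud compute firewall-rules list --format=json` and reports two things for a backend tag and port: whether both GFE/health-check ranges are allowed in, and which rules admit sources outside those ranges and so let clients bypass the load balancer. The sample rules, their names and the `web-backend` tag are constructed for the example.

```python
import ipaddress
import json

# Source ranges the HTTP(S) load balancer and its health checks connect from.
LB_RANGES = [ipaddress.ip_network(r) for r in ("130.211.0.0/22", "35.191.0.0/16")]

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`;
# the rule names and the "web-backend" tag are made up for this example.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-lb-and-health-checks", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["web-backend"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "allow-http-from-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web-backend"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80-8080"]}]},
])

def _port_allowed(rule, port):
    """True if the rule opens TCP `port`; port specs may be single ("80") or ranges ("80-8080")."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no ports listed means every port of that protocol
            return True
        for spec in ports:
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def _contains(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)

def audit_backend_rules(rules_json, backend_tag, port):
    """Return (lb_ranges_not_allowed, overbroad_rule_names) for ingress to backend_tag:port."""
    covered, overbroad = set(), set()
    for rule in json.loads(rules_json):
        if (rule.get("direction") != "INGRESS" or rule.get("disabled")
                or backend_tag not in rule.get("targetTags", []) or not _port_allowed(rule, port)):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            covered.update(str(lb) for lb in LB_RANGES if _contains(net, lb))
            # A source outside every LB range lets clients reach the VM without the LB.
            if not any(_contains(lb, net) for lb in LB_RANGES):
                overbroad.add(rule["name"])
    missing = [str(lb) for lb in LB_RANGES if str(lb) not in covered]
    return missing, sorted(overbroad)
```

Running `audit_backend_rules(SAMPLE_RULES_JSON, "web-backend", 8080)` on the sample reports no missing LB range but flags `allow-http-from-anywhere`, the rule that would have to go for the VM to be reachable only through the load balancer.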