Firewall Rules in GCP – Service Accounts versus Tags
Both - network tags - and Service accounts - are viable options (for target instances) when defining firewall rules.
However, if both these exist for a certain VM, it is always recommended to use the service account. A VM can only have one service account, while it can have multiple network tags.
What about possible SOURCEs for target Service Account?
IP Ranges and Other Service accounts (either in the same project or another project) are valid Sources for the target service account Firewall rule.
However, tags (network tags) are not a valid source - as it is possible for the same VM to have the tag as well as the service account.
Leave a Reply