Health check probes come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16.

HTTP(S) Load Balancer uses health checks to determine if a particular backend instance should receive traffic. If all are unhealthy, clients receive message of “no healthy upstream”

Managed Instance Groups also use health checks, but for a different purpose. If an instance is reported an unhealthy, it will be removed and replaced with a healthy instance

gcloud compute firewall-rules create default-allow-health-check \
 --direction=INGRESS --priority=1000 --network=default \
 --action=ALLOW --rules=tcp:80 \
 --source-ranges=130.211.0.0/22,35.191.0.0/16 \
 --target-tags=allow-health-check