Configuring Firewall Rules
Similar to your data center's DMZ (demilitarized zone), each VPC network has a firewall that, by default, blocks all incoming traffic from outside the VPC network to every instance (VM) in it. You protect the perimeter of your VPC network by configuring firewall rules, which explicitly control what traffic is allowed to enter (ingress) your VPC network and what traffic is allowed to leave (egress) it.

VPC scope: By default, a firewall rule applies to the whole VPC network, not to its partitions, that is, to individual subnets.

Network tag target: You can, however, narrow the scope of a firewall rule to a specific group of VMs in your VPC. This is where the concept of a target comes into play. To have a firewall rule apply only to a set of VMs, add a network tag (also referred to as an instance tag) to those VMs and then apply the firewall rule to VMs carrying that tag.

Service account target: You can also restrict a firewall rule to specific VMs by selecting the service account attached to them. To do so, choose the specified service account option, indicate under Service account scope whether the service account belongs to the current project or to another one, and enter the service account name in the Source/Target service account field.

VM-to-VM traffic control: You can also use firewall rules to control internal traffic between VMs by defining the set of permitted source VMs (rather than source IP ranges) in the rule.
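The four scoping options above, written as Terraform `google_compute_firewall` resources. This is an added example, not configuration from the original page; the VPC name `prod-vpc`, the `203.0.113.0/24` range, the tags and the service account address are all assumed values.

```hcl
# Added example: codifies the targeting options described above for an
# assumed VPC named "prod-vpc". Ranges, tags and the service account are constructed.

# 1. VPC scope: no target is set, so the rule applies to every VM in the network.
resource "google_compute_firewall" "allow_icmp_from_office" {
  name          = "allow-icmp-from-office"
  network       = "prod-vpc"
  direction     = "INGRESS"
  source_ranges = ["203.0.113.0/24"] # constructed office range
  allow {
    protocol = "icmp"
  }
}

# 2. Network tag target: only VMs carrying the "bastion" tag accept SSH.
resource "google_compute_firewall" "allow_ssh_to_bastion" {
  name          = "allow-ssh-to-bastion"
  network       = "prod-vpc"
  direction     = "INGRESS"
  source_ranges = ["203.0.113.0/24"]
  target_tags   = ["bastion"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# 3. VM-to-VM control: the permitted sources are VMs tagged "app", not IP ranges.
resource "google_compute_firewall" "allow_app_to_db" {
  name        = "allow-app-to-db"
  network     = "prod-vpc"
  direction   = "INGRESS"
  source_tags = ["app"]
  target_tags = ["db"]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}

# 4. Service account target: a single rule uses service accounts or tags, never both.
resource "google_compute_firewall" "allow_https_to_web_sa" {
  name                    = "allow-https-to-web-sa"
  network                 = "prod-vpc"
  direction               = "INGRESS"
  source_ranges           = ["0.0.0.0/0"]
  target_service_accounts = ["web-sa@my-project.iam.gserviceaccount.com"] # assumed
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Rule 1 is the one to scrutinize in review: a rule with no target applies to every VM in the VPC, so keep such rules to the narrowest protocol and source range you can justify.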