Firewall rules in GCP can be made more specific by using service accounts for source and destination filtering. New SE instances can be created with a service account that you provide.

Adding Service Accounts to GCP Instances

  • A service account can be added to an instance when the instance is created.

  • A service account cannot be added to a running instance. The instance must be stopped before the service account is added and restarted afterward for the change to take effect.

Note:
  • The service account is added only to newly created SEs, not to existing SEs.

  • Reconcile does not happen for a service account. To make any change related to the service account, the SEs must be stopped before applying the change and restarted afterward.

For more details on assigning roles to service account, see Roles and Permissions (GCP Full Access).
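
The stop, change, start sequence and the service-account firewall filtering described above can be scripted with the gcloud CLI. This is an added example, not part of the original documentation; the `run` dry-run wrapper is a hypothetical helper, and every instance, zone, network, rule and service account name is constructed.

```shell
#!/bin/sh
# Added example. Instance, zone, network, rule and account names are constructed.
# DRY_RUN=1 (the default here) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A running instance cannot take a new service account:
# stop it, set the account, then start it again.
attach_service_account() {
    instance="$1"; zone="$2"; sa_email="$3"
    run gcloud compute instances stop "$instance" --zone "$zone" &&
    run gcloud compute instances set-service-account "$instance" \
        --zone "$zone" --service-account "$sa_email" &&
    run gcloud compute instances start "$instance" --zone "$zone"
}

# Ingress rule filtered by service account on both ends.
# GCP does not allow service accounts and network tags in the same rule.
allow_between_service_accounts() {
    rule="$1"; network="$2"; src_sa="$3"; dst_sa="$4"; ports="$5"
    run gcloud compute firewall-rules create "$rule" \
        --network "$network" --direction INGRESS --action ALLOW \
        --rules "$ports" \
        --source-service-accounts "$src_sa" \
        --target-service-accounts "$dst_sa"
}

# Constructed values for illustration.
SE_SA="se-sa@example-project.iam.gserviceaccount.com"
CLIENT_SA="client-sa@example-project.iam.gserviceaccount.com"

attach_service_account example-se-1 us-central1-a "$SE_SA"
allow_between_service_accounts allow-client-to-se example-vpc \
    "$CLIENT_SA" "$SE_SA" tcp:443
```

Run it with `DRY_RUN=0` only after reviewing the printed commands, since the first function stops the instance.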