GCP Network Tags Explained: Firewall Rules, Routes, and Security
Network tags are how you connect firewall rules and custom routes to specific VMs rather than applying them to everything in the network. They are simple strings attached to Compute Engine instances, they take effect immediately, and they carry a security limitation worth understanding before you use them in anything sensitive.
The simple explanation
Imagine you have three groups of VMs inside a VPC network: web servers that face the internet, application servers in the middle tier, and database servers that should never be reachable from outside. You want firewall rules that match this structure without naming every individual VM.
Network tags solve this. You attach the string web-server to your web VMs, app-server to your application VMs, and database to your database VMs. Then you write firewall rules that say: allow HTTPS from the internet to VMs tagged web-server, allow port 8080 from web-server VMs to app-server VMs, allow port 5432 from app-server VMs to database VMs. Add a new web VM tomorrow, give it the web-server tag, and it immediately picks up all the right rules.
That is the whole model. Tags group VMs. Firewall rules and routes reference those groups. The tags themselves have no inherent meaning or effect until something references them.
Think of a network tag as a wristband at a concert venue. Getting a wristband does not let you through any door on its own. It only matters because security staff at certain doors are checking for that specific colour. Remove the wristband and you lose access. Add a new wristband and you gain it. The wristband is meaningless without the check at the door.
What network tags are
A network tag is an arbitrary string attached to a Compute Engine VM instance. The string has no inherent meaning and you define the convention. Common examples include web-server, database, app-tier, allow-ssh, and use-proxy.
Network tags serve two purposes in GCP:
- Firewall rules: a rule can target VMs with a specific tag. Only those VMs are affected by the rule, not all VMs in the network.
- Routes: custom routes can specify that they apply only to VMs with a given tag. This lets you route outbound traffic differently for a subset of VMs, for example sending certain VMs through a network appliance for inspection while others go directly to the internet.
Tags have no effect on billing, cost reporting, or resource organisation. A tag on a VM does nothing on its own. It only has an effect when a firewall rule or route explicitly references that tag.
Network tags are a Compute Engine concept. They only apply to VM instances. Cloud Run services, Cloud SQL instances, GKE pods, and other GCP resources are not targeted by network tags. For general-purpose resource tagging across all GCP services, see Labels and Tags in GCP.
How network tags work
The mechanism is straightforward once you see it step by step:
- Attach a tag to a VM. You add a string like
web-serverto a Compute Engine instance. The tag sits on the VM but has no effect yet. - Create a firewall rule or route that references the tag. The rule specifies either a target tag (which VMs the rule applies to) or a source tag (which VMs the traffic originates from). The route specifies a tag to limit which VMs use that route.
- GCP evaluates the rule against tagged VMs. When traffic arrives at or leaves a VM, GCP checks whether any firewall rule with a matching target tag applies. If the VM has the tag, the rule applies. If not, it does not.
Tags take effect within seconds of being added or removed from a running VM. No restart is needed. This makes tags useful for toggling temporary access during maintenance: add the tag, do the work, remove the tag. The firewall rules follow automatically.
A VM can have multiple tags at once. All firewall rules that match any of those tags apply simultaneously. You can attach web-server and allow-ssh to the same VM and get both the HTTPS rule and the SSH rule applied together.
When to use network tags
Tags are the right tool in several common situations:
- Tiered application architecture. Web, application, and database VMs in a subnet structure. Tags let you define exactly which tiers can talk to each other on which ports without managing individual IP addresses.
- Health check access. Load balancers send health checks from specific Google IP ranges. A rule targeting
allow-health-checkon your backend VMs opens health check access cleanly without touching other rules. - Selective routing through a proxy or appliance. If you need only certain VMs to route traffic through a network appliance or Cloud NAT gateway, a tagged route applies the custom path only to those VMs.
- Environment separation inside a VPC. If you run staging and production workloads in the same VPC, tags let you apply different firewall policies to each environment without requiring separate networks.
- Temporary access for operations. Adding an
allow-sshtag during maintenance and removing it afterwards is faster than creating and deleting a firewall rule each time.
Tags are not the right tool when you need a strong security guarantee. That case is covered in the service account comparison below.
Network tags vs resource labels
This is the most common source of confusion for people new to GCP. Network tags and resource labels both live on VM instances, but they do entirely different things and have no connection to each other.
| Network tags | Resource labels | |
|---|---|---|
| Format | Single string (web-server) | Key-value pair (env=production) |
| Purpose | Target firewall rules and routes | Cost attribution, billing reports, console filtering |
| Scope | Compute Engine VMs only | Most GCP resource types |
| Effect on networking | Controls which rules apply | None |
| Effect on billing | None | Used in cost breakdowns |
| Max per resource | 64 tags | 64 labels |
Adding a label role=web-server to a VM does not change which firewall rules apply to it. Adding a network tag web-server has no effect on your billing reports. If you want both network policy and cost tracking on the same VM, you need both. They are completely independent systems. See Labels and Tags in GCP for a full walkthrough of both.
Network tags are like a colour-coded security badge in an office building. The badge colour determines which doors you can open. Resource labels are the department code on your employee record, used for payroll and headcount reporting, not for building access. Both are attached to the same person, but changing one has zero effect on the other.
Network tags vs service account targeting
Firewall rules can target VMs in two ways: by network tag, or by service account. Both work, but they have very different security properties.
Tags are flexible and easy to use. Any user with the Compute Engine Instance Admin role can add or remove tags from a VM without restarting it. This is useful in practice because you can quickly adjust which rules apply to a VM. But it also means that anyone with VM edit access can add a tag to a VM and gain whatever network access that tag unlocks. In a large team or environment with broad Compute permissions, this is a meaningful risk.
Service account targeting is more rigid but more secure. The service account a VM uses is set at creation time. On a running VM, you cannot change the service account without stopping the instance. This makes it much harder to accidentally or maliciously grant access by manipulating a VM’s identity.
If a firewall rule grants access based on a network tag, anyone with Compute Engine Instance Admin access can add that tag to any VM and immediately gain the corresponding network access — no restart required. For sensitive rules protecting databases, internal APIs, or secrets endpoints, use service account targeting instead.
# Service account targeted rule — the service account cannot be changed on a running VM
gcloud compute firewall-rules create app-to-db-sa \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:5432 \
--source-service-accounts=app-server-sa@project.iam.gserviceaccount.com \
--target-service-accounts=database-sa@project.iam.gserviceaccount.comA practical rule of thumb: use tags for general traffic segmentation such as web/app/db tiers, health check access, and environment grouping. Use service account targeting for sensitive rules where unauthorized access would have serious consequences. See Network Security Best Practices for a fuller framework on this decision.
Adding tags to VMs
You can add network tags at VM creation time or update them on a running instance. Tags take effect immediately with no restart needed.
Create a new VM and attach tags at the same time:
gcloud compute instances create web-server-1 \
--zone=us-central1-a \
--machine-type=e2-medium \
--network=production-vpc \
--subnet=web-subnet \
--tags=web-server,allow-health-checkAdd tags to a VM that is already running:
gcloud compute instances add-tags web-server-1 \
--zone=us-central1-a \
--tags=monitoring-targetRemove a tag you no longer want:
gcloud compute instances remove-tags web-server-1 \
--zone=us-central1-a \
--tags=allow-health-checkCheck what tags a VM currently has:
gcloud compute instances describe web-server-1 \
--zone=us-central1-a \
--format="get(tags.items)"A VM can have up to 64 network tags. When creating VMs at scale using instance templates, tags defined in the template are applied to every VM in the group automatically.
Using tags in firewall rules
Firewall rules reference network tags in two distinct ways:
- Target tags: the rule applies to VMs carrying this tag. These are the VMs the rule acts on, controlling what traffic they can receive (ingress) or send (egress).
- Source tags: for ingress rules, traffic originating from VMs with this tag is matched as the source. This lets you say “allow traffic from web-server VMs” rather than specifying IP ranges.
Here is a complete three-tier worked example. Allow HTTPS from the internet to web servers:
gcloud compute firewall-rules create allow-https-to-web \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:443 \
--source-ranges=0.0.0.0/0 \
--target-tags=web-serverAllow web servers to reach application servers on port 8080:
gcloud compute firewall-rules create web-to-app \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:8080 \
--source-tags=web-server \
--target-tags=app-serverAllow application servers to reach databases on PostgreSQL port 5432:
gcloud compute firewall-rules create app-to-db \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:5432 \
--source-tags=app-server \
--target-tags=databaseThese three rules create a strict web → app → database traffic flow. GCP’s implicit deny blocks everything else by default, so you are only opening exactly what you intend. This three-tier pattern is the foundation of a well-segmented VPC and it scales cleanly: add more VMs to any tier, attach the right tag, and the rules follow automatically.
See Firewall Rules Explained for the full rule model including priority, statefulness, and implicit defaults.
Using tags in routes
Custom routes can also reference network tags. A route with a tag only applies to VMs that have that tag. All other VMs ignore it and use their default route. This is useful when you want selective outbound routing: send some VMs through a proxy or inspection appliance while others go directly to the internet.
Create a custom route that only applies to VMs tagged use-proxy:
gcloud compute routes create route-via-proxy \
--network=production-vpc \
--destination-range=0.0.0.0/0 \
--next-hop-instance=proxy-vm \
--next-hop-instance-zone=us-central1-a \
--tags=use-proxy \
--priority=100Only VMs tagged use-proxy will route their outbound traffic through proxy-vm. Other VMs continue using the default route to the internet gateway.
Tagged routes control outbound traffic from tagged VMs. They have no effect on inbound access to those VMs. Controlling what reaches your VMs from outside is always the job of firewall rules, not routes. If you are also routing traffic through Private Google Access or Cloud NAT, those paths are independent of custom route tags.
Common mistakes
- Confusing network tags with resource labels. Network tags affect firewall rules and routes. Resource labels affect billing reports and console filtering. They do not overlap in any way. Adding a label
role=web-serverdoes nothing for networking. Tagging a VMweb-serverdoes nothing for billing. - Adding a tag and expecting firewall behaviour to change without a matching rule. A network tag on its own does nothing. It only takes effect when a firewall rule or route explicitly references that tag. Tagging a VM
allow-sshwith no matching firewall rule changes absolutely nothing. - Using tags as a strong security boundary for sensitive rules. For production database access, management interfaces, or any rule where unauthorized access would be serious, use service account targeting instead. Tags can be added by anyone with VM edit rights, making them a weak boundary in environments with broad Compute permissions.
- Poor tag naming conventions. Tags like
web,app,db, andtempaccumulate informally. Without a consistent naming scheme, it becomes hard to tell which tags are still in use, what they mean, and whether a rule that references them is still needed. - Not documenting tags in infrastructure code. If your tags are defined informally or only visible in the console, they become a maintenance problem. Every tag should have a documented purpose in your Terraform, deployment config, or runbook. Undocumented tags tend to outlive the systems they were created for.
Best practices
- Use a consistent naming convention. Choose a scheme like
role-purpose(for example,backend-app,backend-db,ops-bastion) and apply it consistently. Tags that follow a pattern are easier to audit and harder to misuse. - Keep tags role-based, not person-based. Tags should reflect the function of the VM, not who created it or which team owns it. Role-based tags map cleanly to firewall rules. Person-based or team-based tags create sprawl.
- Avoid tag sprawl. Each tag you create is a potential firewall target. Review your tags periodically and remove ones that no longer correspond to active rules.
- Document tags in Terraform or deployment manifests. If you are managing infrastructure as code, every tag used in a firewall rule should be visible in the same codebase. A rule targeting
allow-health-checkis opaque if the tag itself only exists in the console. - Use service account targeting for sensitive rules. For rules that protect databases, secrets APIs, or internal management interfaces, prefer service account-based targeting over tags. The added rigidity is a feature, not a limitation.
- Review firewall rules regularly. Over time, tags accumulate and old rules persist. Use Connectivity Tests and firewall log analysis to find rules that are no longer matched or that allow more access than intended.
Tag sprawl is a real operational risk. A tag like temp-debug added during an incident and never removed becomes a permanent open door if a matching firewall rule still exists. Treat tag cleanup as part of your normal infrastructure review process.
Summary
- Network tags are strings attached to Compute Engine VMs that target firewall rules and custom routes at specific VMs
- A tag has no effect on its own. It only matters when a firewall rule or route explicitly references it
- Network tags are not the same as resource labels. Labels are for billing and reporting; tags are for networking only
- Firewall rules use target tags (which VMs the rule applies to) and source tags (traffic from which VMs is matched)
- Custom routes can reference tags to selectively change outbound routing for a subset of VMs
- Tags take effect immediately with no VM restart required
- Tags are a weaker security boundary than service account targeting. Anyone with VM edit rights can add or remove tags
- Use service account targeting for sensitive rules; use tags for general tiering, health checks, and environment separation
- Document your tagging convention in infrastructure code to prevent sprawl and ambiguity
Frequently asked questions
What are network tags in GCP?
Network tags are arbitrary strings attached to Compute Engine VM instances. They let you target firewall rules and custom routes at specific VMs instead of all VMs in the network. A tag by itself does nothing. It only takes effect when a firewall rule or route references it explicitly.
Are network tags the same as resource labels?
No. Network tags are single strings that control which firewall rules and routes apply to a VM. Resource labels are key-value pairs used for cost attribution and billing reports. Adding a label environment=production to a VM does not change which firewall rules apply. Adding a network tag web-server has no effect on billing. They are completely separate systems that happen to both live on VM instances.
Can one VM have multiple network tags?
Yes. A VM can have up to 64 network tags at the same time. All firewall rules and routes that match any of those tags apply to the VM. Tags take effect immediately after being added with no VM restart required.
Are network tags secure enough for production?
Tags are suitable for general traffic segmentation but are a weaker boundary for sensitive rules. Anyone with the Compute Engine Instance Admin role can add or remove tags from a running VM without restarting it. For controlling access to databases or internal management interfaces, use service account targeting instead. A VM service account cannot be changed while the VM is running.
Do network tags work outside Compute Engine?
No. Network tags are a Compute Engine concept and only apply to VM instances. Cloud Run services, Cloud SQL instances, GKE pods, and other GCP resources are not targeted by network tags. Those services use different mechanisms. Cloud Run uses Serverless VPC Access connectors, GKE uses node or pod CIDR ranges, and so on.