Welcome back. In this demonstration, we're going to walk through the process of creating an Ingress Firewall Rule for the VPC network that we created earlier. 

So, let's get started by going to the Firewall rules page in our Google Cloud Platform console. Now, to get there, what I need to do is, browse to VPC network, under the Networking section, and then from here, click on Firewall rules. 

Now, from here, what I need to do is, click on Create Firewall Rule, and this begins the process. Now, let's give our firewall rule a Name, and then specify the network where the firewall rule is going to be implemented. I'll call my firewall rule, rdp-in, and what I'm going to do is apply it to my testnetwork. 

What we need to do here is specify the priority of the rule that we're deploying. The lower the number, the higher the priority, the higher the number, the lower the priority. For this exercise, I'm going to leave it at the default setting of 1000. 

Now for this rule, I'm going to choose Ingress as the direction of traffic, because I want to allow rdp from my workstation IP. 

Obviously, we want to choose Allow as the action on match, and then we need to specify the Targets of our rule. 

Now what I'm going to do here, is select All instances in the network. Now what this does, is ensure that this rule applies to all instances that are eventually connected to this network. We'll deploy a VM later to this network, so I want this Ingress rule to apply to it when it's deployed. Now, with that said, what I could do here, if I wanted to, is instead, set the rule to apply to specific instances by target tag. This would allow me to specify which instances the rule would apply to. 

For this exercise, we're applying the rule to all instances, so there's no need to do this. What we need to do next here, is specify the Source filter. In the Source filter dropdown, I can specify an IP address range, source tags, or even in some cases, a service account. I'm going to leave this set to IP ranges, since I'm going to specifically allow traffic from the IP of my workstation that I'm working from. For this exercise, I'm going to browse to whatsmyip.org to check the public IP of my workstation. 

What we'll do here is, get my public IP address, and bounce back over to our portal here. We'll put my public IP in the Source IP ranges field. Now, when I do this, I need to use the CIDR notation. So what I had to do is append the /32 to my IP address. At this point, I need to define the protocols and ports to which my new rule is going to apply. In this case, I'm going to specify a destination port of TCP 3389, so I can allow rdp to any VM instances I deploy later. So we'll select tcp, and then we'll specify 3389. Now with that set, I can leave the rest of the options at their defaults, and then click Create to deploy my Ingress rule. 

So now that I have my Ingress rule deployed, when I spin up my VM later on and connect it to my subnet, the VM will be protected by my new rule.