Identity-Based Firewall Rules in GCP: Using Service Accounts for Network Security

Ben Makansi
March 21, 2026

Identity-based firewall rules are a specific feature in GCP that the Associate Cloud Engineer exam tests as a contrast against network-tag-based rules. This article covers what they are, why they are more secure than tags, the canonical diagram pattern, and the question framing on the ACE exam.

It does not cover the full set of attributes you can use in firewall rules or hierarchical firewall policies. The goal is the specific service-account-based pattern that the exam highlights.

The traditional approach: network tags

Before identity-based rules, the way you applied a firewall rule to a group of VMs was network tags. You would tag your web VMs with "web-server", write a rule that targets that tag, and any VM with the tag inherits the rule.

That works. But it has a security weakness. Network tags are user-applied. Anyone with permission to edit a VM can add or remove a tag. If your firewall rule says "allow access to the database from VMs tagged db-client", an attacker with VM edit permissions can grant themselves database access by adding that tag to their own VM. The tag is not a strong identity.

The identity-based approach

Identity-based firewall rules target VMs by the service account they run as, not by a tag. Every VM in GCP runs as a service account (the default Compute Engine service account, or one you specify). That service account is the VM's identity. Changing it requires IAM permissions, which are usually held by a smaller group of people than VM-edit permissions.

So a rule like "allow ingress from VMs running as web-app-sa to VMs running as db-sa" is more robust. To get traffic from a new VM into the database tier, you have to give that VM the web-app-sa service account, which requires IAM permission, which is auditable and tied to your identity governance.

The diagram, in words

The Associate Cloud Engineer exam illustrates this with a specific scenario. There is a Cloud Run service running as Service Account A. There is VM Instance 1 running as Service Account B. There is VM Instance 2 running as Service Account C.

The firewall rule says: deny traffic from Service Account B to Service Account C.

What happens: VM Instance 1 (running as Service Account B) tries to reach VM Instance 2 (running as Service Account C). The rule blocks it. Cloud Run (running as Service Account A) tries to reach VM Instance 2. The rule does not match (Service Account A is not Service Account B), so the traffic goes through.

That diagram is the canonical illustration of identity-based firewall rules and the exam scenarios are usually variations on it.
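To make the diagram mechanical, here is an added example (not code from the article) that models how VPC firewall rules are evaluated against workload identities. The rule dictionaries use the field names that `gcloud compute firewall-rules list --format=json` returns; the service-account addresses, the allow rule at priority 2000 and the workload names are constructed for the illustration. It applies the documented VPC semantics: the matching rule with the lowest priority number wins, deny beats allow at equal priority, and an implied deny-all-ingress rule at priority 65535 catches anything no explicit rule matched, which is why an allow rule has to exist for the Cloud Run traffic to go through at all.

```python
"""Model of how GCP evaluates identity-based VPC firewall rules (added example).

Constructed illustration of the exam diagram, not code from the article.
Only service-account and tag selectors are modelled; a rule with no source
selector is treated as matching any source, and sourceRanges are ignored.
"""
from dataclasses import dataclass, field

# Constructed service-account identities for the diagram (not real accounts).
SA_A = "cloud-run-a@example-project.iam.gserviceaccount.com"
SA_B = "service-account-b@example-project.iam.gserviceaccount.com"
SA_C = "service-account-c@example-project.iam.gserviceaccount.com"


@dataclass
class Workload:
    name: str
    service_account: str
    tags: set = field(default_factory=set)


# Constructed rule set. The allow rule is needed because without it the implied
# deny would block Cloud Run too; the deny sits at a higher priority (lower
# number) so it still wins for traffic from Service Account B.
RULES = [
    {"name": "deny-b-to-c", "direction": "INGRESS", "priority": 1000,
     "sourceServiceAccounts": [SA_B], "targetServiceAccounts": [SA_C],
     "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-internal-to-c", "direction": "INGRESS", "priority": 2000,
     "sourceServiceAccounts": [SA_A, SA_B], "targetServiceAccounts": [SA_C],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]
IMPLIED_DENY_INGRESS = {"name": "implied-deny-ingress", "direction": "INGRESS",
                        "priority": 65535, "denied": [{"IPProtocol": "all"}]}


def _identity_matches(workload, accounts, tags):
    """A selector matches when the workload runs as a listed service account or
    carries a listed tag; no selector at all means every instance matches."""
    if not accounts and not tags:
        return True
    return (workload.service_account in (accounts or [])
            or bool(workload.tags & set(tags or [])))


def _protocol_matches(spec, protocol, port):
    """Match one allowed/denied entry ({"IPProtocol": ..., "ports": [...]})."""
    if spec["IPProtocol"] == "all":
        return True
    if spec["IPProtocol"] != protocol:
        return False
    ports = spec.get("ports")
    if not ports:
        return True  # protocol named without ports: any port
    for entry in ports:
        low, _, high = entry.partition("-")  # "443" or "8000-8080"
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, src, dst, protocol="tcp", port=443):
    """Return (verdict, rule name) for ingress traffic from src to dst."""
    candidates = [r for r in rules
                  if r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled")]
    candidates.append(IMPLIED_DENY_INGRESS)
    # Lowest number first; at equal priority a deny rule sorts before an allow.
    candidates.sort(key=lambda r: (r["priority"], 0 if "denied" in r else 1))
    for rule in candidates:
        if not _identity_matches(src, rule.get("sourceServiceAccounts"), rule.get("sourceTags")):
            continue
        if not _identity_matches(dst, rule.get("targetServiceAccounts"), rule.get("targetTags")):
            continue
        specs = rule.get("denied") or rule.get("allowed")
        if any(_protocol_matches(s, protocol, port) for s in specs):
            return ("DENY" if "denied" in rule else "ALLOW", rule["name"])
    return ("DENY", IMPLIED_DENY_INGRESS["name"])  # not reached: the implied rule always matches


CLOUD_RUN = Workload("cloud-run-service", SA_A)
VM_1 = Workload("vm-instance-1", SA_B)
VM_2 = Workload("vm-instance-2", SA_C)


def diagram_outcomes():
    """The two flows the exam diagram describes, plus one that no explicit rule covers."""
    return {
        "vm1->vm2": evaluate(RULES, VM_1, VM_2),
        "cloud_run->vm2": evaluate(RULES, CLOUD_RUN, VM_2),
        "vm2->vm1": evaluate(RULES, VM_2, VM_1),
    }


if __name__ == "__main__":
    for flow, (verdict, rule) in diagram_outcomes().items():
        print(f"{flow:16} {verdict:5} (matched {rule})")
```

The third flow, VM Instance 2 back to VM Instance 1, is the one worth noticing: no rule names it, so it lands on the implied deny. Identity-based rules only ever say who may or may not talk; everything not explicitly allowed stays closed.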

Why this matters more than it sounds like

This is one of those topics where the security argument is easy to nod along to without internalizing it. Let me make it concrete.

In a real organization, the people who can spin up VMs (developers, ops engineers, automation) are typically a much larger set than the people who can mint and assign service accounts (a smaller security or platform team). If your network access policy depends on tags, your access boundary is "anyone who can edit a VM", which is a large surface. If your network access policy depends on service accounts, your access boundary is "anyone who can change a VM's service account", which is a much smaller surface.

That is the actual security improvement. It is not magic. It is just that service accounts are governed by IAM, and IAM gets better attention than tag management in most organizations.

How the exam tests this

The Associate Cloud Engineer exam pattern is consistent. A scenario describes a team that wants to control network access between workloads with stronger guarantees than tags provide, often in a "zero trust" or "least privilege" framing. The right answer is identity-based firewall rules using service accounts.

The wrong answer in these scenarios is usually network tags ("but tags are easier"). Tags are easier, but they are less secure, and the exam is specifically asking which is more secure.

The other variant: a scenario asks "why is this access control mechanism considered more secure than tags?" The answer involves the IAM-managed nature of service accounts and the fact that they cannot be reassigned without proper permissions.

If you see "more secure than tags", "zero trust", or "least privilege" together with firewall rules in a question, think identity-based rules keyed on service accounts. If you see plain "tag a group of VMs to apply a rule", that is regular network tags.

Creating the rule

gcloud compute firewall-rules create deny-b-to-c \
  --network=my-vpc \
  --direction=INGRESS \
  --action=DENY \
  --rules=all \
  --source-service-accounts=service-account-b@my-project.iam.gserviceaccount.com \
  --target-service-accounts=service-account-c@my-project.iam.gserviceaccount.com

The source-service-accounts and target-service-accounts flags are what make this rule identity-based. You can mix and match. A rule could use a service account on the source side and a tag on the target side, or vice versa. In practice, going all-in on service accounts gives you the cleanest security story.

One nuance

Identity-based rules apply to traffic from VMs that have the specified service account attached. They do not apply to traffic from outside GCP, since external traffic does not have a GCP service account identity. For external ingress, you still rely on IP ranges or other criteria.

This is why a real security setup usually combines both. Identity-based rules for internal east-west traffic between workloads, and IP-range rules for external north-south traffic.
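The practical follow-up to the gcloud command above and to the east-west/north-south split is knowing which of your existing rules still lean on tags. The following is an added example, not tooling from the article: a small audit over rules in the field shape that `gcloud compute firewall-rules list --format=json` returns. The rule set here is a constructed sample (example-project addresses, made-up rule names); to run it against a real project, pass that command's output to `load_rules()` instead. It examines only enabled ingress allow rules, since those are what widen access, and because external ingress cannot carry a source service account, an internet-facing rule is flagged only when it has no target selector at all.

```python
"""Audit VPC firewall rules for access gated by network tags or bare IP ranges.

Added example, not tooling from the article. Input is a constructed sample in
the shape of `gcloud compute firewall-rules list --format=json`.
"""
import ipaddress
import json

# Constructed sample (not from a real project): one identity-based deny, one
# tag-gated allow, one internet-facing allow scoped to a target service account,
# one internal allow gated only by an RFC 1918 range, and one disabled rule.
SAMPLE_JSON = """[
  {"name": "deny-b-to-c", "direction": "INGRESS", "priority": 1000,
   "sourceServiceAccounts": ["service-account-b@example-project.iam.gserviceaccount.com"],
   "targetServiceAccounts": ["service-account-c@example-project.iam.gserviceaccount.com"],
   "denied": [{"IPProtocol": "all"}]},
  {"name": "allow-db-from-tagged-clients", "direction": "INGRESS", "priority": 1000,
   "sourceTags": ["db-client"], "targetTags": ["db"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
  {"name": "allow-https-from-internet", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "targetServiceAccounts": ["web-sa@example-project.iam.gserviceaccount.com"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "allow-internal-ssh", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "legacy-allow-all", "direction": "INGRESS", "priority": 1000,
   "disabled": true, "sourceTags": ["legacy"], "allowed": [{"IPProtocol": "all"}]}
]"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

GUIDANCE = {
    "tag-gated": "source or target is a network tag that anyone with VM edit rights can "
                 "attach; replace the tag selectors with --source-service-accounts / "
                 "--target-service-accounts.",
    "ip-only-east-west": "internal allow selected only by an RFC 1918 range; add service "
                         "accounts on both sides so IAM governs the boundary.",
    "unscoped-target": "no target selector, so the rule applies to every instance in the "
                       "network; add --target-service-accounts.",
}


def load_rules(text):
    """Parse the JSON list that gcloud emits."""
    return json.loads(text)


def mechanisms(rule):
    """Selector kinds a rule relies on: service_account, tag, ip_range."""
    found = set()
    if rule.get("sourceServiceAccounts") or rule.get("targetServiceAccounts"):
        found.add("service_account")
    if rule.get("sourceTags") or rule.get("targetTags"):
        found.add("tag")
    if rule.get("sourceRanges"):
        found.add("ip_range")
    return found


def internal_sources_only(rule):
    """True when every source range sits inside RFC 1918 space (east-west traffic)."""
    ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
    return bool(ranges) and all(
        any(r.version == p.version and r.subnet_of(p) for p in RFC1918) for r in ranges)


def audit(rules):
    """Map rule name -> finding code for enabled ingress allow rules."""
    findings = {}
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "allowed" not in rule:
            continue  # deny rules narrow access; only allows are audited here
        mech = mechanisms(rule)
        if "tag" in mech:
            findings[rule["name"]] = "tag-gated"
        elif "service_account" not in mech and internal_sources_only(rule):
            findings[rule["name"]] = "ip-only-east-west"
        elif not (rule.get("targetServiceAccounts") or rule.get("targetTags")):
            findings[rule["name"]] = "unscoped-target"
    return findings


if __name__ == "__main__":
    for name, code in audit(load_rules(SAMPLE_JSON)).items():
        print(f"{name}: {GUIDANCE[code]}")
```

On the sample, the identity-based deny and the disabled rule produce nothing, the internet-facing HTTPS rule passes because its target side is pinned to a service account, and the two findings are exactly the rules the article's argument is about: one gated by a tag, one internal allow that trusts an address range instead of an identity.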

The bottom line

Identity-based firewall rules use service accounts instead of network tags to identify which VMs a rule applies to. They are more secure than tags because service accounts are governed by IAM and cannot be reassigned without proper permissions, while tags are just labels that anyone with VM edit access can change.

On the Associate Cloud Engineer exam, identity-based firewall rules are the right answer when a scenario emphasizes stronger security, least privilege, or zero-trust principles for east-west traffic between workloads. Tags are still fine for simpler scenarios where security strength is not the focus.

My Associate Cloud Engineer course covers identity-based firewall rules in the security and networking section alongside the broader Cloud Firewall framework that the exam tests.
