I need some clarification on an "implied allow egress rule" that is documented here https://cloud.google.com/firewall/docs/firewalls#default_firewall_rules
This egress rule states it allows "any instance send traffic to any destination". Given that Google Cloud firewall is stateful, does that also mean that the appropriate inbound should be allowed as well ? This clearly does not work this way and I am trying to understand what the purpose of this rule actually is.
When a connection is established successfully between source & destination, it sends the traffic(request) through the established connection and will receive the response from the same and this is termed as Stateful firewall but here Implied egress rule allows any instance to send traffic to any destination but it does not allow inbound traffic as per stateful firewall because there is another rule called implied deny ingress rule which does not allow inbound traffic. These implied rules are applicable by default and the main purpose of this rule is to segregate the inbound and outbound traffic. Inbound traffic must be explicitly allowed by separate firewall rules.
These defaults should not be considered appropriate or secure for sensitive environments. As John Hanley suggested, understanding what these defaults are is important when trying to level set the desired security posture you’re trying to achieve to align with technical requirements.