The firewall rules open all ports for TCP and UDP communication within the cluster (i.e., within the VPN). Additionally, we add a firewall rule that allows SSH communication with Google's identity-aware proxy (IAP). The IAP uses the IP range 126.96.36.199/20. With this firewall rule, you can connect to any machine within the VPN just by clicking "SSH" next to the VM's menu point in the cloud console. It will also enable us to connect Google’s web preview to the Ray dashboard on the cluster through an IAP tunnel.
Finally, add a CloudNAT to the network (in the same region where your subnetwork is located) to enable the machines to download software from the internet. The overall setup is shown in the figure on the left.