Troubleshooting dropped network traffic
Compute Engine only allows network traffic to reach your instance if it is explicitly permitted by your project's firewall rules. By default, all projects automatically come with a default network that allows certain kinds of connections. If you deny all traffic, by default, that also denies SSH connections and all internal traffic. For more information, see the Firewall rules page.
In addition, you may need to adjust TCP keep-alive settings to work around the default idle connection timeout of 10 minutes. For more information, see Communicating between your instances and the internet.
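The following added example (not part of the original page) checks whether a VM's kernel keep-alive timer sends its first probe before the 10-minute idle timeout. It assumes a Linux guest, where the setting is `tcp_keepalive_time` and defaults to 7200 seconds; the function names and the sample value 60 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes a Linux guest, where the kernel keep-alive timer is
# exposed as /proc/sys/net/ipv4/tcp_keepalive_time.

IDLE_TIMEOUT=600  # seconds; the 10-minute idle connection timeout cited above

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# keepalive_verdict TIME
# TIME is the idle time in seconds before the first probe. Prints:
#   ok        the first probe is sent before the idle timeout
#   too-late  the connection can be dropped before any probe is sent
#   invalid   TIME is not a positive integer
keepalive_verdict() {
    if ! is_uint "$1" || [ "$1" -eq 0 ]; then
        echo invalid
    elif [ "$1" -lt "$IDLE_TIMEOUT" ]; then
        echo ok
    else
        echo too-late
    fi
}

# read_sysctl NAME: print the live value, or nothing if it cannot be read.
read_sysctl() {
    f=/proc/sys/net/ipv4/$1
    if [ -r "$f" ]; then cat "$f"; fi
}

# report: check the running kernel and print a hint when the timer is too long.
report() {
    t=$(read_sysctl tcp_keepalive_time)
    v=$(keepalive_verdict "$t")
    echo "tcp_keepalive_time=${t:-unreadable} verdict=$v"
    if [ "$v" != ok ]; then
        # 60 is a constructed sample value; any value below IDLE_TIMEOUT works.
        echo "fix: sudo sysctl -w net.ipv4.tcp_keepalive_time=60"
    fi
    return 0
}

report
```

The kernel timer only affects sockets that have `SO_KEEPALIVE` enabled, so an application that never sets that option is still subject to the idle timeout.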
Troubleshooting firewall rules or routes on an instance
The Google Cloud Console provides network details for each network interface of an instance. You can view all of the firewall rules or routes that apply to an interface, or you can view just the rules and routes that the interface uses. Either view can help you troubleshoot which firewall rules and routes apply to the instance and which ones are actually being used (where priority and processing order override other rules or routes).
For more information, see the troubleshooting information in the Virtual Private Cloud documentation.
Troubleshooting protocol forwarding for private forwarding rules
Protocol forwarding for private forwarding rules is a regional product. All clients and target instance VMs must be in the same region.
Error message: "An internal target instance can only be the target of one forwarding rule"
If you see the error message "An internal target instance can only be the target of one forwarding rule", you might be trying to configure two forwarding rules pointing to the same target instance. You cannot point multiple forwarding rules to the same target instance.