HipLocal is configuring their access controls. What firewall configuration should they implement to meet their security and scalability requirements while adhering to Google-recommended practices?

Key Context for Reference:

• Business Needs: Global expansion, compliance (e.g., GDPR), reduced management overhead.
• Technical Requirements:
  • Usage metrics/monitoring.
  • Strong API authentication/authorization.
  • Enhanced logging with cloud analytics.
  • Serverless architecture for elastic scaling.
  • Secure internal app access.
• Current GCP Setup:
  • APIs on Compute Engine VMs.
  • Single-instance MySQL DB.
  • No logging; basic uptime alerts.

(Note: The question focuses on firewall configuration, but the answer should align with the broader technical and compliance goals.)