Generally you're best using your cloud service firewalls, as that way traffic you want to reject never makes it to your server. If it makes it to your server it takes up resources to reject, and if you're not fully patched it increases the chance your server is compromised.
I don't know much about Google Cloud, but a search brings up Google Cloud VPC Firewall Rules.
Google Cloud firewall rules let you allow or deny traffic to and from
your virtual machine (VM) instances based on a configuration that you
specify. Enabled Google Cloud firewall rules are always enforced,
protecting your instances regardless of their configuration and
operating system, even if they have not started up.
Every Virtual Private Cloud (VPC) network functions as a distributed
firewall. While firewall rules are defined at the network level,
connections are allowed or denied on a per-instance basis. You can
think of the Google Cloud firewall rules as existing not only between
your instances and other networks, but also between individual
instances within the same network.