Incoming traffic requires an ingress rule.
Why this answer
Exam trap
Google Cloud often tests the misconception that a public IP address is required for internet traffic, but in Google Cloud, traffic can reach instances via Cloud NAT or load balancers without a public IP, and the firewall rule only needs to allow the traffic, not require the instance to have a public IP.