Trouble restricting access to app engine flexible service using VPC


Taro Naoi

Dec 30, 2018, 10:52:33 AM
to Google App Engine
I am trying to restrict access to a specific App Engine Flex service in a project with multiple services using VPC firewall rules. I created a VPC network called "vpc" using automatic subnet creation and global dynamic routing. Next, I deployed my App with the following yaml file (names slightly changed):
runtime: custom
env: flex
service: someservice
manual_scaling:
    instances: 1
resources:
    cpu: 1
    memory_gb: 4.0
    disk_size_gb: 10
network:
    name: vpc

As you can see, I specified a network in the yaml file to run the app in vpc. Then, I created two firewall rules in VPC to allow access to only specific IPs. I first created a firewall rule called "deny" to deny access to the vpc network for all IP ranges:

gcloud compute firewall-rules create deny \
    --network vpc \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 5000

Finally, I created another rule named "allow" to allow a single IP address (e.g. 192.00.00.11):

gcloud compute firewall-rules create allow \
    --network vpc \
    --action allow \
    --direction ingress \
    --rules tcp \
    --source-ranges 192.00.00.11 \
    --priority 1000

However, after performing the above I am still able to access the App Engine service from pretty much any IP I tested (I used my phone's data and also asked friends for a sanity check). What am I doing wrong? Any help is greatly appreciated!
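As an added illustration (not code from the thread), the following script models how Google Cloud VPC firewall rules are evaluated for an ingress connection: the matching rule with the lowest priority number wins, a deny rule beats an allow rule of equal priority, and a packet that matches no rule falls through to the implied deny-ingress rule. It re-creates the two rules from the question as constructed data, with the documentation address 192.0.2.11 standing in for the single IP to be allowed, and parses the same `--rules` syntax the `gcloud` commands use. It models only the rule evaluation itself; App Engine also has its own firewall (`gcloud app firewall-rules`), which is the documented mechanism for restricting inbound requests to an App Engine service, and that is outside what this example covers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def parse_rules(spec):
    """Parse a --rules value such as 'tcp', 'tcp:443' or 'tcp:80-90,udp:53'
    into (protocol, (low, high) or None) pairs; None means every port."""
    parsed = []
    for item in spec.split(","):
        proto, _, ports = item.strip().partition(":")
        if not ports:
            parsed.append((proto, None))
        else:
            low, _, high = ports.partition("-")
            parsed.append((proto, (int(low), int(high or low))))
    return parsed


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str           # "allow" or "deny"
    priority: int         # 0-65535; a lower number takes precedence
    rules: str            # same syntax as gcloud's --rules flag
    source_ranges: tuple  # CIDR strings, as given to --source-ranges

    def matches(self, proto, src_ip, port):
        """True if this rule applies to the given protocol, source and port."""
        src = ip_address(src_ip)
        if not any(src in ip_network(r, strict=False) for r in self.source_ranges):
            return False
        for rule_proto, port_range in parse_rules(self.rules):
            if rule_proto != proto:
                continue
            if port_range is None or port_range[0] <= port <= port_range[1]:
                return True
        return False


def evaluate_ingress(rules, proto, src_ip, port):
    """Return (action, rule_name) for an ingress packet.

    The matching rule with the lowest priority number wins; at equal priority
    deny beats allow; with no match the implied deny-ingress rule applies.
    """
    candidates = [r for r in rules if r.matches(proto, src_ip, port)]
    if not candidates:
        return "deny", "implied-deny-ingress"
    winner = min(candidates,
                 key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


# Constructed rule set mirroring the two rules in the question; 192.0.2.11 is
# a documentation address standing in for the single IP to be allowed.
THREAD_RULES = (
    FirewallRule("deny", "deny", 5000, "tcp", ("0.0.0.0/0",)),
    FirewallRule("allow", "allow", 1000, "tcp", ("192.0.2.11/32",)),
)

if __name__ == "__main__":
    for src in ("192.0.2.11", "198.51.100.7"):
        print(src, "->", evaluate_ingress(THREAD_RULES, "tcp", src, 443))
```

Run as written, the allowed address resolves to the priority-1000 allow rule and any other address to the priority-5000 deny rule, which is the behaviour the rule set in the question intends; a UDP packet matches neither rule and is handled by the implied deny.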

Jorge A (Google Cloud Support)

Jan 4, 2019, 12:43:52 PM
to Google App Engine
Looking through the creation of the firewall rules [1], I can see that there's no port after tcp, which you should specify. Please take a look at the documentation and the flags that you've used when creating the rules to compare the syntax; also, each flag should be followed by "=" and the value for that flag.