Thanks for your reply, Carlos.
The use case is to allow mobile team members to have a script or app on their laptops that would authenticate to some service on the instance, which will open a firewall port for their current IP exclusively, so a VPN can be established.
Previously I did this with iptables, but the advantage of the GCE firewall is it can be maintained from the Cloud Console, so there's less risk of locking oneself out.