In brief, yes: Google firewalls GCP instances using the Virtual Private Cloud (VPC) default firewall rules.
By default, the only externally originating traffic these rules allow is SSH to port 22, RDP to port 3389, and ICMP (ping).
In particular, if you're running a web server, you're going to need to add a VPC firewall rule that allows inbound traffic on port 80 (for HTTP) and 443 (for HTTPS).
Note that this firewall is within the network between the web and your Google Compute Engine (GCE) instance; it's not software running on your GCE instance.
It would most likely be prudent to set up a firewall like UFW on your GCE instance itself.
One reason for this is containment; if you start running two GCE instances on the same VPC, Google will freely allow traffic between them. This means if one of those instances is compromised, there would be no firewall between it and all of your other instances.
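
The two layers described above, as an added example that is not part of the original answer: a VPC rule opening ports 80 and 443, and a default-deny UFW policy on the instance. The rule name `allow-web`, the `default` network and the `web-server` tag are assumptions; with no argument the script only prints the commands.

```shell
#!/bin/sh
# Added example: VPC rule for web traffic plus a host firewall on the instance.
# RULE_NAME, NETWORK and TARGET_TAG are assumed names; adjust for your project.
RULE_NAME="allow-web"
NETWORK="default"
TARGET_TAG="web-server"
DRY_RUN=1   # 1 = print the commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Run from a workstation with gcloud: opens 80/443 at the VPC layer,
# only for instances carrying TARGET_TAG rather than the whole network.
vpc_allow_web() {
  run gcloud compute firewall-rules create "$RULE_NAME" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:80,tcp:443 --source-ranges=0.0.0.0/0 \
    --target-tags="$TARGET_TAG"
}

# Run on the instance itself as root: default-deny inbound, so other
# instances in the same VPC reach only the ports listed here.
host_firewall() {
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 22/tcp      # allow SSH before enabling, or the session is cut off
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  run ufw --force enable    # --force skips the interactive confirmation
}

case "${1:-}" in
  vpc)  DRY_RUN=0; vpc_allow_web ;;
  host) DRY_RUN=0; host_firewall ;;
  *)    vpc_allow_web; host_firewall ;;   # no argument: print the plan only
esac
```

Run it with `vpc` where gcloud is authenticated and with `host` on the instance; the instance must carry the `web-server` network tag for the VPC rule to apply to it.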