Configuration to make Compute Engine forward incoming Requests to Localhost

Hi,
this might be a very basic question, but I am pretty new to GCP and I am really struggling to find clear information on this. And I would like to avoid losing more time on this.
I have a vault, deployed to a compute engine with a debian-12 image and auto-unseal through KMS.
The CE has a public IP and a firewall rule for port 8200, to allow incoming traffic.
When I ssh into my CE, I can see that the vault is running on 127.0.0.1:8200. I can do curls to my localhost and get responses. Auto-unseal seems to work as well.
But when I want to access it through my public IP, I get connection refused.
I did a tcpdump in the VM, and can see that traffic via port 8200 is reaching the VM. So I wouldn't expect any firewall setup to be wrong here.

So the question: Do I really need to explicitly configure the VM to move incoming traffic to localhost? Shouldn't that be default behaviour, since this is the behaviour you want most of the time?
I already tried opening port 8200 in the VM, and also added corresponding forward rules with iptables. But all that led to was that I get a network timeout after a minute of nothing happening.
So maybe I have a conceptual misunderstanding here, or am missing something in general.
If anyone could clarify for me the intended behaviour and maybe a few steps, what's left that I could try to have my vault somehow accessible from the outside, that'd be really great.

Thanks in advance.
R

1 ACCEPTED SOLUTION

I figured it out.
Obviously you have to use 0.0.0.0:8200 for hosting the vault inside of the VM, instead of 127.0.0.1:8200. Even though I didn't find this documented anywhere and I am a bit confused why that is, it works now.
So sorry for the unnecessary thread 🙂
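
Why the fix works: packets sent to the public IP arrive on the VM's network interface, and a socket bound to 127.0.0.1 only accepts connections addressed to loopback, so the kernel refuses them. The sketch below is an added example, not part of the original post; it classifies the listeners in `ss -ltn` output by bind scope, using constructed sample output in which the internal address 10.128.0.5 and port 9100 are made up for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not taken from the thread); the
# 10.128.0.5 internal address and port 9100 are made up for illustration.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096       127.0.0.1:8200      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      4096      10.128.0.5:9100      0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (bind_address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        host, _, port = fields[3].rpartition(":")
        # Drop the %iface scope and the IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        yield host, int(port)

def scope(host):
    """Classify a bind address by which destination addresses it accepts."""
    if host == "*":  # dual-stack wildcard as printed by ss
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"

def externally_reachable(ss_output, port):
    """True if any listener on `port` accepts non-loopback destinations."""
    return any(scope(host) != "loopback-only"
               for host, p in parse_listeners(ss_output) if p == port)

if __name__ == "__main__":
    for host, port in parse_listeners(SAMPLE_SS):
        print(f"{host}:{port} -> {scope(host)}")
    print("8200 reachable from the network:", externally_reachable(SAMPLE_SS, 8200))
```

Binding to 0.0.0.0 listens on every interface of the VM, so the firewall rule's source range and Vault's listener TLS settings become the controls that limit who can reach port 8200.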
