Score:0

VPC firewall rule between load balancer and vms

I've added some VPC firewall rules to prevent access to my load balancer and allowed only specific IPs. The rules seem to block traffic between the load balancer and the VMs. How can I set up a rule that allows all traffic between the load balancer and the VMs? I've tried with the LB external IP but it doesn't work. Does the load balancer have an internal IP? Where can I find it? The "internal" default rule doesn't work here as well.

Score:1

You cannot use a VPC firewall to block access to the load balancer. When the load balancer connects to your VM, the VPC firewall sees the load balancer's IP address and not the client's IP address. The client's IP address is stored in the HTTP header X-Forwarded-For and VPC firewalls do not process HTTP headers.

You can restrict traffic at the VM instance to only allow traffic from the load balancer and health checks. However, that will not control traffic from the client to the load balancer. Controlling client traffic requires adding Cloud Armor to the HTTP(S) Load Balancer.

The backend instances must allow connections from the load balancer GFE/health check ranges. This means that you must create an ingress allow firewall rule for traffic from 130.211.0.0/22 and 35.191.0.0/16 to your backend instances or endpoints. These IP address ranges are used as sources for health check packets and for all load-balanced packets sent to your backends.

Firewall rules allowing load balancer traffic
