There was an accident in the Juju QA GCE account where many firewalls were indiscriminately deleted from the default network. ALL new juju deployments failed!
Juju bootstrap failed because the client could not ssh into the new machine. I cloud see firewall rules that permitted the api ports, but not 22. I created a universal firewall rule to permit 22. This permitted juju to bootstrap, and it believed all app were operational.
But tests the checked external availability of apps, such as wikimeda failed because its web ports were not opened. The charm does open ports and expose the app. I added a universal firewall rule for 80 and 443 to fix the test.
I expect juju to op 22 to all the machines it manages, and open-port to create firewall rules. I really do not know what rules were in place to have allows juju 1x and 2.x to create. I never created a firewall rules so I believe GCE had default rules in place that Juju takes for granted.
This bug has not been updated in 5 years, so we're marking it Expired. If you believe this is incorrect, please update the status.