diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/landing/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-a-peering/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/landing/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-b-vpn/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml
new file mode 100644
index 00000000..e0d4ab60
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-trusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  trusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
new file mode 100644
index 00000000..7116a78e
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/landing-untrusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  untrusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-c-nva/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-d-separate-envs/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/dev/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml
new file mode 100644
index 00000000..e0d4ab60
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-trusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  trusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
new file mode 100644
index 00000000..7116a78e
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/landing-untrusted/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  untrusted-ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml
new file mode 100644
index 00000000..946f350a
--- /dev/null
+++ b/fast/stages/2-networking-e-nva-bgp/data/firewall-rules/prod/default-ingress.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+
+ingress:
+  ingress-default-deny:
+    description: "Deny and log any unmatched ingress traffic."
+    deny: true
+    priority: 65535
+    enable_logging:
+      include_metadata: false
diff --git a/modules/net-vpc-firewall/main.tf b/modules/net-vpc-firewall/main.tf
index 6675cfa4..f2b9f0b7 100644
--- a/modules/net-vpc-firewall/main.tf
+++ b/modules/net-vpc-firewall/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@ locals {
         for name, rule in ruleset : {
           name                 = name
           deny                 = try(rule.deny, false)
-          rules                = try(rule.rules, [{ protocol = "all" }])
+          rules                = try(rule.rules, [{ protocol = "all", ports = null }])
           description          = try(rule.description, null)
           destination_ranges   = try(rule.destination_ranges, null)
           direction            = upper(direction)
diff --git a/tests/fast/stages/s2_networking_a_peering/stage.yaml b/tests/fast/stages/s2_networking_a_peering/stage.yaml
index 97c31a42..3ee8b990 100644
--- a/tests/fast/stages/s2_networking_a_peering/stage.yaml
+++ b/tests/fast/stages/s2_networking_a_peering/stage.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 28
-  resources: 148
+  modules: 29
+  resources: 151
diff --git a/tests/fast/stages/s2_networking_b_vpn/stage.yaml b/tests/fast/stages/s2_networking_b_vpn/stage.yaml
index d864509a..af6e5cac 100644
--- a/tests/fast/stages/s2_networking_b_vpn/stage.yaml
+++ b/tests/fast/stages/s2_networking_b_vpn/stage.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 30
-  resources: 185
+  modules: 31
+  resources: 188
diff --git a/tests/fast/stages/s2_networking_c_nva/stage.yaml b/tests/fast/stages/s2_networking_c_nva/stage.yaml
index 1067758a..01527c99 100644
--- a/tests/fast/stages/s2_networking_c_nva/stage.yaml
+++ b/tests/fast/stages/s2_networking_c_nva/stage.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 42
-  resources: 195
+  modules: 43
+  resources: 199
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
index e2b6fe64..1c560f76 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
+++ b/tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 21
-  resources: 170
+  modules: 22
+  resources: 172
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
index c4e143d2..dad42420 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,5 +13,5 @@
 # limitations under the License.
 
 counts:
-  modules: 36
-  resources: 206
+  modules: 37
+  resources: 210