Google cloud firewall policy not working?
Trying to create an ingress firewall rule by geolocation in a Google Cloud firewall policy and finding that it does not work?
The cause is that, by default, the Cloud firewall policy is enforced after the VPC firewall, and anything the VPC firewall allows gets through and bypasses any further checks. That means that if you allowed HTTPS and HTTP traffic when creating the VPC, your VPC firewall has default rules that allow port 443 and port 80 traffic, and once those connections are allowed they never reach the firewall policy rules.
Use this to enforce the firewall policy before the VPC firewall (note that a firewall policy rule can have the action "go to next" in addition to "allow"; "go to next" lets the traffic pass on to the next level of checks):
gcloud compute networks update default \
    --network-firewall-policy-enforcement-order BEFORE_CLASSIC_FIREWALL
(Here "default" is the name of the VPC network, not a keyword.)
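To find networks that are still in this bypass state before changing the order, here is an added audit script (my example, not part of the original post or of Google's tooling). It takes the JSON that `gcloud compute networks describe --format=json` and `gcloud compute firewall-rules list --format=json` produce, using the Compute Engine field names `networkFirewallPolicyEnforcementOrder`, `direction`, `sourceRanges`, `allowed` and `disabled`; the sample records below are constructed to mirror the situation described above.

```python
# Added audit example: flag VPC networks whose network firewall policy still
# runs AFTER the classic VPC firewall rules and that carry a classic ingress
# allow rule open to the whole internet. Traffic matched by such a rule is
# admitted before the policy's geolocation rules are ever evaluated.
import ipaddress

def is_world_open(rule):
    """True for an enabled classic INGRESS allow rule whose source is 0.0.0.0/0 or ::/0."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not rule.get("allowed"):          # deny rules cannot cause the bypass
        return False
    return any(ipaddress.ip_network(cidr, strict=False).prefixlen == 0
               for cidr in rule.get("sourceRanges", []))

def find_policy_bypass(networks, firewall_rules):
    """Return {network_name: [rule names]} for networks where classic rules bypass the policy."""
    findings = {}
    for net in networks:
        order = net.get("networkFirewallPolicyEnforcementOrder", "AFTER_CLASSIC_FIREWALL")
        if order != "AFTER_CLASSIC_FIREWALL":
            continue
        # rule["network"] is a resource URL ending in /networks/<name>
        rules = [r["name"] for r in firewall_rules
                 if r.get("network", "").rsplit("/", 1)[-1] == net["name"] and is_world_open(r)]
        if rules:
            findings[net["name"]] = rules
    return findings

def remediation_command(network_name):
    """The gcloud command from the post, for the affected network."""
    return (f"gcloud compute networks update {network_name} "
            "--network-firewall-policy-enforcement-order BEFORE_CLASSIC_FIREWALL")

# Constructed sample data: "default" was created with HTTP/HTTPS allowed and
# still uses the default enforcement order; "hardened" has been switched.
SAMPLE_NETWORKS = [
    {"name": "default", "networkFirewallPolicyEnforcementOrder": "AFTER_CLASSIC_FIREWALL"},
    {"name": "hardened", "networkFirewallPolicyEnforcementOrder": "BEFORE_CLASSIC_FIREWALL"},
]
SAMPLE_RULES = [
    {"name": "default-allow-http", "network": "projects/p/global/networks/default",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-https", "network": "projects/p/global/networks/default",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "default-allow-internal", "network": "projects/p/global/networks/default",
     "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "web", "network": "projects/p/global/networks/hardened",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    for net_name, rules in find_policy_bypass(SAMPLE_NETWORKS, SAMPLE_RULES).items():
        print(f"{net_name}: classic rules {rules} are evaluated before the firewall policy")
        print("  fix: " + remediation_command(net_name))
```

Only networks still on `AFTER_CLASSIC_FIREWALL` are reported; the internal-range rule is ignored because it is not open to the world.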
PS. Google Cloud is really not for beginners; you will have to navigate through their enormously long documents to find answers, and the Google Cloud Gemini assistant gives misleading answers (it says a higher enforcement order means running first, which cost me two days; in fact, enforcement order "1" means first, and "2" means after "1"), and if you're under a DDoS attack, your bill will balloon (to prevent this, I had to follow another enormously long document to hand-make a service to monitor the bill and cut off if it is exceeded, without knowing if it really works; Google could have just given us an allowance in the billing settings).