You have a VPC network with several Compute Engine instances. You want to allow incoming HTTP (port 80) traffic ONLY to specific instances acting as web servers, while blocking it for database instances in the same subnet.

Which TWO steps should you take to implement this using GCP Firewall Rules? (Select TWO)

Create a new subnet specifically for the web servers.

Add a specific network tag (e.g., 'web-server') to the web server instances.

Create an ingress firewall rule allowing port 80 and set the 'Target tags' to the tag used on the web servers.

Configure the guest OS firewall (e.g., iptables) on the database instances to block port 80.

Create an egress firewall rule blocking port 80 from the database instances.