Istio port open in GCP private GKE cluster

I have a question about the service mesh (Istio). If the pods and services of the GKE cluster are created by specifying a separate secondary IP range within the private subnet, and a specific Istio port is opened for internal communication between the private clusters, then in the case of GCP, can only the secondary IP range be added to the firewall tag? In case of a global cluster failure, as the node repeatedly gets deleted and recreated automatically, the node itself is assigned a dynamic IP rather than a fixed IP, and in the case of GCP the firewall tag is designated by a specific node or VM name. I am curious how to handle this case and would like to ask for your advice. I would be grateful if any of you have related experience.
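One way to express the rule the question is asking about, as an added example that is not part of the original post or of any Istio or GKE documentation: the firewall's source is the peer clusters' secondary (pod) ranges, and its target is the network tag that GKE attaches to every node in a cluster (`gke-<cluster>-<hash>-node`), which stays the same when nodes are deleted and recreated, so no node IP or VM name ever appears in the rule. The cluster names, hashes, CIDRs, VPC name and port 15017 (Istio's default webhook port) below are constructed placeholders; the `gcloud` command is composed and printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (labelled):
#  - GKE gives every node in a cluster the network tag gke-<cluster>-<hash>-node,
#    which survives node deletion/recreation, so rules target tags, not node IPs.
#  - Pod-to-pod traffic carries pod IPs from the secondary range, so the rule's
#    source is the peer cluster's secondary (pod) CIDR, not node addresses.
#  - Port 15017 (Istio's default webhook port), the VPC name, cluster names and
#    hashes used below are placeholders; use the ports your mesh actually needs.
set -eu

# is_cidr A.B.C.D/N -> 0 when the string is a well-formed IPv4 CIDR, 1 otherwise.
is_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; pfx=${1#*/}
  case $pfx in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# all_cidrs_ok "cidr1,cidr2,..." -> 0 when every comma-separated entry is a CIDR.
all_cidrs_ok() {
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  [ $# -ge 1 ] || return 1
  for c in "$@"; do is_cidr "$c" || return 1; done
  return 0
}

# build_fw_rule NAME NETWORK SOURCE_CIDRS TARGET_TAGS RULES
# Prints the gcloud command that creates an ingress ALLOW rule from the given
# secondary (pod) ranges to the nodes carrying the given network tags.
# It prints instead of executing so the rule can be reviewed first, and it
# refuses malformed source ranges (a typo here would silently open nothing or
# the wrong range).
build_fw_rule() {
  all_cidrs_ok "$3" || { echo "build_fw_rule: bad source range list: $3" >&2; return 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s\n' \
    "$1" "$2" "$5" "$3" "$4"
}

# Example invocation (constructed names; pipe the output to sh only after review):
#   build_fw_rule istio-mesh-cross-cluster my-vpc 10.8.0.0/14,10.12.0.0/14 \
#     gke-cluster-a-1a2b3c4d-node,gke-cluster-b-5e6f7a8b-node tcp:15017
# To read a cluster's node tag from its current nodes (requires gcloud and credentials):
#   gcloud compute instances list --filter="name~^gke-cluster-a" --format="value(tags.items)" | sort -u
```

Because the target is the tag rather than an address, the rule keeps matching the replacement nodes that GKE creates during auto-repair or an upgrade; what you do need to keep in sync is the list of secondary ranges when a new cluster joins the mesh.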