Description
When adjusting the firewall configuration on a GCE instance today, I was confused that I could toggle my new firewall rule and see the changes immediately affect my ability to telnet to the http server, but my browser continued to work fine, regardless of the firewall setting.
What I realized (too slowly) was happening was that once the keep-alive connection was open, the firewall permitted it forever, as designed and documented.
It would be nice if the google.golang.org/cloud/compute/metadata package or similar could listen for metadata changes (the GCE metadata service supports long polling on changes) to see when the firewall or tags change, and then call Server.SetKeepAlivesEnabled(false) to drop existing connections and force them to (try to) reconnect.
Currently Server.SetKeepAlivesEnabled only affects future connections and not active idle ones.
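As an added example (not code from this issue or from net/http), the following shows both halves of the problem described above: a keep-alive connection that the client keeps reusing, and a server-side hook that drops idle connections on demand so the client is forced to reconnect, which is where a check against the new firewall rule or tags would bite. It deliberately does not rely on SetKeepAlivesEnabled, whose effect on idle connections changed in later Go releases; instead it tracks connections through the Server.ConnState callback, which exists in every Go release since 1.3. The `connTracker` type, its `CloseIdle` method and `RunDemo` are hypothetical names introduced here; the server listens on a loopback port chosen by the kernel and the third request's `Reused` flag from httptrace shows whether a new dial was needed.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptrace"
	"sync"
	"time"
)

// connTracker is wired into http.Server.ConnState so the server can drop its own
// idle keep-alive connections when something external (firewall rule, tags) changes.
// This is an illustration added here, not part of net/http.
type connTracker struct {
	mu    sync.Mutex
	conns map[net.Conn]http.ConnState
}

func newConnTracker() *connTracker {
	return &connTracker{conns: make(map[net.Conn]http.ConnState)}
}

// hook records every state change the server reports for a connection.
func (t *connTracker) hook(c net.Conn, s http.ConnState) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if s == http.StateClosed || s == http.StateHijacked {
		delete(t.conns, c)
		return
	}
	t.conns[c] = s
}

// waitIdle polls until some tracked connection is idle, or gives up after timeout.
func (t *connTracker) waitIdle(timeout time.Duration) bool {
	for deadline := time.Now().Add(timeout); time.Now().Before(deadline); time.Sleep(time.Millisecond) {
		t.mu.Lock()
		for _, s := range t.conns {
			if s == http.StateIdle {
				t.mu.Unlock()
				return true
			}
		}
		t.mu.Unlock()
	}
	return false
}

// CloseIdle closes every connection that is idle between keep-alive requests and
// returns how many it closed. Connections in the middle of a request are left
// alone; they become idle after their response and are caught by a later call.
func (t *connTracker) CloseIdle() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	n := 0
	for c, s := range t.conns {
		if s == http.StateIdle {
			c.Close() // the server goroutine sees the read error and reports StateClosed
			delete(t.conns, c)
			n++
		}
	}
	return n
}

// doRequest performs one GET and reports whether the Transport reused an existing
// keep-alive connection (httptrace.GotConnInfo.Reused; last attempt wins on retry).
func doRequest(ctx context.Context, client *http.Client, url string) (reused bool, err error) {
	trace := &httptrace.ClientTrace{
		GotConn: func(info httptrace.GotConnInfo) { reused = info.Reused },
	}
	req, err := http.NewRequestWithContext(httptrace.WithClientTrace(ctx, trace), http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body) // drain so the Transport returns the conn to its pool
	return reused, err
}

// RunDemo serves a trivial handler on the loopback interface and issues three GETs
// from one client. It returns whether the second and third requests reused a
// connection: the second should (keep-alive), the third should not, because
// CloseIdle dropped the idle connection in between and the client had to dial again.
func RunDemo() (second, third bool, err error) {
	tracker := newConnTracker()
	srv := &http.Server{
		Handler:   http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "ok\n") }),
		ConnState: tracker.hook,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, false, err
	}
	go srv.Serve(ln)
	defer srv.Close()

	client := &http.Client{Transport: &http.Transport{}}
	defer client.CloseIdleConnections()
	url := "http://" + ln.Addr().String() + "/"
	ctx := context.Background()

	if _, err = doRequest(ctx, client, url); err != nil {
		return false, false, err
	}
	if second, err = doRequest(ctx, client, url); err != nil {
		return false, false, err
	}
	// The client sees the response slightly before the server marks the conn idle.
	if !tracker.waitIdle(2 * time.Second) {
		return second, false, fmt.Errorf("server never reported an idle connection")
	}
	if n := tracker.CloseIdle(); n != 1 {
		return second, false, fmt.Errorf("closed %d idle connections, want 1", n)
	}
	third, err = doRequest(ctx, client, url)
	return second, third, err
}
```

In a real deployment the call to `CloseIdle` would sit in the metadata long-poll loop the issue asks for: when the firewall or tag value changes, close the idle connections and let each client's next request re-establish a TCP session that the firewall can now evaluate. Requests in flight are not interrupted; they are dropped on the next pass once their connection goes idle.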