GCP network tags can be applied to VMs (and maybe GKE node_pools). Then firewall rules can target those resources. They have just a name, not a value.
tags, on the other hand, are more like labels, in that they have key names and values. E.g. [environment=production]
The official docs describe the difference between tags and labels.
Tags provides a way to conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of policies for fine-grained control across your resource hierarchy
But there is no specific mention of firewall rules.
If I apply a tag to resources, can I write a firewall rule to target those resources (assuming they are targetable network destinations)
With GKE from version 1.23.5-gke.150, clusters can have tags applied. Do these work as network_tags?
It's confusing, but Tag, Network_Tags and Labels are 3 different things. They work separately from each other.
Labels are pretty straight forward. They are a metadata key/value that can be assigned to pretty much any resources in Google Cloud. You CANNOT use them to enforce policies. They are useful for organizing resources and identifying what belongs to who (which resources belongs to which individual,team, business unit...). The most common use of labels is billing, when you export billing data, labels are exported as well and they can be used to figure out who consumed what for charge-back purposes.
Network_Tags are used with VM's for two main reasons. A) Enforce firewall rules and B) Routing. They are NOT a key/value but rather a string of characters that you can assign to a VM and create firewall rules based on those values. They make firewall and routing management easier.
Tag are different, they are a resource per-se. As in you can create/delete/update them, you can also assign IAM roles to allow people to manage tags. Their primary use is finegrain IAM controls, you can create a key/value tag, assign it to resources that support tagging and use IAM with conditions to implement complex IAM rules. Here is an example
I hope this clarifies it.