I've been searching on google and keep getting referred to the VPC documentation https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity but I don't think this will solve my problem. I'm trying to limit the IP address accessing my webhook function on GCP and I need to use API gateway (Apigee isn't an option at the moment for me). Any advice would be great!
If API Gateway isn't requirement, I propose you this solution:
internal_and_cloud_load_balancing to allow only traffic from your VPCs and the load balancers