A likely use case for a similar rule is restricting SSH access to anyone on your corporate network or your VPN. This works identically to our example below, but instead of a single IP address, you'd add one or more subnets. In the case of a VPN, you'd also have to make sure the client is installed on the instance; our template instance doesn't have a VPN client on it, but yours easily could.
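An added sketch, separate from the page's own example and not tied to any particular cloud or firewall product, of sanity-checking source ranges before they go into such an SSH rule. A single IP is just the /32 case; entries that would open the rule wider than a corporate or VPN range should are refused. The subnets, prefix limits and function names are constructed for illustration.

```python
import ipaddress

# Assumption: widest prefix accepted per IP version; tune to your own address plan.
MIN_PREFIX = {4: 16, 6: 48}

def parse_sources(cidrs, min_prefix=MIN_PREFIX):
    """Validate source ranges for an SSH allow rule and return merged networks."""
    networks = []
    for text in cidrs:
        # strict=True rejects host bits (10.20.1.5/16): a typo that some tools
        # refuse and others quietly treat as the whole subnet.
        net = ipaddress.ip_network(text, strict=True)
        if net.prefixlen < min_prefix[net.version]:
            raise ValueError(f"{text}: wider than /{min_prefix[net.version]}")
        networks.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any permitted source network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample values: private and documentation ranges only.
    sources = ["10.20.0.0/16", "10.20.5.0/24", "192.168.50.0/24", "203.0.113.7"]
    allowed = parse_sources(sources)
    print("rule sources:", [str(n) for n in allowed])
    for ip in ("10.20.5.9", "198.51.100.4"):
        print(ip, "->", "allow" if is_allowed(ip, allowed) else "deny")
```

The merged list drops the redundant `10.20.5.0/24`, which is already covered by the /16, so the rule carries only the ranges that actually widen access.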