Does Managed Instance Group with Health Check Require External IP?

I have successfully provisioned managed instance groups using terraform. Now I am turning my attention to health checks. I would like to confirm that the VM instances that are part of my MIG will need public IPs in order to accept health checks.

I gather that even under these conditions, I may use firewall rules to only allow traffic from the Google probers as described here: Health checks overview  |  Load Balancing  |  Google Cloud

The application running on these instances otherwise does not need to accept any HTTP requests.

I’m a bit confused because there seems to be some debate as to whether an external IP is required: load balancing - Do I need external IPs for Managed Instance Group instances serving as a GLB back-end? - Server Fault

I have found that VM instances associated with the managed instance group defined below do NOT need public IP addresses assigned to them. The health check “just works”.

module "node-genesis-mig" {
  source            = "terraform-google-modules/vm/google//modules/mig"
  version           = "~> 7.1"
  instance_template = module.mig_template_node_genesis_pipeline.self_link
  region            = var.gcp_region
  target_size       = 1
  # this is used as a prefix for the instance group
  hostname          = "node-genesis"

  health_check = {
    type = "http"
    initial_delay_sec = 120
    check_interval_sec  = 5
    healthy_threshold   = 2
    timeout_sec         = 5
    unhealthy_threshold = 2
    response            = ""
    proxy_header        = "NONE"
    port                = 8080
    request             = ""
    request_path        = "/"
    host                = "localhost"