Google Cloud creates a default VPC. The instance that you created is located in that VPC. You can create a new VPC but you cannot move that instance to the new VPC. You would need to create an image of the instance and then launch a new instance in the new VPC. However, why do you think that you need to create a new VPC? Answer you don't. Use the existing VPC unless you have specific technical reasons.
For your question about the external IP. You will need to move the external IP address to the new instance manually. Note: If the type of external IP address is ephemeral then you cannot manage this address. You must change the address to static which assign this address to your project.
Your question just have firewall rules to access the instances?. Firewall rules do not provide access to an instance in the same manner as an IP address. Firewall rules provide protocol and port access thru the firewall. You will still need an external IP address to access the instance from the public Internet.
Firewall rules are easy to setup and specify. I suggest that you read the documentation on firewall rules so that you understand what you are doing. Here is link.
Setting up a VPN is a good option that I recommend. This is another item where you need to know what you are doing. To make the process simpler, use a marketplace image with a VPN already setup. I recommend OpenVPN. That link will launch the OpenVPN page in Google Marketplace.