- NAME
-
- gcloud compute firewall-policies rules create - creates a Compute Engine firewall policy rule
- SYNOPSIS
-
-
gcloud compute firewall-policies rules createPRIORITY--action=ACTION--firewall-policy=FIREWALL_POLICY[--description=DESCRIPTION] [--dest-address-groups=[DEST_ADDRESS_GROUPS,…]] [--dest-fqdns=[DEST_FQDNS,…]] [--dest-ip-ranges=[DEST_IP_RANGE,…]] [--dest-region-codes=[DEST_REGION_CODES,…]] [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]] [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging] [--layer4-configs=[LAYER4_CONFIG,…]] [--organization=ORGANIZATION] [--security-profile-group=SECURITY_PROFILE_GROUP] [--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]] [--src-fqdns=[SOURCE_FQDNS,…]] [--src-ip-ranges=[SRC_IP_RANGE,…]] [--src-region-codes=[SOURCE_REGION_CODES,…]] [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]] [--target-resources=[TARGET_RESOURCES,…]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]] [--[no-]tls-inspect] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
gcloud compute firewall-policies rules createis used to create organization firewall policy rules. - EXAMPLES
-
To create a rule with priority ``10" in an organization firewall policy with ID
``123456789", run:
gcloud compute firewall-policies rules create 10 --firewall-policy=123456789 --action=allow --description=example-rule - POSITIONAL ARGUMENTS
-
PRIORITY- Priority of the firewall policy rule to create.
- REQUIRED FLAGS
-
--action=ACTION-
Action to take if the request matches the match condition.
ACTIONmust be one of:allow,deny,goto_next,apply_security_profile_group. --firewall-policy=FIREWALL_POLICY- Short name of the firewall policy into which the rule should be inserted.
- OPTIONAL FLAGS
-
--description=DESCRIPTION- An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,…]- Destination address groups to match for this rule. Can only be specified if DIRECTION is egress.
--dest-fqdns=[DEST_FQDNS,…]-
Destination FQDNs to match for this rule. Can only be specified if DIRECTION is
egress. --dest-ip-ranges=[DEST_IP_RANGE,…]- Destination IP ranges to match for this rule.
--dest-region-codes=[DEST_REGION_CODES,…]-
Destination Region Code to match for this rule. Can only be specified if
DIRECTION is
egress. --dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]-
Destination Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is
egress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. --direction=DIRECTION-
Direction of the traffic the rule is applied. The default is to apply on
incoming traffic.
DIRECTIONmust be one of:INGRESS,EGRESS. --[no-]disabled-
Use this flag to disable the rule. Disabled rules will not affect traffic. Use
--disabledto enable and--no-disabledto disable. --[no-]enable-logging-
Use this flag to enable logging of connections that allowed or denied by this
rule. Use
--enable-loggingto enable and--no-enable-loggingto disable. --layer4-configs=[LAYER4_CONFIG,…]- A list of destination protocols and ports to which the firewall rule will apply.
--organization=ORGANIZATION- Organization which the organization firewall policy belongs to. Must be set if FIREWALL_POLICY is short name.
--security-profile-group=SECURITY_PROFILE_GROUP- An org-based security profile group to be used with apply_security_profile_group action. Allowed formats are: a) http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile> b) (//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile> c) <profile>. In case "c" gCloud CLI will create a reference matching format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In order to set this property, please run the command gcloud config set api_endpoint_overrides/networksecurity https://<namespace>/.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]- Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,…]-
Source FQDNs to match for this rule. Can only be specified if DIRECTION is
ingress. --src-ip-ranges=[SRC_IP_RANGE,…]- Source IP ranges to match for this rule.
--src-region-codes=[SOURCE_REGION_CODES,…]-
Source Region Code to match for this rule. Can only be specified if DIRECTION is
ingress. --src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]-
Source Threat Intelligence lists to match for this rule. Can only be specified
if DIRECTION is
ingress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. --target-resources=[TARGET_RESOURCES,…]- List of URLs of target resources to which the rule is applied.
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]- List of target service accounts for the rule.
--[no-]tls-inspect-
Use this flag to indicate whether TLS traffic should be inspected using the TLS
inspection policy when the security profile group is applied. Default: no TLS
inspection. Use
--tls-inspectto enable and--no-tls-inspectto disable.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - NOTES
-
These variants are also available:
gcloud alpha compute firewall-policies rules creategcloud beta compute firewall-policies rules create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-06-04 UTC.