gcloud alpha compute firewall-policies rules create - creates a Compute Engine firewall policy rule
gcloud alpha compute firewall-policies rules create PRIORITY --action=ACTION --firewall-policy=FIREWALL_POLICY [--description=DESCRIPTION] [--dest-address-groups=[DEST_ADDRESS_GROUPS,...]] [--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]] [--dest-region-codes=[DEST_REGION_CODES,...]] [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]] [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging] [--layer4-configs=[LAYER4_CONFIG,...]] [--organization=ORGANIZATION] [--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]] [--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]] [--src-region-codes=[SOURCE_REGION_CODES,...]] [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]] [--target-resources=[TARGET_RESOURCES,...]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha compute firewall-policies rules create is used to create organization firewall policy rules.
To create a rule with priority ``10" in an organization firewall policy with ID ``123456789", run:
$ gcloud alpha compute firewall-policies rules create 10 \ --firewall-policy=123456789 --action=allow \ --description=example-rule
- PRIORITY
Priority of the firewall policy rule to create.
- --action=ACTION
Action to take if the request matches the match condition. ACTION must be one of: allow, deny, goto_next, apply_security_profile_group.
- --firewall-policy=FIREWALL_POLICY
Short name of the firewall policy into which the rule should be inserted.
- --description=DESCRIPTION
An optional, textual description for the rule.
- --dest-address-groups=[DEST_ADDRESS_GROUPS,...]
Dest address groups to match for this rule. Can only be specified if DIRECTION is egress.
- --dest-fqdns=[DEST_FQDNS,...]
Dest FQDNs to match for this rule. Can only be specified if DIRECTION is egress.
- --dest-ip-ranges=[DEST_IP_RANGE,...]
Destination IP ranges to match for this rule.
- --dest-region-codes=[DEST_REGION_CODES,...]
Dest Region Code to match for this rule. Can only be specified if DIRECTION is egress.
- --dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
Destination Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is egress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
- --direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
- --[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect traffic. Use --disabled to enable and --no-disabled to disable.
- --[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied by this rule. Use --enable-logging to enable and --no-enable-logging to disable.
- --layer4-configs=[LAYER4_CONFIG,...]
A list of destination protocols and ports to which the firewall rule will apply.
- --organization=ORGANIZATION
Organization which the organization firewall policy belongs to. Must be set if FIREWALL_POLICY is short name.
- --src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
- --src-fqdns=[SOURCE_FQDNS,...]
Source FQDNs to match for this rule. Can only be specified if DIRECTION is ingress.
- --src-ip-ranges=[SRC_IP_RANGE,...]
Source IP ranges to match for this rule.
- --src-region-codes=[SOURCE_REGION_CODES,...]
Source Region Code to match for this rule. Can only be specified if DIRECTION is ingress.
- --src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
Source Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is ingress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
- --target-resources=[TARGET_RESOURCES,...]
List of URLs of target resources to which the rule is applied.
- --target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
List of target service accounts for the rule.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud compute firewall-policies rules create
$ gcloud beta compute firewall-policies rules create