gcloud alpha compute network-firewall-policies rules create
- NAME
- gcloud alpha compute network-firewall-policies rules create - creates a Compute Engine network firewall policy rule
- SYNOPSIS
gcloud alpha compute network-firewall-policies rules createPRIORITY--action=ACTION--firewall-policy=FIREWALL_POLICY--layer4-configs=[LAYER4_CONFIG,…][--description=DESCRIPTION][--dest-address-groups=[DEST_ADDRESS_GROUPS,…]][--dest-fqdns=[DEST_FQDNS,…]][--dest-ip-ranges=[DEST_IP_RANGE,…]][--dest-network-context=DEST_NETWORK_CONTEXT][--dest-network-type=DEST_NETWORK_TYPE][--dest-region-codes=[DEST_REGION_CODES,…]][--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]][--direction=DIRECTION][--[no-]disabled][--[no-]enable-logging][--security-profile-group=SECURITY_PROFILE_GROUP][--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]][--src-fqdns=[SOURCE_FQDNS,…]][--src-ip-ranges=[SRC_IP_RANGE,…]][--src-network-context=SRC_NETWORK_CONTEXT][--src-network-type=SRC_NETWORK_TYPE][--src-networks=[SRC_NETWORKS,…]][--src-region-codes=[SOURCE_REGION_CODES,…]][--src-secure-tags=[SOURCE_SECURE_TAGS,…]][--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]][--target-forwarding-rules=[TARGET_FORWARDING_RULES,…]][--target-secure-tags=[TARGET_SECURE_TAGS,…]][--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]][--target-type=TARGET_TYPE][--[no-]tls-inspect][--firewall-policy-region=FIREWALL_POLICY_REGION|--global-firewall-policy][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(ALPHA)gcloud alpha compute network-firewall-policies rulescreateis used to create network firewall policy rules.- EXAMPLES
- To create a rule with priority
10my-policyexample rulegcloudalphacomputenetwork-firewall-policiesrulescreate10--firewall-policy=my-policy--action=allow--description="example rule"--global-firewall-policyTo create a rule with priority
10my-region-policyexample ruleregion-agcloudalphacomputenetwork-firewall-policiesrulescreate10--firewall-policy=my-policy--action=allow--description="example rule" - POSITIONAL ARGUMENTS
PRIORITY- Priority of the rule to be inserted. Valid in [0, 2147483547].
- REQUIRED FLAGS
--action=ACTION- Action to take if the request matches the match condition.
ACTIONmust be one of:allow,deny,goto_next,apply_security_profile_group. --firewall-policy=FIREWALL_POLICY- Firewall policy ID with which to create rule.
--layer4-configs=[LAYER4_CONFIG,…]- A list of destination protocols and ports to which the firewall rule will apply.
- OPTIONAL FLAGS
--description=DESCRIPTION- An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,…]- Destination address groups to match for this rule. Can only be specified ifDIRECTION is engress.
--dest-fqdns=[DEST_FQDNS,…]- Destination FQDNs to match for this rule. Can only be specified if DIRECTION is
egress. --dest-ip-ranges=[DEST_IP_RANGE,…]- Destination IP ranges to match for this rule.
--dest-network-context=DEST_NETWORK_CONTEXT- Use this flag to indicate that the rule should match internet or non-internettraffic. It applies to destination traffic for egress rules. Valid values areINTERNET and NON_INTERNET. Use empty string to clear the field.
--dest-network-type=DEST_NETWORK_TYPE- Use this flag to indicate that the rule should match internet or non-internettraffic. It applies to destination traffic for egress rules. Valid values areINTERNET and NON_INTERNET. Use empty string to clear the field.
--dest-region-codes=[DEST_REGION_CODES,…]- Destination Region Code to match for this rule. Can only be specified ifDIRECTION is
egress. Cannot be specified when the source networktype is NON_INTERNET. --dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]- Destination Threat Intelligence lists to match for this rule. Can only bespecified if DIRECTION is
egress. Cannot be specified when sourcenetwork type is NON_INTERNET. The available lists can be found here:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. --direction=DIRECTION- Direction of the traffic the rule is applied. The default is to apply onincoming traffic.
DIRECTIONmust be one of:INGRESS,EGRESS. --[no-]disabled- Use this flag to disable the rule. Disabled rules will not affect traffic. Use
--disabledto enable and--no-disabledto disable. --[no-]enable-logging- Use this flag to enable logging of connections that allowed or denied by thisrule. Use
--enable-loggingto enable and--no-enable-loggingto disable. --security-profile-group=SECURITY_PROFILE_GROUP- A security profile group to be used with apply_security_profile_group action.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]- Source address groups to match for this rule. Can only be specified if DIRECTIONis ingress.
--src-fqdns=[SOURCE_FQDNS,…]- Source FQDNs to match for this rule. Can only be specified if DIRECTION is
ingress. --src-ip-ranges=[SRC_IP_RANGE,…]- A list of IP address blocks that are allowed to make inbound connections thatmatch the firewall rule to the instances on the network. The IP address blocksmust be specified in CIDR format:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either--src-ip-ranges or --src-secure-tags must be specified for INGRESS traffic. Ifboth --src-ip-ranges and --src-secure-tags are specified, the rule matches ifeither the range of the source matches --src-ip-ranges or the secure tag of thesource matches --src-secure-tags.Multiple IP address blocks can be specified ifthey are separated by commas.
--src-network-context=SRC_NETWORK_CONTEXT- Use this flag to indicate that the rule should match internet, non-internettraffic or traffic coming from the network specified by --src-networks. Itapplies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKSand INTRA_VPC. Use empty string to clear the field.
--src-network-type=SRC_NETWORK_TYPE- Use this flag to indicate that the rule should match internet, non-internettraffic or traffic coming from the network specified by --src-networks. Itapplies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKSand INTRA_VPC. Use empty string to clear the field.
--src-networks=[SRC_NETWORKS,…]- The source VPC networks to match for this rule. It can only be specified when--src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts fullor partial URLs.
--src-region-codes=[SOURCE_REGION_CODES,…]- Source Region Code to match for this rule. Can only be specified if DIRECTION is
ingress. Cannot be specified when the source network type isNON_INTERNET, VPC_NETWORK or INTRA_VPC. --src-secure-tags=[SOURCE_SECURE_TAGS,…]- A list of instance secure tags indicating the set of instances on the network towhich the rule applies if all other fields match. Either --src-ip-ranges or--src-secure-tags must be specified for ingress traffic. If both --src-ip-rangesand --src-secure-tags are specified, an inbound connection is allowed if eitherthe range of the source matches --src-ip-ranges or the tag of the source matches--src-secure-tags. Secure Tags can be assigned to instances during instancecreation. Secure tags cannot be specified if source network type is INTERNET.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]- Source Threat Intelligence lists to match for this rule. Can only be specifiedif DIRECTION is
ingress. Cannot be specified when the sourcenetwork type is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available lists canbe found here:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy. --target-forwarding-rules=[TARGET_FORWARDING_RULES,…]- A list of forwarding rules to which this rule applies. This field allows you tocontrol which load balancers get this rule. If not specified, the rule appliesto all load balancers. This field is only applicable when --target-type isINTERNAL_MANAGED_LB. It accepts full or partial resource URLs.
--target-secure-tags=[TARGET_SECURE_TAGS,…]- An optional, list of target secure tags with a name of the format tagValues/ orfull namespaced name
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]- List of target service accounts for the rule.
--target-type=TARGET_TYPE- Target type of the rule. By default a rule applies to VM instances (target-type= INSTANCES). Use INTERNAL_MANAGED_LB value to apply the rule to load balancers.
TARGET_TYPEmust be one of:INSTANCES,INTERNAL_MANAGED_LB. --[no-]tls-inspect- Use this flag to indicate whether TLS traffic should be inspected using the TLSinspection policy when the security profile group is applied. Default: no TLSinspection. Use
--tls-inspectto enable and--no-tls-inspectto disable. - At most one of these can be specified:
--firewall-policy-region=FIREWALL_POLICY_REGION- Region of the firewall policy to create. Overrides the default
compute/regionproperty value for this command invocation. --global-firewall-policy- If set, the firewall policy is global.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This command is currently in alpha and might change without notice. If thiscommand fails with API permission errors despite specifying the correct project,you might be trying to access an API with an invitation-only early accessallowlist. These variants are also available:
gcloudcomputenetwork-firewall-policiesrulescreategcloudbetacomputenetwork-firewall-policiesrulescreate
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-11-18 UTC.