gcloud alpha compute security-policies rules create - create a Compute Engine security policy rule

gcloud alpha compute security-policies rules createPRIORITY--action=ACTION(--expression=EXPRESSION--network-dest-ip-ranges=[DEST_IP_RANGE,…]--network-dest-ports=[DEST_PORT,…]--network-ip-protocols=[IP_PROTOCOL,…]--network-src-asns=[SRC_ASN,…]--network-src-ip-ranges=[SRC_IP_RANGE,…]--network-src-ports=[SRC_PORT,…]--network-src-region-codes=[SRC_REGION_CODE,…]--network-user-defined-fields=[NAME;VALUE:VALUE:…,…]--src-ip-ranges=[SRC_IP_RANGE,…])[--ban-duration-sec=BAN_DURATION_SEC][--ban-threshold-count=BAN_THRESHOLD_COUNT][--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC][--conform-action=CONFORM_ACTION][--description=DESCRIPTION][--enforce-on-key=ENFORCE_ON_KEY][--enforce-on-key-configs=[[all],[ip],[xff-ip],[http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],[region-code],[tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[…]][--enforce-on-key-name=ENFORCE_ON_KEY_NAME][--exceed-action=EXCEED_ACTION][--exceed-action-rpc-status-code=EXCEED_ACTION_RPC_STATUS_CODE][--exceed-action-rpc-status-message=EXCEED_ACTION_RPC_STATUS_MESSAGE][--exceed-redirect-target=EXCEED_REDIRECT_TARGET][--exceed-redirect-type=EXCEED_REDIRECT_TYPE][--preview][--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT][--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC][--recaptcha-action-site-keys=[SITE_KEY,…]][--recaptcha-session-site-keys=[SITE_KEY,…]][--redirect-target=REDIRECT_TARGET][--redirect-type=REDIRECT_TYPE][--region=REGION][--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,…]][--security-policy=SECURITY_POLICY][GCLOUD_WIDE_FLAG …]

PRIORITY

The priority of the rule to add. Rules are evaluated in order from highestpriority to lowest priority where 0 is the highest priority and 2147483647 isthe lowest priority.

--action=ACTION

The action to take if the request matches the match condition.ACTION must be one of:

allow

Allows the request from HTTP(S) Load Balancing.

deny

Denies the request from TCP/SSL Proxy and Network Load Balancing.

deny-403

Denies the request from HTTP(S) Load Balancing, with an HTTP response statuscode of 403.

deny-404

Denies the request from HTTP(S) Load Balancing, with an HTTP response statuscode of 404.

deny-502

Denies the request from HTTP(S) Load Balancing, with an HTTP response statuscode of 502.

fairshare

When traffic reaches the threshold limit, requests from the clients matchingthis rule begin to be rate-limited using the Fair Share algorithm.

rate-based-ban

Enforces rate-based ban action from HTTP(S) Load Balancing, based on rate limitoptions.

redirect

Redirects the request from HTTP(S) Load Balancing, based on redirect options.

redirect-to-recaptcha

(DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for reCAPTCHAEnterprise assessment. This flag choice is deprecated. Use --action=redirect and--redirect-type=google-recaptcha instead.

throttle

Enforces throttle action from HTTP(S) Load Balancing, based on rate limitoptions.

Security policy rule matcher.

At least one of these must be specified:

--expression=EXPRESSION

The Cloud Armor rules language expression to match for this rule.

--network-dest-ip-ranges=[DEST_IP_RANGE,…]

The destination IPs/IP ranges to match for this rule. To match all IPs specify*.

--network-dest-ports=[DEST_PORT,…]

The destination ports to match for this rule. Each element can be an 16-bitunsigned decimal number (e.g. "80") or range (e.g."0-1023"), To match alldestination ports specify *.

--network-ip-protocols=[IP_PROTOCOL,…]

The IP protocols to match for this rule. Each element can be an 8-bit unsigneddecimal number (e.g. "6"), range (e.g."253-254"), or one of the followingprotocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp". To matchall protocols specify *.

--network-src-asns=[SRC_ASN,…]

BGP Autonomous System Number associated with the source IP address to match forthis rule.

--network-src-ip-ranges=[SRC_IP_RANGE,…]

The source IPs/IP ranges to match for this rule. To match all IPs specify *.

--network-src-ports=[SRC_PORT,…]

The source ports to match for this rule. Each element can be an 16-bit unsigneddecimal number (e.g. "80") or range (e.g."0-1023"), To match all source portsspecify *.

--network-src-region-codes=[SRC_REGION_CODE,…]

The two letter ISO 3166-1 alpha-2 country code associated with the source IPaddress to match for this rule. To match all region codes specify *.

--network-user-defined-fields=[NAME;VALUE:VALUE:…,…]

Each element names a defined field and lists the matching values for that field.

--src-ip-ranges=[SRC_IP_RANGE,…]

The source IPs/IP ranges to match for this rule. To match all IPs specify *.

--ban-duration-sec=BAN_DURATION_SEC

Can only be specified if the action for the rule israte-based-ban. If specified, determinesthe time (in seconds) the traffic will continue to be banned by the rate limitafter the rate falls below the threshold.

--ban-threshold-count=BAN_THRESHOLD_COUNT

Number of HTTP(S) requests for calculating the threshold for banning requests.Can only be specified if the action for the rule israte-based-ban. If specified, the key willbe banned for the configuredBAN_DURATION_SEC when the number ofrequests that exceed theRATE_LIMIT_THRESHOLD_COUNT also exceed thisBAN_THRESHOLD_COUNT.

--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC

Interval over which the threshold for banning requests is computed. Can only bespecified if the action for the rule israte-based-ban. If specified, the key willbe banned for the configuredBAN_DURATION_SEC when the number ofrequests that exceed theRATE_LIMIT_THRESHOLD_COUNT also exceed thisBAN_THRESHOLD_COUNT.

--conform-action=CONFORM_ACTION

Action to take when requests are under the given threshold. When requests arethrottled, this is also the action for all requests which are not dropped.CONFORM_ACTION must be (only one value is supported):allow.

--description=DESCRIPTION

An optional, textual description for the rule.

--enforce-on-key=ENFORCE_ON_KEY

Different key types available to enforce the rate limit threshold limit on:

• ip: each client IP address has this limitenforced separately
• all: a single limit is applied to allrequests matching this rule
• http-header: key type takes the value ofthe HTTP header configured in enforce-on-key-name as the key value
• xff-ip: takes the original IP addressspecified in the X-Forwarded-For header as the key
• http-cookie: key type takes the value ofthe HTTP cookie configured in enforce-on-key-name as the key value
• http-path: key type takes the value of theURL path in the request
• sni: key type takes the value of the servername indication from the TLS session of the HTTPS request
• region-code: key type takes the value ofthe region code from which the request originates
• tls-ja3-fingerprint: key type takes thevalue of JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 orHTTP/3
• user-ip: key type takes the IP address ofthe originating client, which is resolved based on user-ip-request-headersconfigured with the security policy
• tls-ja4-fingerprint: key type takes thevalue of JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 orHTTP/3

ENFORCE_ON_KEY must be one of:ip,all,http-header,xff-ip,http-cookie,http-path,sni,region-code,tls-ja3-fingerprint,user-ip,tls-ja4-fingerprint.

--enforce-on-key-configs=[[all],[ip],[xff-ip],[http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],[region-code],[tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[…]

Specify up to 3 key type/name pairs to rate limit. Valid key types are:

• ip: each client IP address has this limitenforced separately
• all: a single limit is applied to allrequests matching this rule
• http-header: key type takes the value ofthe HTTP header configured in enforce-on-key-name as the key value
• xff-ip: takes the original IP addressspecified in the X-Forwarded-For header as the key
• http-cookie: key type takes the value ofthe HTTP cookie configured in enforce-on-key-name as the key value
• http-path: key type takes the value of theURL path in the request
• sni: key type takes the value of the servername indication from the TLS session of the HTTPS request
• region-code: key type takes the value ofthe region code from which the request originates
• tls-ja3-fingerprint: key type takes thevalue of JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 orHTTP/3
• user-ip: key type takes the IP address ofthe originating client, which is resolved based on user-ip-request-headersconfigured with the security policy
• tls-ja4-fingerprint: key type takes thevalue of JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 orHTTP/3

Key names are only applicable to the following key types:

• http-header: The name of the HTTP header whose value is taken as the key value.
• http-cookie: The name of the HTTP cookie whose value is taken as the key value.

--enforce-on-key-name=ENFORCE_ON_KEY_NAME

Determines the key name for the rate limit key. Applicable only for thefollowing rate limit key types:

• http-header: The name of the HTTP header whose value is taken as the key value.
• http-cookie: The name of the HTTP cookie whose value is taken as the key value.

--exceed-action=EXCEED_ACTION

Action to take when requests are above the given threshold. When a request isdenied, return the specified HTTP response code. When a request is redirected,use the redirect options based on --exceed-redirect-type and--exceed-redirect-target below.EXCEED_ACTION must beone of:deny-403,deny-404,deny-429,deny-502,deny,redirect.

--exceed-action-rpc-status-code=EXCEED_ACTION_RPC_STATUS_CODE

Status code, which should be an enum value of [google.rpc.Code]

--exceed-action-rpc-status-message=EXCEED_ACTION_RPC_STATUS_MESSAGE

Developer-facing error message, should be in English.

--exceed-redirect-target=EXCEED_REDIRECT_TARGET

URL target for the redirect action that is configured as the exceed action whenthe redirect type isexternal-302.

--exceed-redirect-type=EXCEED_REDIRECT_TYPE

Type for the redirect action that is configured as the exceed action.EXCEED_REDIRECT_TYPE must be one of:google-recaptcha,external-302.

--preview

If specified, the action will not be enforced.

--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT

Number of HTTP(S) requests for calculating the threshold for rate limitingrequests.

--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC

Interval over which the threshold for rate limiting requests is computed.

--recaptcha-action-site-keys=[SITE_KEY,…]

A comma-separated list of site keys to be used during the validation ofreCAPTCHA action-tokens. The provided site keys need to be created from thereCAPTCHA API under the same project where the security policy is created.

--recaptcha-session-site-keys=[SITE_KEY,…]

A comma-separated list of site keys to be used during the validation ofreCAPTCHA session-tokens. The provided site keys need to be created from thereCAPTCHA API under the same project where the security policy is created.

--redirect-target=REDIRECT_TARGET

URL target for the redirect action. Must be specified if the redirect type isexternal-302. Cannot be specified if theredirect type isgoogle-recaptcha.

--redirect-type=REDIRECT_TYPE

Type for the redirect action. Default toexternal-302 if unspecified while--redirect-target is given.REDIRECT_TYPE must be oneof:google-recaptcha,external-302.

--region=REGION

Region of the security policy to add. If not specified, you might be prompted toselect a region (interactive mode only).

A list of regions can be fetched by running:

gcloudcomputeregionslist

Overrides the defaultcompute/region property value for thiscommand invocation.

--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,…]

A comma-separated list of header names and header values to add to requests thatmatch this rule.

--security-policy=SECURITY_POLICY

The security policy that this rule belongs to.

Run$gcloud help for details.