gcloud alpha compute firewall-policies rules create - creates a Compute Engine firewall policy rule

gcloud alpha compute firewall-policies rules createPRIORITY--action=ACTION--firewall-policy=FIREWALL_POLICY--layer4-configs=[LAYER4_CONFIG,…][--description=DESCRIPTION][--dest-address-groups=[DEST_ADDRESS_GROUPS,…]][--dest-fqdns=[DEST_FQDNS,…]][--dest-ip-ranges=[DEST_IP_RANGE,…]][--dest-network-context=DEST_NETWORK_CONTEXT][--dest-network-type=DEST_NETWORK_TYPE][--dest-region-codes=[DEST_REGION_CODES,…]][--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]][--direction=DIRECTION][--[no-]disabled][--[no-]enable-logging][--organization=ORGANIZATION][--security-profile-group=SECURITY_PROFILE_GROUP][--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]][--src-fqdns=[SOURCE_FQDNS,…]][--src-ip-ranges=[SRC_IP_RANGE,…]][--src-network-context=SRC_NETWORK_CONTEXT][--src-network-type=SRC_NETWORK_TYPE][--src-networks=[SRC_NETWORKS,…]][--src-region-codes=[SOURCE_REGION_CODES,…]][--src-secure-tags=[SOURCE_SECURE_TAGS,…]][--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]][--target-resources=[TARGET_RESOURCES,…]][--target-secure-tags=[TARGET_SECURE_TAGS,…]][--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]][--[no-]tls-inspect][GCLOUD_WIDE_FLAG …]

PRIORITY

Priority of the firewall policy rule to create.

--action=ACTION

Action to take if the request matches the match condition.ACTION must be one of:allow,deny,goto_next,apply_security_profile_group.

--firewall-policy=FIREWALL_POLICY

Short name of the firewall policy into which the rule should be inserted.

--layer4-configs=[LAYER4_CONFIG,…]

A list of destination protocols and ports to which the firewall rule will apply.

--description=DESCRIPTION

An optional, textual description for the rule.

--dest-address-groups=[DEST_ADDRESS_GROUPS,…]

Destination address groups to match for this rule. Can only be specified ifDIRECTION is egress.

--dest-fqdns=[DEST_FQDNS,…]

Destination FQDNs to match for this rule. Can only be specified if DIRECTION isegress.

--dest-ip-ranges=[DEST_IP_RANGE,…]

Destination IP ranges to match for this rule.

--dest-network-context=DEST_NETWORK_CONTEXT

Use this flag to indicate that the rule should match internet or non-internettraffic. It applies to destination traffic for egress rules. Valid values areINTERNET and NON_INTERNET. Use empty string to clear the field.

--dest-network-type=DEST_NETWORK_TYPE

Use this flag to indicate that the rule should match internet or non-internettraffic. It applies to destination traffic for egress rules. Valid values areINTERNET and NON_INTERNET. Use empty string to clear the field.

--dest-region-codes=[DEST_REGION_CODES,…]

Destination Region Code to match for this rule. Can only be specified ifDIRECTION isegress. Cannot be specified when the source networktype is NON_INTERNET.

--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]

Destination Threat Intelligence lists to match for this rule. Can only bespecified if DIRECTION isegress. Cannot be specified when sourcenetwork type is NON_INTERNET. The available lists can be found here:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

--direction=DIRECTION

Direction of the traffic the rule is applied. The default is to apply onincoming traffic.DIRECTION must be one of:INGRESS,EGRESS.

--[no-]disabled

Use this flag to disable the rule. Disabled rules will not affect traffic. Use--disabled to enable and--no-disabled to disable.

--[no-]enable-logging

Use this flag to enable logging of connections that allowed or denied by thisrule. Use--enable-logging to enable and--no-enable-logging to disable.

--organization=ORGANIZATION

Organization which the organization firewall policy belongs to. Must be set ifFIREWALL_POLICY is short name.

--security-profile-group=SECURITY_PROFILE_GROUP

An org-based security profile group to be used with apply_security_profile_groupaction. Allowed formats are: a)http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>b)(//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>c) <profile>. In case "c"gcloud CLI will create a referencematching format "a", but to make it workCLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In orderto set this property, please run the commandgcloud config setapi_endpoint_overrides/networksecurity https://<namespace>/.

--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]

Source address groups to match for this rule. Can only be specified if DIRECTIONis ingress.

--src-fqdns=[SOURCE_FQDNS,…]

Source FQDNs to match for this rule. Can only be specified if DIRECTION isingress.

--src-ip-ranges=[SRC_IP_RANGE,…]

Source IP ranges to match for this rule.

--src-network-context=SRC_NETWORK_CONTEXT

Use this flag to indicate that the rule should match internet, non-internettraffic or traffic coming from the network specified by --src-network. Itapplies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKSand INTRA_VPC. Use empty string to clear the field.

--src-network-type=SRC_NETWORK_TYPE

Use this flag to indicate that the rule should match internet, non-internettraffic or traffic coming from the network specified by --src-network. Itapplies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKSand INTRA_VPC. Use empty string to clear the field.

--src-networks=[SRC_NETWORKS,…]

The source VPC networks to match for this rule. It can only be specified when--src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts fullor partial URLs.

--src-region-codes=[SOURCE_REGION_CODES,…]

Source Region Code to match for this rule. Can only be specified if DIRECTION isingress. Cannot be specified when the source network type isNON_INTERNET, VPC_NETWORK or INTRA_VPC.

--src-secure-tags=[SOURCE_SECURE_TAGS,…]

A list of instance secure tags indicating the set of instances on the network towhich the rule applies if all other fields match. Either --src-ip-ranges or--src-secure-tags must be specified for ingress traffic. If both --src-ip-rangesand --src-secure-tags are specified, an inbound connection is allowed if eitherthe range of the source matches --src-ip-ranges or the tag of the source matches--src-secure-tags. Secure Tags can be assigned to instances during instancecreation.

--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]

Source Threat Intelligence lists to match for this rule. Can only be specifiedif DIRECTION isingress. Cannot be specified when the sourcenetwork type is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available lists canbe found here:https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

--target-resources=[TARGET_RESOURCES,…]

List of URLs of target resources to which the rule is applied.

--target-secure-tags=[TARGET_SECURE_TAGS,…]

An optional, list of target secure tags with a name of the format tagValues/ orfull namespaced name

--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]

List of target service accounts for the rule.

--[no-]tls-inspect

Use this flag to indicate whether TLS traffic should be inspected using the TLSinspection policy when the security profile group is applied. Default: no TLSinspection. Use--tls-inspect to enable and--no-tls-inspect to disable.

Run$gcloud help for details.