File: //snap/google-cloud-cli/394/help/man/man1/gcloud_compute_security-policies_rules_create.1
.TH "GCLOUD_COMPUTE_SECURITY\-POLICIES_RULES_CREATE" 1
.SH "NAME"
.HP
gcloud compute security\-policies rules create \- create a Compute Engine security policy rule
.SH "SYNOPSIS"
.HP
\f5gcloud compute security\-policies rules create\fR \fIPRIORITY\fR \fB\-\-action\fR=\fIACTION\fR (\fB\-\-expression\fR=\fIEXPRESSION\fR\ \fB\-\-network\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]\ \fB\-\-network\-dest\-ports\fR=[\fIDEST_PORT\fR,...]\ \fB\-\-network\-ip\-protocols\fR=[\fIIP_PROTOCOL\fR,...]\ \fB\-\-network\-src\-asns\fR=[\fISRC_ASN\fR,...]\ \fB\-\-network\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]\ \fB\-\-network\-src\-ports\fR=[\fISRC_PORT\fR,...]\ \fB\-\-network\-src\-region\-codes\fR=[\fISRC_REGION_CODE\fR,...]\ \fB\-\-network\-user\-defined\-fields\fR=[\fINAME\fR;\fIVALUE\fR:\fIVALUE\fR:...,...]\ \fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]) [\fB\-\-ban\-duration\-sec\fR=\fIBAN_DURATION_SEC\fR] [\fB\-\-ban\-threshold\-count\fR=\fIBAN_THRESHOLD_COUNT\fR] [\fB\-\-ban\-threshold\-interval\-sec\fR=\fIBAN_THRESHOLD_INTERVAL_SEC\fR] [\fB\-\-conform\-action\fR=\fICONFORM_ACTION\fR] [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-enforce\-on\-key\fR=\fIENFORCE_ON_KEY\fR] [\fB\-\-enforce\-on\-key\-configs\fR=[[\fIall\fR],[\fIip\fR],[\fIxff\-ip\fR],[\fIhttp\-cookie\fR=\fIHTTP_COOKIE\fR],[\fIhttp\-header\fR=\fIHTTP_HEADER\fR],[\fIhttp\-path\fR],[\fIsni\fR],[\fIregion\-code\fR],[\fItls\-ja3\-fingerprint\fR],[\fIuser\-ip\fR],[\fItls\-ja4\-fingerprint\fR]],[...]] [\fB\-\-enforce\-on\-key\-name\fR=\fIENFORCE_ON_KEY_NAME\fR] [\fB\-\-exceed\-action\fR=\fIEXCEED_ACTION\fR] [\fB\-\-exceed\-redirect\-target\fR=\fIEXCEED_REDIRECT_TARGET\fR] [\fB\-\-exceed\-redirect\-type\fR=\fIEXCEED_REDIRECT_TYPE\fR] [\fB\-\-preview\fR] [\fB\-\-rate\-limit\-threshold\-count\fR=\fIRATE_LIMIT_THRESHOLD_COUNT\fR] [\fB\-\-rate\-limit\-threshold\-interval\-sec\fR=\fIRATE_LIMIT_THRESHOLD_INTERVAL_SEC\fR] [\fB\-\-recaptcha\-action\-site\-keys\fR=[\fISITE_KEY\fR,...]] [\fB\-\-recaptcha\-session\-site\-keys\fR=[\fISITE_KEY\fR,...]] [\fB\-\-redirect\-target\fR=\fIREDIRECT_TARGET\fR] [\fB\-\-redirect\-type\fR=\fIREDIRECT_TYPE\fR] [\fB\-\-region\fR=\fIREGION\fR] 
[\fB\-\-request\-headers\-to\-add\fR=[\fIREQUEST_HEADERS_TO_ADD\fR,...]] [\fB\-\-security\-policy\fR=\fISECURITY_POLICY\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
\fBgcloud compute security\-policies rules create\fR is used to create security
policy rules.
.SH "EXAMPLES"
To create a rule at priority 1000 to block the IP range 1.2.3.0/24, run:
.RS 2m
$ gcloud compute security\-policies rules create 1000 \e
\-\-action=deny\-403 \-\-security\-policy=my\-policy \e
\-\-description="block 1.2.3.0/24" \-\-src\-ip\-ranges=1.2.3.0/24
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
\fIPRIORITY\fR
The priority of the rule to add. Rules are evaluated in order from highest
priority to lowest priority where 0 is the highest priority and 2147483647 is
the lowest priority.
.RE
.sp
.SH "REQUIRED FLAGS"
.RS 2m
.TP 2m
\fB\-\-action\fR=\fIACTION\fR
The action to take if the request matches the match condition. \fIACTION\fR must
be one of:
.RS 2m
.TP 2m
\fBallow\fR
Allows the request from HTTP(S) Load Balancing.
.TP 2m
\fBdeny\fR
Denies the request from TCP/SSL Proxy and Network Load Balancing.
.TP 2m
\fBdeny\-403\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 403.
.TP 2m
\fBdeny\-404\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 404.
.TP 2m
\fBdeny\-502\fR
Denies the request from HTTP(S) Load Balancing, with an HTTP response status
code of 502.
.TP 2m
\fBrate\-based\-ban\fR
Enforces rate\-based ban action from HTTP(S) Load Balancing, based on rate limit
options.
.TP 2m
\fBredirect\fR
Redirects the request from HTTP(S) Load Balancing, based on redirect options.
.TP 2m
\fBredirect\-to\-recaptcha\fR
(DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for reCAPTCHA
Enterprise assessment. This flag choice is deprecated. Use \-\-action=redirect
and \-\-redirect\-type=google\-recaptcha instead.
.TP 2m
\fBthrottle\fR
Enforces throttle action from HTTP(S) Load Balancing, based on rate limit
options.
.RE
.sp
.TP 2m
Security policy rule matcher.
At least one of these must be specified:
.RS 2m
.TP 2m
\fB\-\-expression\fR=\fIEXPRESSION\fR
The Cloud Armor rules language expression to match for this rule.
.TP 2m
\fB\-\-network\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]
The destination IPs/IP ranges to match for this rule. To match all IPs specify
*.
.TP 2m
\fB\-\-network\-dest\-ports\fR=[\fIDEST_PORT\fR,...]
The destination ports to match for this rule. Each element can be a 16\-bit
unsigned decimal number (e.g. "80") or a range (e.g. "0\-1023"). To match all
destination ports specify *.
.TP 2m
\fB\-\-network\-ip\-protocols\fR=[\fIIP_PROTOCOL\fR,...]
The IP protocols to match for this rule. Each element can be an 8\-bit unsigned
decimal number (e.g. "6"), a range (e.g. "253\-254"), or one of the following
protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp". To match
all protocols specify *.
.TP 2m
\fB\-\-network\-src\-asns\fR=[\fISRC_ASN\fR,...]
BGP Autonomous System Number associated with the source IP address to match for
this rule.
.TP 2m
\fB\-\-network\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]
The source IPs/IP ranges to match for this rule. To match all IPs specify *.
.TP 2m
\fB\-\-network\-src\-ports\fR=[\fISRC_PORT\fR,...]
The source ports to match for this rule. Each element can be a 16\-bit unsigned
decimal number (e.g. "80") or a range (e.g. "0\-1023"). To match all source ports
specify *.
.TP 2m
\fB\-\-network\-src\-region\-codes\fR=[\fISRC_REGION_CODE\fR,...]
The two letter ISO 3166\-1 alpha\-2 country code associated with the source IP
address to match for this rule. To match all region codes specify *.
.TP 2m
\fB\-\-network\-user\-defined\-fields\fR=[\fINAME\fR;\fIVALUE\fR:\fIVALUE\fR:...,...]
Each element names a defined field and lists the matching values for that field.
.TP 2m
\fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]
The source IPs/IP ranges to match for this rule. To match all IPs specify *.
.RE
.RE
.sp
.SH "OPTIONAL FLAGS"
.RS 2m
.TP 2m
\fB\-\-ban\-duration\-sec\fR=\fIBAN_DURATION_SEC\fR
Can only be specified if the action for the rule is
\f5\fIrate\-based\-ban\fR\fR. If specified, determines the time (in seconds) the
traffic will continue to be banned by the rate limit after the rate falls below
the threshold.
.TP 2m
\fB\-\-ban\-threshold\-count\fR=\fIBAN_THRESHOLD_COUNT\fR
Number of HTTP(S) requests for calculating the threshold for banning requests.
Can only be specified if the action for the rule is
\f5\fIrate\-based\-ban\fR\fR. If specified, the key will be banned for the
configured \f5\fIBAN_DURATION_SEC\fR\fR when the number of requests that exceed
the \f5\fIRATE_LIMIT_THRESHOLD_COUNT\fR\fR within
\f5\fIBAN_THRESHOLD_INTERVAL_SEC\fR\fR also exceeds this
\f5\fIBAN_THRESHOLD_COUNT\fR\fR.
.TP 2m
\fB\-\-ban\-threshold\-interval\-sec\fR=\fIBAN_THRESHOLD_INTERVAL_SEC\fR
Interval (in seconds) over which the threshold for banning requests is computed.
Can only be specified if the action for the rule is \f5\fIrate\-based\-ban\fR\fR.
If specified, the key will be banned for the configured
\f5\fIBAN_DURATION_SEC\fR\fR when the number of requests that exceed the
\f5\fIRATE_LIMIT_THRESHOLD_COUNT\fR\fR within this interval also exceeds
\f5\fIBAN_THRESHOLD_COUNT\fR\fR.
.TP 2m
\fB\-\-conform\-action\fR=\fICONFORM_ACTION\fR
Action to take when requests are under the given threshold. When requests are
throttled, this is also the action for all requests which are not dropped.
\fICONFORM_ACTION\fR must be (only one value is supported): \fBallow\fR.
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR
An optional, textual description for the rule.
.TP 2m
\fB\-\-enforce\-on\-key\fR=\fIENFORCE_ON_KEY\fR
The type of key on which the rate limit threshold is enforced:
.RS 2m
.IP "\(em" 2m
\f5\fIip\fR\fR: each client IP address has this limit enforced separately
.IP "\(em" 2m
\f5\fIall\fR\fR: a single limit is applied to all requests matching this rule
.IP "\(em" 2m
\f5\fIhttp\-header\fR\fR: key type takes the value of the HTTP header configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIxff\-ip\fR\fR: takes the original IP address specified in the
X\-Forwarded\-For header as the key; this header is supplied by the client, so
the key is only trustworthy when a proxy you control sets it
.IP "\(em" 2m
\f5\fIhttp\-cookie\fR\fR: key type takes the value of the HTTP cookie configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIhttp\-path\fR\fR: key type takes the value of the URL path in the request
.IP "\(em" 2m
\f5\fIsni\fR\fR: key type takes the value of the server name indication from the
TLS session of the HTTPS request
.IP "\(em" 2m
\f5\fIregion\-code\fR\fR: key type takes the value of the region code from which
the request originates
.IP "\(em" 2m
\f5\fItls\-ja3\-fingerprint\fR\fR: key type takes the value of JA3 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.IP "\(em" 2m
\f5\fIuser\-ip\fR\fR: key type takes the IP address of the originating client,
which is resolved based on user\-ip\-request\-headers configured with the
security policy
.IP "\(em" 2m
\f5\fItls\-ja4\-fingerprint\fR\fR: key type takes the value of JA4 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.RE
.sp
\fIENFORCE_ON_KEY\fR must be one of: \fBip\fR, \fBall\fR, \fBhttp\-header\fR,
\fBxff\-ip\fR, \fBhttp\-cookie\fR, \fBhttp\-path\fR, \fBsni\fR,
\fBregion\-code\fR, \fBtls\-ja3\-fingerprint\fR, \fBuser\-ip\fR,
\fBtls\-ja4\-fingerprint\fR.
.TP 2m
\fB\-\-enforce\-on\-key\-configs\fR=[[\fIall\fR],[\fIip\fR],[\fIxff\-ip\fR],[\fIhttp\-cookie\fR=\fIHTTP_COOKIE\fR],[\fIhttp\-header\fR=\fIHTTP_HEADER\fR],[\fIhttp\-path\fR],[\fIsni\fR],[\fIregion\-code\fR],[\fItls\-ja3\-fingerprint\fR],[\fIuser\-ip\fR],[\fItls\-ja4\-fingerprint\fR]],[...]
Specify up to 3 key type/name pairs to rate limit. Valid key types are:
.RS 2m
.IP "\(em" 2m
\f5\fIip\fR\fR: each client IP address has this limit enforced separately
.IP "\(em" 2m
\f5\fIall\fR\fR: a single limit is applied to all requests matching this rule
.IP "\(em" 2m
\f5\fIhttp\-header\fR\fR: key type takes the value of the HTTP header configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIxff\-ip\fR\fR: takes the original IP address specified in the
X\-Forwarded\-For header as the key; this header is supplied by the client, so
the key is only trustworthy when a proxy you control sets it
.IP "\(em" 2m
\f5\fIhttp\-cookie\fR\fR: key type takes the value of the HTTP cookie configured
in enforce\-on\-key\-name as the key value
.IP "\(em" 2m
\f5\fIhttp\-path\fR\fR: key type takes the value of the URL path in the request
.IP "\(em" 2m
\f5\fIsni\fR\fR: key type takes the value of the server name indication from the
TLS session of the HTTPS request
.IP "\(em" 2m
\f5\fIregion\-code\fR\fR: key type takes the value of the region code from which
the request originates
.IP "\(em" 2m
\f5\fItls\-ja3\-fingerprint\fR\fR: key type takes the value of JA3 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.IP "\(em" 2m
\f5\fIuser\-ip\fR\fR: key type takes the IP address of the originating client,
which is resolved based on user\-ip\-request\-headers configured with the
security policy
.IP "\(em" 2m
\f5\fItls\-ja4\-fingerprint\fR\fR: key type takes the value of JA4 TLS/SSL
fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
.RE
.sp
Key names are only applicable to the following key types:
.RS 2m
.IP "\(em" 2m
http\-header: The name of the HTTP header whose value is taken as the key value.
.IP "\(em" 2m
http\-cookie: The name of the HTTP cookie whose value is taken as the key value.
.RE
.sp
.TP 2m
\fB\-\-enforce\-on\-key\-name\fR=\fIENFORCE_ON_KEY_NAME\fR
Determines the key name for the rate limit key. Applicable only for the
following rate limit key types:
.RS 2m
.IP "\(em" 2m
http\-header: The name of the HTTP header whose value is taken as the key value.
.IP "\(em" 2m
http\-cookie: The name of the HTTP cookie whose value is taken as the key value.
.RE
.sp
.TP 2m
\fB\-\-exceed\-action\fR=\fIEXCEED_ACTION\fR
Action to take when requests are above the given threshold. When a request is
denied, return the specified HTTP response code. When a request is redirected,
use the redirect options based on \-\-exceed\-redirect\-type and
\-\-exceed\-redirect\-target below. \fIEXCEED_ACTION\fR must be one of:
\fBdeny\-403\fR, \fBdeny\-404\fR, \fBdeny\-429\fR, \fBdeny\-502\fR, \fBdeny\fR,
\fBredirect\fR.
.TP 2m
\fB\-\-exceed\-redirect\-target\fR=\fIEXCEED_REDIRECT_TARGET\fR
URL target for the redirect action that is configured as the exceed action when
the redirect type is \f5\fIexternal\-302\fR\fR.
.TP 2m
\fB\-\-exceed\-redirect\-type\fR=\fIEXCEED_REDIRECT_TYPE\fR
Type for the redirect action that is configured as the exceed action.
\fIEXCEED_REDIRECT_TYPE\fR must be one of: \fBgoogle\-recaptcha\fR,
\fBexternal\-302\fR.
.TP 2m
\fB\-\-preview\fR
If specified, the rule is evaluated and its matches are logged, but the action is
not enforced.
.TP 2m
\fB\-\-rate\-limit\-threshold\-count\fR=\fIRATE_LIMIT_THRESHOLD_COUNT\fR
Number of HTTP(S) requests for calculating the threshold for rate limiting
requests.
.TP 2m
\fB\-\-rate\-limit\-threshold\-interval\-sec\fR=\fIRATE_LIMIT_THRESHOLD_INTERVAL_SEC\fR
Interval over which the threshold for rate limiting requests is computed.
.TP 2m
\fB\-\-recaptcha\-action\-site\-keys\fR=[\fISITE_KEY\fR,...]
A comma\-separated list of site keys to be used during the validation of
reCAPTCHA action\-tokens. The provided site keys need to be created from the
reCAPTCHA API under the same project where the security policy is created.
.TP 2m
\fB\-\-recaptcha\-session\-site\-keys\fR=[\fISITE_KEY\fR,...]
A comma\-separated list of site keys to be used during the validation of
reCAPTCHA session\-tokens. The provided site keys need to be created from the
reCAPTCHA API under the same project where the security policy is created.
.TP 2m
\fB\-\-redirect\-target\fR=\fIREDIRECT_TARGET\fR
URL target for the redirect action. Must be specified if the redirect type is
\f5\fIexternal\-302\fR\fR. Cannot be specified if the redirect type is
\f5\fIgoogle\-recaptcha\fR\fR.
.TP 2m
\fB\-\-redirect\-type\fR=\fIREDIRECT_TYPE\fR
Type for the redirect action. Defaults to \f5\fIexternal\-302\fR\fR if
unspecified when \-\-redirect\-target is given. \fIREDIRECT_TYPE\fR must be one
of: \fBgoogle\-recaptcha\fR, \fBexternal\-302\fR.
.TP 2m
\fB\-\-region\fR=\fIREGION\fR
Region of the security policy to which the rule is added. If not specified, you
might be prompted to select a region (interactive mode only).
A list of regions can be fetched by running:
.RS 2m
$ gcloud compute regions list
.RE
Overrides the default \fBcompute/region\fR property value for this command
invocation.
.TP 2m
\fB\-\-request\-headers\-to\-add\fR=[\fIREQUEST_HEADERS_TO_ADD\fR,...]
A comma\-separated list of header names and header values to add to requests
that match this rule.
.TP 2m
\fB\-\-security\-policy\fR=\fISECURITY_POLICY\fR
The security policy that this rule belongs to.
.RE
.sp
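The following script is an added example and is not part of this man page or of
the Google Cloud SDK. It assembles the deny rule from the EXAMPLES section,
a rules\-language rule in preview mode, and throttle and rate\-based\-ban rules,
and preflight\-checks each flag combination against the constraints documented
above (\-\-ban\-* only with \-\-action=rate\-based\-ban, \-\-conform\-action
limited to allow, \-\-enforce\-on\-key\-name only with the http\-header and
http\-cookie key types, \-\-redirect\-target required for external\-302 and
forbidden for google\-recaptcha) before anything is sent to the API. The policy
name my\-policy, the priorities, thresholds, IP ranges and the header name
X\-Api\-Key are made up for illustration; commands are printed rather than run
unless ARMOR_EXECUTE=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the gcloud man page or the Google Cloud SDK: build
# `gcloud compute security-policies rules create` invocations and preflight the
# flag combinations against the constraints documented in the man page. Policy
# name, priorities, thresholds, IP ranges and X-Api-Key are constructed values.
set -u

err() { printf 'preflight: %s\n' "$*" >&2; }

# flag_value NAME ARG... -> prints VALUE of the first --NAME=VALUE argument
flag_value() {
  local name="$1" a; shift
  for a in "$@"; do case "$a" in "--$name="*) printf '%s\n' "${a#--$name=}"; return 0 ;; esac; done
  return 1
}

# has_flag GLOB ARG... -> 0 if any argument matches GLOB (e.g. '--ban-*')
has_flag() {
  local pat="$1" a; shift
  for a in "$@"; do case "$a" in $pat) return 0 ;; esac; done
  return 1
}

# preflight PRIORITY FLAG... -> 0 if the combination is allowed by the man page
preflight() {
  local priority="$1" action v; shift
  case "$priority" in ''|*[!0-9]*) err "priority must be an integer"; return 1 ;; esac
  { [ "${#priority}" -le 10 ] && [ "$priority" -le 2147483647 ]; } || { err "priority must be 0-2147483647"; return 1; }
  action=$(flag_value action "$@") || { err "--action is required"; return 1; }
  # At least one matcher flag is required.
  has_flag '--expression=*' "$@" || has_flag '--network-*' "$@" || has_flag '--src-ip-ranges=*' "$@" \
    || { err "a matcher (--expression, --network-*, --src-ip-ranges) is required"; return 1; }
  # --ban-* flags are only valid for --action=rate-based-ban.
  if has_flag '--ban-*' "$@" && [ "$action" != rate-based-ban ]; then
    err "--ban-* flags require --action=rate-based-ban"; return 1
  fi
  # --conform-action supports only allow.
  if v=$(flag_value conform-action "$@") && [ "$v" != allow ]; then
    err "--conform-action must be allow"; return 1
  fi
  # --enforce-on-key-name applies only to http-header and http-cookie keys.
  if has_flag '--enforce-on-key-name=*' "$@"; then
    v=$(flag_value enforce-on-key "$@") || v=""
    case "$v" in http-header|http-cookie) ;;
      *) err "--enforce-on-key-name needs --enforce-on-key=http-header|http-cookie"; return 1 ;;
    esac
  fi
  # --redirect-target: required for external-302 (the default), forbidden for google-recaptcha.
  if [ "$action" = redirect ]; then
    v=$(flag_value redirect-type "$@") || v=external-302
    if [ "$v" = external-302 ] && ! has_flag '--redirect-target=*' "$@"; then
      err "--redirect-type=external-302 requires --redirect-target"; return 1
    fi
    if [ "$v" = google-recaptcha ] && has_flag '--redirect-target=*' "$@"; then
      err "--redirect-target cannot be combined with google-recaptcha"; return 1
    fi
  fi
  return 0
}

# run_rule CMD... -> prints the command (quoting not preserved); ARMOR_EXECUTE=1 runs it.
run_rule() {
  if [ "${ARMOR_EXECUTE:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# create_rule POLICY PRIORITY FLAG... -> preflight, then print or run gcloud
create_rule() {
  local policy="$1" priority="$2"; shift 2
  preflight "$priority" "$@" || return 1
  run_rule gcloud compute security-policies rules create "$priority" \
    --security-policy="$policy" "$@"
}

# The man page's own example: deny a source range with a 403.
rule_block_range() {
  create_rule my-policy 1000 --action=deny-403 \
    --description="block 1.2.3.0/24" --src-ip-ranges=1.2.3.0/24
}

# Rules-language matcher deployed in preview, so matches are logged, not enforced.
rule_expression_preview() {
  create_rule my-policy 1500 --action=deny-404 --preview \
    --expression="inIpRange(origin.ip, '198.51.100.0/24') && request.path.matches('/login')"
}

# Per-client-IP throttle: above 100 requests per 60 s the excess gets a 429.
rule_throttle_per_ip() {
  create_rule my-policy 2000 --action=throttle --src-ip-ranges='*' \
    --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow --exceed-action=deny-429 --enforce-on-key=ip
}

# Rate-based ban keyed on an API-key header: more than 200 over-limit requests in 300 s bans the key for 600 s.
rule_ban_by_header() {
  create_rule my-policy 3000 --action=rate-based-ban --src-ip-ranges='*' \
    --rate-limit-threshold-count=50 --rate-limit-threshold-interval-sec=60 \
    --ban-threshold-count=200 --ban-threshold-interval-sec=300 \
    --ban-duration-sec=600 --conform-action=allow --exceed-action=deny-429 \
    --enforce-on-key=http-header --enforce-on-key-name=X-Api-Key
}
```

Run it once with the commands printed, review them, then rerun with
ARMOR_EXECUTE=1 set. Creating a new rule with \-\-preview first lets you watch
which requests it would have affected before the action is enforced.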
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
These variants are also available:
.RS 2m
$ gcloud alpha compute security\-policies rules create
.RE
.RS 2m
$ gcloud beta compute security\-policies rules create
.RE