.TH "GCLOUD_COMPUTE_FIREWALL\-POLICIES_RULES_CREATE" 1



.SH "NAME"
.HP
gcloud compute firewall\-policies rules create \- creates a Compute Engine firewall policy rule



.SH "SYNOPSIS"
.HP
\f5gcloud compute firewall\-policies rules create\fR \fIPRIORITY\fR \fB\-\-action\fR=\fIACTION\fR \fB\-\-firewall\-policy\fR=\fIFIREWALL_POLICY\fR \fB\-\-layer4\-configs\fR=[\fILAYER4_CONFIG\fR,...] [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-dest\-address\-groups\fR=[\fIDEST_ADDRESS_GROUPS\fR,...]] [\fB\-\-dest\-fqdns\fR=[\fIDEST_FQDNS\fR,...]] [\fB\-\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]] [\fB\-\-dest\-region\-codes\fR=[\fIDEST_REGION_CODES\fR,...]] [\fB\-\-dest\-threat\-intelligence\fR=[\fIDEST_THREAT_INTELLIGENCE_LISTS\fR,...]] [\fB\-\-direction\fR=\fIDIRECTION\fR] [\fB\-\-[no\-]disabled\fR] [\fB\-\-[no\-]enable\-logging\fR] [\fB\-\-organization\fR=\fIORGANIZATION\fR] [\fB\-\-security\-profile\-group\fR=\fISECURITY_PROFILE_GROUP\fR] [\fB\-\-src\-address\-groups\fR=[\fISOURCE_ADDRESS_GROUPS\fR,...]] [\fB\-\-src\-fqdns\fR=[\fISOURCE_FQDNS\fR,...]] [\fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]] [\fB\-\-src\-region\-codes\fR=[\fISOURCE_REGION_CODES\fR,...]] [\fB\-\-src\-secure\-tags\fR=[\fISOURCE_SECURE_TAGS\fR,...]] [\fB\-\-src\-threat\-intelligence\fR=[\fISOURCE_THREAT_INTELLIGENCE_LISTS\fR,...]] [\fB\-\-target\-resources\fR=[\fITARGET_RESOURCES\fR,...]] [\fB\-\-target\-secure\-tags\fR=[\fITARGET_SECURE_TAGS\fR,...]] [\fB\-\-target\-service\-accounts\fR=[\fITARGET_SERVICE_ACCOUNTS\fR,...]] [\fB\-\-[no\-]tls\-inspect\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fBgcloud compute firewall\-policies rules create\fR is used to create
organization firewall policy rules.



.SH "EXAMPLES"

To create a rule with priority ``10" in an organization firewall policy with ID
``123456789", run:

.RS 2m
$ gcloud compute firewall\-policies rules create 10 \e
    \-\-firewall\-policy=123456789 \-\-action=allow \e
    \-\-description=example\-rule
.RE



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fIPRIORITY\fR

Priority of the firewall policy rule to create.


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-action\fR=\fIACTION\fR

Action to take if the request matches the match condition. \fIACTION\fR must be
one of: \fBallow\fR, \fBdeny\fR, \fBgoto_next\fR,
\fBapply_security_profile_group\fR.

.TP 2m
\fB\-\-firewall\-policy\fR=\fIFIREWALL_POLICY\fR

Short name of the firewall policy into which the rule should be inserted.

.TP 2m
\fB\-\-layer4\-configs\fR=[\fILAYER4_CONFIG\fR,...]

A list of destination protocols and ports to which the firewall rule will apply.


.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR

An optional, textual description for the rule.

.TP 2m
\fB\-\-dest\-address\-groups\fR=[\fIDEST_ADDRESS_GROUPS\fR,...]

Destination address groups to match for this rule. Can only be specified if
DIRECTION is egress.

.TP 2m
\fB\-\-dest\-fqdns\fR=[\fIDEST_FQDNS\fR,...]

Destination FQDNs to match for this rule. Can only be specified if DIRECTION is
\f5egress\fR.

.TP 2m
\fB\-\-dest\-ip\-ranges\fR=[\fIDEST_IP_RANGE\fR,...]

Destination IP ranges to match for this rule.

.TP 2m
\fB\-\-dest\-region\-codes\fR=[\fIDEST_REGION_CODES\fR,...]

Destination Region Code to match for this rule. Can only be specified if
DIRECTION is \f5egress\fR.

.TP 2m
\fB\-\-dest\-threat\-intelligence\fR=[\fIDEST_THREAT_INTELLIGENCE_LISTS\fR,...]

Destination Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is \f5egress\fR. The available lists can be found here:
https://cloud.google.com/vpc/docs/firewall\-policies\-rule\-details#threat\-intelligence\-fw\-policy.

.TP 2m
\fB\-\-direction\fR=\fIDIRECTION\fR

Direction of the traffic to which the rule is applied. The default is to apply
to incoming traffic. \fIDIRECTION\fR must be one of: \fBINGRESS\fR, \fBEGRESS\fR.

.TP 2m
\fB\-\-[no\-]disabled\fR

Use this flag to disable the rule. Disabled rules will not affect traffic. Use
\fB\-\-disabled\fR to disable the rule and \fB\-\-no\-disabled\fR to leave it
enabled.

.TP 2m
\fB\-\-[no\-]enable\-logging\fR

Use this flag to enable logging of connections that are allowed or denied by
this rule. Use \fB\-\-enable\-logging\fR to enable and
\fB\-\-no\-enable\-logging\fR to disable.

.TP 2m
\fB\-\-organization\fR=\fIORGANIZATION\fR

Organization to which the organization firewall policy belongs. Must be set if
FIREWALL_POLICY is a short name.

.TP 2m
\fB\-\-security\-profile\-group\fR=\fISECURITY_PROFILE_GROUP\fR

An org\-based security profile group to be used with
apply_security_profile_group action. Allowed formats are: a)
http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
b)
(//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
c) <profile>. In case "c" \f5gcloud\fR CLI will create a reference matching
format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY
property must be set. In order to set this property, please run the command
\f5gcloud config set api_endpoint_overrides/networksecurity
https://<namespace>/\fR.

.TP 2m
\fB\-\-src\-address\-groups\fR=[\fISOURCE_ADDRESS_GROUPS\fR,...]

Source address groups to match for this rule. Can only be specified if DIRECTION
is ingress.

.TP 2m
\fB\-\-src\-fqdns\fR=[\fISOURCE_FQDNS\fR,...]

Source FQDNs to match for this rule. Can only be specified if DIRECTION is
\f5ingress\fR.

.TP 2m
\fB\-\-src\-ip\-ranges\fR=[\fISRC_IP_RANGE\fR,...]

Source IP ranges to match for this rule.

.TP 2m
\fB\-\-src\-region\-codes\fR=[\fISOURCE_REGION_CODES\fR,...]

Source Region Code to match for this rule. Can only be specified if DIRECTION is
\f5ingress\fR.

.TP 2m
\fB\-\-src\-secure\-tags\fR=[\fISOURCE_SECURE_TAGS\fR,...]

A list of instance secure tags indicating the set of instances on the network to
which the rule applies if all other fields match. Either \-\-src\-ip\-ranges or
\-\-src\-secure\-tags must be specified for ingress traffic. If both
\-\-src\-ip\-ranges and \-\-src\-secure\-tags are specified, an inbound
connection is allowed if either the range of the source matches
\-\-src\-ip\-ranges or the tag of the source matches \-\-src\-secure\-tags.
Secure Tags can be assigned to instances during instance creation.

.TP 2m
\fB\-\-src\-threat\-intelligence\fR=[\fISOURCE_THREAT_INTELLIGENCE_LISTS\fR,...]

Source Threat Intelligence lists to match for this rule. Can only be specified
if DIRECTION is \f5ingress\fR. The available lists can be found here:
https://cloud.google.com/vpc/docs/firewall\-policies\-rule\-details#threat\-intelligence\-fw\-policy.

.TP 2m
\fB\-\-target\-resources\fR=[\fITARGET_RESOURCES\fR,...]

List of URLs of target resources to which the rule is applied.

.TP 2m
\fB\-\-target\-secure\-tags\fR=[\fITARGET_SECURE_TAGS\fR,...]

An optional list of target secure tags with a name of the format tagValues/ or
full namespaced name

.TP 2m
\fB\-\-target\-service\-accounts\fR=[\fITARGET_SERVICE_ACCOUNTS\fR,...]

List of target service accounts for the rule.

.TP 2m
\fB\-\-[no\-]tls\-inspect\fR

Use this flag to indicate whether TLS traffic should be inspected using the TLS
inspection policy when the security profile group is applied. Default: no TLS
inspection. Use \fB\-\-tls\-inspect\fR to enable and \fB\-\-no\-tls\-inspect\fR
to disable.


.RE
.sp
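
The required flags and direction constraints documented above can be checked before a rule is submitted. The following is an added example, not part of gcloud or of this man page: lint_fw_rule and _finding are hypothetical helper names, only the flag=value argument form is handled, and the ingress source check follows the wording of the src-secure-tags entry literally.

```shell
#!/usr/bin/env bash
# lint_fw_rule: hypothetical pre-flight check, not part of gcloud.
# Takes the same arguments as `rules create`, in --flag=value form only,
# prints one finding per line and returns non-zero if any were found.
_finding() { echo "$1"; findings=$((findings + 1)); }

lint_fw_rule() {
  local direction=INGRESS action="" policy="" l4="" spg="" src_match=0
  local egress_only="" ingress_only="" findings=0 arg name f
  for arg in "$@"; do
    name=${arg%%=*}
    case "$name" in
      --direction) direction=$(printf '%s' "${arg#*=}" | tr '[:lower:]' '[:upper:]') ;;
      --action) action=${arg#*=} ;;
      --firewall-policy) policy=${arg#*=} ;;
      --layer4-configs) l4=${arg#*=} ;;
      --security-profile-group) spg=${arg#*=} ;;
      --src-ip-ranges|--src-secure-tags) src_match=1 ;;
      --dest-address-groups|--dest-fqdns|--dest-region-codes|--dest-threat-intelligence)
        egress_only="$egress_only $name" ;;
      --src-address-groups|--src-fqdns|--src-region-codes|--src-threat-intelligence)
        ingress_only="$ingress_only $name" ;;
    esac
  done
  # Flags listed under REQUIRED FLAGS.
  [ -n "$policy" ] || _finding "missing required --firewall-policy"
  [ -n "$l4" ] || _finding "missing required --layer4-configs"
  case "$action" in
    allow|deny|goto_next|apply_security_profile_group) ;;
    *) _finding "--action must be allow, deny, goto_next or apply_security_profile_group" ;;
  esac
  # Match flags that the page restricts to one traffic direction.
  if [ "$direction" != EGRESS ]; then
    for f in $egress_only; do _finding "$f requires --direction=EGRESS"; done
  fi
  if [ "$direction" != INGRESS ]; then
    for f in $ingress_only; do _finding "$f requires --direction=INGRESS"; done
  fi
  # Ingress is the default direction and needs a source match.
  if [ "$direction" = INGRESS ] && [ "$src_match" -eq 0 ]; then
    _finding "ingress rule needs --src-ip-ranges or --src-secure-tags"
  fi
  if [ -n "$spg" ] && [ "$action" != apply_security_profile_group ]; then
    _finding "--security-profile-group is only used with --action=apply_security_profile_group"
  fi
  [ "$findings" -eq 0 ]
}
```

Run it with the arguments intended for the gcloud command and submit the rule only when it prints nothing and returns zero.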

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

These variants are also available:

.RS 2m
$ gcloud alpha compute firewall\-policies rules create
.RE

.RS 2m
$ gcloud beta compute firewall\-policies rules create
.RE