HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/current/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/current/help/man/man1/gcloud_alpha_compute_firewall-rules_create.1
.TH "GCLOUD_ALPHA_COMPUTE_FIREWALL\-RULES_CREATE" 1



.SH "NAME"
.HP
gcloud alpha compute firewall\-rules create \- create a Compute Engine firewall rule



.SH "SYNOPSIS"
.HP
\f5gcloud alpha compute firewall\-rules create\fR \fINAME\fR (\fB\-\-action\fR=\fIACTION\fR\ |\ \fB\-\-allow\fR=\fIPROTOCOL\fR[:\fIPORT\fR[\-\fIPORT\fR]],[...]) [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-destination\-ranges\fR=\fICIDR_RANGE\fR,[\fICIDR_RANGE\fR,...]] [\fB\-\-direction\fR=\fIDIRECTION\fR] [\fB\-\-disabled\fR] [\fB\-\-[no\-]enable\-logging\fR] [\fB\-\-logging\-metadata\fR=\fILOGGING_METADATA\fR] [\fB\-\-network\fR=\fINETWORK\fR;\ default="default"] [\fB\-\-priority\fR=\fIPRIORITY\fR] [\fB\-\-resource\-manager\-tags\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-rules\fR=\fIPROTOCOL\fR[:\fIPORT\fR[\-\fIPORT\fR]],[...]] [\fB\-\-source\-ranges\fR=\fICIDR_RANGE\fR,[\fICIDR_RANGE\fR,...]] [\fB\-\-source\-service\-accounts\fR=\fIEMAIL\fR,[\fIEMAIL\fR,...]] [\fB\-\-source\-tags\fR=\fITAG\fR,[\fITAG\fR,...]] [\fB\-\-target\-service\-accounts\fR=\fIEMAIL\fR,[\fIEMAIL\fR,...]] [\fB\-\-target\-tags\fR=\fITAG\fR,[\fITAG\fR,...]] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(ALPHA)\fR \fBgcloud alpha compute firewall\-rules create\fR is used to
create firewall rules to allow/deny incoming/outgoing traffic.



.SH "EXAMPLES"

To create a firewall rule allowing incoming TCP traffic on port 8080, run:

.RS 2m
$ gcloud alpha compute firewall\-rules create example\-service \e
    \-\-allow=tcp:8080 \e
    \-\-description="Allow incoming traffic on TCP port 8080" \e
    \-\-direction=INGRESS
.RE

To create a firewall rule that allows TCP traffic through port 80 and determines
a list of specific IP address blocks that are allowed to make inbound
connections, run:

.RS 2m
$ gcloud alpha compute firewall\-rules create tcp\-rule \e
    \-\-allow=tcp:80 \-\-source\-ranges="10.0.0.0/22,10.0.0.0/14" \e
    \-\-description="Narrowing TCP traffic"
.RE

To list existing firewall rules, run:

.RS 2m
$ gcloud compute firewall\-rules list
.RE

For more detailed examples see
https://cloud.google.com/vpc/docs/using\-firewalls



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fINAME\fR

Name of the firewall rule to create.


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m

Exactly one of these must be specified:


.RS 2m
.TP 2m
\fB\-\-action\fR=\fIACTION\fR

The action for the firewall rule: whether to allow or deny matching traffic. If
specified, the flag \f5\-\-rules\fR must also be specified. \fIACTION\fR must be
one of: \fBALLOW\fR, \fBDENY\fR.

.TP 2m
\fB\-\-allow\fR=\fIPROTOCOL\fR[:\fIPORT\fR[\-\fIPORT\fR]],[...]

A list of protocols and ports whose traffic will be allowed.

The protocols allowed over this connection. This can be the (case\-sensitive)
string values \f5tcp\fR, \f5udp\fR, \f5icmp\fR, \f5esp\fR, \f5ah\fR, \f5sctp\fR,
or any IP protocol number. An IP\-based protocol must be specified for each
rule. The rule applies only to specified protocol.

For port\-based protocols \- \f5tcp\fR, \f5udp\fR, and \f5sctp\fR \- a list of
destination ports or port ranges to which the rule applies may optionally be
specified. If no port or port range is specified, the rule applies to all
destination ports.

The ICMP protocol is supported, but there is no support for configuring ICMP
packet filtering by ICMP code.

For example, to create a rule that allows TCP traffic through port 80 and ICMP
traffic:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \e
    \-\-allow tcp:80,icmp
.RE

To create a rule that allows TCP traffic from port 20000 to 25000:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \e
    \-\-allow tcp:20000\-25000
.RE

To create a rule that allows all TCP traffic:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \-\-allow tcp
.RE


.RE
.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR

A textual description for the firewall rule.

.TP 2m
\fB\-\-destination\-ranges\fR=\fICIDR_RANGE\fR,[\fICIDR_RANGE\fR,...]

The firewall rule will apply to traffic that has destination IP address in these
IP address block list. The IP address blocks must be specified in CIDR format:
http://en.wikipedia.org/wiki/Classless_Inter\-Domain_Routing.

If \-\-destination\-ranges is NOT provided, then this flag will default to
0.0.0.0/0, allowing all IPv4 destinations. Multiple IP address blocks can be
specified if they are separated by commas.

.TP 2m
\fB\-\-direction\fR=\fIDIRECTION\fR

If direction is NOT specified, then default is to apply on incoming traffic. For
outbound traffic, it is NOT supported to specify source\-tags.

For convenience, 'IN' can be used to represent ingress direction and 'OUT' can
be used to represent egress direction.

\fIDIRECTION\fR must be one of: \fBINGRESS\fR, \fBEGRESS\fR, \fBIN\fR,
\fBOUT\fR.

.TP 2m
\fB\-\-disabled\fR

Disable a firewall rule and stop it from being enforced in the network. If a
firewall rule is disabled, the associated network behaves as if the rule did not
exist. To enable a disabled rule, use:

.RS 2m
$ gcloud alpha compute firewall\-rules update MY\-RULE \-\-no\-disabled
.RE

Firewall rules are enabled by default.

.TP 2m
\fB\-\-[no\-]enable\-logging\fR

Enable logging for the firewall rule. Logs will be exported to StackDriver.
Firewall logging is disabled by default. To enable logging for an existing rule,
run:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \-\-enable\-logging
.RE

To disable logging on an existing rule, run:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \e
    \-\-no\-enable\-logging
.RE

Use \fB\-\-enable\-logging\fR to enable and \fB\-\-no\-enable\-logging\fR to
disable.

.TP 2m
\fB\-\-logging\-metadata\fR=\fILOGGING_METADATA\fR

Adds or removes metadata fields to or from the reported firewall logs. Can only
be specified if \-\-enable\-logging is true. \fILOGGING_METADATA\fR must be one
of: \fBexclude\-all\fR, \fBinclude\-all\fR.

.TP 2m
\fB\-\-network\fR=\fINETWORK\fR; default="default"

The network to which this rule is attached. If omitted, the rule is attached to
the \f5\fIdefault\fR\fR network.

.TP 2m
\fB\-\-priority\fR=\fIPRIORITY\fR

This is an integer between 0 and 65535, both inclusive. When NOT specified, the
value assumed is 1000. Relative priority determines precedence of conflicting
rules: lower priority values imply higher precedence. DENY rules take precedence
over ALLOW rules having equal priority.

.TP 2m
\fB\-\-resource\-manager\-tags\fR=[\fIKEY\fR=\fIVALUE\fR,...]

A comma\-separated list of Resource Manager tags to apply to the firewall.

.TP 2m
\fB\-\-rules\fR=\fIPROTOCOL\fR[:\fIPORT\fR[\-\fIPORT\fR]],[...]

A list of protocols and ports to which the firewall rule will apply.

PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can be
either the name of a well\-known protocol (e.g., tcp or icmp) or the IP protocol
number. A list of IP protocols can be found at
http://www.iana.org/assignments/protocol\-numbers/protocol\-numbers.xhtml

A port or port range can be specified after PROTOCOL to which the firewall rule
apply on traffic through specific ports. If no port or port range is specified,
connections through all ranges are applied. TCP and UDP rules must include a
port or port range.

If specified, the flag \-\-action must also be specified.

For example, the following will create a rule that blocks TCP traffic through
port 80 and ICMP traffic:

.RS 2m
$ gcloud alpha compute firewall\-rules create MY\-RULE \-\-action deny \e
    \-\-rules tcp:80,icmp
.RE

.TP 2m
\fB\-\-source\-ranges\fR=\fICIDR_RANGE\fR,[\fICIDR_RANGE\fR,...]

A list of IP address blocks that are allowed to make inbound connections that
match the firewall rule to the instances on the network. The IP address blocks
must be specified in CIDR format:
http://en.wikipedia.org/wiki/Classless_Inter\-Domain_Routing.

If neither \-\-source\-ranges nor \-\-source\-tags are specified,
\-\-source\-ranges defaults to \f50.0.0.0/0\fR, which means that the rule
applies to all incoming IPv4 connections from inside or outside the network. If
both \-\-source\-ranges and \-\-source\-tags are specified, the rule matches if
either the range of the source matches \-\-source\-ranges or the tag of the
source matches \-\-source\-tags.

Multiple IP address blocks can be specified if they are separated by commas.

.TP 2m
\fB\-\-source\-service\-accounts\fR=\fIEMAIL\fR,[\fIEMAIL\fR,...]

The email of a service account indicating the set of instances on the network
which match a traffic source in the firewall rule.

If a source service account is specified then neither source tags nor target
tags can also be specified.

.TP 2m
\fB\-\-source\-tags\fR=\fITAG\fR,[\fITAG\fR,...]

A list of instance tags indicating the set of instances on the network to which
the rule applies if all other fields match. If neither \-\-source\-ranges nor
\-\-source\-tags are specified, \-\-source\-ranges defaults to \f50.0.0.0/0\fR,
which means that the rule applies to all incoming IPv4 connections from inside
or outside the network.

If both \-\-source\-ranges and \-\-source\-tags are specified, an inbound
connection is allowed if either the range of the source matches
\-\-source\-ranges or the tag of the source matches \-\-source\-tags.

Tags can be assigned to instances during instance creation.

If source tags are specified then neither a source nor target service account
can also be specified.

.TP 2m
\fB\-\-target\-service\-accounts\fR=\fIEMAIL\fR,[\fIEMAIL\fR,...]

The email of a service account indicating the set of instances to which firewall
rules apply. If both target tags and target service account are omitted, the
firewall rule is applied to all instances on the network.

If a target service account is specified then neither source tag nor target tags
can also be specified.

.TP 2m
\fB\-\-target\-tags\fR=\fITAG\fR,[\fITAG\fR,...]

List of instance tags indicating the set of instances on the network which may
accept connections that match the firewall rule. Note that tags can be assigned
to instances during instance creation.

If target tags are specified, then neither a source nor target service account
can also be specified.

If both target tags and target service account are omitted, all instances on the
network can receive connections that match the rule.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation\-only early access
allowlist. These variants are also available:

.RS 2m
$ gcloud compute firewall\-rules create
.RE

.RS 2m
$ gcloud beta compute firewall\-rules create
.RE
@ Telegram