NAME
    gcloud alpha compute org-security-policies rules create - create a Compute
        Engine security policy rule

SYNOPSIS
    gcloud alpha compute org-security-policies rules create PRIORITY
        --action=ACTION --security-policy=SECURITY_POLICY [--cloud-armor]
        [--description=DESCRIPTION] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
        [--dest-ports=[DEST_PORTS,...]] [--direction=DIRECTION]
        [--[no-]enable-logging] [--layer4-configs=[LAYER4_CONFIG,...]]
        [--organization=ORGANIZATION] [--preview]
        [--target-resources=[TARGET_RESOURCES,...]]
        [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
        [--expression=EXPRESSION | --src-ip-ranges=[SRC_IP_RANGE,...]]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) gcloud alpha compute org-security-policies rules create is used to
    create organization security policy rules.

EXAMPLES
    To create a rule with priority 10 in an organization security policy with
    ID 123456789, run:

        $ gcloud alpha compute org-security-policies rules create 10 \
            --security-policy=123456789 --action=allow \
            --description=example-rule --cloud-armor

POSITIONAL ARGUMENTS
     PRIORITY
        Priority of the security policy rule to create.

REQUIRED FLAGS
     --action=ACTION
        Action to take if the request matches the match condition. ACTION must
        be one of:

         allow
            Allows the request from HTTP(S) Load Balancing.
         deny
            (DEPRECATED) Only used for Hierarchical Firewalls.
         deny-403
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 403.
         deny-404
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 404.
         deny-502
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 502.
         goto-next
            Defers enforcement to the next policy in the hierarchy.
         redirect
            Redirects the request from HTTP(S) Load Balancing, based on
            redirect options.

     --security-policy=SECURITY_POLICY
        short name of the security policy into which the rule should be
        inserted.

OPTIONAL FLAGS
     --cloud-armor
        Specified for Hierarchical Cloud Armor rules.

     --description=DESCRIPTION
        An optional, textual description for the rule.

     --dest-ip-ranges=[DEST_IP_RANGE,...]
        Destination IP ranges to match for this rule. Can only be specified if
        DIRECTION is egress.

     --dest-ports=[DEST_PORTS,...]
        A list of destination protocols and ports to which the firewall rule
        will apply.

     --direction=DIRECTION
        Direction of the traffic the rule is applied. The default is to apply
        on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.

     --[no-]enable-logging
        Use this flag to enable logging of connections that allowed or denied
        by this rule. Use --enable-logging to enable and --no-enable-logging to
        disable.

     --layer4-configs=[LAYER4_CONFIG,...]
        A list of destination protocols and ports to which the firewall rule
        will apply.

     --organization=ORGANIZATION
        Organization which the organization security policy belongs to. Must be
        set if SECURITY_POLICY is short name.

     --preview
        If specified, the action will not be enforced.

     --target-resources=[TARGET_RESOURCES,...]
        List of URLs of target resources to which the rule is applied.

     --target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
        List of target service accounts for the rule.

     Security policy rule matcher.

     At most one of these can be specified:

       --expression=EXPRESSION
          The Cloud Armor rules language expression to match for this rule.

       --src-ip-ranges=[SRC_IP_RANGE,...]
          The source IPs/IP ranges to match for this rule. To match all IPs
          specify *.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud compute org-security-policies rules create

        $ gcloud beta compute org-security-policies rules create

