NAME
    gcloud beta compute firewall-policies rules create - creates a Compute
        Engine firewall policy rule

SYNOPSIS
    gcloud beta compute firewall-policies rules create PRIORITY --action=ACTION
        --firewall-policy=FIREWALL_POLICY --layer4-configs=[LAYER4_CONFIG,...]
        [--description=DESCRIPTION]
        [--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
        [--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
        [--dest-network-context=DEST_NETWORK_CONTEXT]
        [--dest-network-type=DEST_NETWORK_TYPE]
        [--dest-region-codes=[DEST_REGION_CODES,...]]
        [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
        [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
        [--organization=ORGANIZATION]
        [--security-profile-group=SECURITY_PROFILE_GROUP]
        [--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
        [--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
        [--src-network-context=SRC_NETWORK_CONTEXT]
        [--src-network-type=SRC_NETWORK_TYPE]
        [--src-networks=[SRC_NETWORKS,...]]
        [--src-region-codes=[SOURCE_REGION_CODES,...]]
        [--src-secure-tags=[SOURCE_SECURE_TAGS,...]]
        [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
        [--target-resources=[TARGET_RESOURCES,...]]
        [--target-secure-tags=[TARGET_SECURE_TAGS,...]]
        [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
        [--[no-]tls-inspect] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) gcloud beta compute firewall-policies rules create is used to create
    organization firewall policy rules.

EXAMPLES
    To create a rule with priority ``10" in an organization firewall policy
    with ID ``123456789", run:

        $ gcloud beta compute firewall-policies rules create 10 \
            --firewall-policy=123456789 --action=allow \
            --description=example-rule

POSITIONAL ARGUMENTS
     PRIORITY
        Priority of the firewall policy rule to create.

REQUIRED FLAGS
     --action=ACTION
        Action to take if the request matches the match condition. ACTION must
        be one of: allow, deny, goto_next, apply_security_profile_group.

     --firewall-policy=FIREWALL_POLICY
        Short name of the firewall policy into which the rule should be
        inserted.

     --layer4-configs=[LAYER4_CONFIG,...]
        A list of destination protocols and ports to which the firewall rule
        will apply.

OPTIONAL FLAGS
     --description=DESCRIPTION
        An optional, textual description for the rule.

     --dest-address-groups=[DEST_ADDRESS_GROUPS,...]
        Destination address groups to match for this rule. Can only be
        specified if DIRECTION is egress.

     --dest-fqdns=[DEST_FQDNS,...]
        Destination FQDNs to match for this rule. Can only be specified if
        DIRECTION is egress.

     --dest-ip-ranges=[DEST_IP_RANGE,...]
        Destination IP ranges to match for this rule.

     --dest-network-context=DEST_NETWORK_CONTEXT
        Use this flag to indicate that the rule should match internet or
        non-internet traffic. It applies to destination traffic for egress
        rules. Valid values are INTERNET and NON_INTERNET. Use empty string to
        clear the field.

     --dest-network-type=DEST_NETWORK_TYPE
        Use this flag to indicate that the rule should match internet or
        non-internet traffic. It applies to destination traffic for egress
        rules. Valid values are INTERNET and NON_INTERNET. Use empty string to
        clear the field.

     --dest-region-codes=[DEST_REGION_CODES,...]
        Destination Region Code to match for this rule. Can only be specified
        if DIRECTION is egress. Cannot be specified when the source network
        context is NON_INTERNET.

     --dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
        Destination Threat Intelligence lists to match for this rule. Can only
        be specified if DIRECTION is egress. Cannot be specified when source
        network context is NON_INTERNET. The available lists can be found here:
        https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

     --direction=DIRECTION
        Direction of the traffic the rule is applied. The default is to apply
        on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.

     --[no-]disabled
        Use this flag to disable the rule. Disabled rules will not affect
        traffic. Use --disabled to enable and --no-disabled to disable.

     --[no-]enable-logging
        Use this flag to enable logging of connections that allowed or denied
        by this rule. Use --enable-logging to enable and --no-enable-logging to
        disable.

     --organization=ORGANIZATION
        Organization which the organization firewall policy belongs to. Must be
        set if FIREWALL_POLICY is short name.

     --security-profile-group=SECURITY_PROFILE_GROUP
        An org-based security profile group to be used with
        apply_security_profile_group action. Allowed formats are: a)
        http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
        b)
        (//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
        c) <profile>. In case "c" gcloud CLI will create a reference matching
        format "a", but to make it work
        CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set.
        In order to set this property, please run the command gcloud config set
        api_endpoint_overrides/networksecurity https://<namespace>/.

     --src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
        Source address groups to match for this rule. Can only be specified if
        DIRECTION is ingress.

     --src-fqdns=[SOURCE_FQDNS,...]
        Source FQDNs to match for this rule. Can only be specified if DIRECTION
        is ingress.

     --src-ip-ranges=[SRC_IP_RANGE,...]
        Source IP ranges to match for this rule.

     --src-network-context=SRC_NETWORK_CONTEXT
        Use this flag to indicate that the rule should match internet,
        non-internet traffic or traffic coming from the network specified by
        --src-network. It applies to ingress rules. Valid values are INTERNET,
        NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the
        field.

     --src-network-type=SRC_NETWORK_TYPE
        Use this flag to indicate that the rule should match internet,
        non-internet traffic or traffic coming from the network specified by
        --src-network. It applies to ingress rules. Valid values are INTERNET,
        NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the
        field.

     --src-networks=[SRC_NETWORKS,...]
        The source VPC networks to match for this rule. It can only be
        specified when --src-network-type is VPC_NETWORKS. It applies to
        ingress rules. It accepts full or partial URLs.

     --src-region-codes=[SOURCE_REGION_CODES,...]
        Source Region Code to match for this rule. Can only be specified if
        DIRECTION is ingress. Cannot be specified when the source network
        context is NON_INTERNET, VPC_NETWORK or INTRA_VPC.

     --src-secure-tags=[SOURCE_SECURE_TAGS,...]
        A list of instance secure tags indicating the set of instances on the
        network to which the rule applies if all other fields match. Either
        --src-ip-ranges or --src-secure-tags must be specified for ingress
        traffic. If both --src-ip-ranges and --src-secure-tags are specified,
        an inbound connection is allowed if either the range of the source
        matches --src-ip-ranges or the tag of the source matches
        --src-secure-tags. Secure Tags can be assigned to instances during
        instance creation.

     --src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
        Source Threat Intelligence lists to match for this rule. Can only be
        specified if DIRECTION is ingress. Cannot be specified when the source
        network context is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The
        available lists can be found here:
        https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

     --target-resources=[TARGET_RESOURCES,...]
        List of URLs of target resources to which the rule is applied.

     --target-secure-tags=[TARGET_SECURE_TAGS,...]
        An optional, list of target secure tags with a name of the format
        tagValues/ or full namespaced name

     --target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
        List of target service accounts for the rule.

     --[no-]tls-inspect
        Use this flag to indicate whether TLS traffic should be inspected using
        the TLS inspection policy when the security profile group is applied.
        Default: no TLS inspection. Use --tls-inspect to enable and
        --no-tls-inspect to disable.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in beta and might change without notice. These
    variants are also available:

        $ gcloud compute firewall-policies rules create

        $ gcloud alpha compute firewall-policies rules create

