NAME
    gcloud beta compute security-policies rules create - create a Compute
        Engine security policy rule

SYNOPSIS
    gcloud beta compute security-policies rules create PRIORITY --action=ACTION
        (--expression=EXPRESSION --network-dest-ip-ranges=[DEST_IP_RANGE,...]
          --network-dest-ports=[DEST_PORT,...]
          --network-ip-protocols=[IP_PROTOCOL,...]
          --network-src-asns=[SRC_ASN,...]
          --network-src-ip-ranges=[SRC_IP_RANGE,...]
          --network-src-ports=[SRC_PORT,...]
          --network-src-region-codes=[SRC_REGION_CODE,...]
          --network-user-defined-fields=[NAME;VALUE:VALUE:...,...]
          --src-ip-ranges=[SRC_IP_RANGE,...])
        [--ban-duration-sec=BAN_DURATION_SEC]
        [--ban-threshold-count=BAN_THRESHOLD_COUNT]
        [--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC]
        [--conform-action=CONFORM_ACTION] [--description=DESCRIPTION]
        [--enforce-on-key=ENFORCE_ON_KEY]
        [--enforce-on-key-configs=[[all],[ip],[xff-ip],
          [http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],
          [region-code],
          [tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[...]]
        [--enforce-on-key-name=ENFORCE_ON_KEY_NAME]
        [--exceed-action=EXCEED_ACTION]
        [--exceed-redirect-target=EXCEED_REDIRECT_TARGET]
        [--exceed-redirect-type=EXCEED_REDIRECT_TYPE] [--preview]
        [--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT]
        [--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC]
        [--recaptcha-action-site-keys=[SITE_KEY,...]]
        [--recaptcha-session-site-keys=[SITE_KEY,...]]
        [--redirect-target=REDIRECT_TARGET] [--redirect-type=REDIRECT_TYPE]
        [--region=REGION]
        [--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]]
        [--security-policy=SECURITY_POLICY] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) gcloud beta compute security-policies rules create is used to create
    security policy rules.

EXAMPLES
    To create a rule at priority 1000 to block the IP range 1.2.3.0/24, run:

        $ gcloud beta compute security-policies rules create 1000 \
            --action=deny-403 --security-policy=my-policy \
            --description="block 1.2.3.0/24" --src-ip-ranges=1.2.3.0/24

POSITIONAL ARGUMENTS
     PRIORITY
        The priority of the rule to add. Rules are evaluated in order from
        highest priority to lowest priority where 0 is the highest priority and
        2147483647 is the lowest priority.

REQUIRED FLAGS
     --action=ACTION
        The action to take if the request matches the match condition. ACTION
        must be one of:

         allow
            Allows the request from HTTP(S) Load Balancing.
         deny
            Denies the request from TCP/SSL Proxy and Network Load Balancing.
         deny-403
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 403.
         deny-404
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 404.
         deny-502
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 502.
         fairshare
            When traffic reaches the threshold limit, requests from the clients
            matching this rule begin to be rate-limited using the Fair Share
            algorithm.
         rate-based-ban
            Enforces rate-based ban action from HTTP(S) Load Balancing, based
            on rate limit options.
         redirect
            Redirects the request from HTTP(S) Load Balancing, based on
            redirect options.
         redirect-to-recaptcha
            (DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for
            reCAPTCHA Enterprise assessment. This flag choice is deprecated.
            Use --action=redirect and --redirect-type=google-recaptcha instead.
         throttle
            Enforces throttle action from HTTP(S) Load Balancing, based on rate
            limit options.

     Security policy rule matcher.

     At least one of these must be specified:

       --expression=EXPRESSION
          The Cloud Armor rules language expression to match for this rule.

       --network-dest-ip-ranges=[DEST_IP_RANGE,...]
          The destination IPs/IP ranges to match for this rule. To match all
          IPs specify *.

       --network-dest-ports=[DEST_PORT,...]
          The destination ports to match for this rule. Each element can be an
          16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"),
          To match all destination ports specify *.

       --network-ip-protocols=[IP_PROTOCOL,...]
          The IP protocols to match for this rule. Each element can be an 8-bit
          unsigned decimal number (e.g. "6"), range (e.g."253-254"), or one of
          the following protocol names: "tcp", "udp", "icmp", "esp", "ah",
          "ipip", or "sctp". To match all protocols specify *.

       --network-src-asns=[SRC_ASN,...]
          BGP Autonomous System Number associated with the source IP address to
          match for this rule.

       --network-src-ip-ranges=[SRC_IP_RANGE,...]
          The source IPs/IP ranges to match for this rule. To match all IPs
          specify *.

       --network-src-ports=[SRC_PORT,...]
          The source ports to match for this rule. Each element can be an
          16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"),
          To match all source ports specify *.

       --network-src-region-codes=[SRC_REGION_CODE,...]
          The two letter ISO 3166-1 alpha-2 country code associated with the
          source IP address to match for this rule. To match all region codes
          specify *.

       --network-user-defined-fields=[NAME;VALUE:VALUE:...,...]
          Each element names a defined field and lists the matching values for
          that field.

       --src-ip-ranges=[SRC_IP_RANGE,...]
          The source IPs/IP ranges to match for this rule. To match all IPs
          specify *.

OPTIONAL FLAGS
     --ban-duration-sec=BAN_DURATION_SEC
        Can only be specified if the action for the rule is rate-based-ban. If
        specified, determines the time (in seconds) the traffic will continue
        to be banned by the rate limit after the rate falls below the
        threshold.

     --ban-threshold-count=BAN_THRESHOLD_COUNT
        Number of HTTP(S) requests for calculating the threshold for banning
        requests. Can only be specified if the action for the rule is
        rate-based-ban. If specified, the key will be banned for the configured
        BAN_DURATION_SEC when the number of requests that exceed the
        RATE_LIMIT_THRESHOLD_COUNT also exceed this BAN_THRESHOLD_COUNT.

     --ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC
        Interval over which the threshold for banning requests is computed. Can
        only be specified if the action for the rule is rate-based-ban. If
        specified, the key will be banned for the configured BAN_DURATION_SEC
        when the number of requests that exceed the RATE_LIMIT_THRESHOLD_COUNT
        also exceed this BAN_THRESHOLD_COUNT.

     --conform-action=CONFORM_ACTION
        Action to take when requests are under the given threshold. When
        requests are throttled, this is also the action for all requests which
        are not dropped. CONFORM_ACTION must be (only one value is supported):
        allow.

     --description=DESCRIPTION
        An optional, textual description for the rule.

     --enforce-on-key=ENFORCE_ON_KEY
        Different key types available to enforce the rate limit threshold limit
        on:
        ◆ ip: each client IP address has this limit enforced separately
        ◆ all: a single limit is applied to all requests matching this rule
        ◆ http-header: key type takes the value of the HTTP header configured
          in enforce-on-key-name as the key value
        ◆ xff-ip: takes the original IP address specified in the
          X-Forwarded-For header as the key
        ◆ http-cookie: key type takes the value of the HTTP cookie configured
          in enforce-on-key-name as the key value
        ◆ http-path: key type takes the value of the URL path in the request
        ◆ sni: key type takes the value of the server name indication from
          the TLS session of the HTTPS request
        ◆ region-code: key type takes the value of the region code from which
          the request originates
        ◆ tls-ja3-fingerprint: key type takes the value of JA3 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
        ◆ user-ip: key type takes the IP address of the originating client,
          which is resolved based on user-ip-request-headers configured with
          the security policy
        ◆ tls-ja4-fingerprint: key type takes the value of JA4 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

        ENFORCE_ON_KEY must be one of: ip, all, http-header, xff-ip,
        http-cookie, http-path, sni, region-code, tls-ja3-fingerprint, user-ip,
        tls-ja4-fingerprint.

     --enforce-on-key-configs=[[all],[ip],[xff-ip],[http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],[region-code],[tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[...]
        Specify up to 3 key type/name pairs to rate limit. Valid key types are:

        ◆ ip: each client IP address has this limit enforced separately
        ◆ all: a single limit is applied to all requests matching this rule
        ◆ http-header: key type takes the value of the HTTP header configured
          in enforce-on-key-name as the key value
        ◆ xff-ip: takes the original IP address specified in the
          X-Forwarded-For header as the key
        ◆ http-cookie: key type takes the value of the HTTP cookie configured
          in enforce-on-key-name as the key value
        ◆ http-path: key type takes the value of the URL path in the request
        ◆ sni: key type takes the value of the server name indication from
          the TLS session of the HTTPS request
        ◆ region-code: key type takes the value of the region code from which
          the request originates
        ◆ tls-ja3-fingerprint: key type takes the value of JA3 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
        ◆ user-ip: key type takes the IP address of the originating client,
          which is resolved based on user-ip-request-headers configured with
          the security policy
        ◆ tls-ja4-fingerprint: key type takes the value of JA4 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

        Key names are only applicable to the following key types:
        ◆ http-header: The name of the HTTP header whose value is taken as
          the key value.
        ◆ http-cookie: The name of the HTTP cookie whose value is taken as
          the key value.

     --enforce-on-key-name=ENFORCE_ON_KEY_NAME
        Determines the key name for the rate limit key. Applicable only for the
        following rate limit key types:
        ◆ http-header: The name of the HTTP header whose value is taken as
          the key value.
        ◆ http-cookie: The name of the HTTP cookie whose value is taken as
          the key value.

     --exceed-action=EXCEED_ACTION
        Action to take when requests are above the given threshold. When a
        request is denied, return the specified HTTP response code. When a
        request is redirected, use the redirect options based on
        --exceed-redirect-type and --exceed-redirect-target below.
        EXCEED_ACTION must be one of: deny-403, deny-404, deny-429, deny-502,
        deny, redirect.

     --exceed-redirect-target=EXCEED_REDIRECT_TARGET
        URL target for the redirect action that is configured as the exceed
        action when the redirect type is external-302.

     --exceed-redirect-type=EXCEED_REDIRECT_TYPE
        Type for the redirect action that is configured as the exceed action.
        EXCEED_REDIRECT_TYPE must be one of: google-recaptcha, external-302.

     --preview
        If specified, the action will not be enforced.

     --rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT
        Number of HTTP(S) requests for calculating the threshold for rate
        limiting requests.

     --rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC
        Interval over which the threshold for rate limiting requests is
        computed.

     --recaptcha-action-site-keys=[SITE_KEY,...]
        A comma-separated list of site keys to be used during the validation of
        reCAPTCHA action-tokens. The provided site keys need to be created from
        the reCAPTCHA API under the same project where the security policy is
        created.

     --recaptcha-session-site-keys=[SITE_KEY,...]
        A comma-separated list of site keys to be used during the validation of
        reCAPTCHA session-tokens. The provided site keys need to be created
        from the reCAPTCHA API under the same project where the security policy
        is created.

     --redirect-target=REDIRECT_TARGET
        URL target for the redirect action. Must be specified if the redirect
        type is external-302. Cannot be specified if the redirect type is
        google-recaptcha.

     --redirect-type=REDIRECT_TYPE
        Type for the redirect action. Default to external-302 if unspecified
        while --redirect-target is given. REDIRECT_TYPE must be one of:
        google-recaptcha, external-302.

     --region=REGION
        Region of the security policy to add. If not specified, you might be
        prompted to select a region (interactive mode only).

        A list of regions can be fetched by running:

            $ gcloud compute regions list

        Overrides the default compute/region property value for this command
        invocation.

     --request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]
        A comma-separated list of header names and header values to add to
        requests that match this rule.

     --security-policy=SECURITY_POLICY
        The security policy that this rule belongs to.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in beta and might change without notice. These
    variants are also available:

        $ gcloud compute security-policies rules create

        $ gcloud alpha compute security-policies rules create

