NAME
    gcloud compute firewall-rules create - create a Compute Engine firewall
        rule

SYNOPSIS
    gcloud compute firewall-rules create NAME
        (--action=ACTION | --allow=PROTOCOL[:PORT[-PORT]],[...])
        [--description=DESCRIPTION]
        [--destination-ranges=CIDR_RANGE,[CIDR_RANGE,...]]
        [--direction=DIRECTION] [--disabled] [--[no-]enable-logging]
        [--logging-metadata=LOGGING_METADATA]
        [--network=NETWORK; default="default"] [--priority=PRIORITY]
        [--resource-manager-tags=[KEY=VALUE,...]]
        [--rules=PROTOCOL[:PORT[-PORT]],[...]]
        [--source-ranges=CIDR_RANGE,[CIDR_RANGE,...]]
        [--source-service-accounts=EMAIL,[EMAIL,...]]
        [--source-tags=TAG,[TAG,...]]
        [--target-service-accounts=EMAIL,[EMAIL,...]]
        [--target-tags=TAG,[TAG,...]] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    gcloud compute firewall-rules create is used to create firewall rules to
    allow/deny incoming/outgoing traffic.

EXAMPLES
    To create a firewall rule allowing incoming TCP traffic on port 8080, run:

        $ gcloud compute firewall-rules create example-service \
            --allow=tcp:8080 \
            --description="Allow incoming traffic on TCP port 8080" \
            --direction=INGRESS

    To create a firewall rule that allows TCP traffic through port 80 and
    determines a list of specific IP address blocks that are allowed to make
    inbound connections, run:

        $ gcloud compute firewall-rules create tcp-rule --allow=tcp:80 \
            --source-ranges="10.0.0.0/22,10.0.0.0/14" \
            --description="Narrowing TCP traffic"

    To list existing firewall rules, run:

        $ gcloud compute firewall-rules list

    For more detailed examples see
    https://cloud.google.com/vpc/docs/using-firewalls

POSITIONAL ARGUMENTS
     NAME
        Name of the firewall rule to create.

REQUIRED FLAGS
     Exactly one of these must be specified:

       --action=ACTION
          The action for the firewall rule: whether to allow or deny matching
          traffic. If specified, the flag --rules must also be specified.
          ACTION must be one of: ALLOW, DENY.

       --allow=PROTOCOL[:PORT[-PORT]],[...]
          A list of protocols and ports whose traffic will be allowed.

          The protocols allowed over this connection. This can be the
          (case-sensitive) string values tcp, udp, icmp, esp, ah, sctp, or any
          IP protocol number. An IP-based protocol must be specified for each
          rule. The rule applies only to specified protocol.

          For port-based protocols - tcp, udp, and sctp - a list of destination
          ports or port ranges to which the rule applies may optionally be
          specified. If no port or port range is specified, the rule applies to
          all destination ports.

          The ICMP protocol is supported, but there is no support for
          configuring ICMP packet filtering by ICMP code.

          For example, to create a rule that allows TCP traffic through port 80
          and ICMP traffic:

              $ gcloud compute firewall-rules create MY-RULE --allow tcp:80,icmp

          To create a rule that allows TCP traffic from port 20000 to 25000:

              $ gcloud compute firewall-rules create MY-RULE \
                  --allow tcp:20000-25000

          To create a rule that allows all TCP traffic:

              $ gcloud compute firewall-rules create MY-RULE --allow tcp

OPTIONAL FLAGS
     --description=DESCRIPTION
        A textual description for the firewall rule.

     --destination-ranges=CIDR_RANGE,[CIDR_RANGE,...]
        The firewall rule will apply to traffic that has destination IP address
        in these IP address block list. The IP address blocks must be specified
        in CIDR format:
        http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.

        If --destination-ranges is NOT provided, then this flag will default to
        0.0.0.0/0, allowing all IPv4 destinations. Multiple IP address blocks
        can be specified if they are separated by commas.

     --direction=DIRECTION
        If direction is NOT specified, then default is to apply on incoming
        traffic. For outbound traffic, it is NOT supported to specify
        source-tags.

        For convenience, 'IN' can be used to represent ingress direction and
        'OUT' can be used to represent egress direction.

        DIRECTION must be one of: INGRESS, EGRESS, IN, OUT.

     --disabled
        Disable a firewall rule and stop it from being enforced in the network.
        If a firewall rule is disabled, the associated network behaves as if
        the rule did not exist. To enable a disabled rule, use:

            $ gcloud compute firewall-rules update MY-RULE --no-disabled

        Firewall rules are enabled by default.

     --[no-]enable-logging
        Enable logging for the firewall rule. Logs will be exported to
        StackDriver. Firewall logging is disabled by default. To enable logging
        for an existing rule, run:

            $ gcloud compute firewall-rules create MY-RULE --enable-logging

        To disable logging on an existing rule, run:

            $ gcloud compute firewall-rules create MY-RULE --no-enable-logging

        Use --enable-logging to enable and --no-enable-logging to disable.

     --logging-metadata=LOGGING_METADATA
        Adds or removes metadata fields to or from the reported firewall logs.
        Can only be specified if --enable-logging is true. LOGGING_METADATA
        must be one of: exclude-all, include-all.

     --network=NETWORK; default="default"
        The network to which this rule is attached. If omitted, the rule is
        attached to the default network.

     --priority=PRIORITY
        This is an integer between 0 and 65535, both inclusive. When NOT
        specified, the value assumed is 1000. Relative priority determines
        precedence of conflicting rules: lower priority values imply higher
        precedence. DENY rules take precedence over ALLOW rules having equal
        priority.

     --resource-manager-tags=[KEY=VALUE,...]
        A comma-separated list of Resource Manager tags to apply to the
        firewall.

     --rules=PROTOCOL[:PORT[-PORT]],[...]
        A list of protocols and ports to which the firewall rule will apply.

        PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can
        be either the name of a well-known protocol (e.g., tcp or icmp) or the
        IP protocol number. A list of IP protocols can be found at
        http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

        A port or port range can be specified after PROTOCOL to which the
        firewall rule apply on traffic through specific ports. If no port or
        port range is specified, connections through all ranges are applied.
        TCP and UDP rules must include a port or port range.

        If specified, the flag --action must also be specified.

        For example, the following will create a rule that blocks TCP traffic
        through port 80 and ICMP traffic:

            $ gcloud compute firewall-rules create MY-RULE --action deny \
                --rules tcp:80,icmp

     --source-ranges=CIDR_RANGE,[CIDR_RANGE,...]
        A list of IP address blocks that are allowed to make inbound
        connections that match the firewall rule to the instances on the
        network. The IP address blocks must be specified in CIDR format:
        http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.

        If neither --source-ranges nor --source-tags are specified,
        --source-ranges defaults to 0.0.0.0/0, which means that the rule
        applies to all incoming IPv4 connections from inside or outside the
        network. If both --source-ranges and --source-tags are specified, the
        rule matches if either the range of the source matches --source-ranges
        or the tag of the source matches --source-tags.

        Multiple IP address blocks can be specified if they are separated by
        commas.

     --source-service-accounts=EMAIL,[EMAIL,...]
        The email of a service account indicating the set of instances on the
        network which match a traffic source in the firewall rule.

        If a source service account is specified then neither source tags nor
        target tags can also be specified.

     --source-tags=TAG,[TAG,...]
        A list of instance tags indicating the set of instances on the network
        to which the rule applies if all other fields match. If neither
        --source-ranges nor --source-tags are specified, --source-ranges
        defaults to 0.0.0.0/0, which means that the rule applies to all
        incoming IPv4 connections from inside or outside the network.

        If both --source-ranges and --source-tags are specified, an inbound
        connection is allowed if either the range of the source matches
        --source-ranges or the tag of the source matches --source-tags.

        Tags can be assigned to instances during instance creation.

        If source tags are specified then neither a source nor target service
        account can also be specified.

     --target-service-accounts=EMAIL,[EMAIL,...]
        The email of a service account indicating the set of instances to which
        firewall rules apply. If both target tags and target service account
        are omitted, the firewall rule is applied to all instances on the
        network.

        If a target service account is specified then neither source tag nor
        target tags can also be specified.

     --target-tags=TAG,[TAG,...]
        List of instance tags indicating the set of instances on the network
        which may accept connections that match the firewall rule. Note that
        tags can be assigned to instances during instance creation.

        If target tags are specified, then neither a source nor target service
        account can also be specified.

        If both target tags and target service account are omitted, all
        instances on the network can receive connections that match the rule.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha compute firewall-rules create

        $ gcloud beta compute firewall-rules create

