NAME
    gcloud compute security-policies rules create - create a Compute Engine
        security policy rule

SYNOPSIS
    gcloud compute security-policies rules create PRIORITY --action=ACTION
        (--expression=EXPRESSION --network-dest-ip-ranges=[DEST_IP_RANGE,...]
          --network-dest-ports=[DEST_PORT,...]
          --network-ip-protocols=[IP_PROTOCOL,...]
          --network-src-asns=[SRC_ASN,...]
          --network-src-ip-ranges=[SRC_IP_RANGE,...]
          --network-src-ports=[SRC_PORT,...]
          --network-src-region-codes=[SRC_REGION_CODE,...]
          --network-user-defined-fields=[NAME;VALUE:VALUE:...,...]
          --src-ip-ranges=[SRC_IP_RANGE,...])
        [--ban-duration-sec=BAN_DURATION_SEC]
        [--ban-threshold-count=BAN_THRESHOLD_COUNT]
        [--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC]
        [--conform-action=CONFORM_ACTION] [--description=DESCRIPTION]
        [--enforce-on-key=ENFORCE_ON_KEY]
        [--enforce-on-key-configs=[[all],[ip],[xff-ip],
          [http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],
          [region-code],
          [tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[...]]
        [--enforce-on-key-name=ENFORCE_ON_KEY_NAME]
        [--exceed-action=EXCEED_ACTION]
        [--exceed-redirect-target=EXCEED_REDIRECT_TARGET]
        [--exceed-redirect-type=EXCEED_REDIRECT_TYPE] [--preview]
        [--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT]
        [--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC]
        [--recaptcha-action-site-keys=[SITE_KEY,...]]
        [--recaptcha-session-site-keys=[SITE_KEY,...]]
        [--redirect-target=REDIRECT_TARGET] [--redirect-type=REDIRECT_TYPE]
        [--region=REGION]
        [--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]]
        [--security-policy=SECURITY_POLICY] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    gcloud compute security-policies rules create is used to create security
    policy rules.

EXAMPLES
    To create a rule at priority 1000 to block the IP range 1.2.3.0/24, run:

        $ gcloud compute security-policies rules create 1000 \
            --action=deny-403 --security-policy=my-policy \
            --description="block 1.2.3.0/24" --src-ip-ranges=1.2.3.0/24

POSITIONAL ARGUMENTS
     PRIORITY
        The priority of the rule to add. Rules are evaluated in order from
        highest priority to lowest priority where 0 is the highest priority and
        2147483647 is the lowest priority.

REQUIRED FLAGS
     --action=ACTION
        The action to take if the request matches the match condition. ACTION
        must be one of:

         allow
            Allows the request from HTTP(S) Load Balancing.
         deny
            Denies the request from TCP/SSL Proxy and Network Load Balancing.
         deny-403
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 403.
         deny-404
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 404.
         deny-502
            Denies the request from HTTP(S) Load Balancing, with an HTTP
            response status code of 502.
         rate-based-ban
            Enforces rate-based ban action from HTTP(S) Load Balancing, based
            on rate limit options.
         redirect
            Redirects the request from HTTP(S) Load Balancing, based on
            redirect options.
         redirect-to-recaptcha
            (DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for
            reCAPTCHA Enterprise assessment. This flag choice is deprecated.
            Use --action=redirect and --redirect-type=google-recaptcha instead.
         throttle
            Enforces throttle action from HTTP(S) Load Balancing, based on rate
            limit options.

     Security policy rule matcher.

     At least one of these must be specified:

       --expression=EXPRESSION
          The Cloud Armor rules language expression to match for this rule.

       --network-dest-ip-ranges=[DEST_IP_RANGE,...]
          The destination IPs/IP ranges to match for this rule. To match all
          IPs specify *.

       --network-dest-ports=[DEST_PORT,...]
          The destination ports to match for this rule. Each element can be an
          16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"),
          To match all destination ports specify *.

       --network-ip-protocols=[IP_PROTOCOL,...]
          The IP protocols to match for this rule. Each element can be an 8-bit
          unsigned decimal number (e.g. "6"), range (e.g."253-254"), or one of
          the following protocol names: "tcp", "udp", "icmp", "esp", "ah",
          "ipip", or "sctp". To match all protocols specify *.

       --network-src-asns=[SRC_ASN,...]
          BGP Autonomous System Number associated with the source IP address to
          match for this rule.

       --network-src-ip-ranges=[SRC_IP_RANGE,...]
          The source IPs/IP ranges to match for this rule. To match all IPs
          specify *.

       --network-src-ports=[SRC_PORT,...]
          The source ports to match for this rule. Each element can be an
          16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"),
          To match all source ports specify *.

       --network-src-region-codes=[SRC_REGION_CODE,...]
          The two letter ISO 3166-1 alpha-2 country code associated with the
          source IP address to match for this rule. To match all region codes
          specify *.

       --network-user-defined-fields=[NAME;VALUE:VALUE:...,...]
          Each element names a defined field and lists the matching values for
          that field.

       --src-ip-ranges=[SRC_IP_RANGE,...]
          The source IPs/IP ranges to match for this rule. To match all IPs
          specify *.

OPTIONAL FLAGS
     --ban-duration-sec=BAN_DURATION_SEC
        Can only be specified if the action for the rule is rate-based-ban. If
        specified, determines the time (in seconds) the traffic will continue
        to be banned by the rate limit after the rate falls below the
        threshold.

     --ban-threshold-count=BAN_THRESHOLD_COUNT
        Number of HTTP(S) requests for calculating the threshold for banning
        requests. Can only be specified if the action for the rule is
        rate-based-ban. If specified, the key will be banned for the configured
        BAN_DURATION_SEC when the number of requests that exceed the
        RATE_LIMIT_THRESHOLD_COUNT also exceed this BAN_THRESHOLD_COUNT.

     --ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC
        Interval over which the threshold for banning requests is computed. Can
        only be specified if the action for the rule is rate-based-ban. If
        specified, the key will be banned for the configured BAN_DURATION_SEC
        when the number of requests that exceed the RATE_LIMIT_THRESHOLD_COUNT
        also exceed this BAN_THRESHOLD_COUNT.

     --conform-action=CONFORM_ACTION
        Action to take when requests are under the given threshold. When
        requests are throttled, this is also the action for all requests which
        are not dropped. CONFORM_ACTION must be (only one value is supported):
        allow.

     --description=DESCRIPTION
        An optional, textual description for the rule.

     --enforce-on-key=ENFORCE_ON_KEY
        Different key types available to enforce the rate limit threshold limit
        on:
        ◆ ip: each client IP address has this limit enforced separately
        ◆ all: a single limit is applied to all requests matching this rule
        ◆ http-header: key type takes the value of the HTTP header configured
          in enforce-on-key-name as the key value
        ◆ xff-ip: takes the original IP address specified in the
          X-Forwarded-For header as the key
        ◆ http-cookie: key type takes the value of the HTTP cookie configured
          in enforce-on-key-name as the key value
        ◆ http-path: key type takes the value of the URL path in the request
        ◆ sni: key type takes the value of the server name indication from
          the TLS session of the HTTPS request
        ◆ region-code: key type takes the value of the region code from which
          the request originates
        ◆ tls-ja3-fingerprint: key type takes the value of JA3 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
        ◆ user-ip: key type takes the IP address of the originating client,
          which is resolved based on user-ip-request-headers configured with
          the security policy
        ◆ tls-ja4-fingerprint: key type takes the value of JA4 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

        ENFORCE_ON_KEY must be one of: ip, all, http-header, xff-ip,
        http-cookie, http-path, sni, region-code, tls-ja3-fingerprint, user-ip,
        tls-ja4-fingerprint.

     --enforce-on-key-configs=[[all],[ip],[xff-ip],[http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],[region-code],[tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]],[...]
        Specify up to 3 key type/name pairs to rate limit. Valid key types are:

        ◆ ip: each client IP address has this limit enforced separately
        ◆ all: a single limit is applied to all requests matching this rule
        ◆ http-header: key type takes the value of the HTTP header configured
          in enforce-on-key-name as the key value
        ◆ xff-ip: takes the original IP address specified in the
          X-Forwarded-For header as the key
        ◆ http-cookie: key type takes the value of the HTTP cookie configured
          in enforce-on-key-name as the key value
        ◆ http-path: key type takes the value of the URL path in the request
        ◆ sni: key type takes the value of the server name indication from
          the TLS session of the HTTPS request
        ◆ region-code: key type takes the value of the region code from which
          the request originates
        ◆ tls-ja3-fingerprint: key type takes the value of JA3 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
        ◆ user-ip: key type takes the IP address of the originating client,
          which is resolved based on user-ip-request-headers configured with
          the security policy
        ◆ tls-ja4-fingerprint: key type takes the value of JA4 TLS/SSL
          fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

        Key names are only applicable to the following key types:
        ◆ http-header: The name of the HTTP header whose value is taken as
          the key value.
        ◆ http-cookie: The name of the HTTP cookie whose value is taken as
          the key value.

     --enforce-on-key-name=ENFORCE_ON_KEY_NAME
        Determines the key name for the rate limit key. Applicable only for the
        following rate limit key types:
        ◆ http-header: The name of the HTTP header whose value is taken as
          the key value.
        ◆ http-cookie: The name of the HTTP cookie whose value is taken as
          the key value.

     --exceed-action=EXCEED_ACTION
        Action to take when requests are above the given threshold. When a
        request is denied, return the specified HTTP response code. When a
        request is redirected, use the redirect options based on
        --exceed-redirect-type and --exceed-redirect-target below.
        EXCEED_ACTION must be one of: deny-403, deny-404, deny-429, deny-502,
        deny, redirect.

     --exceed-redirect-target=EXCEED_REDIRECT_TARGET
        URL target for the redirect action that is configured as the exceed
        action when the redirect type is external-302.

     --exceed-redirect-type=EXCEED_REDIRECT_TYPE
        Type for the redirect action that is configured as the exceed action.
        EXCEED_REDIRECT_TYPE must be one of: google-recaptcha, external-302.

     --preview
        If specified, the action will not be enforced.

     --rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT
        Number of HTTP(S) requests for calculating the threshold for rate
        limiting requests.

     --rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC
        Interval over which the threshold for rate limiting requests is
        computed.

     --recaptcha-action-site-keys=[SITE_KEY,...]
        A comma-separated list of site keys to be used during the validation of
        reCAPTCHA action-tokens. The provided site keys need to be created from
        the reCAPTCHA API under the same project where the security policy is
        created.

     --recaptcha-session-site-keys=[SITE_KEY,...]
        A comma-separated list of site keys to be used during the validation of
        reCAPTCHA session-tokens. The provided site keys need to be created
        from the reCAPTCHA API under the same project where the security policy
        is created.

     --redirect-target=REDIRECT_TARGET
        URL target for the redirect action. Must be specified if the redirect
        type is external-302. Cannot be specified if the redirect type is
        google-recaptcha.

     --redirect-type=REDIRECT_TYPE
        Type for the redirect action. Default to external-302 if unspecified
        while --redirect-target is given. REDIRECT_TYPE must be one of:
        google-recaptcha, external-302.

     --region=REGION
        Region of the security policy to add. If not specified, you might be
        prompted to select a region (interactive mode only).

        A list of regions can be fetched by running:

            $ gcloud compute regions list

        Overrides the default compute/region property value for this command
        invocation.

     --request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]
        A comma-separated list of header names and header values to add to
        requests that match this rule.

     --security-policy=SECURITY_POLICY
        The security policy that this rule belongs to.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha compute security-policies rules create

        $ gcloud beta compute security-policies rules create

