NAME
    gcloud beta compute network-firewall-policies rules create - creates a
        Compute Engine network firewall policy rule

SYNOPSIS
    gcloud beta compute network-firewall-policies rules create PRIORITY
        --action=ACTION --firewall-policy=FIREWALL_POLICY
        [--description=DESCRIPTION]
        [--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
        [--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
        [--dest-region-codes=[DEST_REGION_CODES,...]]
        [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
        [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
        [--layer4-configs=[LAYER4_CONFIG,...]]
        [--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
        [--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
        [--src-region-codes=[SOURCE_REGION_CODES,...]]
        [--src-secure-tags=[SOURCE_SECURE_TAGS,...]]
        [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
        [--target-secure-tags=[TARGET_SECURE_TAGS,...]]
        [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
        [--firewall-policy-region=FIREWALL_POLICY_REGION
          | --global-firewall-policy] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (BETA) gcloud beta compute network-firewall-policies rules create is used
    to create network firewall policy rules.

EXAMPLES
    To create a rule with priority 10 in a global network firewall policy with
    name my-policy and description example rule, run:

        $ gcloud beta compute network-firewall-policies rules create 10 \
          --firewall-policy=my-policy --action=allow \
          --description="example rule" --global-firewall-policy

    To create a rule with priority 10 in a regional network firewall policy
    with name my-region-policy and description example rule, in region
    region-a, run:

        $ gcloud beta compute network-firewall-policies rules create 10 \
          --firewall-policy=my-policy --action=allow \
          --description="example rule"

POSITIONAL ARGUMENTS
     PRIORITY
        Priority of the rule to be inserted. Valid in [0, 65535].

REQUIRED FLAGS
     --action=ACTION
        Action to take if the request matches the match condition. ACTION must
        be one of: allow, deny, goto_next.

     --firewall-policy=FIREWALL_POLICY
        Firewall policy ID with which to create rule.

OPTIONAL FLAGS
     --description=DESCRIPTION
        An optional, textual description for the rule.

     --dest-address-groups=[DEST_ADDRESS_GROUPS,...]
        Destination address groups to match for this rule. Can only be
        specified if DIRECTION is engress.

     --dest-fqdns=[DEST_FQDNS,...]
        Destination FQDNs to match for this rule. Can only be specified if
        DIRECTION is egress.

     --dest-ip-ranges=[DEST_IP_RANGE,...]
        Destination IP ranges to match for this rule.

     --dest-region-codes=[DEST_REGION_CODES,...]
        Destination Region Code to match for this rule. Can only be specified
        if DIRECTION is egress.

     --dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
        Destination Threat Intelligence lists to match for this rule. Can only
        be specified if DIRECTION is egress. The available lists can be found
        here:
        https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

     --direction=DIRECTION
        Direction of the traffic the rule is applied. The default is to apply
        on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.

     --[no-]disabled
        Use this flag to disable the rule. Disabled rules will not affect
        traffic. Use --disabled to enable and --no-disabled to disable.

     --[no-]enable-logging
        Use this flag to enable logging of connections that allowed or denied
        by this rule. Use --enable-logging to enable and --no-enable-logging to
        disable.

     --layer4-configs=[LAYER4_CONFIG,...]
        A list of destination protocols and ports to which the firewall rule
        will apply.

     --src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
        Source address groups to match for this rule. Can only be specified if
        DIRECTION is ingress.

     --src-fqdns=[SOURCE_FQDNS,...]
        Source FQDNs to match for this rule. Can only be specified if DIRECTION
        is ingress.

     --src-ip-ranges=[SRC_IP_RANGE,...]
        A list of IP address blocks that are allowed to make inbound
        connections that match the firewall rule to the instances on the
        network. The IP address blocks must be specified in CIDR format:
        http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either
        --src-ip-ranges or --src-secure-tags must be specified for INGRESS
        traffic. If both --src-ip-ranges and --src-secure-tags are specified,
        the rule matches if either the range of the source matches
        --src-ip-ranges or the secure tag of the source matches
        --src-secure-tags.Multiple IP address blocks can be specified if they
        are separated by commas.

     --src-region-codes=[SOURCE_REGION_CODES,...]
        Source Region Code to match for this rule. Can only be specified if
        DIRECTION is ingress.

     --src-secure-tags=[SOURCE_SECURE_TAGS,...]
        A list of instance secure tags indicating the set of instances on the
        network to which the rule applies if all other fields match. Either
        --src-ip-ranges or --src-secure-tags must be specified for ingress
        traffic. If both --src-ip-ranges and --src-secure-tags are specified,
        an inbound connection is allowed if either the range of the source
        matches --src-ip-ranges or the tag of the source matches
        --src-secure-tags. Secure Tags can be assigned to instances during
        instance creation.

     --src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
        Source Threat Intelligence lists to match for this rule. Can only be
        specified if DIRECTION is ingress. The available lists can be found
        here:
        https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.

     --target-secure-tags=[TARGET_SECURE_TAGS,...]
        An optional, list of target secure tags with a name of the format
        tagValues/ or full namespaced name

     --target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
        List of target service accounts for the rule.

     At most one of these can be specified:

       --firewall-policy-region=FIREWALL_POLICY_REGION
          Region of the firewall policy to create. Overrides the default
          compute/region property value for this command invocation.

       --global-firewall-policy
          If set, the firewall policy is global.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in beta and might change without notice. These
    variants are also available:

        $ gcloud compute network-firewall-policies rules create

        $ gcloud alpha compute network-firewall-policies rules create

