1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00
gcloud-help/gcloud/compute/firewall-policies/rules/create
2024-02-22 10:25:44 +00:00

153 lines
6.4 KiB
Text

NAME
gcloud compute firewall-policies rules create - creates a Compute Engine
firewall policy rule
SYNOPSIS
gcloud compute firewall-policies rules create PRIORITY --action=ACTION
--firewall-policy=FIREWALL_POLICY [--description=DESCRIPTION]
[--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
[--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
[--dest-region-codes=[DEST_REGION_CODES,...]]
[--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
[--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
[--layer4-configs=[LAYER4_CONFIG,...]] [--organization=ORGANIZATION]
[--security-profile-group=SECURITY_PROFILE_GROUP]
[--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
[--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
[--src-region-codes=[SOURCE_REGION_CODES,...]]
[--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
[--target-resources=[TARGET_RESOURCES,...]]
[--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
[--[no-]tls-inspect] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
gcloud compute firewall-policies rules create is used to create
organization firewall policy rules.
EXAMPLES
To create a rule with priority ``10" in an organization firewall policy
with ID ``123456789", run:
$ gcloud compute firewall-policies rules create 10 \
--firewall-policy=123456789 --action=allow \
--description=example-rule
POSITIONAL ARGUMENTS
PRIORITY
Priority of the firewall policy rule to create.
REQUIRED FLAGS
--action=ACTION
Action to take if the request matches the match condition. ACTION must
be one of: allow, deny, goto_next, apply_security_profile_group.
--firewall-policy=FIREWALL_POLICY
Short name of the firewall policy into which the rule should be
inserted.
OPTIONAL FLAGS
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,...]
Destination address groups to match for this rule. Can only be
specified if DIRECTION is egress.
--dest-fqdns=[DEST_FQDNS,...]
Destination FQDNs to match for this rule. Can only be specified if
DIRECTION is egress.
--dest-ip-ranges=[DEST_IP_RANGE,...]
Destination IP ranges to match for this rule.
--dest-region-codes=[DEST_REGION_CODES,...]
Destination Region Code to match for this rule. Can only be specified
if DIRECTION is egress.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
Destination Threat Intelligence lists to match for this rule. Can only
be specified if DIRECTION is egress. The available lists can be found
here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply
on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect
traffic. Use --disabled to enable and --no-disabled to disable.
--[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied
by this rule. Use --enable-logging to enable and --no-enable-logging to
disable.
--layer4-configs=[LAYER4_CONFIG,...]
A list of destination protocols and ports to which the firewall rule
will apply.
--organization=ORGANIZATION
Organization which the organization firewall policy belongs to. Must be
set if FIREWALL_POLICY is short name.
--security-profile-group=SECURITY_PROFILE_GROUP
An org-based security profile group to be used with
apply_security_profile_group action. Allowed formats are: a)
http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
b)
(//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
c) <profile>. In case "c" gCloud CLI will create a reference matching
format "a", but to make it work
CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set.
In order to set this property, please run the command gcloud config set
api_endpoint_overrides/networksecurity https://<namespace>/.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
Source address groups to match for this rule. Can only be specified if
DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,...]
Source FQDNs to match for this rule. Can only be specified if DIRECTION
is ingress.
--src-ip-ranges=[SRC_IP_RANGE,...]
Source IP ranges to match for this rule.
--src-region-codes=[SOURCE_REGION_CODES,...]
Source Region Code to match for this rule. Can only be specified if
DIRECTION is ingress.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
Source Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is ingress. The available lists can be found
here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-resources=[TARGET_RESOURCES,...]
List of URLs of target resources to which the rule is applied.
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
List of target service accounts for the rule.
--[no-]tls-inspect
Use this flag to indicate whether TLS traffic should be inspected using
the TLS inspection policy when the security profile group is applied.
Default: no TLS inspection. Use --tls-inspect to enable and
--no-tls-inspect to disable.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
These variants are also available:
$ gcloud alpha compute firewall-policies rules create
$ gcloud beta compute firewall-policies rules create