1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-11 23:49:35 +00:00
gcloud-help/gcloud/beta/compute/network-firewall-policies/rules/create
2025-08-13 10:57:56 +00:00

206 lines
9.2 KiB
Text

NAME
gcloud beta compute network-firewall-policies rules create - creates a
Compute Engine network firewall policy rule
SYNOPSIS
gcloud beta compute network-firewall-policies rules create PRIORITY
--action=ACTION --firewall-policy=FIREWALL_POLICY
--layer4-configs=[LAYER4_CONFIG,...] [--description=DESCRIPTION]
[--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
[--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
[--dest-network-type=DEST_NETWORK_TYPE]
[--dest-region-codes=[DEST_REGION_CODES,...]]
[--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
[--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
[--security-profile-group=SECURITY_PROFILE_GROUP]
[--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
[--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
[--src-network-type=SRC_NETWORK_TYPE]
[--src-networks=[SRC_NETWORKS,...]]
[--src-region-codes=[SOURCE_REGION_CODES,...]]
[--src-secure-tags=[SOURCE_SECURE_TAGS,...]]
[--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
[--target-secure-tags=[TARGET_SECURE_TAGS,...]]
[--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
[--[no-]tls-inspect]
[--firewall-policy-region=FIREWALL_POLICY_REGION
| --global-firewall-policy] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) gcloud beta compute network-firewall-policies rules create is used
to create network firewall policy rules.
EXAMPLES
To create a rule with priority 10 in a global network firewall policy with
name my-policy and description example rule, run:
$ gcloud beta compute network-firewall-policies rules create 10 \
--firewall-policy=my-policy --action=allow \
--description="example rule" --global-firewall-policy
To create a rule with priority 10 in a regional network firewall policy
with name my-region-policy and description example rule, in region
region-a, run:
$ gcloud beta compute network-firewall-policies rules create 10 \
--firewall-policy=my-policy --action=allow \
--description="example rule"
POSITIONAL ARGUMENTS
PRIORITY
Priority of the rule to be inserted. Valid in [0, 65535].
REQUIRED FLAGS
--action=ACTION
Action to take if the request matches the match condition. ACTION must
be one of: allow, deny, goto_next, apply_security_profile_group.
--firewall-policy=FIREWALL_POLICY
Firewall policy ID with which to create rule.
--layer4-configs=[LAYER4_CONFIG,...]
A list of destination protocols and ports to which the firewall rule
will apply.
OPTIONAL FLAGS
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,...]
Destination address groups to match for this rule. Can only be
specified if DIRECTION is engress.
--dest-fqdns=[DEST_FQDNS,...]
Destination FQDNs to match for this rule. Can only be specified if
DIRECTION is egress.
--dest-ip-ranges=[DEST_IP_RANGE,...]
Destination IP ranges to match for this rule.
--dest-network-type=DEST_NETWORK_TYPE
Use this flag to indicate that the rule should match internet or
non-internet traffic. It applies to destination traffic for egress
rules. Valid values are INTERNET and NON_INTERNET. Use empty string to
clear the field.
--dest-region-codes=[DEST_REGION_CODES,...]
Destination Region Code to match for this rule. Can only be specified
if DIRECTION is egress. Cannot be specified when the source network
type is NON_INTERNET.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
Destination Threat Intelligence lists to match for this rule. Can only
be specified if DIRECTION is egress. Cannot be specified when source
network type is NON_INTERNET. The available lists can be found here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply
on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect
traffic. Use --disabled to enable and --no-disabled to disable.
--[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied
by this rule. Use --enable-logging to enable and --no-enable-logging to
disable.
--security-profile-group=SECURITY_PROFILE_GROUP
A security profile group to be used with apply_security_profile_group
action.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
Source address groups to match for this rule. Can only be specified if
DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,...]
Source FQDNs to match for this rule. Can only be specified if DIRECTION
is ingress.
--src-ip-ranges=[SRC_IP_RANGE,...]
A list of IP address blocks that are allowed to make inbound
connections that match the firewall rule to the instances on the
network. The IP address blocks must be specified in CIDR format:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either
--src-ip-ranges or --src-secure-tags must be specified for INGRESS
traffic. If both --src-ip-ranges and --src-secure-tags are specified,
the rule matches if either the range of the source matches
--src-ip-ranges or the secure tag of the source matches
--src-secure-tags.Multiple IP address blocks can be specified if they
are separated by commas.
--src-network-type=SRC_NETWORK_TYPE
Use this flag to indicate that the rule should match internet,
non-internet traffic or traffic coming from the network specified by
--src-networks. It applies to ingress rules. Valid values are INTERNET,
NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the
field.
--src-networks=[SRC_NETWORKS,...]
The source VPC networks to match for this rule. It can only be
specified when --src-network-type is VPC_NETWORKS. It applies to
ingress rules. It accepts full or partial URLs.
--src-region-codes=[SOURCE_REGION_CODES,...]
Source Region Code to match for this rule. Can only be specified if
DIRECTION is ingress. Cannot be specified when the source network type
is NON_INTERNET, VPC_NETWORK or INTRA_VPC.
--src-secure-tags=[SOURCE_SECURE_TAGS,...]
A list of instance secure tags indicating the set of instances on the
network to which the rule applies if all other fields match. Either
--src-ip-ranges or --src-secure-tags must be specified for ingress
traffic. If both --src-ip-ranges and --src-secure-tags are specified,
an inbound connection is allowed if either the range of the source
matches --src-ip-ranges or the tag of the source matches
--src-secure-tags. Secure Tags can be assigned to instances during
instance creation. Secure tags cannot be specified if source network
type is INTERNET.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
Source Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is ingress. Cannot be specified when the source
network type is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available
lists can be found here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-secure-tags=[TARGET_SECURE_TAGS,...]
An optional, list of target secure tags with a name of the format
tagValues/ or full namespaced name
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
List of target service accounts for the rule.
--[no-]tls-inspect
Use this flag to indicate whether TLS traffic should be inspected using
the TLS inspection policy when the security profile group is applied.
Default: no TLS inspection. Use --tls-inspect to enable and
--no-tls-inspect to disable.
At most one of these can be specified:
--firewall-policy-region=FIREWALL_POLICY_REGION
Region of the firewall policy to create. Overrides the default
compute/region property value for this command invocation.
--global-firewall-policy
If set, the firewall policy is global.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. These
variants are also available:
$ gcloud compute network-firewall-policies rules create
$ gcloud alpha compute network-firewall-policies rules create