1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 18:45:13 +00:00
gcloud-help/gcloud/alpha/compute/firewall-policies/rules/create
2023-07-20 11:47:25 +00:00

157 lines
6.6 KiB
Text

NAME
gcloud alpha compute firewall-policies rules create - creates a Compute
Engine firewall policy rule
SYNOPSIS
gcloud alpha compute firewall-policies rules create PRIORITY
--action=ACTION --firewall-policy=FIREWALL_POLICY
[--description=DESCRIPTION]
[--dest-address-groups=[DEST_ADDRESS_GROUPS,...]]
[--dest-fqdns=[DEST_FQDNS,...]] [--dest-ip-ranges=[DEST_IP_RANGE,...]]
[--dest-region-codes=[DEST_REGION_CODES,...]]
[--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]]
[--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging]
[--layer4-configs=[LAYER4_CONFIG,...]] [--organization=ORGANIZATION]
[--security-profile-group=SECURITY_PROFILE_GROUP]
[--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]]
[--src-fqdns=[SOURCE_FQDNS,...]] [--src-ip-ranges=[SRC_IP_RANGE,...]]
[--src-region-codes=[SOURCE_REGION_CODES,...]]
[--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]]
[--target-resources=[TARGET_RESOURCES,...]]
[--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]]
[--[no-]tls-inspect] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) gcloud alpha compute firewall-policies rules create is used to
create organization firewall policy rules.
EXAMPLES
To create a rule with priority ``10" in an organization firewall policy
with ID ``123456789", run:
$ gcloud alpha compute firewall-policies rules create 10 \
--firewall-policy=123456789 --action=allow \
--description=example-rule
POSITIONAL ARGUMENTS
PRIORITY
Priority of the firewall policy rule to create.
REQUIRED FLAGS
--action=ACTION
Action to take if the request matches the match condition. ACTION must
be one of: allow, deny, goto_next, apply_security_profile_group.
--firewall-policy=FIREWALL_POLICY
Short name of the firewall policy into which the rule should be
inserted.
OPTIONAL FLAGS
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,...]
Destination address groups to match for this rule. Can only be
specified if DIRECTION is egress.
--dest-fqdns=[DEST_FQDNS,...]
Destination FQDNs to match for this rule. Can only be specified if
DIRECTION is egress.
--dest-ip-ranges=[DEST_IP_RANGE,...]
Destination IP ranges to match for this rule.
--dest-region-codes=[DEST_REGION_CODES,...]
Destination Region Code to match for this rule. Can only be specified
if DIRECTION is egress.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,...]
Destination Threat Intelligence lists to match for this rule. Can only
be specified if DIRECTION is egress. The available lists can be found
here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply
on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect
traffic. Use --disabled to enable and --no-disabled to disable.
--[no-]enable-logging
Use this flag to enable logging of connections that allowed or denied
by this rule. Use --enable-logging to enable and --no-enable-logging to
disable.
--layer4-configs=[LAYER4_CONFIG,...]
A list of destination protocols and ports to which the firewall rule
will apply.
--organization=ORGANIZATION
Organization which the organization firewall policy belongs to. Must be
set if FIREWALL_POLICY is short name.
--security-profile-group=SECURITY_PROFILE_GROUP
An org-based security profile group to be used with
apply_security_profile_group action. Allowed formats are: a)
http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
b)
(//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
c) <profile>. In case "c" gCloud CLI will create a reference matching
format "a", but to make it work
CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set.
In order to set this property, please run the command gcloud config set
api_endpoint_overrides/networksecurity https://<namespace>/.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,...]
Source address groups to match for this rule. Can only be specified if
DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,...]
Source FQDNs to match for this rule. Can only be specified if DIRECTION
is ingress.
--src-ip-ranges=[SRC_IP_RANGE,...]
Source IP ranges to match for this rule.
--src-region-codes=[SOURCE_REGION_CODES,...]
Source Region Code to match for this rule. Can only be specified if
DIRECTION is ingress.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,...]
Source Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is ingress. The available lists can be found
here:
https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-resources=[TARGET_RESOURCES,...]
List of URLs of target resources to which the rule is applied.
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,...]
List of target service accounts for the rule.
--[no-]tls-inspect
Use this flag to indicate whether TLS traffic should be inspected using
the TLS inspection policy when the security profile group is applied.
Default: no TLS inspection. Use --tls-inspect to enable and
--no-tls-inspect to disable.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud compute firewall-policies rules create
$ gcloud beta compute firewall-policies rules create