- NAME
-
- gcloud compute firewall-policies rules create - creates a Compute Engine firewall policy rule
- SYNOPSIS
-
-
gcloud compute firewall-policies rules createPRIORITY--action=ACTION--firewall-policy=FIREWALL_POLICY--layer4-configs= [LAYER4_CONFIG, …] [--description=DESCRIPTION] [--dest-address-groups=[DEST_ADDRESS_GROUPS, …]] [--dest-fqdns=[DEST_FQDNS, …]] [--dest-ip-ranges=[DEST_IP_RANGE, …]] [--dest-network-context=DEST_NETWORK_CONTEXT] [--dest-region-codes=[DEST_REGION_CODES, …]] [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS, …]] [--direction=DIRECTION] [--[no-]disabled] [--[no-]enable-logging] [--organization=ORGANIZATION] [--security-profile-group=SECURITY_PROFILE_GROUP] [--src-address-groups=[SOURCE_ADDRESS_GROUPS, …]] [--src-fqdns=[SOURCE_FQDNS, …]] [--src-ip-ranges=[SRC_IP_RANGE, …]] [--src-network-context=SRC_NETWORK_CONTEXT] [--src-networks=[SRC_NETWORKS, …]] [--src-region-codes=[SOURCE_REGION_CODES, …]] [--src-secure-tags=[SOURCE_SECURE_TAGS, …]] [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS, …]] [--target-resources=[TARGET_RESOURCES, …]] [--target-secure-tags=[TARGET_SECURE_TAGS, …]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS, …]] [--[no-]tls-inspect] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
gcloud compute firewall-policies rules createis used to create organization firewall policy rules. - EXAMPLES
- To create a rule with priority ``10" in an organization firewall policy with ID
``123456789", run:
gcloud compute firewall-policies rules create 10 --firewall-policy = 123456789 --action = allow --description = example-rule - POSITIONAL ARGUMENTS
-
-
PRIORITY - Priority of the firewall policy rule to create.
-
- REQUIRED FLAGS
-
-
--action=ACTION - Action to take if the request matches the match condition.
ACTIONmust be one of:allow,deny,goto_next,apply_security_profile_group. -
--firewall-policy=FIREWALL_POLICY - Short name of the firewall policy into which the rule should be inserted.
-
--layer4-configs=[LAYER4_CONFIG,…] - A list of destination protocols and ports to which the firewall rule will apply.
-
- OPTIONAL FLAGS
-
-
--description=DESCRIPTION - An optional, textual description for the rule.
-
--dest-address-groups=[DEST_ADDRESS_GROUPS,…] - Destination address groups to match for this rule. Can only be specified if DIRECTION is egress.
-
--dest-fqdns=[DEST_FQDNS,…] - Destination FQDNs to match for this rule. Can only be specified if DIRECTION is
egress. -
--dest-ip-ranges=[DEST_IP_RANGE,…] - Destination IP ranges to match for this rule.
-
--dest-network-context=DEST_NETWORK_CONTEXT - Use this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.
-
--dest-region-codes=[DEST_REGION_CODES,…] - Destination Region Code to match for this rule. Can only be specified if
DIRECTION is
egress. Cannot be specified when the source network context is NON_INTERNET. -
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…] - Destination Threat Intelligence lists to match for this rule. Can only be
specified if DIRECTION is
egress. Cannot be specified when source network context is NON_INTERNET. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy . -
--direction=DIRECTION - Direction of the traffic the rule is applied. The default is to apply on
incoming traffic.
DIRECTIONmust be one of:INGRESS,EGRESS. -
--[no-]disabled - Use this flag to disable the rule. Disabled rules will not affect traffic. Use
--disabledto enable and--no-disabledto disable. -
--[no-]enable-logging - Use this flag to enable logging of connections that allowed or denied by this
rule. Use
--enable-loggingto enable and--no-enable-loggingto disable. -
--organization=ORGANIZATION - Organization which the organization firewall policy belongs to. Must be set if FIREWALL_POLICY is short name.
-
--security-profile-group=SECURITY_PROFILE_GROUP - An org-based security profile group to be used with apply_security_profile_group
action. Allowed formats are: a)
http(s)://<namespace>/<api>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
b)
(//)<namespace>/organizations/<org_id>/locations/global/securityProfileGroups/<profile>
c) <profile>. In case "c"
gcloudCLI will create a reference matching format "a", but to make it work CLOUDSDK_API_ENDPOINT_OVERRIDES_NETWORKSECURITY property must be set. In order to set this property, please run the commandgcloud config set api_endpoint_overrides/networksecurity https://<namespace>/. -
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…] - Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
-
--src-fqdns=[SOURCE_FQDNS,…] - Source FQDNs to match for this rule. Can only be specified if DIRECTION is
ingress. -
--src-ip-ranges=[SRC_IP_RANGE,…] - Source IP ranges to match for this rule.
-
--src-network-context=SRC_NETWORK_CONTEXT - Use this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-network. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.
-
--src-networks=[SRC_NETWORKS,…] - The source VPC networks to match for this rule. It can only be specified when --src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts full or partial URLs.
-
--src-region-codes=[SOURCE_REGION_CODES,…] - Source Region Code to match for this rule. Can only be specified if DIRECTION is
ingress. Cannot be specified when the source network context is NON_INTERNET, VPC_NETWORK or INTRA_VPC. - A list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.
-
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…] - Source Threat Intelligence lists to match for this rule. Can only be specified
if DIRECTION is
ingress. Cannot be specified when the source network context is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy . -
--target-resources=[TARGET_RESOURCES,…] - List of URLs of target resources to which the rule is applied.
- An optional, list of target secure tags with a name of the format tagValues/ or full namespaced name
-
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…] - List of target service accounts for the rule.
-
--[no-]tls-inspect - Use this flag to indicate whether TLS traffic should be inspected using the TLS
inspection policy when the security profile group is applied. Default: no TLS
inspection. Use
--tls-inspectto enable and--no-tls-inspectto disable.
-
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - NOTES
- These variants are also available:
gcloud alpha compute firewall-policies rules creategcloud beta compute firewall-policies rules creategcloud preview compute firewall-policies rules create
gcloud compute firewall-policies rules create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
