- NAME
-
- gcloud compute org-security-policies rules create - create a Compute Engine organization security policy rule
- SYNOPSIS
-
-
gcloud compute org-security-policies rules create PRIORITY --action=ACTION --security-policy=SECURITY_POLICY [--cloud-armor] [--description=DESCRIPTION] [--dest-ip-ranges=[DEST_IP_RANGE, …]] [--direction=DIRECTION] [--[no-]enable-logging] [--layer4-configs=[LAYER4_CONFIG, …]] [--organization=ORGANIZATION] [--preview] [--target-resources=[TARGET_RESOURCES, …]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS, …]] [--expression=EXPRESSION | --src-ip-ranges=[SRC_IP_RANGE, …]] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
gcloud compute org-security-policies rules create is used to create organization security policy rules.
- EXAMPLES
- To create a rule with priority 10 in an organization security policy with ID 123456789, run:
gcloud compute org-security-policies rules create 10 --security-policy=123456789 --action=allow --description=example-rule --cloud-armor
- POSITIONAL ARGUMENTS
-
-
PRIORITY - Priority of the security policy rule to create.
-
- REQUIRED FLAGS
-
-
--action=ACTION - Action to take if the request matches the match condition.
ACTION must be one of:
-
allow - Allows the request from HTTP(S) Load Balancing.
-
deny - (DEPRECATED) Only used for Hierarchical Firewalls.
-
deny-403 - Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 403.
-
deny-404 - Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 404.
-
deny-502 - Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 502.
-
goto-next - Defers enforcement to the next policy in the hierarchy.
-
redirect - Redirects the request from HTTP(S) Load Balancing, based on redirect options.
-
-
--security-policy=SECURITY_POLICY - short name of the security policy into which the rule should be inserted.
-
- OPTIONAL FLAGS
-
-
--cloud-armor - Specified for Hierarchical Cloud Armor rules.
-
--description=DESCRIPTION - An optional, textual description for the rule.
-
--dest-ip-ranges=[DEST_IP_RANGE,…] - Destination IP ranges to match for this rule. Can only be specified if DIRECTION is egress.
-
--direction=DIRECTION - Direction of the traffic to which the rule is applied. The default is to apply on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
-
--[no-]enable-logging - Use this flag to enable logging of connections that are allowed or denied by this rule. Use --enable-logging to enable and --no-enable-logging to disable.
-
--layer4-configs=[LAYER4_CONFIG,…] - A list of destination protocols and ports to which the firewall rule will apply.
-
--organization=ORGANIZATION - Organization to which the organization security policy belongs. Must be set if SECURITY_POLICY is a short name.
-
--preview - If specified, the action will not be enforced.
-
--target-resources=[TARGET_RESOURCES,…] - List of URLs of target resources to which the rule is applied.
-
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…] - List of target service accounts for the rule.
- Security policy rule matcher.
At most one of these can be specified:
-
--expression=EXPRESSION - The Cloud Armor rules language expression to match for this rule.
-
--src-ip-ranges=[SRC_IP_RANGE,…] - The source IPs/IP ranges to match for this rule. To match all IPs specify *.
-
-
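The constraints stated in the flag descriptions above (allowed ACTION and DIRECTION values, --dest-ip-ranges only with egress, at most one matcher) can be checked before a rule is submitted. The following is an added example, not part of the gcloud reference: check_rule_args is a hypothetical helper that accepts only the --flag=value form and the uppercase DIRECTION spellings listed on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the gcloud reference. check_rule_args is a
# hypothetical helper: it checks arguments against the constraints documented
# on this page and returns 0 (valid) or 2 (invalid). It never calls gcloud.
check_rule_args() {
  [ "$#" -ge 1 ] || { echo "PRIORITY is required" >&2; return 2; }
  local action="" policy="" direction="INGRESS" arg  # ingress is the documented default
  local has_expr=0 has_src=0 has_dest=0
  shift                                              # drop PRIORITY
  for arg in "$@"; do
    case $arg in
      --action=*)          action=${arg#*=} ;;
      --security-policy=*) policy=${arg#*=} ;;
      --direction=*)       direction=${arg#*=} ;;
      --expression=*)      has_expr=1 ;;
      --src-ip-ranges=*)   has_src=1 ;;
      --dest-ip-ranges=*)  has_dest=1 ;;
    esac
  done
  if [ -z "$action" ] || [ -z "$policy" ]; then
    echo "--action and --security-policy are required" >&2; return 2
  fi
  case $action in
    allow|deny-403|deny-404|deny-502|goto-next|redirect) ;;
    deny) echo "warning: --action=deny is deprecated" >&2 ;;
    *)    echo "invalid --action=$action" >&2; return 2 ;;
  esac
  case $direction in
    INGRESS|EGRESS) ;;
    *) echo "invalid --direction=$direction" >&2; return 2 ;;
  esac
  if [ "$has_expr" -eq 1 ] && [ "$has_src" -eq 1 ]; then
    echo "specify at most one of --expression and --src-ip-ranges" >&2; return 2
  fi
  if [ "$has_dest" -eq 1 ] && [ "$direction" != "EGRESS" ]; then
    echo "--dest-ip-ranges requires --direction=EGRESS" >&2; return 2
  fi
  return 0
}

# Constructed sample: the page's own example plus --preview, so the action is
# not enforced. The command is printed only when the arguments pass the checks.
demo_args="10 --security-policy=123456789 --action=allow \
--description=example-rule --cloud-armor --preview"
check_rule_args $demo_args &&
  echo "gcloud compute org-security-policies rules create $demo_args"
```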
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
- NOTES
- These variants are also available:
gcloud alpha compute org-security-policies rules create
gcloud beta compute org-security-policies rules create
gcloud preview compute org-security-policies rules create
Last updated 2026-05-27 UTC.

