Console
    Start free

    gcloud compute security-policies rules create

    NAME
    gcloud compute security-policies rules create - create a Compute Engine security policy rule
    SYNOPSIS
    gcloud compute security-policies rules create PRIORITY --action = ACTION ( --expression = EXPRESSION --network-dest-ip-ranges =[ DEST_IP_RANGE , …] --network-dest-ports =[ DEST_PORT , …] --network-ip-protocols =[ IP_PROTOCOL , …] --network-src-asns =[ SRC_ASN , …] --network-src-ip-ranges =[ SRC_IP_RANGE , …] --network-src-ports =[ SRC_PORT , …] --network-src-region-codes =[ SRC_REGION_CODE , …] --network-user-defined-fields =[ NAME ; VALUE : VALUE :…, …] --src-ip-ranges =[ SRC_IP_RANGE , …]) [ --ban-duration-sec = BAN_DURATION_SEC ] [ --ban-threshold-count = BAN_THRESHOLD_COUNT ] [ --ban-threshold-interval-sec = BAN_THRESHOLD_INTERVAL_SEC ] [ --conform-action = CONFORM_ACTION ] [ --description = DESCRIPTION ] [ --enforce-on-key = ENFORCE_ON_KEY ] [ --enforce-on-key-configs =[[ all ], [ ip ], [ xff-ip ], [ http-cookie = HTTP_COOKIE ], [ http-header = HTTP_HEADER ], [ http-path ], [ sni ], [ region-code ], [ tls-ja3-fingerprint ], [ user-ip ], [ tls-ja4-fingerprint ]], […]] [ --enforce-on-key-name = ENFORCE_ON_KEY_NAME ] [ --exceed-action = EXCEED_ACTION ] [ --exceed-redirect-target = EXCEED_REDIRECT_TARGET ] [ --exceed-redirect-type = EXCEED_REDIRECT_TYPE ] [ --preview ] [ --rate-limit-threshold-count = RATE_LIMIT_THRESHOLD_COUNT ] [ --rate-limit-threshold-interval-sec = RATE_LIMIT_THRESHOLD_INTERVAL_SEC ] [ --recaptcha-action-site-keys =[ SITE_KEY , …]] [ --recaptcha-session-site-keys =[ SITE_KEY , …]] [ --redirect-target = REDIRECT_TARGET ] [ --redirect-type = REDIRECT_TYPE ] [ --region = REGION ] [ --request-headers-to-add =[ REQUEST_HEADERS_TO_ADD , …]] [ --security-policy = SECURITY_POLICY ] [ GCLOUD_WIDE_FLAG ]
    DESCRIPTION
    gcloud compute security-policies rules create is used to create security policy rules.
    EXAMPLES
    To create a rule at priority 1000 to block the IP range 1.2.3.0/24, run: 
     gcloud  
compute  
security-policies  
rules  
create  
 1000 
  
 --action 
 = 
deny-403  
 --security-policy 
 = 
my-policy  
 --description 
 = 
 "block 1.2.3.0/24" 
  
 --src-ip-ranges 
 = 
 1 
.2.3.0/24
    POSITIONAL ARGUMENTS
    PRIORITY
    The priority of the rule to add. Rules are evaluated in order from highest priority to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
    REQUIRED FLAGS
    --action = ACTION
    The action to take if the request matches the match condition. ACTION must be one of:
    allow
    Allows the request from HTTP(S) Load Balancing.
    deny
    Denies the request from TCP/SSL Proxy and Network Load Balancing.
    deny-403
    Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 403.
    deny-404
    Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 404.
    deny-502
    Denies the request from HTTP(S) Load Balancing, with an HTTP response status code of 502.
    rate-based-ban
    Enforces rate-based ban action from HTTP(S) Load Balancing, based on rate limit options.
    redirect
    Redirects the request from HTTP(S) Load Balancing, based on redirect options.
    redirect-to-recaptcha
    (DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for reCAPTCHA Enterprise assessment. This flag choice is deprecated. Use --action=redirect and --redirect-type=google-recaptcha instead.
    throttle
    Enforces throttle action from HTTP(S) Load Balancing, based on rate limit options.
    Security policy rule matcher.

    At least one of these must be specified:

    --expression = EXPRESSION
    The Cloud Armor rules language expression to match for this rule.
    --network-dest-ip-ranges =[ DEST_IP_RANGE ,…]
    The destination IPs/IP ranges to match for this rule. To match all IPs specify *.
    --network-dest-ports =[ DEST_PORT ,…]
    The destination ports to match for this rule. Each element can be an 16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"), To match all destination ports specify *.
    --network-ip-protocols =[ IP_PROTOCOL ,…]
    The IP protocols to match for this rule. Each element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g."253-254"), or one of the following protocol names: "tcp", "udp", "icmp", "esp", "ah", "ipip", or "sctp". To match all protocols specify *.
    --network-src-asns =[ SRC_ASN ,…]
    BGP Autonomous System Number associated with the source IP address to match for this rule.
    --network-src-ip-ranges =[ SRC_IP_RANGE ,…]
    The source IPs/IP ranges to match for this rule. To match all IPs specify *.
    --network-src-ports =[ SRC_PORT ,…]
    The source ports to match for this rule. Each element can be an 16-bit unsigned decimal number (e.g. "80") or range (e.g."0-1023"), To match all source ports specify *.
    --network-src-region-codes =[ SRC_REGION_CODE ,…]
    The two letter ISO 3166-1 alpha-2 country code associated with the source IP address to match for this rule. To match all region codes specify *.
    --network-user-defined-fields =[ NAME ; VALUE : VALUE :…,…]
    Each element names a defined field and lists the matching values for that field.
    --src-ip-ranges =[ SRC_IP_RANGE ,…]
    The source IPs/IP ranges to match for this rule. To match all IPs specify *.
    OPTIONAL FLAGS
    --ban-duration-sec = BAN_DURATION_SEC
    Can only be specified if the action for the rule is rate-based-ban . If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold.
    --ban-threshold-count = BAN_THRESHOLD_COUNT
    Number of HTTP(S) requests for calculating the threshold for banning requests. Can only be specified if the action for the rule is rate-based-ban . If specified, the key will be banned for the configured BAN_DURATION_SEC when the number of requests that exceed the RATE_LIMIT_THRESHOLD_COUNT also exceed this BAN_THRESHOLD_COUNT .
    --ban-threshold-interval-sec = BAN_THRESHOLD_INTERVAL_SEC
    Interval over which the threshold for banning requests is computed. Can only be specified if the action for the rule is rate-based-ban . If specified, the key will be banned for the configured BAN_DURATION_SEC when the number of requests that exceed the RATE_LIMIT_THRESHOLD_COUNT also exceed this BAN_THRESHOLD_COUNT .
    --conform-action = CONFORM_ACTION
    Action to take when requests are under the given threshold. When requests are throttled, this is also the action for all requests which are not dropped. CONFORM_ACTION must be (only one value is supported): allow .
    --description = DESCRIPTION
    An optional, textual description for the rule.
    --enforce-on-key = ENFORCE_ON_KEY
    Different key types available to enforce the rate limit threshold limit on:
    • ip : each client IP address has this limit enforced separately
    • all : a single limit is applied to all requests matching this rule
    • http-header : key type takes the value of the HTTP header configured in enforce-on-key-name as the key value
    • xff-ip : takes the original IP address specified in the X-Forwarded-For header as the key
    • http-cookie : key type takes the value of the HTTP cookie configured in enforce-on-key-name as the key value
    • http-path : key type takes the value of the URL path in the request
    • sni : key type takes the value of the server name indication from the TLS session of the HTTPS request
    • region-code : key type takes the value of the region code from which the request originates
    • tls-ja3-fingerprint : key type takes the value of JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
    • user-ip : key type takes the IP address of the originating client, which is resolved based on user-ip-request-headers configured with the security policy
    • tls-ja4-fingerprint : key type takes the value of JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

    ENFORCE_ON_KEY must be one of: ip , all , http-header , xff-ip , http-cookie , http-path , sni , region-code , tls-ja3-fingerprint , user-ip , tls-ja4-fingerprint .

    --enforce-on-key-configs =[[ all ],[ ip ],[ xff-ip ],[ http-cookie = HTTP_COOKIE ],[ http-header = HTTP_HEADER ],[ http-path ],[ sni ],[ region-code ],[ tls-ja3-fingerprint ],[ user-ip ],[ tls-ja4-fingerprint ]],[…]
    Specify up to 3 key type/name pairs to rate limit. Valid key types are:
    • ip : each client IP address has this limit enforced separately
    • all : a single limit is applied to all requests matching this rule
    • http-header : key type takes the value of the HTTP header configured in enforce-on-key-name as the key value
    • xff-ip : takes the original IP address specified in the X-Forwarded-For header as the key
    • http-cookie : key type takes the value of the HTTP cookie configured in enforce-on-key-name as the key value
    • http-path : key type takes the value of the URL path in the request
    • sni : key type takes the value of the server name indication from the TLS session of the HTTPS request
    • region-code : key type takes the value of the region code from which the request originates
    • tls-ja3-fingerprint : key type takes the value of JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3
    • user-ip : key type takes the IP address of the originating client, which is resolved based on user-ip-request-headers configured with the security policy
    • tls-ja4-fingerprint : key type takes the value of JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3

    Key names are only applicable to the following key types:

    • http-header: The name of the HTTP header whose value is taken as the key value.
    • http-cookie: The name of the HTTP cookie whose value is taken as the key value.
    --enforce-on-key-name = ENFORCE_ON_KEY_NAME
    Determines the key name for the rate limit key. Applicable only for the following rate limit key types:
    • http-header: The name of the HTTP header whose value is taken as the key value.
    • http-cookie: The name of the HTTP cookie whose value is taken as the key value.
    --exceed-action = EXCEED_ACTION
    Action to take when requests are above the given threshold. When a request is denied, return the specified HTTP response code. When a request is redirected, use the redirect options based on --exceed-redirect-type and --exceed-redirect-target below. EXCEED_ACTION must be one of: deny-403 , deny-404 , deny-429 , deny-502 , deny , redirect .
    --exceed-redirect-target = EXCEED_REDIRECT_TARGET
    URL target for the redirect action that is configured as the exceed action when the redirect type is external-302 .
    --exceed-redirect-type = EXCEED_REDIRECT_TYPE
    Type for the redirect action that is configured as the exceed action. EXCEED_REDIRECT_TYPE must be one of: google-recaptcha , external-302 .
    --preview
    If specified, the action will not be enforced.
    --rate-limit-threshold-count = RATE_LIMIT_THRESHOLD_COUNT
    Number of HTTP(S) requests for calculating the threshold for rate limiting requests.
    --rate-limit-threshold-interval-sec = RATE_LIMIT_THRESHOLD_INTERVAL_SEC
    Interval over which the threshold for rate limiting requests is computed.
    --recaptcha-action-site-keys =[ SITE_KEY ,…]
    A comma-separated list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from the reCAPTCHA API under the same project where the security policy is created.
    --recaptcha-session-site-keys =[ SITE_KEY ,…]
    A comma-separated list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from the reCAPTCHA API under the same project where the security policy is created.
    --redirect-target = REDIRECT_TARGET
    URL target for the redirect action. Must be specified if the redirect type is external-302 . Cannot be specified if the redirect type is google-recaptcha .
    --redirect-type = REDIRECT_TYPE
    Type for the redirect action. Default to external-302 if unspecified while --redirect-target is given. REDIRECT_TYPE must be one of: google-recaptcha , external-302 .
    --region = REGION
    Region of the security policy to add. If not specified, you might be prompted to select a region (interactive mode only).

    A list of regions can be fetched by running:

      gcloud  
compute  
regions  
list

    Overrides the default compute/region property value for this command invocation.

    --request-headers-to-add =[ REQUEST_HEADERS_TO_ADD ,…]
    A comma-separated list of header names and header values to add to requests that match this rule.
    --security-policy = SECURITY_POLICY
    The security policy that this rule belongs to.
    GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file , --account , --billing-project , --configuration , --flags-file , --flatten , --format , --help , --impersonate-service-account , --log-http , --project , --quiet , --trace-token , --user-output-enabled , --verbosity .

    Run $ gcloud help for details.

    NOTES
    These variants are also available: 
      gcloud  
alpha  
compute  
security-policies  
rules  
create 
 

      gcloud  
beta  
compute  
security-policies  
rules  
create 
 

      gcloud  
preview  
compute  
security-policies  
rules  
create
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: