--account <ACCOUNT> | Google Cloud Platform user account to use for invocation. Overrides the default *core/account* property value for this command invocation |
--allow <PROTOCOL[:PORT[-PORT]]> | A list of protocols and ports whose traffic will be allowed.
+
The protocols allowed over this connection. This can be the
(case-sensitive) string values `tcp`, `udp`, `icmp`, `esp`, `ah`, `sctp`,
or any IP protocol number. An IP-based protocol must be specified for each
rule. The rule applies only to the specified protocol.
+
For port-based protocols - `tcp`, `udp`, and `sctp` - a list of
destination ports or port ranges to which the rule applies may optionally
be specified. If no port or port range is specified, the rule applies to
all destination ports.
+
The ICMP protocol is supported, but there is no support for configuring
ICMP packet filtering by ICMP code.
+
For example, to create a rule that allows TCP traffic through port 80 and
ICMP traffic:
+
$ {command} MY-RULE --allow tcp:80,icmp
+
To create a rule that allows TCP traffic from port 20000 to 25000:
+
$ {command} MY-RULE --allow tcp:20000-25000
+
To create a rule that allows all TCP traffic:
+
$ {command} MY-RULE --allow tcp
+
Setting this will override the current values |
--billing-project <BILLING_PROJECT> | The Google Cloud Platform project that will be charged quota for operations performed in gcloud. If you need to operate on one project, but need quota against a different project, you can use this flag to specify the billing project. If both `billing/quota_project` and `--billing-project` are specified, `--billing-project` takes precedence. Run `$ gcloud config set --help` to see more information about `billing/quota_project` |
--configuration <CONFIGURATION> | The configuration to use for this command invocation. For more
information on how to use configurations, run:
`gcloud topic configurations`. You can also use the CLOUDSDK_ACTIVE_CONFIG_NAME environment
variable to set the equivalent of this flag for a terminal
session |
--description <DESCRIPTION> | A textual description for the firewall rule. Set to an empty string to clear the existing description |
--destination-ranges <CIDR_RANGE> | The firewall rule will apply to traffic whose destination IP address
is in this list of IP address blocks. The IP address blocks must be specified
in CIDR format:
link:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[].
+
Setting this will override the existing destination ranges for the
firewall. The following will clear the existing destination ranges:
+
$ {command} MY-RULE --destination-ranges |
--disabled | Disable a firewall rule and stop it from being enforced in the network.
If a firewall rule is disabled, the associated network behaves as if the
rule did not exist. To enable a disabled rule, use:
+
$ {parent_command} update MY-RULE --no-disabled |
--enable-logging | Enable logging for the firewall rule. Logs will be exported to
Stackdriver. Firewall logging is disabled by default. To enable logging
for an existing rule, run:
+
$ {command} MY-RULE --enable-logging
+
To disable logging on an existing rule, run:
+
$ {command} MY-RULE --no-enable-logging
+
Use *--enable-logging* to enable and *--no-enable-logging* to disable |
--flags-file <YAML_FILE> | A YAML or JSON file that specifies a *--flag*:*value* dictionary.
Useful for specifying complex flag values with special characters
that work with any command interpreter. Additionally, each
*--flags-file* arg is replaced by its constituent flags. See
$ gcloud topic flags-file for more information |
--flatten <KEY> | Flatten _name_[] output resource slices in _KEY_ into separate records
for each item in each slice. Multiple keys and slices may be specified.
This also flattens keys for *--format* and *--filter*. For example,
*--flatten=abc.def* flattens *abc.def[].ghi* references to
*abc.def.ghi*. A resource record containing *abc.def[]* with N elements
will expand to N records in the flattened output. This flag interacts
with other flags that are applied in this order: *--flatten*,
*--sort-by*, *--filter*, *--limit* |
--format <FORMAT> | Set the format for printing command output resources. The default is a
command-specific human-friendly output format. The supported formats
are: `config`, `csv`, `default`, `diff`, `disable`, `flattened`, `get`, `json`, `list`, `multi`, `none`, `object`, `table`, `text`, `value`, `yaml`. For more details run $ gcloud topic formats |
--help | Display detailed help |
--impersonate-service-account <SERVICE_ACCOUNT_EMAIL> | For this gcloud invocation, all API requests will be made as the given service account instead of the currently selected account. This is done without needing to create, download, and activate a key for the account. In order to perform operations as the service account, your currently selected account must have an IAM role that includes the iam.serviceAccounts.getAccessToken permission for the service account. The roles/iam.serviceAccountTokenCreator role has this permission or you may create a custom role. Overrides the default *auth/impersonate_service_account* property value for this command invocation |
--log-http | Log all HTTP server requests and responses to stderr. Overrides the default *core/log_http* property value for this command invocation |
--logging-metadata <LOGGING_METADATA> | Adds or removes metadata fields to or from the reported firewall logs. Can only be specified if --enable-logging is true. _LOGGING_METADATA_ must be one of: *exclude-all*, *include-all* |
--priority <PRIORITY> | This is an integer between 0 and 65535, both inclusive. When NOT
specified, the value assumed is 1000. Relative priority determines
precedence of conflicting rules: lower priority values imply higher
precedence. DENY rules take precedence over ALLOW rules having equal
priority |
--project <PROJECT_ID> | The Google Cloud Platform project ID to use for this invocation. If
omitted, then the current project is assumed; the current project can
be listed using `gcloud config list --format='text(core.project)'`
and can be set using `gcloud config set project PROJECTID`.
+
`--project` and its fallback `core/project` property play two roles
in the invocation. It specifies the project of the resource to
operate on. It also specifies the project for API enablement check,
quota, and billing. To specify a different project for quota and
billing, use `--billing-project` or `billing/quota_project` property |
--quiet | Disable all interactive prompts when running gcloud commands. If input
is required, defaults will be used, or an error will be raised.
Overrides the default core/disable_prompts property value for this
command invocation. This is equivalent to setting the environment
variable `CLOUDSDK_CORE_DISABLE_PROMPTS` to 1 |
--rules <PROTOCOL[:PORT[-PORT]]> | A list of protocols and ports to which the firewall rule will apply.
+
PROTOCOL is the IP protocol whose traffic will be checked.
PROTOCOL can be either the name of a well-known protocol
(e.g., tcp or icmp) or the IP protocol number.
A list of IP protocols can be found at
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+
A port or port range can be specified after PROTOCOL so that the
firewall rule applies only to traffic through those ports. If no port
or port range is specified, the rule applies to connections through all ports.
TCP and UDP rules must include a port or port range.
+
Setting this will override the current values |
--source-ranges <CIDR_RANGE> | A list of IP address blocks that are allowed to make inbound
connections that match the firewall rule to the instances on
the network. The IP address blocks must be specified in CIDR
format:
link:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[].
+
If neither --source-ranges nor --source-tags are specified,
--source-ranges defaults to `0.0.0.0/0`, which means that the rule applies
to all incoming connections from inside or outside the network. If both
--source-ranges and --source-tags are specified, the rule matches if
either the range of the source matches --source-ranges or the tag of the
source matches --source-tags.
+
Setting this will override the existing source ranges for the firewall.
The following will clear the existing source ranges:
+
$ {command} MY-RULE --source-ranges |
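To see how the semantics described for *--allow* (`PROTOCOL[:PORT[-PORT]]` specs), *--priority* (lower value wins, DENY beats ALLOW at equal priority, default 1000) and *--source-ranges* (default `0.0.0.0/0` when unset) combine, here is an added Python model of rule evaluation; it is not gcloud code, the rule set is constructed, and the implied ingress deny applied when no rule matches is assumed rather than taken from this page.

```python
import ipaddress

# Constructed sample rule set (not from the page). A missing "priority" means 1000
# and a missing "source_ranges" means the 0.0.0.0/0 default described above.
RULES = [
    {"name": "allow-web", "action": "allow", "specs": ["tcp:80", "tcp:443"]},
    {"name": "allow-ssh-office", "action": "allow", "specs": ["tcp:22"],
     "priority": 900, "source_ranges": ["203.0.113.0/24"]},
    {"name": "allow-ssh-legacy", "action": "allow", "specs": ["tcp:22"]},
    {"name": "deny-ssh-all", "action": "deny", "specs": ["tcp:22"],
     "source_ranges": ["0.0.0.0/0"]},
    {"name": "allow-highports", "action": "allow", "specs": ["tcp:20000-25000"],
     "source_ranges": ["10.0.0.0/8"]},
]

def parse_spec(spec):
    """Parse 'PROTOCOL[:PORT[-PORT]]'; no port means every destination port."""
    proto, _, ports = spec.partition(":")
    if not ports:
        return proto, 0, 65535
    lo, _, hi = ports.partition("-")
    return proto, int(lo), int(hi or lo)

def source_ranges(rule):
    """Effective source ranges: unset --source-ranges behaves as 0.0.0.0/0."""
    return rule.get("source_ranges") or ["0.0.0.0/0"]

def matches(rule, proto, dport, src):
    """True when both a protocol/port spec and a source range match the flow."""
    src_ip = ipaddress.ip_address(src)
    in_range = any(src_ip in ipaddress.ip_network(r) for r in source_ranges(rule))
    spec_hit = any(p == proto and lo <= dport <= hi
                   for p, lo, hi in map(parse_spec, rule["specs"]))
    return in_range and spec_hit

def decide(rules, proto, dport, src):
    """Lowest priority value wins; DENY beats ALLOW at equal priority.
    No match falls through to the implied ingress deny (assumed here)."""
    hits = [r for r in rules if matches(r, proto, dport, src)]
    if not hits:
        return "deny"
    best = min(r.get("priority", 1000) for r in hits)
    winners = [r for r in hits if r.get("priority", 1000) == best]
    return "deny" if any(r["action"] == "deny" for r in winners) else "allow"

def open_to_internet(rules):
    """ALLOW rules whose effective source range is 0.0.0.0/0, typically because
    --source-ranges was never set; a useful review check on an existing rule set."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and "0.0.0.0/0" in source_ranges(r)]
```

`open_to_internet` flags `allow-ssh-legacy` as well as `allow-web`, because leaving *--source-ranges* unset widens a rule to every source, exactly as the flag help states.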
--source-service-accounts <EMAIL> | The email of a service account indicating the set of instances on the
network which match a traffic source in the firewall rule.
+
If a source service account is specified then neither source tags nor
target tags can also be specified.
+
Setting this will override the existing source service accounts for the
firewall.
The following will clear the existing source service accounts:
+
$ {command} MY-RULE --source-service-accounts |
--source-tags <TAG> | A list of instance tags indicating the set of instances on the network to
which the rule applies if all other fields match. If neither
--source-ranges nor --source-tags are specified, --source-ranges
defaults to `0.0.0.0/0`, which means that the rule applies to all
incoming connections from inside or outside the network.
+
If both --source-ranges and --source-tags are specified, an inbound
connection is allowed if either the range of the source matches
--source-ranges or the tag of the source matches --source-tags.
+
Tags can be assigned to instances during instance creation.
+
If source tags are specified then neither a source nor target service
account can also be specified.
+
Setting this will override the existing source tags for the firewall.
The following will clear the existing source tags:
+
$ {command} MY-RULE --source-tags |
--target-service-accounts <EMAIL> | The email of a service account indicating the set of instances to which
firewall rules apply. If both target tags and target service account are
omitted, the firewall rule is applied to all instances on the network.
+
If a target service account is specified then neither source tag nor
target tags can also be specified.
+
Setting this will override the existing target service accounts for the
firewall.
The following will clear the existing target service accounts:
+
$ {command} MY-RULE --target-service-accounts |
--target-tags <TAG> | List of instance tags indicating the set of instances on the
network which may accept connections that match the
firewall rule.
Note that tags can be assigned to instances during instance creation.
+
If target tags are specified, then neither a source nor target
service account can also be specified.
+
If both target tags and target service account
are omitted, all instances on the network can receive
connections that match the rule.
+
Setting this will override the existing target tags for the firewall.
The following will clear the existing target tags:
+
$ {command} MY-RULE --target-tags |
--trace-token <TRACE_TOKEN> | Token used to route traces of service requests for investigation of issues. Overrides the default *core/trace_token* property value for this command invocation |
--user-output-enabled | Print user intended output to the console. Overrides the default *core/user_output_enabled* property value for this command invocation. Use *--no-user-output-enabled* to disable |
--verbosity <VERBOSITY> | Override the default verbosity for this command. Overrides the default *core/verbosity* property value for this command invocation. _VERBOSITY_ must be one of: *debug*, *info*, *warning*, *error*, *critical*, *none* |