gcloud_compute_firewall-rules_update (1)
NAME
- gcloud compute firewall-rules update - update a firewall rule
SYNOPSIS
-
gcloud compute firewall-rules update NAME [--allow=[PROTOCOL[:PORT[-PORT]],...]] [--description=DESCRIPTION] [--destination-ranges=[CIDR_RANGE,...]] [--disabled] [--enable-logging] [--priority=PRIORITY] [--rules=[PROTOCOL[:PORT[-PORT]],...]] [--source-ranges=[CIDR_RANGE,...]] [--source-service-accounts=[EMAIL,...]] [--source-tags=[TAG,...]] [--target-service-accounts=[EMAIL,...]] [--target-tags=[TAG,...]] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
gcloud compute firewall-rules update is used to update firewall rules
POSITIONAL ARGUMENTS
-
- NAME
-
Name of the firewall rule to update.
FLAGS
-
- --allow=[PROTOCOL[:PORT[-PORT]],...]
-
A list of protocols and ports whose traffic will be allowed.
The protocols allowed over this connection. This can be the (case-sensitive) string values tcp, udp, icmp, esp, ah, sctp, or any IP protocol number. An IP-based protocol must be specified for each rule. The rule applies only to specified protocol.
For port-based protocols - tcp, udp, and sctp - a list of destination ports or port ranges to which the rule applies may optionally be specified. If no port or port range is specified, the rule applies to all destination ports.
The ICMP protocol is supported, but there is no support for configuring ICMP packet filtering by ICMP code.
For example, to create a rule that allows TCP traffic through port 80 and ICMP traffic:
- $ gcloud compute firewall-rules update MY-RULE --allow tcp:80,icmp
To create a rule that allows TCP traffic from port 20000 to 25000:
-
$ gcloud compute firewall-rules update MY-RULE \
--allow tcp:20000-25000
To create a rule that allows all TCP traffic:
- $ gcloud compute firewall-rules update MY-RULE --allow tcp
Setting this will override the current values.
-
- --description=DESCRIPTION
-
A textual description for the firewall rule. Set to an empty string to clear
existing.
- --destination-ranges=[CIDR_RANGE,...]
-
The firewall rule will apply to traffic that has destination IP address in these
IP address block list. The IP address blocks must be specified in CIDR format:
en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Setting this will override the existing destination ranges for the firewall. The following will clear the existing destination ranges:
- $ gcloud compute firewall-rules update MY-RULE --destination-ranges
- --disabled
-
Disable a firewall rule and stop it from being enforced in the network. If a
firewall rule is disabled, the associated network behaves as if the rule did not
exist. To enable a disabled rule, use:
- $ gcloud compute firewall-rules update MY-RULE --no-disabled
- --enable-logging
-
Enable logging for the firewall rule. Logs will be exported to StackDriver.
Firewall logging is disabled by default.
- --priority=PRIORITY
-
This is an integer between 0 and 65535, both inclusive. When NOT specified, the
value assumed is 1000. Relative priority determines precedence of conflicting
rules: lower priority values imply higher precedence. DENY rules take precedence
over ALLOW rules having equal priority.
- --rules=[PROTOCOL[:PORT[-PORT]],...]
-
A list of protocols and ports to which the firewall rule will apply.
PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can be either the name of a well-known protocol (e.g., tcp or icmp) or the IP protocol number. A list of IP protocols can be found at www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
A port or port range can be specified after PROTOCOL to which the firewall rule apply on traffic through specific ports. If no port or port range is specified, connections through all ranges are applied. TCP and UDP rules must include a port or port range.
Setting this will override the current values.
- --source-ranges=[CIDR_RANGE,...]
-
A list of IP address blocks that are allowed to make inbound connections that
match the firewall rule to the instances on the network. The IP address blocks
must be specified in CIDR format:
en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
If neither --source-ranges nor --source-tags are specified, --source-ranges defaults to 0.0.0.0/0, which means that the rule applies to all incoming connections from inside or outside the network. If both --source-ranges and --source-tags are specified, the rule matches if either the range of the source matches --source-ranges or the tag of the source matches --source-tags.
Setting this will override the existing source ranges for the firewall. The following will clear the existing source ranges:
- $ gcloud compute firewall-rules update MY-RULE --source-ranges
- --source-service-accounts=[EMAIL,...]
-
The email of a service account indicating the set of instances on the network
which match a traffic source in the firewall rule.
If a source service account is specified then neither source tags nor target tags can also be specified.
Setting this will override the existing source service accounts for the firewall. The following will clear the existing source service accounts:
-
$ gcloud compute firewall-rules update MY-RULE \
--source-service-accounts
-
$ gcloud compute firewall-rules update MY-RULE \
- --source-tags=[TAG,...]
-
A list of instance tags indicating the set of instances on the network to which
the rule applies if all other fields match. If neither --source-ranges nor
--source-tags are specified, --source-ranges defaults to 0.0.0.0/0,
which means that the rule applies to all incoming connections from inside or
outside the network.
If both --source-ranges and --source-tags are specified, an inbound connection is allowed if either the range of the source matches --source-ranges or the tag of the source matches --source-tags.
Tags can be assigned to instances during instance creation.
If source tags are specified then neither a source nor target service account can also be specified.
Setting this will override the existing source tags for the firewall. The following will clear the existing source tags:
- $ gcloud compute firewall-rules update MY-RULE --source-tags
- --target-service-accounts=[EMAIL,...]
-
The email of a service account indicating the set of instances to which firewall
rules apply. If both target tags and target service account are omitted, the
firewall rule is applied to all instances on the network.
If a target service account is specified then neither source tag nor target tags can also be specified.
Setting this will override the existing target service accounts for the firewall. The following will clear the existing target service accounts:
-
$ gcloud compute firewall-rules update MY-RULE \
--target-service-accounts
-
$ gcloud compute firewall-rules update MY-RULE \
- --target-tags=[TAG,...]
-
A list of instance tags indicating the set of instances on the network which may
accept inbound connections that match the firewall rule. If both target tags and
target service account are omitted, all instances on the network can receive
inbound connections that match the rule.
Tags can be assigned to instances during instance creation.
If target tags are specified then neither a source nor target service account can also be specified.
Setting this will override the existing target tags for the firewall. The following will clear the existing target tags:
- $ gcloud compute firewall-rules update MY-RULE --target-tags
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --configuration, --flags-file, --flatten, --format, --help, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity. Run $ gcloud help for details.
NOTES
These variants are also available:
- $ gcloud alpha compute firewall-rules update $ gcloud beta compute firewall-rules update