Ensures that if Service-Accounts are specified in either Sources or Targets, only IP CIDR Ranges or Service-Accounts can be included in them. This mirrors the VPC firewall restriction that a single rule cannot combine service accounts with network tags: once a service account appears on either side, any tag in sources or targets makes the rule invalid.
Conditional (if / then / else): if either check below finds a service account in the sources or targets array, the "then" constraints apply and every entry must be an IP CIDR range or a service account; otherwise the "else" constraints apply.
Validates the presence of a service account in the sources array.
The email address of a service account. Firewall rules can target or be applied based on service accounts. The pattern only checks the shape (something@domain.tld), so it accepts addresses that are not Google service accounts; the API rejects accounts that do not exist.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
Validates the presence of a service account in the targets array.
The email address of a service account. Firewall rules can target or be applied based on service accounts.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
A source or target IP range in CIDR notation. The pattern accepts IPv4 only (a dotted quad with a /0 to /32 prefix); IPv6 ranges are rejected.
Must match regular expression: ^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
The email address of a service account. Firewall rules can target or be applied based on service accounts.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
A source or target IP range in CIDR notation. The pattern accepts IPv4 only (a dotted quad with a /0 to /32 prefix); IPv6 ranges are rejected.
Must match regular expression: ^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
The email address of a service account. Firewall rules can target or be applied based on service accounts.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
Indicates if the rule is disabled.
true
false
The name of the firewall rule. If not specified, it will be based on the id field. A generated name must still satisfy the pattern and the 63-character limit below, so a long prefix, environment or network name combined with a 24-character id can exceed that limit.
Must match regular expression: ^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be 1 to 63 characters long
"<prefix>-<environment>-<network>-firewall-<id>"
Defines whether the rule allows or denies traffic.
Allow the traffic.
Specific value: "ALLOW"
Deny the traffic.
Specific value: "DENY"
"ALLOW"
"DENY"
The direction of traffic to which this rule applies. Can be ingress (incoming traffic) or egress (outgoing traffic).
Incoming traffic direction.
Specific value: "INGRESS"
Outgoing traffic direction.
Specific value: "EGRESS"
"INGRESS"
"EGRESS"
A detailed description of the rule.
"This rule allows traffic from specific IP ranges."
The Google Cloud project ID to use for this firewall rule. If omitted, then project_id will be inherited.
Must match regular expression: ^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be 5 to 63 characters long
"my-example-project"
The network to which this rule is attached. If omitted, then network will be inherited.
Must match regular expression: ^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be 5 to 63 characters long
"default-vpc"
A unique identifier for the rule. If not specified, the name will be based on this field.
Must match regular expression: ^[a-z0-9][a-z0-9-]{0,23}$
Must be 1 to 24 characters long
"example-rule-id-allow-tcp-443"
The prefix to apply to the rule when generating a dynamic name.
"fw-rule"
The environment to apply the rule to.
"prod"
"dev"
"stage"
A list of protocol and port entries that define which traffic the firewall rule matches; the rule's action (ALLOW or DENY) applies to traffic matching any entry.
Must contain at least 1 item
All items must be unique
If the protocol matches ^(TCP|UDP)$, the following constraints apply:
The IP protocol to which this entry applies. In this branch the value is TCP or UDP; the full set accepted by the schema is TCP, UDP, ICMP, ESP, AH, SCTP, IPIP, or ALL.
"TCP"
"UDP"
"ICMP"
A list of ports or port ranges to which the firewall rule applies. If no port or port range is specified, the rule matches all ports of the protocol.
May be empty (minimum 0 items)
Each item must match the port-range pattern
^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})-(6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$
or the single-port pattern
^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$
Caveat: the 6[0-5][0-5][0-3][0-5] branch constrains each digit separately, so it rejects valid ports such as 60999 and 64999 (it never accepts a value above 65535, so the error is only on the strict side), and the range pattern does not require the first port to be lower than the second.
Otherwise, if the protocol matches ^(ALL|ICMP|ESP|AH|SCTP|IPIP)$, the following constraints apply:
The IP protocol to which this entry applies. The value can be TCP, UDP, ICMP, ESP, AH, SCTP, IPIP, or ALL.
"TCP"
"UDP"
"ICMP"
For protocols other than TCP/UDP this must be an empty list.
Must contain at most 0 items
Items must match ^(?!.*) (a pattern that never matches) and be at most 0 characters long, so no item can be accepted.
The IP protocol to which this entry applies. The value can be TCP, UDP, ICMP, ESP, AH, SCTP, IPIP, or ALL.
"TCP"
"UDP"
"ICMP"
{
  "protocol": "TCP",
  "ports": [
    "80",
    "443"
  ]
}
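As an added example (not part of this schema page or the project it documents), the following Python implements both branches of the protocol conditional above: TCP/UDP entries may carry ports, every other protocol must have an empty ports list. It keeps the page's own port patterns beside a strict 0 to 65535 matcher written for this example, so the two can be compared on inputs such as 60999, and it additionally rejects a range whose first port is higher than the second. The function names, the strict pattern and the sample entries are assumptions of this example.

```python
import re

# Port patterns copied verbatim from the schema on this page.
PAGE_PORT = re.compile(
    r"^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$"
)
PAGE_RANGE = re.compile(
    r"^(0|6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})"
    r"-(6[0-5][0-5][0-3][0-5]|[1-5][0-9][0-9][0-9][0-9]|[1-9][0-9]{0,3})$"
)

# Exact decimal 0..65535 matcher written for this example (not from the schema):
# 60000-65535 is split so that every digit position gets its full range.
_PORT = (
    r"(?:0|[1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}"
    r"|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])"
)
STRICT_PORT = re.compile(rf"^{_PORT}$")
STRICT_RANGE = re.compile(rf"^({_PORT})-({_PORT})$")

PORT_PROTOCOLS = {"TCP", "UDP"}                                      # page pattern ^(TCP|UDP)$
PORTLESS_PROTOCOLS = {"ALL", "ICMP", "ESP", "AH", "SCTP", "IPIP"}   # ^(ALL|ICMP|ESP|AH|SCTP|IPIP)$


def page_accepts(spec: str) -> bool:
    """True if the schema's own patterns accept a port or port-range string."""
    return bool(PAGE_PORT.match(spec) or PAGE_RANGE.match(spec))


def port_spec_error(spec: str):
    """Strict check: exact 0..65535 bounds and low <= high for ranges.
    Returns None when the spec is valid, otherwise an error message."""
    if STRICT_PORT.match(spec):
        return None
    m = STRICT_RANGE.match(spec)
    if not m:
        return f"{spec!r} is not a port or a port range"
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        return f"range {spec!r} runs backwards"
    return None


def validate_allowed_item(item: dict):
    """Apply the page's protocol/ports conditional to one list entry.
    Returns a list of error strings; an empty list means the entry is valid."""
    errors = []
    proto = item.get("protocol")
    ports = item.get("ports", [])
    if proto in PORT_PROTOCOLS:
        for spec in ports:
            err = port_spec_error(spec)
            if err:
                errors.append(err)
    elif proto in PORTLESS_PROTOCOLS:
        if ports:  # the schema allows at most 0 items in this branch
            errors.append(f"protocol {proto} must not carry ports, got {ports}")
    else:
        errors.append(f"unknown protocol {proto!r}")
    return errors


if __name__ == "__main__":
    # Constructed inputs (not from the page).
    for spec in ("443", "65535", "60999", "64999", "443-80"):
        print(f"{spec:>8}: schema regex={page_accepts(spec)!s:5} strict={port_spec_error(spec)}")
    print(validate_allowed_item({"protocol": "TCP", "ports": ["80", "443", "8000-8999"]}))
    print(validate_allowed_item({"protocol": "ICMP", "ports": ["8"]}))
```

The strict matcher is the one to keep in a pre-commit check; the page's pattern only errs on the side of refusing a few high ports, so a rule it accepts is never out of range, but a rule it rejects may still be fine.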
List of source specifications for the firewall rule. Can be an IP CIDR range, a tag, or a service account email.
May be empty (minimum 0 items)
A source IP range in CIDR notation. The pattern accepts IPv4 only (a dotted quad with a /0 to /32 prefix); IPv6 ranges are rejected.
Must match regular expression: ^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Strings added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. Tags enable you to make firewall rules and routes applicable to specific VM instances.
Must match regular expression: ^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be at most 63 characters long
"alpha-tag"
"bravo-tag"
"charlie-tag"
"web-server"
"database"
The email address of a service account. Firewall rules can target or be applied based on service accounts.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
"192.168.1.0/24"
"example-tag"
"example-service-account@example.com"
List of target specifications for the firewall rule. Can be an IP CIDR range, a tag, or a service account email.
May be empty (minimum 0 items)
A target IP range in CIDR notation. The pattern accepts IPv4 only (a dotted quad with a /0 to /32 prefix); IPv6 ranges are rejected.
Must match regular expression: ^(?:([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]{0,1}|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])){3}/(([0-9]|[1-2][0-9]|3[0-2])))$
"192.168.0.0/24"
Strings added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. Tags enable you to make firewall rules and routes applicable to specific VM instances.
Must match regular expression: ^(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)$
Must be at most 63 characters long
"alpha-tag"
"bravo-tag"
"charlie-tag"
"web-server"
"database"
The email address of a service account. Firewall rules can target or be applied based on service accounts.
Must match regular expression: ^\S+@\S+\.\S+$
Must be at most 63 characters long
"project-number-compute@developer.gserviceaccount.com"
"project-id@appspot.gserviceaccount.com"
"project-number@cloudservices.gserviceaccount.com"
"192.168.1.0/24"
"example-tag"
"example-service-account@example.com"
The priority of the rule. Lower values indicate higher priority; when rules of equal priority conflict, VPC firewall evaluation lets the DENY rule win.
Value must be between 0 and 65535 (inclusive)
1000
2000
Defines how traffic that matches this rule should be logged.
Exclude all metadata from the logs.
Specific value: "EXCLUDE_ALL_METADATA"
Include all metadata in the logs.
Specific value: "INCLUDE_ALL_METADATA"
Disable logging for this rule.
Specific value: "DISABLED"
"EXCLUDE_ALL_METADATA"
"INCLUDE_ALL_METADATA"
"DISABLED"