Google Cloud Native v0.32.0, Nov 29 23

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.compute/beta.Firewall

Explore with Pulumi AI

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

Create Firewall Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Firewall(name: string, args?: FirewallArgs, opts?: CustomResourceOptions);

@overload
def Firewall(resource_name: str,
             args: Optional[FirewallArgs] = None,
             opts: Optional[ResourceOptions] = None)

@overload
def Firewall(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             allowed: Optional[Sequence[FirewallAllowedItemArgs]] = None,
             denied: Optional[Sequence[FirewallDeniedItemArgs]] = None,
             description: Optional[str] = None,
             destination_ranges: Optional[Sequence[str]] = None,
             direction: Optional[FirewallDirection] = None,
             disabled: Optional[bool] = None,
             enable_logging: Optional[bool] = None,
             log_config: Optional[FirewallLogConfigArgs] = None,
             name: Optional[str] = None,
             network: Optional[str] = None,
             priority: Optional[int] = None,
             project: Optional[str] = None,
             request_id: Optional[str] = None,
             source_ranges: Optional[Sequence[str]] = None,
             source_service_accounts: Optional[Sequence[str]] = None,
             source_tags: Optional[Sequence[str]] = None,
             target_service_accounts: Optional[Sequence[str]] = None,
             target_tags: Optional[Sequence[str]] = None)

func NewFirewall(ctx *Context, name string, args *FirewallArgs, opts ...ResourceOption) (*Firewall, error)

public Firewall(string name, FirewallArgs? args = null, CustomResourceOptions? opts = null)

public Firewall(String name, FirewallArgs args)
public Firewall(String name, FirewallArgs args, CustomResourceOptions options)

type: google-native:compute/beta:Firewall
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var google_nativeFirewallResource = new GoogleNative.Compute.Beta.Firewall("google-nativeFirewallResource", new()
{
    Allowed = new[]
    {
        new GoogleNative.Compute.Beta.Inputs.FirewallAllowedItemArgs
        {
            IpProtocol = "string",
            Ports = new[]
            {
                "string",
            },
        },
    },
    Denied = new[]
    {
        new GoogleNative.Compute.Beta.Inputs.FirewallDeniedItemArgs
        {
            IpProtocol = "string",
            Ports = new[]
            {
                "string",
            },
        },
    },
    Description = "string",
    DestinationRanges = new[]
    {
        "string",
    },
    Direction = GoogleNative.Compute.Beta.FirewallDirection.Egress,
    Disabled = false,
    LogConfig = new GoogleNative.Compute.Beta.Inputs.FirewallLogConfigArgs
    {
        Enable = false,
        Metadata = GoogleNative.Compute.Beta.FirewallLogConfigMetadata.ExcludeAllMetadata,
    },
    Name = "string",
    Network = "string",
    Priority = 0,
    Project = "string",
    RequestId = "string",
    SourceRanges = new[]
    {
        "string",
    },
    SourceServiceAccounts = new[]
    {
        "string",
    },
    SourceTags = new[]
    {
        "string",
    },
    TargetServiceAccounts = new[]
    {
        "string",
    },
    TargetTags = new[]
    {
        "string",
    },
});

example, err := computebeta.NewFirewall(ctx, "google-nativeFirewallResource", &computebeta.FirewallArgs{
Allowed: compute.FirewallAllowedItemArray{
&compute.FirewallAllowedItemArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Denied: compute.FirewallDeniedItemArray{
&compute.FirewallDeniedItemArgs{
IpProtocol: pulumi.String("string"),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Description: pulumi.String("string"),
DestinationRanges: pulumi.StringArray{
pulumi.String("string"),
},
Direction: computebeta.FirewallDirectionEgress,
Disabled: pulumi.Bool(false),
LogConfig: &compute.FirewallLogConfigArgs{
Enable: pulumi.Bool(false),
Metadata: computebeta.FirewallLogConfigMetadataExcludeAllMetadata,
},
Name: pulumi.String("string"),
Network: pulumi.String("string"),
Priority: pulumi.Int(0),
Project: pulumi.String("string"),
RequestId: pulumi.String("string"),
SourceRanges: pulumi.StringArray{
pulumi.String("string"),
},
SourceServiceAccounts: pulumi.StringArray{
pulumi.String("string"),
},
SourceTags: pulumi.StringArray{
pulumi.String("string"),
},
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("string"),
},
TargetTags: pulumi.StringArray{
pulumi.String("string"),
},
})

var google_nativeFirewallResource = new Firewall("google-nativeFirewallResource", FirewallArgs.builder()
    .allowed(FirewallAllowedItemArgs.builder()
        .ipProtocol("string")
        .ports("string")
        .build())
    .denied(FirewallDeniedItemArgs.builder()
        .ipProtocol("string")
        .ports("string")
        .build())
    .description("string")
    .destinationRanges("string")
    .direction("EGRESS")
    .disabled(false)
    .logConfig(FirewallLogConfigArgs.builder()
        .enable(false)
        .metadata("EXCLUDE_ALL_METADATA")
        .build())
    .name("string")
    .network("string")
    .priority(0)
    .project("string")
    .requestId("string")
    .sourceRanges("string")
    .sourceServiceAccounts("string")
    .sourceTags("string")
    .targetServiceAccounts("string")
    .targetTags("string")
    .build());

google_native_firewall_resource = google_native.compute.beta.Firewall("google-nativeFirewallResource",
    allowed=[google_native.compute.beta.FirewallAllowedItemArgs(
        ip_protocol="string",
        ports=["string"],
    )],
    denied=[google_native.compute.beta.FirewallDeniedItemArgs(
        ip_protocol="string",
        ports=["string"],
    )],
    description="string",
    destination_ranges=["string"],
    direction=google_native.compute.beta.FirewallDirection.EGRESS,
    disabled=False,
    log_config=google_native.compute.beta.FirewallLogConfigArgs(
        enable=False,
        metadata=google_native.compute.beta.FirewallLogConfigMetadata.EXCLUDE_ALL_METADATA,
    ),
    name="string",
    network="string",
    priority=0,
    project="string",
    request_id="string",
    source_ranges=["string"],
    source_service_accounts=["string"],
    source_tags=["string"],
    target_service_accounts=["string"],
    target_tags=["string"])

const google_nativeFirewallResource = new google_native.compute.beta.Firewall("google-nativeFirewallResource", {
    allowed: [{
        ipProtocol: "string",
        ports: ["string"],
    }],
    denied: [{
        ipProtocol: "string",
        ports: ["string"],
    }],
    description: "string",
    destinationRanges: ["string"],
    direction: google_native.compute.beta.FirewallDirection.Egress,
    disabled: false,
    logConfig: {
        enable: false,
        metadata: google_native.compute.beta.FirewallLogConfigMetadata.ExcludeAllMetadata,
    },
    name: "string",
    network: "string",
    priority: 0,
    project: "string",
    requestId: "string",
    sourceRanges: ["string"],
    sourceServiceAccounts: ["string"],
    sourceTags: ["string"],
    targetServiceAccounts: ["string"],
    targetTags: ["string"],
});

type: google-native:compute/beta:Firewall
properties:
    allowed:
        - ipProtocol: string
          ports:
            - string
    denied:
        - ipProtocol: string
          ports:
            - string
    description: string
    destinationRanges:
        - string
    direction: EGRESS
    disabled: false
    logConfig:
        enable: false
        metadata: EXCLUDE_ALL_METADATA
    name: string
    network: string
    priority: 0
    project: string
    requestId: string
    sourceRanges:
        - string
    sourceServiceAccounts:
        - string
    sourceTags:
        - string
    targetServiceAccounts:
        - string
    targetTags:
        - string

Firewall Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Firewall resource accepts the following input properties:

Allowed List<Pulumi.GoogleNative.Compute.Beta.Inputs.FirewallAllowedItem>: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
Denied List<Pulumi.GoogleNative.Compute.Beta.Inputs.FirewallDeniedItem>: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
Description string: An optional description of this resource. Provide this field when you create the resource.
DestinationRanges List<string>: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
Direction Pulumi.GoogleNative.Compute.Beta.FirewallDirection: Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
Disabled bool: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
EnableLogging bool: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
LogConfig Pulumi.GoogleNative.Compute.Beta.Inputs.FirewallLogConfig: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
Name string: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
Network string: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
Priority int: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
Project string
RequestId string: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
SourceRanges List<string>: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
SourceServiceAccounts List<string>: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
SourceTags List<string>: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
TargetServiceAccounts List<string>: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
TargetTags List<string>: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

Allowed []FirewallAllowedItemArgs: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
Denied []FirewallDeniedItemArgs: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
Description string: An optional description of this resource. Provide this field when you create the resource.
DestinationRanges []string: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
Direction FirewallDirection: Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
Disabled bool: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
EnableLogging bool: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
LogConfig FirewallLogConfigArgs: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
Name string: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
Network string: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
Priority int: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
Project string
RequestId string: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
SourceRanges []string: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
SourceServiceAccounts []string: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
SourceTags []string: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
TargetServiceAccounts []string: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
TargetTags []string: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

allowed List<FirewallAllowedItem>: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
denied List<FirewallDeniedItem>: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
description String: An optional description of this resource. Provide this field when you create the resource.
destinationRanges List<String>: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
direction FirewallDirection: Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
disabled Boolean: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
enableLogging Boolean: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
logConfig FirewallLogConfig: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
name String: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network String: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
priority Integer: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
project String
requestId String: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
sourceRanges List<String>: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
sourceServiceAccounts List<String>: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
sourceTags List<String>: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
targetServiceAccounts List<String>: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
targetTags List<String>: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

allowed FirewallAllowedItem[]: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
denied FirewallDeniedItem[]: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
description string: An optional description of this resource. Provide this field when you create the resource.
destinationRanges string[]: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
direction FirewallDirection: Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
disabled boolean: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
enableLogging boolean: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
logConfig FirewallLogConfig: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
name string: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network string: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
priority number: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
project string
requestId string: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
sourceRanges string[]: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
sourceServiceAccounts string[]: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
sourceTags string[]: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
targetServiceAccounts string[]: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
targetTags string[]: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

allowed Sequence[FirewallAllowedItemArgs]: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
denied Sequence[FirewallDeniedItemArgs]: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
description str: An optional description of this resource. Provide this field when you create the resource.
destination_ranges Sequence[str]: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
direction FirewallDirection: Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
disabled bool: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
enable_logging bool: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
log_config FirewallLogConfigArgs: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
name str: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network str: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
priority int: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
project str
request_id str: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
source_ranges Sequence[str]: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
source_service_accounts Sequence[str]: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
source_tags Sequence[str]: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
target_service_accounts Sequence[str]: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
target_tags Sequence[str]: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

allowed List<Property Map>: The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.
denied List<Property Map>: The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
description String: An optional description of this resource. Provide this field when you create the resource.
destinationRanges List<String>: If destination ranges are specified, the firewall rule applies only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are supported.
direction "EGRESS" | "INGRESS": Direction of traffic to which this firewall applies, either INGRESS or EGRESS. The default is INGRESS. For EGRESS traffic, you cannot specify the sourceTags fields.
disabled Boolean: Denotes whether the firewall rule is disabled. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.
enableLogging Boolean: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
Deprecated: Deprecated in favor of enable in LogConfig. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported t Cloud Logging.
logConfig Property Map: This field denotes the logging options for a particular firewall rule. If logging is enabled, logs will be exported to Cloud Logging.
name String: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. The first character must be a lowercase letter, and all following characters (except for the last character) must be a dash, lowercase letter, or digit. The last character must be a lowercase letter or digit.
network String: URL of the network resource for this firewall rule. If not specified when creating a firewall rule, the default network is used: global/networks/default If you choose to specify this field, you can specify the network as a full or partial URL. For example, the following are all valid URLs: - https://www.googleapis.com/compute/v1/projects/myproject/global/networks/my-network - projects/myproject/global/networks/my-network - global/networks/default
priority Number: Priority for this rule. This is an integer between 0 and 65535, both inclusive. The default value is 1000. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority. For example, a rule with priority 0 has higher precedence than a rule with priority 1. DENY rules take precedence over ALLOW rules if they have equal priority. Note that VPC networks have implied rules with a priority of 65535. To avoid conflicts with the implied rules, use a priority number less than 65535.
project String
requestId String: An optional request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments. The request ID must be a valid UUID with the exception that zero UUID is not supported ( 00000000-0000-0000-0000-000000000000).
sourceRanges List<String>: If source ranges are specified, the firewall rule applies only to traffic that has a source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both fields are set, the rule applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the rule to apply. Both IPv4 and IPv6 are supported.
sourceServiceAccounts List<String>: If source service accounts are specified, the firewall rules apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall applies to traffic that has a source IP address within the sourceRanges OR a source IP that belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both fields for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.
sourceTags List<String>: If source tags are specified, the firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network. Source tags cannot be used to control traffic to an instance's external IP address, it only applies to traffic between instances in the same virtual network. Because tags are associated with instances, not IP addresses. One or both of sourceRanges and sourceTags may be set. If both fields are set, the firewall applies to traffic that has a source IP address within sourceRanges OR a source IP from a resource with a matching tag listed in the sourceTags field. The connection does not need to match both fields for the firewall to apply.
targetServiceAccounts List<String>: A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.
targetTags List<String>: A list of tags that controls which instances the firewall rule applies to. If targetTags are specified, then the firewall rule applies only to instances in the VPC network that have one of those tags. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

Outputs

All input properties are implicitly available as output properties. Additionally, the Firewall resource produces the following output properties:

CreationTimestamp string: Creation timestamp in RFC3339 text format.
Id string: The provider-assigned unique ID for this managed resource.
Kind string: Type of the resource. Always compute#firewall for firewall rules.
SelfLink string: Server-defined URL for the resource.

CreationTimestamp string: Creation timestamp in RFC3339 text format.
Id string: The provider-assigned unique ID for this managed resource.
Kind string: Type of the resource. Always compute#firewall for firewall rules.
SelfLink string: Server-defined URL for the resource.

creationTimestamp String: Creation timestamp in RFC3339 text format.
id String: The provider-assigned unique ID for this managed resource.
kind String: Type of the resource. Always compute#firewall for firewall rules.
selfLink String: Server-defined URL for the resource.

creationTimestamp string: Creation timestamp in RFC3339 text format.
id string: The provider-assigned unique ID for this managed resource.
kind string: Type of the resource. Always compute#firewall for firewall rules.
selfLink string: Server-defined URL for the resource.

creation_timestamp str: Creation timestamp in RFC3339 text format.
id str: The provider-assigned unique ID for this managed resource.
kind str: Type of the resource. Always compute#firewall for firewall rules.
self_link str: Server-defined URL for the resource.

creationTimestamp String: Creation timestamp in RFC3339 text format.
id String: The provider-assigned unique ID for this managed resource.
kind String: Type of the resource. Always compute#firewall for firewall rules.
selfLink String: Server-defined URL for the resource.

Supporting Types

FirewallAllowedItem, FirewallAllowedItemArgs

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports List<string>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports []string: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports string[]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ip_protocol str: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports Sequence[str]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

FirewallAllowedItemResponse, FirewallAllowedItemResponseArgs

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports List<string>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports []string: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports string[]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ip_protocol str: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports Sequence[str]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

FirewallDeniedItem, FirewallDeniedItemArgs

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports List<string>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports []string: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports string[]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ip_protocol str: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports Sequence[str]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

FirewallDeniedItemResponse, FirewallDeniedItemResponseArgs

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports List<string>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

IpProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
Ports []string: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol string: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports string[]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ip_protocol str: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports Sequence[str]: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

ipProtocol String: The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) or the IP protocol number.
ports List<String>: An optional list of ports to which this rule applies. This field is only applicable for the UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

FirewallDirection, FirewallDirectionArgs

Egress: EGRESSIndicates that firewall should apply to outgoing traffic.
Ingress: INGRESSIndicates that firewall should apply to incoming traffic.

FirewallDirectionEgress: EGRESSIndicates that firewall should apply to outgoing traffic.
FirewallDirectionIngress: INGRESSIndicates that firewall should apply to incoming traffic.

Egress: EGRESSIndicates that firewall should apply to outgoing traffic.
Ingress: INGRESSIndicates that firewall should apply to incoming traffic.

Egress: EGRESSIndicates that firewall should apply to outgoing traffic.
Ingress: INGRESSIndicates that firewall should apply to incoming traffic.

EGRESS: EGRESSIndicates that firewall should apply to outgoing traffic.
INGRESS: INGRESSIndicates that firewall should apply to incoming traffic.

"EGRESS": EGRESSIndicates that firewall should apply to outgoing traffic.
"INGRESS": INGRESSIndicates that firewall should apply to incoming traffic.

FirewallLogConfig, FirewallLogConfigArgs

Enable bool: This field denotes whether to enable logging for a particular firewall rule.
Metadata Pulumi.GoogleNative.Compute.Beta.FirewallLogConfigMetadata: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

Enable bool: This field denotes whether to enable logging for a particular firewall rule.
Metadata FirewallLogConfigMetadata: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable Boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata FirewallLogConfigMetadata: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata FirewallLogConfigMetadata: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable bool: This field denotes whether to enable logging for a particular firewall rule.
metadata FirewallLogConfigMetadata: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable Boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata "EXCLUDE_ALL_METADATA" | "INCLUDE_ALL_METADATA": This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

FirewallLogConfigMetadata, FirewallLogConfigMetadataArgs

ExcludeAllMetadata: EXCLUDE_ALL_METADATA
IncludeAllMetadata: INCLUDE_ALL_METADATA

FirewallLogConfigMetadataExcludeAllMetadata: EXCLUDE_ALL_METADATA
FirewallLogConfigMetadataIncludeAllMetadata: INCLUDE_ALL_METADATA

ExcludeAllMetadata: EXCLUDE_ALL_METADATA
IncludeAllMetadata: INCLUDE_ALL_METADATA

ExcludeAllMetadata: EXCLUDE_ALL_METADATA
IncludeAllMetadata: INCLUDE_ALL_METADATA

EXCLUDE_ALL_METADATA: EXCLUDE_ALL_METADATA
INCLUDE_ALL_METADATA: INCLUDE_ALL_METADATA

"EXCLUDE_ALL_METADATA": EXCLUDE_ALL_METADATA
"INCLUDE_ALL_METADATA": INCLUDE_ALL_METADATA

FirewallLogConfigResponse, FirewallLogConfigResponseArgs

Enable bool: This field denotes whether to enable logging for a particular firewall rule.
Metadata string: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

Enable bool: This field denotes whether to enable logging for a particular firewall rule.
Metadata string: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable Boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata String: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata string: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable bool: This field denotes whether to enable logging for a particular firewall rule.
metadata str: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

enable Boolean: This field denotes whether to enable logging for a particular firewall rule.
metadata String: This field can only be specified for a particular firewall rule if logging is enabled for that rule. This field denotes whether to include or exclude metadata for firewall logs.

Package Details

Repository: Google Cloud Native pulumi/pulumi-google-native
License: Apache-2.0

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.compute/beta.Firewall

On this page

On this page

Create Firewall Resource

Constructor syntax

Parameters

Constructor example

Firewall Resource Properties

Inputs

Outputs

Supporting Types

FirewallAllowedItem, FirewallAllowedItemArgs

FirewallAllowedItemResponse, FirewallAllowedItemResponseArgs

FirewallDeniedItem, FirewallDeniedItemArgs

FirewallDeniedItemResponse, FirewallDeniedItemResponseArgs

FirewallDirection, FirewallDirectionArgs

FirewallLogConfig, FirewallLogConfigArgs

FirewallLogConfigMetadata, FirewallLogConfigMetadataArgs

FirewallLogConfigResponse, FirewallLogConfigResponseArgs

Package Details

On this page

On this page