> ## Documentation Index > Fetch the complete documentation index at: https://docs.nebius.com/llms.txt > Use this file to discover all available pages before exploring further. # create

Name

nebius vpc security-rule create

Synopsis

``` nebius vpc security-rule create --access [required] --egress-destination-cidrs --egress-destination-ports --egress-destination-security-group-id --ingress-destination-ports --ingress-source-cidrs --ingress-source-security-group-id --labels --name --parent-id [required] --priority --protocol [required] --resource-version --type --async -i, --interactive ```

Options

`--access` (string) \[required]

Access action for the rule.
Required. Determines whether matching traffic is allowed or denied.

A value must be one of:

`--egress-destination-cidrs` (string array)

CIDR blocks as the destination.
Optional. Empty list means any address.
Must be a valid IPv4.
Maximum of 8 CIDRs can be specified.

Mutually exclusive with: `--ingress-destination-ports`, `--ingress-source-cidrs`, `--ingress-source-security-group-id`.

`--egress-destination-ports` (int32 array)

List of ports to which the rule applies.
Optional. Empty list means any port.
Valid range: 1–65535.
Maximum of 8 ports can be specified.

Mutually exclusive with: `--ingress-destination-ports`, `--ingress-source-cidrs`, `--ingress-source-security-group-id`.

`--egress-destination-security-group-id` (string)

ID of the referenced Security Group as the destination.

Mutually exclusive with: `--ingress-destination-ports`, `--ingress-source-cidrs`, `--ingress-source-security-group-id`.

`--ingress-destination-ports` (int32 array)

List of destination ports to which the rule applies.
Optional. Empty list means any port.
Valid range: 1–65535.
Maximum of 8 ports can be specified.

Mutually exclusive with: `--egress-destination-cidrs`, `--egress-destination-ports`, `--egress-destination-security-group-id`.

`--ingress-source-cidrs` (string array)

CIDR blocks as the source.
Optional. Empty list means any address.
Must be a valid IPv4
Maximum of 8 CIDRs can be specified.

Mutually exclusive with: `--egress-destination-cidrs`, `--egress-destination-ports`, `--egress-destination-security-group-id`.

`--ingress-source-security-group-id` (string)

ID of the referenced Security Group as the source.

Mutually exclusive with: `--egress-destination-cidrs`, `--egress-destination-ports`, `--egress-destination-security-group-id`.

`--labels` (string->string)

Labels associated with the resource.

`--name` (string)

Human readable name for the resource.

`--parent-id` (string) \[required]

Identifier of the parent resource to which the resource belongs.

`--priority` (int32)

Priority of the rule. Valid range: 0-1000.
Optional. If not specified or set to 0, defaults to 500.
Rules are evaluated in priority order (lower numbers first) using a first-match algorithm:
only the first matching rule takes effect (ALLOW or DENY), and subsequent rules are skipped.

When multiple rules share the same priority, DENY rules are evaluated before ALLOW rules.
The final evaluation order is reflected in 'effective\_priority' (see SecurityRuleStatus).

`--protocol` (string) \[required]

Protocol used in the rule.
Supported values: ANY, TCP, UDP, ICMP.

A value must be one of:

`--resource-version` (int64)

Version of the resource for safe concurrent modifications and consistent reads.
Positive and monotonically increases on each resource spec change (but *not* on each change of the
resource's container(s) or status).
Service allows zero value or current.

`--type` (string)

Type of the rule (STATEFUL or STATELESS)
Default value is STATEFUL.

A value must be one of:

`--async` (bool)

If set, returns operation id. Otherwise, waits for the operation to complete and returns its resource.

`-i, --interactive` (bool)

If set, suggests to insert field values in interactive mode.

Global Options

`-h, --help` (bool)

Show this message.

`-p, --profile` (string)

Set a profile for interacting with the cloud.

`--format` (string)

Output format. Supported values: yaml|json|jsonpath|table|text.

`-f, --file` (string)

Input file. For 'update' commands automatically set --full=true.

`-c, --config` (string)

Provide path to config file.

`--debug` (bool)

Enable debug logs.

`--color` (bool)

Enable colored output.

`--no-browser` (bool)

Do not open browser automatically on auth.

`--insecure` (bool)

Disable transport security.

`--auth-timeout` (duration: 2h30m10s)

Set the timeout for the request including authentication process, default is 15m0s.

`--per-retry-timeout` (duration: 2h30m10s)

Set the timeout for each retry attempt, default is 20s.

`--retries` (uint)

Set the number of retry attempts, 1 is disable retries, default is 3.

`--timeout` (duration: 2h30m10s)

Set the timeout for the main request, default is 1m0s.

`--no-check-update` (bool)

Suppress check for updates.

`--no-progress` (bool)

Suppress progress indicators and spinners.

```json theme={null} { "metadata": { // [required] "labels": { // [map] // Labels associated with the resource. string: string }, "name": string, // Human readable name for the resource. "parent_id": string, // [required] // Identifier of the parent resource to which the resource belongs. "resource_version": int64 // Version of the resource for safe concurrent modifications and consistent reads. // Positive and monotonically increases on each resource spec change (but *not* on each change of the // resource's container(s) or status). // Service allows zero value or current. }, "spec": { // [required] "access": enum( // [required] [immutable] // Access action for the rule. // Required. Determines whether matching traffic is allowed or denied. "ACCESS_UNSPECIFIED", "ALLOW", "DENY" ), "egress": { // [immutable] // Cannot be set together with: ingress "destination_cidrs": [string], // CIDR blocks as the destination. // Optional. Empty list means any address. // Must be a valid IPv4. // Maximum of 8 CIDRs can be specified. "destination_ports": [int32], // List of ports to which the rule applies. // Optional. Empty list means any port. // Valid range: 1–65535. // Maximum of 8 ports can be specified. "destination_security_group_id": string // ID of the referenced Security Group as the destination. }, "ingress": { // [immutable] // Cannot be set together with: egress "destination_ports": [int32], // List of destination ports to which the rule applies. // Optional. Empty list means any port. // Valid range: 1–65535. // Maximum of 8 ports can be specified. "source_cidrs": [string], // CIDR blocks as the source. // Optional. Empty list means any address. // Must be a valid IPv4 // Maximum of 8 CIDRs can be specified. "source_security_group_id": string // ID of the referenced Security Group as the source. }, "priority": int32, // [immutable] [non_empty_default] // Priority of the rule. Valid range: 0-1000. // Optional. If not specified or set to 0, defaults to 500. // Rules are evaluated in priority order (lower numbers first) using a first-match algorithm: // only the first matching rule takes effect (ALLOW or DENY), and subsequent rules are skipped. // // When multiple rules share the same priority, DENY rules are evaluated before ALLOW rules. // The final evaluation order is reflected in 'effective_priority' (see SecurityRuleStatus). "protocol": enum( // [required] [immutable] // Protocol used in the rule. // Supported values: ANY, TCP, UDP, ICMP. "PROTOCOL_UNSPECIFIED", "ANY", "TCP", "UDP", "ICMP" ), "type": enum( // [immutable] [non_empty_default] // Type of the rule (STATEFUL or STATELESS) // Default value is STATEFUL. "RULE_TYPE_UNSPECIFIED", "STATEFUL", "STATELESS" ) } } ``` ```json theme={null} nebius vpc security-rule create ' { "metadata": { "labels": { "": "" }, "name": "", "parent_id": "", "resource_version": 0 }, "spec": { "access": "access_unspecified"|"allow"|"deny" , "egress": { "destination_cidrs": [""], "destination_ports": [0], "destination_security_group_id": "" }, "priority": 0, "protocol": "protocol_unspecified"|"any"|"tcp"|"udp"|"icmp", "type": "rule_type_unspecified"|"stateful"|"stateless" } } ' ``` Auto generated on 19-May-2026