Skip to main content
SecurityRules define rules for controlling network traffic within a network. These rules specify when traffic is ALLOWED or DENIED based on direction, protocol, match source, and ports.

Schema

Required

  • access (String) : Access action for the rule. Required. Determines whether matching traffic is allowed or denied.

    Supported values

    Access specifies action on matching traffic: ALLOW or DENY. Possible values:
    • ACCESS_UNSPECIFIED
    • ALLOW
    • DENY
  • parent_id (String) Identifier of the parent resource to which the resource belongs.
  • protocol (String) : Protocol used in the rule. Supported values: ANY, TCP, UDP, ICMP.

    Supported values

    Protocol specifies traffic protocol. Possible values:
    • PROTOCOL_UNSPECIFIED
    • ANY
    • TCP
    • UDP
    • ICMP

Optional

  • egress (Attributes) :

    Inner value description

    Defines match for outgoing traffic. Cannot be set alongside ingress. (see below for nested schema)
  • ingress (Attributes) :

    Inner value description

    Defines match for incoming traffic. Cannot be set alongside egress. (see below for nested schema)
  • labels (Map of String) : Labels associated with the resource.
  • metadata (Attributes) : metadata.parent_id represents the SecurityGroup.

    Inner value description

    Common resource metadata. (see below for nested schema)
  • name (String) Human readable name for the resource.
  • priority (Number) : Priority of the rule. Valid range: 0-1000. Optional. If not specified or set to 0, defaults to 500. Rules are evaluated in priority order (lower numbers first) using a first-match algorithm: only the first matching rule takes effect (ALLOW or DENY), and subsequent rules are skipped. When multiple rules share the same priority, DENY rules are evaluated before ALLOW rules. The final evaluation order is reflected in ‘effective_priority’ (see SecurityRuleStatus).
  • type (String) : Type of the rule (STATEFUL or STATELESS) Default value is STATEFUL

    Supported values

    RuleType specifies whether the security rule is stateful or stateless. Possible values:
    • RULE_TYPE_UNSPECIFIED
    • STATEFUL
    • STATELESS

Read-Only

  • created_at (String) : Timestamp indicating when the resource was created. A string representing a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ or YYYY-MM-DDTHH:MM:SS.SSS±HH:MM
  • id (String) Identifier for the resource, unique for its resource type.
  • resource_version (Number) : Version of the resource for safe concurrent modifications and consistent reads. Positive and monotonically increases on each resource spec change (but not on each change of the resource’s container(s) or status). Service allows zero value or current.
  • status (Attributes) Current status of the security rule. (see below for nested schema)
  • updated_at (String) : Timestamp indicating when the resource was last updated. A string representing a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ or YYYY-MM-DDTHH:MM:SS.SSS±HH:MM

Nested Schema for egress

Optional:
  • destination_cidrs (List of String) : CIDR blocks as the destination. Optional. Empty list means any address. Must be a valid IPv4. Maximum of 8 CIDRs can be specified.
  • destination_ports (List of Number) : List of ports to which the rule applies. Optional. Empty list means any port. Valid range: 1–65535. Maximum of 8 ports can be specified.
  • destination_security_group_id (String) ID of the referenced Security Group as the destination.

Nested Schema for ingress

Optional:
  • destination_ports (List of Number) : List of destination ports to which the rule applies. Optional. Empty list means any port. Valid range: 1–65535. Maximum of 8 ports can be specified.
  • source_cidrs (List of String) : CIDR blocks as the source. Optional. Empty list means any address. Must be a valid IPv4 Maximum of 8 CIDRs can be specified.
  • source_security_group_id (String) ID of the referenced Security Group as the source.

Nested Schema for metadata

Nested Schema for status

Read-Only:
  • destination (Attributes) Destination of the traffic that matched the rule. (see below for nested schema)
  • direction (String) : Direction of traffic affected by the rule.

    Supported values

    Direction specifies whether traffic is INGRESS (incoming) or EGRESS (outgoing). Possible values:
    • DIRECTION_UNSPECIFIED
    • INGRESS
    • EGRESS
  • effective_priority (Number) : Effective priority used for rule evaluation order, calculated by the system. This value is computed from the user-specified ‘priority’ (SecurityRuleSpec). Rules are evaluated in ascending order of effective_priority using a first-match algorithm.
  • source (Attributes) Source of the traffic that matched the rule. (see below for nested schema)
  • state (String) :

    Supported values

    State describes lifecycle phases of a security rule. Possible values:
    • STATE_UNSPECIFIED
    • CREATING
    • READY
    • DELETING

Nested Schema for status.destination

Read-Only:
  • cidrs (List of String) List of CIDR blocks.
  • ports (List of Number) List of ports.
  • security_group_id (String) ID of the Security Group.

Nested Schema for status.source

Read-Only:
  • cidrs (List of String) List of CIDR blocks.
  • ports (List of Number) List of ports.
  • security_group_id (String) ID of the Security Group.