Compute V1 Client - Class SecurityPolicyRule (1.21.0)

Reference documentation and code samples for the Compute V1 Client class SecurityPolicyRule.

Represents a rule that describes one or more match conditions along with the action to be taken when traffic matches this condition (allow or deny).

Generated from protobuf message google.cloud.compute.v1.SecurityPolicyRule

Namespace

Google \ Cloud \ Compute \ V1

Methods

__construct

Constructor.

Parameters
Name Description
data array

Optional. Data for populating the Message object.

↳ action string

The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this.

↳ description string

An optional description of this resource. Provide this property when you create the resource.

↳ header_action SecurityPolicyRuleHttpHeaderAction

Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

↳ kind string

[Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules

↳ match SecurityPolicyRuleMatcher

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

↳ network_match SecurityPolicyRuleNetworkMatcher

A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.

↳ preconfigured_waf_config SecurityPolicyRulePreconfiguredWafConfig

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

↳ preview bool

If set to true, the specified action is not enforced.

↳ priority int

An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

↳ rate_limit_options SecurityPolicyRuleRateLimitOptions

Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.

↳ redirect_options SecurityPolicyRuleRedirectOptions

Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

getAction

The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this.

Returns
Type Description
string

hasAction

clearAction

setAction

The Action to perform when the rule is matched. The following are the valid actions: - allow: allow access to target. - deny(STATUS): deny access to target, returns the HTTP response code specified. Valid values for STATUS are 403, 404, and 502. - rate_based_ban: limit client traffic to the configured threshold and ban the client if the traffic exceeds the threshold. Configure parameters for this action in RateLimitOptions. Requires rate_limit_options to be set. - redirect: redirect to a different target. This can either be an internal reCAPTCHA redirect, or an external URL-based redirect via a 302 response. Parameters for this action can be configured via redirectOptions. This action is only supported in Global Security Policies of type CLOUD_ARMOR. - throttle: limit client traffic to the configured threshold. Configure parameters for this action in rateLimitOptions. Requires rate_limit_options to be set for this.

Parameter
Name Description
var string
Returns
Type Description
$this

getDescription

An optional description of this resource. Provide this property when you create the resource.

Returns
Type Description
string

hasDescription

clearDescription

setDescription

An optional description of this resource. Provide this property when you create the resource.

Parameter
Name Description
var string
Returns
Type Description
$this

getHeaderAction

Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Returns
Type Description
SecurityPolicyRuleHttpHeaderAction|null

hasHeaderAction

clearHeaderAction

setHeaderAction

Optional, additional actions that are performed on headers. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Parameter
Name Description
var SecurityPolicyRuleHttpHeaderAction
Returns
Type Description
$this

getKind

[Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules

Returns
Type Description
string

hasKind

clearKind

setKind

[Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules

Parameter
Name Description
var string
Returns
Type Description
$this

getMatch

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

Returns
Type Description
SecurityPolicyRuleMatcher|null

hasMatch

clearMatch

setMatch

A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.

Parameter
Name Description
var SecurityPolicyRuleMatcher
Returns
Type Description
$this

getNetworkMatch

A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.

Returns
Type Description
SecurityPolicyRuleNetworkMatcher|null

hasNetworkMatch

clearNetworkMatch

setNetworkMatch

A match condition that incoming packets are evaluated against for CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding 'action' is enforced. The match criteria for a rule consists of built-in match fields (like 'srcIpRanges') and potentially multiple user-defined match fields ('userDefinedFields'). Field values may be extracted directly from the packet or derived from it (e.g. 'srcRegionCodes'). Some fields may not be present in every packet (e.g. 'srcPorts'). A user-defined field is only present if the base header is found in the packet and the entire field is in bounds. Each match field may specify which values can match it, listing one or more ranges, prefixes, or exact values that are considered a match for the field. A field value must be present in order to match a specified match field. If no match values are specified for a match field, then any field value is considered to match it, and it's not required to be present. For strings specifying '*' is also equivalent to match all. For a packet to match a rule, all specified match fields must match the corresponding field values derived from the packet. Example: networkMatch: srcIpRanges: - "192.0.2.0/24" - "198.51.100.0/24" userDefinedFields: - name: "ipv4_fragment_offset" values: - "1-0x1fff" The above match condition matches packets with a source IP in 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.

Parameter
Name Description
var SecurityPolicyRuleNetworkMatcher
Returns
Type Description
$this

getPreconfiguredWafConfig

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

Returns
Type Description
SecurityPolicyRulePreconfiguredWafConfig|null

hasPreconfiguredWafConfig

clearPreconfiguredWafConfig

setPreconfiguredWafConfig

Preconfigured WAF configuration to be applied for the rule. If the rule does not evaluate preconfigured WAF rules, i.e., if evaluatePreconfiguredWaf() is not used, this field will have no effect.

Parameter
Name Description
var SecurityPolicyRulePreconfiguredWafConfig
Returns
Type Description
$this

getPreview

If set to true, the specified action is not enforced.

Returns
Type Description
bool

hasPreview

clearPreview

setPreview

If set to true, the specified action is not enforced.

Parameter
Name Description
var bool
Returns
Type Description
$this

getPriority

An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

Returns
Type Description
int

hasPriority

clearPriority

setPriority

An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.

Parameter
Name Description
var int
Returns
Type Description
$this

getRateLimitOptions

Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.

Returns
Type Description
SecurityPolicyRuleRateLimitOptions|null

hasRateLimitOptions

clearRateLimitOptions

setRateLimitOptions

Must be specified if the action is "rate_based_ban" or "throttle". Cannot be specified for any other actions.

Parameter
Name Description
var SecurityPolicyRuleRateLimitOptions
Returns
Type Description
$this

getRedirectOptions

Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Returns
Type Description
SecurityPolicyRuleRedirectOptions|null

hasRedirectOptions

clearRedirectOptions

setRedirectOptions

Parameters defining the redirect action. Cannot be specified for any other actions. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

Parameter
Name Description
var SecurityPolicyRuleRedirectOptions
Returns
Type Description
$this