gcloud alpha compute network-firewall-policies mirroring-rules create

NAME
gcloud alpha compute network-firewall-policies mirroring-rules create - creates a Compute Engine network firewall policy packet mirroring rule
SYNOPSIS
gcloud alpha compute network-firewall-policies mirroring-rules create PRIORITY --action=ACTION --firewall-policy=FIREWALL_POLICY --global-firewall-policy [--description=DESCRIPTION] [--dest-address-groups=[DEST_ADDRESS_GROUPS,…]] [--dest-fqdns=[DEST_FQDNS,…]] [--dest-ip-ranges=[DEST_IP_RANGE,…]] [--dest-region-codes=[DEST_REGION_CODES,…]] [--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]] [--direction=DIRECTION] [--[no-]disabled] [--layer4-configs=[LAYER4_CONFIG,…]] [--security-profile-group=SECURITY_PROFILE_GROUP] [--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]] [--src-fqdns=[SOURCE_FQDNS,…]] [--src-ip-ranges=[SRC_IP_RANGE,…]] [--src-region-codes=[SOURCE_REGION_CODES,…]] [--src-secure-tags=[SOURCE_SECURE_TAGS,…]] [--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]] [--target-secure-tags=[TARGET_SECURE_TAGS,…]] [--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(ALPHA) gcloud alpha compute network-firewall-policies mirroring-rules create is used to create network firewall policy packet mirroring rules.
EXAMPLES
To create a rule with priority 10 in a global network firewall policy with name my-policy and description example rule, run: 
gcloud alpha compute network-firewall-policies mirroring-rules create 10 --firewall-policy=my-policy --action=do_not_mirror --description="example rule" --global-firewall-policy
POSITIONAL ARGUMENTS
PRIORITY
Priority of the rule to be inserted. Valid in [0, 65535].
REQUIRED FLAGS
--action=ACTION
Action to take if the request matches the match condition. ACTION must be one of: mirror, do_not_mirror, goto_next.
--firewall-policy=FIREWALL_POLICY
Firewall policy ID with which to create rule.
--global-firewall-policy
Use this flag to indicate that firewall policy is global.
OPTIONAL FLAGS
--description=DESCRIPTION
An optional, textual description for the rule.
--dest-address-groups=[DEST_ADDRESS_GROUPS,…]
Destination address groups to match for this rule. Can only be specified if DIRECTION is engress.
--dest-fqdns=[DEST_FQDNS,…]
Destination FQDNs to match for this rule. Can only be specified if DIRECTION is egress.
--dest-ip-ranges=[DEST_IP_RANGE,…]
Destination IP ranges to match for this rule.
--dest-region-codes=[DEST_REGION_CODES,…]
Destination Region Code to match for this rule. Can only be specified if DIRECTION is egress.
--dest-threat-intelligence=[DEST_THREAT_INTELLIGENCE_LISTS,…]
Destination Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is egress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--direction=DIRECTION
Direction of the traffic the rule is applied. The default is to apply on incoming traffic. DIRECTION must be one of: INGRESS, EGRESS.
--[no-]disabled
Use this flag to disable the rule. Disabled rules will not affect traffic. Use --disabled to enable and --no-disabled to disable.
--layer4-configs=[LAYER4_CONFIG,…]
A list of destination protocols and ports to which the firewall rule will apply.
--security-profile-group=SECURITY_PROFILE_GROUP
A security profile group to be used with apply_security_profile_group action.
--src-address-groups=[SOURCE_ADDRESS_GROUPS,…]
Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.
--src-fqdns=[SOURCE_FQDNS,…]
Source FQDNs to match for this rule. Can only be specified if DIRECTION is ingress.
--src-ip-ranges=[SRC_IP_RANGE,…]
A list of IP address blocks that are allowed to make inbound connections that match the firewall rule to the instances on the network. The IP address blocks must be specified in CIDR format: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either --src-ip-ranges or --src-secure-tags must be specified for INGRESS traffic. If both --src-ip-ranges and --src-secure-tags are specified, the rule matches if either the range of the source matches --src-ip-ranges or the secure tag of the source matches --src-secure-tags.Multiple IP address blocks can be specified if they are separated by commas.
--src-region-codes=[SOURCE_REGION_CODES,…]
Source Region Code to match for this rule. Can only be specified if DIRECTION is ingress.
--src-secure-tags=[SOURCE_SECURE_TAGS,…]
A list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.
--src-threat-intelligence=[SOURCE_THREAT_INTELLIGENCE_LISTS,…]
Source Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is ingress. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.
--target-secure-tags=[TARGET_SECURE_TAGS,…]
An optional, list of target secure tags with a name of the format tagValues/ or full namespaced name
--target-service-accounts=[TARGET_SERVICE_ACCOUNTS,…]
List of target service accounts for the rule.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist.