gdcloud network project-network-policies create

gdcloud network project-network-policies create POLICY_NAME [flags]

To create an ingress project network policy that targets all user workloads allowing only UDP traffic on Port 53 and TCP traffic on Port 80, run:
    gdcloud network project-network-policies create example-policy \
      --policy-type=Ingress \
      --layer4-configs=udp:53,tcp:80

To create an egress project network policy in project 'project-1' that allows only UDP traffic on port 53 to project 'project-2', run:
    gdcloud network project-network-policies create example-policy \
      --project=project-1 \
      --policy-type=Egress \
      --destination-projects=project-2 \
      --layer4-configs=udp:53

      --destination-cidrs string         Destination IPv4 CIDR range to allow traffic to. Can only be specified if 'policy-type' is 'Egress'.
      --destination-projects string      Name of the destination project in the organization to allow traffic to. If not specified, traffic to all project workloads is allowed. Can only be specified if 'policy-type' is 'Egress'.
      --layer4-configs strings           A list of protocol and port combinations to which the policy applies.
                                         This flag can be specified multiple times. For example:
                                             --layer4-configs=udp:53 --layer4-configs=tcp:8080
                                         A comma-separated list is also supported. For example:
                                             --layer4-configs=udp:53,tcp:8080
                                         To allow all ports for a protocol, specify only the protocol. For example:
                                             --layer4-configs=tcp
                                         To allow all protocols and ports, use '--layer4-configs=all'.
                                         This flag cannot be used with '--target-managed-services'.
      --policy-type string               The direction of traffic for the project network policy. Supported values are "Ingress" and "Egress". Defaults to "Ingress" if not specified.
      --source-cidrs string              Source IPv4 CIDR range to allow traffic from. Can only be specified if 'policy-type' is 'Ingress'.
      --source-projects string           Name of the source project in the organization to allow traffic from. If not specified, traffic from all project workloads is allowed. Can only be specified if 'policy-type' is 'Ingress'.
      --target-managed-services string   Name of the managed service to apply this policy on. If omitted, this policy applies to all user workloads within the project.