gcloud beta compute security-policies update

gcloud beta compute security-policies update - update a Compute Engine security policy

gcloud beta compute security-policies update NAME [--description=DESCRIPTION] [--enable-layer7-ddos-defense] [--json-custom-content-types=[CONTENT_TYPE,…]] [--json-parsing=JSON_PARSING] [--layer7-ddos-defense-auto-deploy-confidence-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_CONFIDENCE_THRESHOLD] [--layer7-ddos-defense-auto-deploy-expiration-sec=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_EXPIRATION_SEC] [--layer7-ddos-defense-auto-deploy-impacted-baseline-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_IMPACTED_BASELINE_THRESHOLD] [--layer7-ddos-defense-auto-deploy-load-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_LOAD_THRESHOLD] [--layer7-ddos-defense-rule-visibility=VISIBILITY_TYPE] [--log-level=LOG_LEVEL] [--network-ddos-adaptive-protection=NETWORK_DDOS_ADAPTIVE_PROTECTION] [--network-ddos-protection=NETWORK_DDOS_PROTECTION] [--recaptcha-redirect-site-key=RECAPTCHA_REDIRECT_SITE_KEY] [--request-body-inspection-size=REQUEST_BODY_INSPECTION_SIZE] [--user-ip-request-headers=[USER_IP_REQUEST_HEADER,…]] [--clear-network-ddos-impacted-baseline-threshold     | --network-ddos-impacted-baseline-threshold=NETWORK_DDOS_IMPACTED_BASELINE_THRESHOLD] [--global     | --region=REGION] [GCLOUD_WIDE_FLAG …]

NAME

Name of the security policy to update.

--description=DESCRIPTION

An optional, textual description for the security policy.

--enable-layer7-ddos-defense

Whether to enable Cloud Armor Layer 7 DDoS Defense Adaptive Protection.

--json-custom-content-types=[CONTENT_TYPE,…]

A comma-separated list of custom Content-Type header values to apply JSON parsing for preconfigured WAF rules. Only applicable when JSON parsing is enabled, like --json-parsing=STANDARD. When configuring a Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

--json-parsing=JSON_PARSING

The JSON parsing behavior for this rule. Must be one of the following values: [DISABLED, STANDARD, STANDARD_WITH_GRAPHQL]. JSON_PARSING must be one of: DISABLED, STANDARD, STANDARD_WITH_GRAPHQL.

--layer7-ddos-defense-auto-deploy-confidence-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_CONFIDENCE_THRESHOLD

Confidence threshold above which Adaptive Protection's auto-deploy takes actions

--layer7-ddos-defense-auto-deploy-expiration-sec=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_EXPIRATION_SEC

Duration over which Adaptive Protection's auto-deployed actions last

--layer7-ddos-defense-auto-deploy-impacted-baseline-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_IMPACTED_BASELINE_THRESHOLD

Impacted baseline threshold below which Adaptive Protection's auto-deploy takes actions

--layer7-ddos-defense-auto-deploy-load-threshold=LAYER7_DDOS_DEFENSE_AUTO_DEPLOY_LOAD_THRESHOLD

Load threshold above which Adaptive Protection's auto-deploy takes actions

--layer7-ddos-defense-rule-visibility=VISIBILITY_TYPE

The visibility type indicates whether the rules are opaque or transparent. VISIBILITY_TYPE must be one of: STANDARD, PREMIUM.

--log-level=LOG_LEVEL

The level of detail to display for WAF logging. LOG_LEVEL must be one of: NORMAL, VERBOSE.

--network-ddos-adaptive-protection=NETWORK_DDOS_ADAPTIVE_PROTECTION

The DDoS adaptive protection level for network load balancing and instances with external IPs. NETWORK_DDOS_ADAPTIVE_PROTECTION must be one of: DISABLED, ENABLED, PREVIEW.

--network-ddos-protection=NETWORK_DDOS_PROTECTION

The DDoS protection level for network load balancing and instances with external IPs. NETWORK_DDOS_PROTECTION must be one of: STANDARD, ADVANCED, ADVANCED_PREVIEW.

--recaptcha-redirect-site-key=RECAPTCHA_REDIRECT_SITE_KEY

The reCAPTCHA site key to be used for rules using the redirect action and the google-recaptcha redirect type under the security policy.

--request-body-inspection-size=REQUEST_BODY_INSPECTION_SIZE

Maximum request body inspection size. REQUEST_BODY_INSPECTION_SIZE must be one of: 8KB, 16KB, 32KB, 48KB, 64KB.

--user-ip-request-headers=[USER_IP_REQUEST_HEADER,…]

A comma-separated list of request header names to use for resolving the caller's user IP address.

At most one of these can be specified:

--clear-network-ddos-impacted-baseline-threshold

If provided, clears the Network DDoS impacted baseline threshold from the security policy.

--network-ddos-impacted-baseline-threshold=NETWORK_DDOS_IMPACTED_BASELINE_THRESHOLD

DDoS Protection for Network Load Balancers (and VMs with public IPs) builds DDoS mitigations that minimize collateral damage. It quantifies this as the fraction of a non-abuse baseline that's inadvertently blocked. Rules whose collateral damage exceeds ddosImpactedBaselineThreshold will not be deployed. Using a lower value will prioritize keeping collateral damage low, possibly at the cost of its effectiveness in rate limiting some or all of the attack. It should typically be unset, so Advanced DDoS (and Adaptive Protection) uses the best mitigation it can find. Setting the threshold is advised if there are logs for false positive detections with high collateral damage, and will cause Advanced DDoS to attempt to find a less aggressive rule that satisfies the constraint. If a suitable rule cannot be found, the system falls back to either no mitigation for smaller attacks or broader network throttles for larger ones.

At most one of these can be specified:

--global

If set, the security policy is global.

--region=REGION

Region of the security policy to update. Overrides the default compute/region property value for this command invocation.

Run $ gcloud help for details.