Skip to content
Latchkey

gcloud compute firewall-rules create: Open Ports

gcloud compute firewall-rules create adds an ingress or egress rule to a VPC network.

When a test VM needs a port open, or you must whitelist the IAP range for SSH, this command writes the rule. Source ranges and target tags scope who it applies to.

What it does

gcloud compute firewall-rules create defines a firewall rule on a network: which protocols and ports it allows or denies, the source ranges it applies to, and the instances it targets via tags or service accounts.

Common usage

Terminal
gcloud compute firewall-rules create allow-http \
  --network=default --allow=tcp:80,tcp:443 \
  --source-ranges=0.0.0.0/0 --target-tags=web
# allow IAP SSH to reach private VMs
gcloud compute firewall-rules create allow-iap-ssh \
  --network=default --allow=tcp:22 \
  --source-ranges=35.235.240.0/20

Flags

FlagWhat it does
--network <name>VPC network the rule belongs to
--allow <proto:port>Protocols and ports to permit (e.g. tcp:443)
--source-ranges <cidr>Source CIDR ranges the rule applies to
--target-tags <tags>Apply only to instances with these network tags
--direction INGRESS|EGRESSTraffic direction (default INGRESS)
--priority <n>Rule priority, lower wins (default 1000)

In CI

The IAP source range 35.235.240.0/20 is what you allow on tcp:22 so gcloud compute ssh --tunnel-through-iap works against private instances. Scope rules with --target-tags rather than opening them network-wide.

Common errors in CI

"already exists" means a rule of that name is present; use firewall-rules update or delete it first. "Invalid value for field 'resource.allowed'" means a malformed --allow spec, e.g. a missing protocol. "Required 'compute.firewalls.create' permission" means the service account lacks roles/compute.securityAdmin.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →