Firewall resources are used to define a collection of access control rules for an Application.
Each rule is defined with a position which specifies the rule's order in the sequence of rules, an IP range to be matched against requests, and an action to take upon matching requests.
Every request is evaluated against the Firewall rules in priority order. Processesing stops at the first rule which matches the request's IP address. A final rule always specifies an action that applies to all remaining IP addresses. The default final rule for a newly-created application will be set to "allow" if not otherwise specified by the user.
Equality
Instances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal std::shared_ptr<*Connection> objects compare equal. Objects that compare equal share the same underlying resources.
Performance
Creating a new instance of this class is a relatively expensive operation, new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.
Thread Safety
Concurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class is not guaranteed to work. Since copy-construction and move-construction is a relatively efficient operation, consider using such a copy when using this class from multiple threads.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.ListIngressRulesRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
a StreamRange to iterate of the results. See the documentation of this type for details. In brief, this class has begin() and end() member functions returning a iterator class meeting the input iterator requirements. The value type for this iterator is a StatusOr as the iteration may fail even after some values are retrieved successfully, for example, if there is a network disconnect. An empty set of results does not indicate an error, it indicates that there are no resources meeting the request criteria. On a successful iteration the StatusOr<T> contains elements of type google.appengine.v1.FirewallRule, or rather, the C++ class generated by Protobuf from that type. Please consult the Protobuf documentation for details on the Protobuf mapping rules.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.BatchUpdateIngressRulesRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.CreateIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.GetIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.UpdateIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.DeleteIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Returns
Type
Description
Status
a Status object. If the request failed, the status contains the details of the failure.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[[["\u003cp\u003eThis page details the \u003ccode\u003eFirewallClient\u003c/code\u003e class, which manages access control rules for applications, using different version numbers.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eFirewallClient\u003c/code\u003e class uses firewall rules defined by position, IP range, and action to control request access, with processing stopping at the first matching rule.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eFirewallClient\u003c/code\u003e class supports functions such as \u003ccode\u003eListIngressRules\u003c/code\u003e, \u003ccode\u003eBatchUpdateIngressRules\u003c/code\u003e, \u003ccode\u003eCreateIngressRule\u003c/code\u003e, \u003ccode\u003eGetIngressRule\u003c/code\u003e, \u003ccode\u003eUpdateIngressRule\u003c/code\u003e, and \u003ccode\u003eDeleteIngressRule\u003c/code\u003e for managing firewall rules.\u003c/p\u003e\n"],["\u003cp\u003eCreating a new instance of \u003ccode\u003eFirewallClient\u003c/code\u003e establishes a new connection, while copy/move operations are efficient because they share underlying resources, and concurrent access to different instances is thread-safe.\u003c/p\u003e\n"],["\u003cp\u003eThe default final rule for a newly-created application will be set to "allow" if not otherwise specified by the user.\u003c/p\u003e\n"]]],[],null,["# Class FirewallClient (2.15.1)\n\nVersion 2.15.1keyboard_arrow_down\n\n- [2.42.0-rc (latest)](/cpp/docs/reference/appengine/latest/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.41.0](/cpp/docs/reference/appengine/2.41.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.40.0](/cpp/docs/reference/appengine/2.40.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.39.0](/cpp/docs/reference/appengine/2.39.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.38.0](/cpp/docs/reference/appengine/2.38.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.37.0](/cpp/docs/reference/appengine/2.37.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.36.0](/cpp/docs/reference/appengine/2.36.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.35.0](/cpp/docs/reference/appengine/2.35.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.34.0](/cpp/docs/reference/appengine/2.34.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.33.0](/cpp/docs/reference/appengine/2.33.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.32.0](/cpp/docs/reference/appengine/2.32.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.31.0](/cpp/docs/reference/appengine/2.31.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.30.0](/cpp/docs/reference/appengine/2.30.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.29.0](/cpp/docs/reference/appengine/2.29.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.28.0](/cpp/docs/reference/appengine/2.28.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.27.0](/cpp/docs/reference/appengine/2.27.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.26.0](/cpp/docs/reference/appengine/2.26.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.25.1](/cpp/docs/reference/appengine/2.25.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.24.0](/cpp/docs/reference/appengine/2.24.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.23.0](/cpp/docs/reference/appengine/2.23.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.22.1](/cpp/docs/reference/appengine/2.22.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.21.0](/cpp/docs/reference/appengine/2.21.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.20.0](/cpp/docs/reference/appengine/2.20.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.19.0](/cpp/docs/reference/appengine/2.19.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.18.0](/cpp/docs/reference/appengine/2.18.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.17.0](/cpp/docs/reference/appengine/2.17.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.16.0](/cpp/docs/reference/appengine/2.16.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.15.1](/cpp/docs/reference/appengine/2.15.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.14.0](/cpp/docs/reference/appengine/2.14.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.13.0](/cpp/docs/reference/appengine/2.13.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.12.0](/cpp/docs/reference/appengine/2.12.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.11.0](/cpp/docs/reference/appengine/2.11.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient) \nFirewall resources are used to define a collection of access control rules for an Application. \nEach rule is defined with a position which specifies the rule's order in the sequence of rules, an IP range to be matched against requests, and an action to take upon matching requests.\n\nEvery request is evaluated against the Firewall rules in priority order. Processesing stops at the first rule which matches the request's IP address. A final rule always specifies an action that applies to all remaining IP addresses. The default final rule for a newly-created application will be set to \"allow\" if not otherwise specified by the user.\n\n###### Equality\n\nInstances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal `std::shared_ptr\u003c*Connection\u003e` objects compare equal. Objects that compare equal share the same underlying resources.\n\n###### Performance\n\nCreating a new instance of this class is a relatively expensive operation, new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.\n\n###### Thread Safety\n\nConcurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class is not guaranteed to work. Since copy-construction and move-construction is a relatively efficient operation, consider using such a copy when using this class from multiple threads.\n\nConstructors\n------------\n\n### FirewallClient(FirewallClient const \\&)\n\nCopy and move support\n\n### FirewallClient(FirewallClient \\&\\&)\n\nCopy and move support\n\n### FirewallClient(std::shared_ptr\\\u003c FirewallConnection \\\u003e, Options)\n\nOperators\n---------\n\n### operator=(FirewallClient const \\&)\n\nCopy and move support\n\n### operator=(FirewallClient \\&\\&)\n\nCopy and move support\n\nFunctions\n---------\n\n### ListIngressRules(google::appengine::v1::ListIngressRulesRequest, Options)\n\nLists the firewall rules of an application.\n\n### BatchUpdateIngressRules(google::appengine::v1::BatchUpdateIngressRulesRequest const \\&, Options)\n\nReplaces the entire firewall ruleset in one bulk operation. \nThis overrides and replaces the rules of an existing firewall with the new rules.\n\nIf the final rule does not match traffic with the '\\*' wildcard IP range, then an \"allow all\" rule is explicitly added to the end of the list.\n\n### CreateIngressRule(google::appengine::v1::CreateIngressRuleRequest const \\&, Options)\n\nCreates a firewall rule for the application.\n\n### GetIngressRule(google::appengine::v1::GetIngressRuleRequest const \\&, Options)\n\nGets the specified firewall rule.\n\n### UpdateIngressRule(google::appengine::v1::UpdateIngressRuleRequest const \\&, Options)\n\nUpdates the specified firewall rule.\n\n### DeleteIngressRule(google::appengine::v1::DeleteIngressRuleRequest const \\&, Options)\n\nDeletes the specified firewall rule."]]
