Firewall resources are used to define a collection of access control rules for an Application.
Each rule is defined with a position which specifies the rule's order in the sequence of rules, an IP range to be matched against requests, and an action to take upon matching requests.
Every request is evaluated against the Firewall rules in priority order. Processesing stops at the first rule which matches the request's IP address. A final rule always specifies an action that applies to all remaining IP addresses. The default final rule for a newly-created application will be set to "allow" if not otherwise specified by the user.
Equality
Instances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal std::shared_ptr<*Connection> objects compare equal. Objects that compare equal share the same underlying resources.
Performance
Creating a new instance of this class is a relatively expensive operation, new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.
Thread Safety
Concurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class is not guaranteed to work. Since copy-construction and move-construction is a relatively efficient operation, consider using such a copy when using this class from multiple threads.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.ListIngressRulesRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
a StreamRange to iterate of the results. See the documentation of this type for details. In brief, this class has begin() and end() member functions returning a iterator class meeting the input iterator requirements. The value type for this iterator is a StatusOr as the iteration may fail even after some values are retrieved successfully, for example, if there is a network disconnect. An empty set of results does not indicate an error, it indicates that there are no resources meeting the request criteria. On a successful iteration the StatusOr<T> contains elements of type google.appengine.v1.FirewallRule, or rather, the C++ class generated by Protobuf from that type. Please consult the Protobuf documentation for details on the Protobuf mapping rules.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.BatchUpdateIngressRulesRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.CreateIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.GetIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.UpdateIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Unary RPCs, such as the one wrapped by this function, receive a single request proto message which includes all the inputs for the RPC. In this case, the proto message is a google.appengine.v1.DeleteIngressRuleRequest. Proto messages are converted to C++ classes by Protobuf, using the Protobuf mapping rules.
opts
Options
Optional. Override the class-level options, such as retry and backoff policies.
Returns
Type
Description
Status
a Status object. If the request failed, the status contains the details of the failure.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[[["\u003cp\u003eThis page provides documentation for the \u003ccode\u003eFirewallClient\u003c/code\u003e class in the Google Cloud C++ client library, focusing on managing firewall rules for Google App Engine applications, with the most recent version as 2.37.0-rc.\u003c/p\u003e\n"],["\u003cp\u003eFirewall rules define access control by specifying a sequence of rules, each with an IP range and an action, and the first matching rule for a request's IP address determines the outcome.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eFirewallClient\u003c/code\u003e class allows for listing, batch updating, creating, getting, updating, and deleting individual ingress firewall rules for an application.\u003c/p\u003e\n"],["\u003cp\u003eThe class utilizes copy and move operations for efficiency, and while concurrent access to different instances is safe, multiple threads accessing the same instance concurrently is not guaranteed to work.\u003c/p\u003e\n"],["\u003cp\u003eA default final rule is automatically applied to all remaining IP addresses if no rule with a wildcard IP range is defined, ensuring that all requests have a specified outcome.\u003c/p\u003e\n"]]],[],null,["# Class FirewallClient (2.36.0)\n\nVersion 2.36.0keyboard_arrow_down\n\n- [2.42.0-rc (latest)](/cpp/docs/reference/appengine/latest/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.41.0](/cpp/docs/reference/appengine/2.41.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.40.0](/cpp/docs/reference/appengine/2.40.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.39.0](/cpp/docs/reference/appengine/2.39.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.38.0](/cpp/docs/reference/appengine/2.38.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.37.0](/cpp/docs/reference/appengine/2.37.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.36.0](/cpp/docs/reference/appengine/2.36.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.35.0](/cpp/docs/reference/appengine/2.35.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.34.0](/cpp/docs/reference/appengine/2.34.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.33.0](/cpp/docs/reference/appengine/2.33.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.32.0](/cpp/docs/reference/appengine/2.32.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.31.0](/cpp/docs/reference/appengine/2.31.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.30.0](/cpp/docs/reference/appengine/2.30.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.29.0](/cpp/docs/reference/appengine/2.29.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.28.0](/cpp/docs/reference/appengine/2.28.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.27.0](/cpp/docs/reference/appengine/2.27.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.26.0](/cpp/docs/reference/appengine/2.26.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.25.1](/cpp/docs/reference/appengine/2.25.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.24.0](/cpp/docs/reference/appengine/2.24.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.23.0](/cpp/docs/reference/appengine/2.23.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.22.1](/cpp/docs/reference/appengine/2.22.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.21.0](/cpp/docs/reference/appengine/2.21.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.20.0](/cpp/docs/reference/appengine/2.20.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.19.0](/cpp/docs/reference/appengine/2.19.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.18.0](/cpp/docs/reference/appengine/2.18.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.17.0](/cpp/docs/reference/appengine/2.17.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.16.0](/cpp/docs/reference/appengine/2.16.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.15.1](/cpp/docs/reference/appengine/2.15.1/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.14.0](/cpp/docs/reference/appengine/2.14.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.13.0](/cpp/docs/reference/appengine/2.13.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.12.0](/cpp/docs/reference/appengine/2.12.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient)\n- [2.11.0](/cpp/docs/reference/appengine/2.11.0/classgoogle_1_1cloud_1_1appengine__v1_1_1FirewallClient) \nFirewall resources are used to define a collection of access control rules for an Application. \nEach rule is defined with a position which specifies the rule's order in the sequence of rules, an IP range to be matched against requests, and an action to take upon matching requests.\n\nEvery request is evaluated against the Firewall rules in priority order. Processesing stops at the first rule which matches the request's IP address. A final rule always specifies an action that applies to all remaining IP addresses. The default final rule for a newly-created application will be set to \"allow\" if not otherwise specified by the user.\n\n###### Equality\n\nInstances of this class created via copy-construction or copy-assignment always compare equal. Instances created with equal `std::shared_ptr\u003c*Connection\u003e` objects compare equal. Objects that compare equal share the same underlying resources.\n\n###### Performance\n\nCreating a new instance of this class is a relatively expensive operation, new objects establish new connections to the service. In contrast, copy-construction, move-construction, and the corresponding assignment operations are relatively efficient as the copies share all underlying resources.\n\n###### Thread Safety\n\nConcurrent access to different instances of this class, even if they compare equal, is guaranteed to work. Two or more threads operating on the same instance of this class is not guaranteed to work. Since copy-construction and move-construction is a relatively efficient operation, consider using such a copy when using this class from multiple threads.\n\nConstructors\n------------\n\n### FirewallClient(FirewallClient const \\&)\n\nCopy and move support\n\n### FirewallClient(FirewallClient \\&\\&)\n\nCopy and move support\n\n### FirewallClient(std::shared_ptr\\\u003c FirewallConnection \\\u003e, Options)\n\nOperators\n---------\n\n### operator=(FirewallClient const \\&)\n\nCopy and move support\n\n### operator=(FirewallClient \\&\\&)\n\nCopy and move support\n\nFunctions\n---------\n\n### ListIngressRules(google::appengine::v1::ListIngressRulesRequest, Options)\n\nLists the firewall rules of an application.\n\n### BatchUpdateIngressRules(google::appengine::v1::BatchUpdateIngressRulesRequest const \\&, Options)\n\nReplaces the entire firewall ruleset in one bulk operation. \nThis overrides and replaces the rules of an existing firewall with the new rules.\n\nIf the final rule does not match traffic with the '\\*' wildcard IP range, then an \"allow all\" rule is explicitly added to the end of the list.\n\n### CreateIngressRule(google::appengine::v1::CreateIngressRuleRequest const \\&, Options)\n\nCreates a firewall rule for the application.\n\n### GetIngressRule(google::appengine::v1::GetIngressRuleRequest const \\&, Options)\n\nGets the specified firewall rule.\n\n### UpdateIngressRule(google::appengine::v1::UpdateIngressRuleRequest const \\&, Options)\n\nUpdates the specified firewall rule.\n\n### DeleteIngressRule(google::appengine::v1::DeleteIngressRuleRequest const \\&, Options)\n\nDeletes the specified firewall rule."]]
