package google.events.cloud.networkmanagement.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Details of the final state "abort" and associated resource.

Used in: Step

• AbortInfo.Cause cause = 1

  Causes that the analysis is aborted.

• string resource_uri = 2

  URI of the resource that caused the abort.

• repeated string projects_missing_permission = 3

  List of project IDs that the user has specified in the request but does not have permission to access network configs. Analysis is aborted in this case with the PERMISSION_DENIED cause.

Abort cause types:

Used in: AbortInfo

• CAUSE_UNSPECIFIED = 0

  Cause is unspecified.

• UNKNOWN_NETWORK = 1

  Aborted due to unknown network. The reachability analysis cannot proceed because the user does not have access to the host project's network configurations, including firewall rules and routes. This happens when the project is a service project and the endpoints being traced are in the host project's network.

• UNKNOWN_IP = 2

  Aborted because the IP address(es) are unknown.

• UNKNOWN_PROJECT = 3

  Aborted because no project information can be derived from the test input.

• PERMISSION_DENIED = 4

  Aborted because the user lacks the permission to access all or part of the network configurations required to run the test.

• NO_SOURCE_LOCATION = 5

  Aborted because no valid source endpoint is derived from the input test request.

• INVALID_ARGUMENT = 6

  Aborted because the source and/or destination endpoint specified in the test are invalid. The possible reasons that an endpoint is invalid include: malformed IP address; nonexistent instance or network URI; IP address not in the range of specified network URI; and instance not owning the network interface in the specified network.

• NO_EXTERNAL_IP = 7

  Aborted because traffic is sent from a public IP to an instance without an external IP.

• UNINTENDED_DESTINATION = 8

  Aborted because none of the traces matches destination information specified in the input test request.

• TRACE_TOO_LONG = 9

  Aborted because the number of steps in the trace exceeding a certain limit which may be caused by routing loop.

• INTERNAL_ERROR = 10

  Aborted due to internal server error.

• SOURCE_ENDPOINT_NOT_FOUND = 11

  Aborted because the source endpoint could not be found.

• MISMATCHED_SOURCE_NETWORK = 12

  Aborted because the source network does not match the source endpoint.

• DESTINATION_ENDPOINT_NOT_FOUND = 13

  Aborted because the destination endpoint could not be found.

• MISMATCHED_DESTINATION_NETWORK = 14

  Aborted because the destination network does not match the destination endpoint.

• UNSUPPORTED = 15

  Aborted because the test scenario is not supported.

• MISMATCHED_IP_VERSION = 16

  Aborted because the source and destination resources have no common IP version.

• GKE_KONNECTIVITY_PROXY_UNSUPPORTED = 17

  Aborted because the connection between the control plane and the node of the source cluster is initiated by the node and managed by the Konnectivity proxy.

• RESOURCE_CONFIG_NOT_FOUND = 18

  Aborted because expected resource configuration was missing.

For display only. Metadata associated with an App Engine version.

Used in: Step

• string display_name = 1

  Name of an App Engine version.

• string uri = 2

  URI of an App Engine version.

• string runtime = 3

  Runtime of the App Engine version.

• string environment = 4

  App Engine execution environment for a version.

For display only. Metadata associated with a Cloud Function.

Used in: Step

• string display_name = 1

  Name of a Cloud Function.

• string uri = 2

  URI of a Cloud Function.

• string location = 3

  Location in which the Cloud Function is deployed.

• int64 version_id = 4

  Latest successfully deployed version id of the Cloud Function.

For display only. Metadata associated with a Cloud Run revision.

Used in: Step

• string display_name = 1

  Name of a Cloud Run revision.

• string uri = 2

  URI of a Cloud Run revision.

• string location = 4

  Location in which this revision is deployed.

• string service_uri = 5

  URI of Cloud Run service this revision belongs to.

For display only. Metadata associated with a Cloud SQL instance.

Used in: Step

• string display_name = 1

  Name of a Cloud SQL instance.

• string uri = 2

  URI of a Cloud SQL instance.

• string network_uri = 4

  URI of a Cloud SQL instance network or empty string if the instance does not have one.

• string internal_ip = 5

  Internal IP address of a Cloud SQL instance.

• string external_ip = 6

  External IP address of a Cloud SQL instance.

• string region = 7

  Region in which the Cloud SQL instance is running.

A Connectivity Test for a network reachability analysis.

Used in: ConnectivityTestEventData

• string name = 1

  Required. Unique name of the resource using the form: `projects/{project_id}/locations/global/connectivityTests/{test_id}`

• string description = 2

  The user-supplied description of the Connectivity Test. Maximum of 512 characters.

• optional Endpoint source = 3

  Required. Source specification of the Connectivity Test. You can use a combination of source IP address, virtual machine (VM) instance, or Compute Engine network to uniquely identify the source location. Examples: If the source IP address is an internal IP address within a Google Cloud Virtual Private Cloud (VPC) network, then you must also specify the VPC network. Otherwise, specify the VM instance, which already contains its internal IP address and VPC network information. If the source of the test is within an on-premises network, then you must provide the destination VPC network. If the source endpoint is a Compute Engine VM instance with multiple network interfaces, the instance itself is not sufficient to identify the endpoint. So, you must also specify the source IP address or VPC network. A reachability analysis proceeds even if the source location is ambiguous. However, the test result may include endpoints that you don't intend to test.

• optional Endpoint destination = 4

  Required. Destination specification of the Connectivity Test. You can use a combination of destination IP address, Compute Engine VM instance, or VPC network to uniquely identify the destination location. Even if the destination IP address is not unique, the source IP location is unique. Usually, the analysis can infer the destination endpoint from route information. If the destination you specify is a VM instance and the instance has multiple network interfaces, then you must also specify either a destination IP address or VPC network to identify the destination interface. A reachability analysis proceeds even if the destination location is ambiguous. However, the result can include endpoints that you don't intend to test.

• string protocol = 5

  IP Protocol of the test. When not provided, "TCP" is assumed.

• repeated string related_projects = 6

  Other projects that may be relevant for reachability analysis. This is applicable to scenarios where a test can cross project boundaries.

• string display_name = 7

  Output only. The display name of a Connectivity Test.

• map<string, string> labels = 8

  Resource labels to represent user-provided metadata.

• optional protobuf.Timestamp create_time = 10

  Output only. The time the test was created.

• optional protobuf.Timestamp update_time = 11

  Output only. The time the test's configuration was updated.

• optional ReachabilityDetails reachability_details = 12

  Output only. The reachability details of this test from the latest run. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.

The CloudEvent raised when a ConnectivityTest is created.

• optional ConnectivityTestEventData data = 1

  The data associated with the event.

The CloudEvent raised when a ConnectivityTest is deleted.

• optional ConnectivityTestEventData data = 1

  The data associated with the event.

The data within all ConnectivityTest events.

Used in: ConnectivityTestCreatedEvent, ConnectivityTestDeletedEvent, ConnectivityTestUpdatedEvent

• optional ConnectivityTest payload = 1

  Optional. The ConnectivityTest event payload. Unset for deletion events.

The CloudEvent raised when a ConnectivityTest is updated.

• optional ConnectivityTestEventData data = 1

  The data associated with the event.

Details of the final state "deliver" and associated resource.

Used in: Step

• DeliverInfo.Target target = 1

  Target type where the packet is delivered to.

• string resource_uri = 2

  URI of the resource that the packet is delivered to.

Deliver target types:

Used in: DeliverInfo

• TARGET_UNSPECIFIED = 0

  Target not specified.

• INSTANCE = 1

  Target is a Compute Engine instance.

• INTERNET = 2

  Target is the internet.

• GOOGLE_API = 3

  Target is a Google API.

• GKE_MASTER = 4

  Target is a Google Kubernetes Engine cluster master.

• CLOUD_SQL_INSTANCE = 5

  Target is a Cloud SQL instance.

• PSC_PUBLISHED_SERVICE = 6

  Target is a published service that uses [Private Service Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-services).

• PSC_GOOGLE_API = 7

  Target is all Google APIs that use [Private Service Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis).

• PSC_VPC_SC = 8

  Target is a VPC-SC that uses [Private Service Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis).

Details of the final state "drop" and associated resource.

Used in: Step

• DropInfo.Cause cause = 1

  Cause that the packet is dropped.

• string resource_uri = 2

  URI of the resource that caused the drop.

Drop cause types:

Used in: DropInfo

• CAUSE_UNSPECIFIED = 0

  Cause is unspecified.

• UNKNOWN_EXTERNAL_ADDRESS = 1

  Destination external address cannot be resolved to a known target. If the address is used in a Google Cloud project, provide the project ID as test input.

• FOREIGN_IP_DISALLOWED = 2

  A Compute Engine instance can only send or receive a packet with a foreign IP address if ip_forward is enabled.

• FIREWALL_RULE = 3

  Dropped due to a firewall rule, unless allowed due to connection tracking.

• NO_ROUTE = 4

  Dropped due to no routes.

• ROUTE_BLACKHOLE = 5

  Dropped due to invalid route. Route's next hop is a blackhole.

• ROUTE_WRONG_NETWORK = 6

  Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2's IP addresss to Network3.

• PRIVATE_TRAFFIC_TO_INTERNET = 7

  Packet with internal destination address sent to the internet gateway.

• PRIVATE_GOOGLE_ACCESS_DISALLOWED = 8

  Instance with only an internal IP address tries to access Google API and services, but private Google access is not enabled.

• NO_EXTERNAL_ADDRESS = 9

  Instance with only an internal IP address tries to access external hosts, but Cloud NAT is not enabled in the subnet, unless special configurations on a VM allow this connection.

• UNKNOWN_INTERNAL_ADDRESS = 10

  Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project.

• FORWARDING_RULE_MISMATCH = 11

  Forwarding rule's protocol and ports do not match the packet header.

• FORWARDING_RULE_REGION_MISMATCH = 25

  Packet could be dropped because it was sent from a different region to a regional forwarding without global access.

• FORWARDING_RULE_NO_INSTANCES = 12

  Forwarding rule does not have backends configured.

• FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK = 13

  Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. For more details, see [Health check firewall rules](https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules).

• INSTANCE_NOT_RUNNING = 14

  Packet is sent from or to a Compute Engine instance that is not in a running state.

• GKE_CLUSTER_NOT_RUNNING = 27

  Packet sent from or to a GKE cluster that is not in running state.

• CLOUD_SQL_INSTANCE_NOT_RUNNING = 28

  Packet sent from or to a Cloud SQL instance that is not in running state.

• TRAFFIC_TYPE_BLOCKED = 15

  The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See [Always blocked traffic](https://cloud.google.com/vpc/docs/firewalls#blockedtraffic) for more details.

• GKE_MASTER_UNAUTHORIZED_ACCESS = 16

  Access to Google Kubernetes Engine cluster master's endpoint is not authorized. See [Access to the cluster endpoints](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints) for more details.

• CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS = 17

  Access to the Cloud SQL instance endpoint is not authorized. See [Authorizing with authorized networks](https://cloud.google.com/sql/docs/mysql/authorize-networks) for more details.

• DROPPED_INSIDE_GKE_SERVICE = 18

  Packet was dropped inside Google Kubernetes Engine Service.

• DROPPED_INSIDE_CLOUD_SQL_SERVICE = 19

  Packet was dropped inside Cloud SQL Service.

• GOOGLE_MANAGED_SERVICE_NO_PEERING = 20

  Packet was dropped because there is no peering between the originating network and the Google Managed Services Network.

• GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT = 38

  Packet was dropped because the Google-managed service uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.

• GKE_PSC_ENDPOINT_MISSING = 36

  Packet was dropped because the GKE cluster uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.

• CLOUD_SQL_INSTANCE_NO_IP_ADDRESS = 21

  Packet was dropped because the Cloud SQL instance has neither a private nor a public IP address.

• GKE_CONTROL_PLANE_REGION_MISMATCH = 30

  Packet was dropped because a GKE cluster private endpoint is unreachable from a region different from the cluster's region.

• PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION = 31

  Packet sent from a public GKE cluster control plane to a private IP address.

• GKE_CONTROL_PLANE_NO_ROUTE = 32

  Packet was dropped because there is no route from a GKE cluster control plane to a destination network.

• CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC = 33

  Packet sent from a Cloud SQL instance to an external IP address is not allowed. The Cloud SQL instance is not configured to send packets to external IP addresses.

• PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION = 34

  Packet sent from a Cloud SQL instance with only a public IP address to a private IP address.

• CLOUD_SQL_INSTANCE_NO_ROUTE = 35

  Packet was dropped because there is no route from a Cloud SQL instance to a destination network.

• CLOUD_FUNCTION_NOT_ACTIVE = 22

  Packet could be dropped because the Cloud Function is not in an active status.

• VPC_CONNECTOR_NOT_SET = 23

  Packet could be dropped because no VPC connector is set.

• VPC_CONNECTOR_NOT_RUNNING = 24

  Packet could be dropped because the VPC connector is not in a running state.

• PSC_CONNECTION_NOT_ACCEPTED = 26

  The Private Service Connect endpoint is in a project that is not approved to connect to the service.

• CLOUD_RUN_REVISION_NOT_READY = 29

  Packet sent from a Cloud Run revision that is not ready.

• DROPPED_INSIDE_PSC_SERVICE_PRODUCER = 37

  Packet was dropped inside Private Service Connect service producer.

• LOAD_BALANCER_HAS_NO_PROXY_SUBNET = 39

  Packet sent to a load balancer, which requires a proxy-only subnet and the subnet is not found.

Source or destination of the Connectivity Test.

Used in: ConnectivityTest

• string ip_address = 1

  The IP address of the endpoint, which can be an external or internal IP. An IPv6 address is only allowed when the test's destination is a [global load balancer VIP](/load-balancing/docs/load-balancing-overview).

• int32 port = 2

  The IP protocol port of the endpoint. Only applicable when protocol is TCP or UDP.

• string instance = 3

  A Compute Engine instance URI.

• string gke_master_cluster = 7

  A cluster URI for [Google Kubernetes Engine master](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture).

• string cloud_sql_instance = 8

  A [Cloud SQL](https://cloud.google.com/sql) instance URI.

• optional Endpoint.CloudFunctionEndpoint cloud_function = 10

  A [Cloud Function](https://cloud.google.com/functions).

• optional Endpoint.AppEngineVersionEndpoint app_engine_version = 11

  An [App Engine](https://cloud.google.com/appengine) [service version](https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions).

• optional Endpoint.CloudRunRevisionEndpoint cloud_run_revision = 12

  A [Cloud Run](https://cloud.google.com/run) [revision](https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions/get)

• string network = 4

  A Compute Engine network URI.

• Endpoint.NetworkType network_type = 5

  Type of the network where the endpoint is located. Applicable only to source endpoint, as destination network type can be inferred from the source.

• string project_id = 6

  Project ID where the endpoint is located. The Project ID can be derived from the URI if you provide a VM instance or network URI. The following are two cases where you must provide the project ID: 1. Only the IP address is specified, and the IP address is within a Google Cloud project. 2. When you are using Shared VPC and the IP address that you provide is from the service project. In this case, the network that the IP address resides in is defined in the host project.

Wrapper for the App Engine service version attributes.

Used in: Endpoint

• string uri = 1

  An [App Engine](https://cloud.google.com/appengine) [service version](https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions) name.

Wrapper for Cloud Function attributes.

Used in: Endpoint

• string uri = 1

  A [Cloud Function](https://cloud.google.com/functions) name.

Wrapper for Cloud Run revision attributes.

Used in: Endpoint

• string uri = 1

  A [Cloud Run](https://cloud.google.com/run) [revision](https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions/get) URI. The format is: projects/{project}/locations/{location}/revisions/{revision}

The type definition of an endpoint's network. Use one of the following choices:

Used in: Endpoint

• NETWORK_TYPE_UNSPECIFIED = 0

  Default type if unspecified.

• GCP_NETWORK = 1

  A network hosted within Google Cloud. To receive more detailed output, specify the URI for the source or destination network.

• NON_GCP_NETWORK = 2

  A network hosted outside of Google Cloud. This can be an on-premises network, or a network hosted by another cloud provider.

For display only. The specification of the endpoints for the test. EndpointInfo is derived from source and destination Endpoint and validated by the backend data plane model.

Used in: Step, Trace

• string source_ip = 1

  Source IP address.

• string destination_ip = 2

  Destination IP address.

• string protocol = 3

  IP protocol in string format, for example: "TCP", "UDP", "ICMP".

• int32 source_port = 4

  Source port. Only valid when protocol is TCP or UDP.

• int32 destination_port = 5

  Destination port. Only valid when protocol is TCP or UDP.

• string source_network_uri = 6

  URI of the network where this packet originates from.

• string destination_network_uri = 7

  URI of the network where this packet is sent to.

For display only. Metadata associated with a VPC firewall rule, an implied VPC firewall rule, or a hierarchical firewall policy rule.

Used in: Step

• string display_name = 1

  The display name of the VPC firewall rule. This field is not applicable to hierarchical firewall policy rules.

• string uri = 2

  The URI of the VPC firewall rule. This field is not applicable to implied firewall rules or hierarchical firewall policy rules.

• string direction = 3

  Possible values: INGRESS, EGRESS

• string action = 4

  Possible values: ALLOW, DENY

• int32 priority = 5

  The priority of the firewall rule.

• string network_uri = 6

  The URI of the VPC network that the firewall rule is associated with. This field is not applicable to hierarchical firewall policy rules.

• repeated string target_tags = 7

  The target tags defined by the VPC firewall rule. This field is not applicable to hierarchical firewall policy rules.

• repeated string target_service_accounts = 8

  The target service accounts specified by the firewall rule.

• string policy = 9

  The hierarchical firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules.

• FirewallInfo.FirewallRuleType firewall_rule_type = 10

  The firewall rule's type.

The firewall rule's type.

Used in: FirewallInfo

• FIREWALL_RULE_TYPE_UNSPECIFIED = 0

  Unspecified type.

• HIERARCHICAL_FIREWALL_POLICY_RULE = 1

  Hierarchical firewall policy rule. For details, see [Hierarchical firewall policies overview](https://cloud.google.com/vpc/docs/firewall-policies).

• VPC_FIREWALL_RULE = 2

  VPC firewall rule. For details, see [VPC firewall rules overview](https://cloud.google.com/vpc/docs/firewalls).

• IMPLIED_VPC_FIREWALL_RULE = 3

  Implied VPC firewall rule. For details, see [Implied rules](https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules).

• SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE = 4

  Implicit firewall rules that are managed by serverless VPC access to allow ingress access. They are not visible in the Google Cloud console. For details, see [VPC connector's implicit rules](https://cloud.google.com/functions/docs/networking/connecting-vpc#restrict-access).

• NETWORK_FIREWALL_POLICY_RULE = 5

  Global network firewall policy rule. For details, see [Network firewall policies](https://cloud.google.com/vpc/docs/network-firewall-policies).

Details of the final state "forward" and associated resource.

Used in: Step

• ForwardInfo.Target target = 1

  Target type where this packet is forwarded to.

• string resource_uri = 2

  URI of the resource that the packet is forwarded to.

Forward target types.

Used in: ForwardInfo

• TARGET_UNSPECIFIED = 0

  Target not specified.

• PEERING_VPC = 1

  Forwarded to a VPC peering network.

• VPN_GATEWAY = 2

  Forwarded to a Cloud VPN gateway.

• INTERCONNECT = 3

  Forwarded to a Cloud Interconnect connection.

• GKE_MASTER = 4

  Forwarded to a Google Kubernetes Engine Container cluster master.

• IMPORTED_CUSTOM_ROUTE_NEXT_HOP = 5

  Forwarded to the next hop of a custom route imported from a peering VPC.

• CLOUD_SQL_INSTANCE = 6

  Forwarded to a Cloud SQL instance.

• ANOTHER_PROJECT = 7

  Forwarded to a VPC network in another project.

For display only. Metadata associated with a Compute Engine forwarding rule.

Used in: Step

• string display_name = 1

  Name of a Compute Engine forwarding rule.

• string uri = 2

  URI of a Compute Engine forwarding rule.

• string matched_protocol = 3

  Protocol defined in the forwarding rule that matches the test.

• string matched_port_range = 6

  Port range defined in the forwarding rule that matches the test.

• string vip = 4

  VIP of the forwarding rule.

• string target = 5

  Target type of the forwarding rule.

• string network_uri = 7

  Network URI. Only valid for Internal Load Balancer.

For display only. Metadata associated with a Google Kubernetes Engine (GKE) cluster master.

Used in: Step

• string cluster_uri = 2

  URI of a GKE cluster.

• string cluster_network_uri = 4

  URI of a GKE cluster network.

• string internal_ip = 5

  Internal IP address of a GKE cluster master.

• string external_ip = 6

  External IP address of a GKE cluster master.

For display only. Details of a Google Service sending packets to a VPC network. Although the source IP might be a publicly routable address, some Google Services use special routes within Google production infrastructure to reach Compute Engine Instances. https://cloud.google.com/vpc/docs/routes#special_return_paths

Used in: Step

• string source_ip = 1

  Source IP address.

• GoogleServiceInfo.GoogleServiceType google_service_type = 2

  Recognized type of a Google Service.

Recognized type of a Google Service.

Used in: GoogleServiceInfo

• GOOGLE_SERVICE_TYPE_UNSPECIFIED = 0

  Unspecified Google Service. Includes most of Google APIs and services.

• IAP = 1

  Identity aware proxy. https://cloud.google.com/iap/docs/using-tcp-forwarding

• GFE_PROXY_OR_HEALTH_CHECK_PROBER = 2

  One of two services sharing IP ranges: * Load Balancer proxy * Centralized Health Check prober https://cloud.google.com/load-balancing/docs/firewall-rules

• CLOUD_DNS = 3

  Connectivity from Cloud DNS to forwarding targets or alternate name servers that use private routing. https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules https://cloud.google.com/dns/docs/policies#firewall-rules

For display only. Metadata associated with a Compute Engine instance.

Used in: Step

• string display_name = 1

  Name of a Compute Engine instance.

• string uri = 2

  URI of a Compute Engine instance.

• string interface = 3

  Name of the network interface of a Compute Engine instance.

• string network_uri = 4

  URI of a Compute Engine network.

• string internal_ip = 5

  Internal IP address of the network interface.

• string external_ip = 6

  External IP address of the network interface.

• repeated string network_tags = 7

  Network tags configured on the instance.

• string service_account = 8

  Service account authorized for the instance.

For display only. Metadata associated with a specific load balancer backend.

Used in: LoadBalancerInfo

• string display_name = 1

  Name of a Compute Engine instance or network endpoint.

• string uri = 2

  URI of a Compute Engine instance or network endpoint.

• LoadBalancerBackend.HealthCheckFirewallState health_check_firewall_state = 3

  State of the health check firewall configuration.

• repeated string health_check_allowing_firewall_rules = 4

  A list of firewall rule URIs allowing probes from health check IP ranges.

• repeated string health_check_blocking_firewall_rules = 5

  A list of firewall rule URIs blocking probes from health check IP ranges.

State of a health check firewall configuration:

Used in: LoadBalancerBackend

• HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED = 0

  State is unspecified. Default state if not populated.

• CONFIGURED = 1

  There are configured firewall rules to allow health check probes to the backend.

• MISCONFIGURED = 2

  There are firewall rules configured to allow partial health check ranges or block all health check ranges. If a health check probe is sent from denied IP ranges, the health check to the backend will fail. Then, the backend will be marked unhealthy and will not receive traffic sent to the load balancer.

For display only. Metadata associated with a load balancer.

Used in: Step

• LoadBalancerInfo.LoadBalancerType load_balancer_type = 1

  Type of the load balancer.

• string health_check_uri = 2

  URI of the health check for the load balancer.

• repeated LoadBalancerBackend backends = 3

  Information for the loadbalancer backends.

• LoadBalancerInfo.BackendType backend_type = 4

  Type of load balancer's backend configuration.

• string backend_uri = 5

  Backend configuration URI.

The type definition for a load balancer backend configuration:

Used in: LoadBalancerInfo

• BACKEND_TYPE_UNSPECIFIED = 0

  Type is unspecified.

• BACKEND_SERVICE = 1

  Backend Service as the load balancer's backend.

• TARGET_POOL = 2

  Target Pool as the load balancer's backend.

• TARGET_INSTANCE = 3

  Target Instance as the load balancer's backend.

The type definition for a load balancer:

Used in: LoadBalancerInfo

• LOAD_BALANCER_TYPE_UNSPECIFIED = 0

  Type is unspecified.

• INTERNAL_TCP_UDP = 1

  Internal TCP/UDP load balancer.

• NETWORK_TCP_UDP = 2

  Network TCP/UDP load balancer.

• HTTP_PROXY = 3

  HTTP(S) proxy load balancer.

• TCP_PROXY = 4

  TCP proxy load balancer.

• SSL_PROXY = 5

  SSL proxy load balancer.

For display only. Metadata associated with a Compute Engine network.

Used in: Step

• string display_name = 1

  Name of a Compute Engine network.

• string uri = 2

  URI of a Compute Engine network.

• string matched_ip_range = 4

  The IP range that matches the test.

Results of the configuration analysis from the last run of the test.

Used in: ConnectivityTest

• ReachabilityDetails.Result result = 1

  The overall result of the test's configuration analysis.

• optional protobuf.Timestamp verify_time = 2

  The time of the configuration analysis.

• optional rpc.Status error = 3

  The details of a failure or a cancellation of reachability analysis.

• repeated Trace traces = 5

  Result may contain a list of traces if a test has multiple possible paths in the network, such as when destination endpoint is a load balancer with multiple backends.

The overall result of the test's configuration analysis.

Used in: ReachabilityDetails

• RESULT_UNSPECIFIED = 0

  No result was specified.

• REACHABLE = 1

  Possible scenarios are: * The configuration analysis determined that a packet originating from the source is expected to reach the destination. * The analysis didn't complete because the user lacks permission for some of the resources in the trace. However, at the time the user's permission became insufficient, the trace had been successful so far.

• UNREACHABLE = 2

  A packet originating from the source is expected to be dropped before reaching the destination.

• AMBIGUOUS = 4

  The source and destination endpoints do not uniquely identify the test location in the network, and the reachability result contains multiple traces. For some traces, a packet could be delivered, and for others, it would not be.

• UNDETERMINED = 5

  The configuration analysis did not complete. Possible reasons are: * A permissions error occurred--for example, the user might not have read permission for all of the resources named in the test. * An internal error occurred. * The analyzer received an invalid or unsupported argument or was unable to identify a known endpoint.

For display only. Metadata associated with a Compute Engine route.

Used in: Step

• RouteInfo.RouteType route_type = 8

  Type of route.

• RouteInfo.NextHopType next_hop_type = 9

  Type of next hop.

• string display_name = 1

  Name of a Compute Engine route.

• string uri = 2

  URI of a Compute Engine route. Dynamic route from cloud router does not have a URI. Advertised route from Google Cloud VPC to on-premises network also does not have a URI.

• string dest_ip_range = 3

  Destination IP range of the route.

• string next_hop = 4

  Next hop of the route.

• string network_uri = 5

  URI of a Compute Engine network.

• int32 priority = 6

  Priority of the route.

• repeated string instance_tags = 7

  Instance tags of the route.

• string src_ip_range = 10

  Source IP address range of the route. Policy based routes only.

• repeated string dest_port_ranges = 11

  Destination port ranges of the route. Policy based routes only.

• repeated string src_port_ranges = 12

  Source port ranges of the route. Policy based routes only.

• repeated string protocols = 13

  Protocols of the route. Policy based routes only.

Type of next hop:

Used in: RouteInfo

• NEXT_HOP_TYPE_UNSPECIFIED = 0

  Unspecified type. Default value.

• NEXT_HOP_IP = 1

  Next hop is an IP address.

• NEXT_HOP_INSTANCE = 2

  Next hop is a Compute Engine instance.

• NEXT_HOP_NETWORK = 3

  Next hop is a VPC network gateway.

• NEXT_HOP_PEERING = 4

  Next hop is a peering VPC.

• NEXT_HOP_INTERCONNECT = 5

  Next hop is an interconnect.

• NEXT_HOP_VPN_TUNNEL = 6

  Next hop is a VPN tunnel.

• NEXT_HOP_VPN_GATEWAY = 7

  Next hop is a VPN gateway. This scenario only happens when tracing connectivity from an on-premises network to Google Cloud through a VPN. The analysis simulates a packet departing from the on-premises network through a VPN tunnel and arriving at a Cloud VPN gateway.

• NEXT_HOP_INTERNET_GATEWAY = 8

  Next hop is an internet gateway.

• NEXT_HOP_BLACKHOLE = 9

  Next hop is blackhole; that is, the next hop either does not exist or is not running.

• NEXT_HOP_ILB = 10

  Next hop is the forwarding rule of an Internal Load Balancer.

• NEXT_HOP_ROUTER_APPLIANCE = 11

  Next hop is a [router appliance instance](https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/ra-overview).

Type of route:

Used in: RouteInfo

• ROUTE_TYPE_UNSPECIFIED = 0

  Unspecified type. Default value.

• SUBNET = 1

  Route is a subnet route automatically created by the system.

• STATIC = 2

  Static route created by the user, including the default route to the internet.

• DYNAMIC = 3

  Dynamic route exchanged between BGP peers.

• PEERING_SUBNET = 4

  A subnet route received from peering network.

• PEERING_STATIC = 5

  A static route received from peering network.

• PEERING_DYNAMIC = 6

  A dynamic route received from peering network.

• POLICY_BASED = 7

  Policy based route.

A simulated forwarding path is composed of multiple steps. Each step has a well-defined state and an associated configuration.

Used in: Trace

• string description = 1

  A description of the step. Usually this is a summary of the state.

• Step.State state = 2

  Each step is in one of the pre-defined states.

• bool causes_drop = 3

  This is a step that leads to the final state Drop.

• string project_id = 4

  Project ID that contains the configuration this step is validating.

• oneof step_info

  Configuration or metadata associated with each step. The configuration is filtered based on viewer's permission. If a viewer has no permission to view the configuration in this step, for non-final states a special state is populated (VIEWER_PERMISSION_MISSING), and for final state the configuration is cleared.

  • InstanceInfo instance = 5

    Display information of a Compute Engine instance.

  • FirewallInfo firewall = 6

    Display information of a Compute Engine firewall rule.

  • RouteInfo route = 7

    Display information of a Compute Engine route.

  • EndpointInfo endpoint = 8

    Display information of the source and destination under analysis. The endpoint information in an intermediate state may differ with the initial input, as it might be modified by state like NAT, or Connection Proxy.

  • GoogleServiceInfo google_service = 24

    Display information of a Google service

  • ForwardingRuleInfo forwarding_rule = 9

    Display information of a Compute Engine forwarding rule.

  • VpnGatewayInfo vpn_gateway = 10

    Display information of a Compute Engine VPN gateway.

  • VpnTunnelInfo vpn_tunnel = 11

    Display information of a Compute Engine VPN tunnel.

  • VpcConnectorInfo vpc_connector = 21

    Display information of a VPC connector.

  • DeliverInfo deliver = 12

    Display information of the final state "deliver" and reason.

  • ForwardInfo forward = 13

    Display information of the final state "forward" and reason.

  • AbortInfo abort = 14

    Display information of the final state "abort" and reason.

  • DropInfo drop = 15

    Display information of the final state "drop" and reason.

  • LoadBalancerInfo load_balancer = 16

    Display information of the load balancers.

  • NetworkInfo network = 17

    Display information of a Google Cloud network.

  • GKEMasterInfo gke_master = 18

    Display information of a Google Kubernetes Engine cluster master.

  • CloudSQLInstanceInfo cloud_sql_instance = 19

    Display information of a Cloud SQL instance.

  • CloudFunctionInfo cloud_function = 20

    Display information of a Cloud Function.

  • AppEngineVersionInfo app_engine_version = 22

    Display information of an App Engine service version.

  • CloudRunRevisionInfo cloud_run_revision = 23

    Display information of a Cloud Run revision.

Type of states that are defined in the network state machine. Each step in the packet trace is in a specific state.

Used in: Step

• STATE_UNSPECIFIED = 0

  Unspecified state.

• START_FROM_INSTANCE = 1

  Initial state: packet originating from a Compute Engine instance. An InstanceInfo is populated with starting instance information.

• START_FROM_INTERNET = 2

  Initial state: packet originating from the internet. The endpoint information is populated.

• START_FROM_GOOGLE_SERVICE = 27

  Initial state: packet originating from a Google service. Some Google services, such as health check probers or Identity Aware Proxy use special routes, outside VPC routing configuration to reach Compute Engine Instances.

• START_FROM_PRIVATE_NETWORK = 3

  Initial state: packet originating from a VPC or on-premises network with internal source IP. If the source is a VPC network visible to the user, a NetworkInfo is populated with details of the network.

• START_FROM_GKE_MASTER = 21

  Initial state: packet originating from a Google Kubernetes Engine cluster master. A GKEMasterInfo is populated with starting instance information.

• START_FROM_CLOUD_SQL_INSTANCE = 22

  Initial state: packet originating from a Cloud SQL instance. A CloudSQLInstanceInfo is populated with starting instance information.

• START_FROM_CLOUD_FUNCTION = 23

  Initial state: packet originating from a Cloud Function. A CloudFunctionInfo is populated with starting function information.

• START_FROM_APP_ENGINE_VERSION = 25

  Initial state: packet originating from an App Engine service version. An AppEngineVersionInfo is populated with starting version information.

• START_FROM_CLOUD_RUN_REVISION = 26

  Initial state: packet originating from a Cloud Run revision. A CloudRunRevisionInfo is populated with starting revision information.

• APPLY_INGRESS_FIREWALL_RULE = 4

  Config checking state: verify ingress firewall rule.

• APPLY_EGRESS_FIREWALL_RULE = 5

  Config checking state: verify egress firewall rule.

• APPLY_ROUTE = 6

  Config checking state: verify route.

• APPLY_FORWARDING_RULE = 7

  Config checking state: match forwarding rule.

• SPOOFING_APPROVED = 8

  Config checking state: packet sent or received under foreign IP address and allowed.

• ARRIVE_AT_INSTANCE = 9

  Forwarding state: arriving at a Compute Engine instance.

• ARRIVE_AT_INTERNAL_LOAD_BALANCER = 10

  Forwarding state: arriving at a Compute Engine internal load balancer.

• ARRIVE_AT_EXTERNAL_LOAD_BALANCER = 11

  Forwarding state: arriving at a Compute Engine external load balancer.

• ARRIVE_AT_VPN_GATEWAY = 12

  Forwarding state: arriving at a Cloud VPN gateway.

• ARRIVE_AT_VPN_TUNNEL = 13

  Forwarding state: arriving at a Cloud VPN tunnel.

• ARRIVE_AT_VPC_CONNECTOR = 24

  Forwarding state: arriving at a VPC connector.

• NAT = 14

  Transition state: packet header translated.

• PROXY_CONNECTION = 15

  Transition state: original connection is terminated and a new proxied connection is initiated.

• DELIVER = 16

  Final state: packet could be delivered.

• DROP = 17

  Final state: packet could be dropped.

• FORWARD = 18

  Final state: packet could be forwarded to a network with an unknown configuration.

• ABORT = 19

  Final state: analysis is aborted.

• VIEWER_PERMISSION_MISSING = 20

  Special state: viewer of the test result does not have permission to see the configuration in this step.

Trace represents one simulated packet forwarding path. * Each trace contains multiple ordered steps. * Each step is in a particular state with associated configuration. * State is categorized as final or non-final states. * Each final state has a reason associated. * Each trace must end with a final state (the last step). ``` |---------------------Trace----------------------| Step1(State) Step2(State) --- StepN(State(final)) ```

Used in: ReachabilityDetails

• optional EndpointInfo endpoint_info = 1

  Derived from the source and destination endpoints definition specified by user request, and validated by the data plane model. If there are multiple traces starting from different source locations, then the endpoint_info may be different between traces.

• repeated Step steps = 2

  A trace of a test contains multiple steps from the initial state to the final state (delivered, dropped, forwarded, or aborted). The steps are ordered by the processing sequence within the simulated network state machine. It is critical to preserve the order of the steps and avoid reordering or sorting them.

For display only. Metadata associated with a VPC connector.

Used in: Step

• string display_name = 1

  Name of a VPC connector.

• string uri = 2

  URI of a VPC connector.

• string location = 3

  Location in which the VPC connector is deployed.

For display only. Metadata associated with a Compute Engine VPN gateway.

Used in: Step

• string display_name = 1

  Name of a VPN gateway.

• string uri = 2

  URI of a VPN gateway.

• string network_uri = 3

  URI of a Compute Engine network where the VPN gateway is configured.

• string ip_address = 4

  IP address of the VPN gateway.

• string vpn_tunnel_uri = 5

  A VPN tunnel that is associated with this VPN gateway. There may be multiple VPN tunnels configured on a VPN gateway, and only the one relevant to the test is displayed.

• string region = 6

  Name of a Google Cloud region where this VPN gateway is configured.

For display only. Metadata associated with a Compute Engine VPN tunnel.

Used in: Step

• string display_name = 1

  Name of a VPN tunnel.

• string uri = 2

  URI of a VPN tunnel.

• string source_gateway = 3

  URI of the VPN gateway at local end of the tunnel.

• string remote_gateway = 4

  URI of a VPN gateway at remote end of the tunnel.

• string remote_gateway_ip = 5

  Remote VPN gateway's IP address.

• string source_gateway_ip = 6

  Local VPN gateway's IP address.

• string network_uri = 7

  URI of a Compute Engine network where the VPN tunnel is configured.

• string region = 8

  Name of a Google Cloud region where this VPN tunnel is configured.

• VpnTunnelInfo.RoutingType routing_type = 9

  Type of the routing policy.

Types of VPN routing policy. For details, refer to [Networks and Tunnel routing](https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing/).

Used in: VpnTunnelInfo

• ROUTING_TYPE_UNSPECIFIED = 0

  Unspecified type. Default value.

• ROUTE_BASED = 1

  Route based VPN.

• POLICY_BASED = 2

  Policy based routing.

• DYNAMIC = 3

  Dynamic (BGP) routing.