Resource: ConnectivityTest
A Connectivity Test for a network reachability analysis.
JSON representation | |
---|---|
{ "name": string, "description": string, "source": { object ( |
Fields | |
---|---|
name |
Required. Unique name of the resource using the form: |
description |
The user-supplied description of the Connectivity Test. Maximum of 512 characters. |
source |
Required. Source specification of the Connectivity Test. You can use a combination of source IP address, virtual machine (VM) instance, or Compute Engine network to uniquely identify the source location. Examples: If the source IP address is an internal IP address within a Google Cloud Virtual Private Cloud (VPC) network, then you must also specify the VPC network. Otherwise, specify the VM instance, which already contains its internal IP address and VPC network information. If the source of the test is within an on-premises network, then you must provide the destination VPC network. If the source endpoint is a Compute Engine VM instance with multiple network interfaces, the instance itself is not sufficient to identify the endpoint. So, you must also specify the source IP address or VPC network. A reachability analysis proceeds even if the source location is ambiguous. However, the test result may include endpoints that you don't intend to test. |
destination |
Required. Destination specification of the Connectivity Test. You can use a combination of destination IP address, Compute Engine VM instance, or VPC network to uniquely identify the destination location. Even if the destination IP address is not unique, the source IP location is unique. Usually, the analysis can infer the destination endpoint from route information. If the destination you specify is a VM instance and the instance has multiple network interfaces, then you must also specify either a destination IP address or VPC network to identify the destination interface. A reachability analysis proceeds even if the destination location is ambiguous. However, the result can include endpoints that you don't intend to test. |
protocol |
IP Protocol of the test. When not provided, "TCP" is assumed. |
relatedProjects[] |
Other projects that may be relevant for reachability analysis. This is applicable to scenarios where a test can cross project boundaries. |
displayName |
Output only. The display name of a Connectivity Test. |
labels |
Resource labels to represent user-provided metadata. An object containing a list of |
createTime |
Output only. The time the test was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
updateTime |
Output only. The time the test's configuration was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
reachabilityDetails |
Output only. The reachability details of this test from the latest run. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test. |
Endpoint
Source or destination of the Connectivity Test.
JSON representation | |
---|---|
{
"ipAddress": string,
"port": integer,
"instance": string,
"gkeMasterCluster": string,
"cloudSqlInstance": string,
"network": string,
"networkType": enum ( |
Fields | |
---|---|
ipAddress |
The IP address of the endpoint, which can be an external or internal IP. An IPv6 address is only allowed when the test's destination is a global load balancer VIP. |
port |
The IP protocol port of the endpoint. Only applicable when protocol is TCP or UDP. |
instance |
A Compute Engine instance URI. |
gkeMasterCluster |
A cluster URI for Google Kubernetes Engine master. |
cloudSqlInstance |
A Cloud SQL instance URI. |
network |
A Compute Engine network URI. |
networkType |
Type of the network where the endpoint is located. Applicable only to source endpoint, as destination network type can be inferred from the source. |
projectId |
Project ID where the endpoint is located. The Project ID can be derived from the URI if you provide a VM instance or network URI. The following are two cases where you must provide the project ID: 1. Only the IP address is specified, and the IP address is within a GCP project. 2. When you are using Shared VPC and the IP address that you provide is from the service project. In this case, the network that the IP address resides in is defined in the host project. |
NetworkType
The type definition of an endpoint's network. Use one of the following choices:
NETWORK_TYPE_UNSPECIFIED
Default type if unspecified.
GCP_NETWORK
A network hosted within Google Cloud Platform. To receive more detailed output, specify the URI for the source or destination network.
NON_GCP_NETWORK
A network hosted outside of Google Cloud Platform. This can be an on-premises network, or a network hosted by another cloud provider.
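The source, destination and Endpoint rules above can be checked before a test is submitted. The following is an added example, not code from this reference or from Google: the severities, the use of `is_private` to approximate "internal IP address", and every sample name and URI are assumptions made for illustration.

```python
import ipaddress

# Added example: field names and enum values come from this reference; the rule
# severities, the is_private approximation and all sample values are assumptions.
PORT_PROTOCOLS = {"TCP", "UDP"}


def lint_connectivity_test(body):
    """Return (severity, field, message) findings for a ConnectivityTest body."""
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    for required in ("name", "source", "destination"):
        if not body.get(required):
            add("error", required, "required field is missing")
    if len(body.get("description", "")) > 512:
        add("error", "description", "longer than 512 characters")

    protocol = body.get("protocol", "TCP").upper()  # "TCP" is assumed when absent
    src = body.get("source") or {}
    dst = body.get("destination") or {}

    for side, ep in (("source", src), ("destination", dst)):
        if "port" in ep and protocol not in PORT_PROTOCOLS:
            add("error", f"{side}.port", f"port applies only to TCP or UDP, not {protocol}")
        raw = ep.get("ipAddress")
        if raw is None:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            add("error", f"{side}.ipAddress", "malformed IP address")
            continue
        if ip.version == 6:
            if side == "source":
                add("error", "source.ipAddress",
                    "IPv6 is allowed only for a global load balancer VIP destination")
            else:
                add("warn", "destination.ipAddress",
                    "IPv6 destination must be a global load balancer VIP")
            continue
        located = ep.get("network") or ep.get("instance")
        outside = ep.get("networkType") == "NON_GCP_NETWORK"
        if side == "source" and ip.is_private and not located and not outside:
            add("warn", "source.network",
                "internal source IP without VPC network or VM instance is ambiguous")

    if "networkType" in dst:
        add("warn", "destination.networkType", "networkType applies only to the source endpoint")
    if src.get("networkType") == "NON_GCP_NETWORK" and not dst.get("network"):
        add("error", "destination.network",
            "source is outside Google Cloud, so the destination VPC network is required")
    return findings


# Constructed sample bodies (names and URIs are placeholders, not real resources).
AMBIGUOUS_BODY = {
    "name": "constructed-test-name",
    "protocol": "ICMP",
    "source": {"ipAddress": "10.0.0.5", "port": 443},
    "destination": {"ipAddress": "10.0.1.9", "port": 5432, "networkType": "GCP_NETWORK"},
}
ONPREM_BODY = {
    "name": "constructed-test-name",
    "source": {"ipAddress": "192.168.1.10", "networkType": "NON_GCP_NETWORK"},
    "destination": {"instance": "projects/example/zones/example-zone/instances/db-1"},
}
CLEAN_BODY = {
    "name": "constructed-test-name",
    "source": {"instance": "projects/example/zones/example-zone/instances/web-1"},
    "destination": {"ipAddress": "10.0.1.9", "port": 5432,
                    "network": "projects/example/global/networks/prod"},
}

if __name__ == "__main__":
    for label, body in (("ambiguous", AMBIGUOUS_BODY), ("on-prem", ONPREM_BODY), ("clean", CLEAN_BODY)):
        print(label, lint_connectivity_test(body))
```

Because the analysis proceeds even when an endpoint is ambiguous, the ambiguity cases are reported as warnings rather than errors.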
ReachabilityDetails
The details of reachability state from the latest run.
JSON representation | |
---|---|
{ "result": enum ( |
Fields | |
---|---|
result |
The overall reachability result of the test. |
verifyTime |
The time the reachability state was verified. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
error |
The details of a failure or a cancellation of reachability analysis. |
traces[] |
Result may contain a list of traces if a test has multiple possible paths in the network, such as when destination endpoint is a load balancer with multiple backends. |
Result
Overall reachability result of the test, which can be one of the following values:
RESULT_UNSPECIFIED
Result is not specified.
REACHABLE
Packet originating from source is expected to reach destination. Possible scenarios are: * Packet is traced to the destination. * Analysis is partially complete based on configurations where you have permission. The Final state indicates that the packet is forwarded.
UNREACHABLE
Packet originating from the source is expected to be dropped before reaching the destination.
UNDETERMINED
The reachability could not be determined. Possible reasons are: * Analysis is aborted due to a permission error. The user does not have read permission to the projects listed in the test. * Analysis is aborted due to invalid argument, or the analyzer is not able to identify a valid endpoint location for analysis. * Analysis is aborted due to internal errors.
AMBIGUOUS
If the source and destination endpoints do not uniquely identify the test location in the network, and the reachability result contains multiple traces with mixed reachable and unreachable states, then this result is returned.
Trace
Trace represents one simulated packet forwarding path.
- Each trace contains multiple ordered steps.
- Each step is in a particular state and has an associated configuration.
- State is categorized as a final or non-final state.
- Each final state has a reason associated with it.
- Each trace must end with a final state (the last step).
|---------------------Trace----------------------|
Step1(State) Step2(State) --- StepN(State(final))
JSON representation | |
---|---|
{ "endpointInfo": { object ( |
Fields | |
---|---|
endpointInfo |
Derived from the source and destination endpoints definition, and validated by the data plane model. If there are multiple traces starting from different source locations, then the endpointInfo may be different between traces. |
steps[] |
A trace of a test contains multiple steps from the initial state to the final state (delivered, dropped, forwarded, or aborted). The steps are ordered by the processing sequence within the simulated network state machine. It is critical to preserve the order of the steps and avoid reordering or sorting them. |
EndpointInfo
For display only. The specification of the endpoints for the test. EndpointInfo is derived from source and destination Endpoint and validated by the backend data plane model.
JSON representation | |
---|---|
{ "sourceIp": string, "destinationIp": string, "protocol": string, "sourcePort": integer, "destinationPort": integer, "sourceNetworkUri": string, "destinationNetworkUri": string } |
Fields | |
---|---|
sourceIp |
Source IP address. |
destinationIp |
Destination IP address. |
protocol |
IP protocol in string format, for example: "TCP", "UDP", "ICMP". |
sourcePort |
Source port. Only valid when protocol is TCP or UDP. |
destinationPort |
Destination port. Only valid when protocol is TCP or UDP. |
sourceNetworkUri |
URI of the network where this packet originates from. |
destinationNetworkUri |
URI of the network where this packet is sent to. |
Step
A simulated forwarding path is composed of multiple steps. Each step has a well-defined state and an associated configuration.
JSON representation | |
---|---|
{ "description": string, "state": enum ( |
Fields | ||
---|---|---|
description |
A description of the step. Usually this is a summary of the state. |
|
state |
Each step is in one of the pre-defined states. |
|
causesDrop |
This is a step that leads to the final state Drop. |
|
projectId |
Project ID that contains the configuration this step is validating. |
|
Union field step_info. Configuration or metadata associated with each step. The configuration is filtered based on the viewer's permission. If a viewer has no permission to view the configuration in this step, a special state (VIEWER_PERMISSION_MISSING) is populated for non-final states, and the configuration is cleared for final states. step_info can be only one of the following: |
||
instance |
Display info of a Compute Engine instance. |
|
firewall |
Display info of a Compute Engine firewall rule. |
|
route |
Display info of a Compute Engine route. |
|
endpoint |
Display info of the source and destination under analysis. The endpoint info in an intermediate state may differ from the initial input, as it might be modified by a state such as NAT or Connection Proxy. |
|
forwardingRule |
Display info of a Compute Engine forwarding rule. |
|
vpnGateway |
Display info of a Compute Engine VPN gateway. |
|
vpnTunnel |
Display info of a Compute Engine VPN tunnel. |
|
deliver |
Display info of the final state "deliver" and reason. |
|
forward |
Display info of the final state "forward" and reason. |
|
abort |
Display info of the final state "abort" and reason. |
|
drop |
Display info of the final state "drop" and reason. |
|
loadBalancer |
Display info of the load balancers. |
|
network |
Display info of a GCP network. |
|
gkeMaster |
Display info of a Google Kubernetes Engine cluster master. |
|
cloudSqlInstance |
Display info of a Cloud SQL instance. |
State
Type of states that are defined in the network state machine. Each step in the packet trace is in a specific state.
STATE_UNSPECIFIED
Unspecified state.
START_FROM_INSTANCE
Initial state: packet originating from a Compute Engine instance. An InstanceInfo will be populated with starting instance info.
START_FROM_INTERNET
Initial state: packet originating from Internet. The endpoint info will be populated.
START_FROM_PRIVATE_NETWORK
Initial state: packet originating from a VPC or on-premises network with internal source IP. If the source is a Virtual Private Cloud (VPC) network visible to the user, a NetworkInfo will be populated with details of the network.
START_FROM_GKE_MASTER
Initial state: packet originating from a Google Kubernetes Engine cluster master. A GKEMasterInfo will be populated with starting instance info.
START_FROM_CLOUD_SQL_INSTANCE
Initial state: packet originating from a Cloud SQL instance. A CloudSQLInstanceInfo will be populated with starting instance info.
APPLY_INGRESS_FIREWALL_RULE
Config checking state: verify ingress firewall rule.
APPLY_EGRESS_FIREWALL_RULE
Config checking state: verify egress firewall rule.
APPLY_ROUTE
Config checking state: verify route.
APPLY_FORWARDING_RULE
Config checking state: match forwarding rule.
SPOOFING_APPROVED
Config checking state: packet sent or received under foreign IP address and allowed.
ARRIVE_AT_INSTANCE
Forwarding state: arriving at a Compute Engine instance.
ARRIVE_AT_INTERNAL_LOAD_BALANCER
Forwarding state: arriving at a Compute Engine internal load balancer.
ARRIVE_AT_EXTERNAL_LOAD_BALANCER
Forwarding state: arriving at a Compute Engine external load balancer.
ARRIVE_AT_VPN_GATEWAY
Forwarding state: arriving at a Cloud VPN gateway.
ARRIVE_AT_VPN_TUNNEL
Forwarding state: arriving at a Cloud VPN tunnel.
NAT
Transition state: packet header translated.
PROXY_CONNECTION
Transition state: original connection is terminated and a new proxied connection is initiated.
DELIVER
Final state: packet could be delivered.
DROP
Final state: packet could be dropped.
FORWARD
Final state: packet could be forwarded to a network with an unknown configuration.
ABORT
Final state: analysis is aborted.
VIEWER_PERMISSION_MISSING
Special state: viewer of the test result does not have permission to see the configuration in this step.
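The Trace, Step and State definitions above can be applied when checking a test result against an expected outcome, for instance a segmentation rule that should make a destination unreachable. This is an added example, not code from this reference: the `summarize_trace` and `audit` helpers, the expected-result parameter and the sample ReachabilityDetails document with its resource names are constructed for illustration.

```python
# Added example: field and enum names come from this reference; the helpers and
# the sample ReachabilityDetails document below are constructed.
FINAL_INFO = {"DELIVER": "deliver", "DROP": "drop", "FORWARD": "forward", "ABORT": "abort"}
CONFIG_KEYS = ("firewall", "route", "forwardingRule", "instance", "vpnTunnel")


def summarize_trace(trace):
    """Reduce one Trace to its final state, reason, and the step that blocks it."""
    steps = trace.get("steps", [])  # API order is the processing order: never sort
    if not steps or steps[-1].get("state") not in FINAL_INFO:
        raise ValueError("a trace must end with a final state")
    last = steps[-1]
    info = last.get(FINAL_INFO[last["state"]], {})  # cleared if the viewer lacks permission
    blocked_by = None
    for step in steps:
        if step.get("causesDrop"):
            key = next((k for k in CONFIG_KEYS if k in step), None)
            blocked_by = f"{key}:{step[key].get('displayName')}" if key else step.get("description")
            break
    return {
        "final": last["state"],
        "reason": info.get("cause") or info.get("target"),
        "blocked_by": blocked_by,
        "hidden_steps": [i for i, s in enumerate(steps)
                         if s.get("state") == "VIEWER_PERMISSION_MISSING"],
        "spoofing_approved": any(s.get("state") == "SPOOFING_APPROVED" for s in steps),
    }


def audit(details, expected):
    """Compare ReachabilityDetails with the expected Result and list deviations."""
    result = details.get("result", "RESULT_UNSPECIFIED")
    traces = [summarize_trace(t) for t in details.get("traces", [])]
    findings = []
    if result != expected:
        findings.append(f"overall result is {result}, expected {expected}")
    for i, t in enumerate(traces):
        if expected == "UNREACHABLE" and t["final"] in ("DELIVER", "FORWARD"):
            findings.append(f"trace {i}: packet is not dropped ({t['final']} to {t['reason']})")
        if t["hidden_steps"]:
            findings.append(f"trace {i}: steps {t['hidden_steps']} hidden by missing viewer permission")
        if t["spoofing_approved"]:
            findings.append(f"trace {i}: foreign-IP packet was allowed")
    return result, traces, findings


# Constructed sample: two possible paths, one dropped by a firewall rule, one delivered.
SAMPLE_DETAILS = {
    "result": "AMBIGUOUS",
    "traces": [
        {"steps": [
            {"state": "START_FROM_INSTANCE", "instance": {"displayName": "web-1"}},
            {"state": "APPLY_EGRESS_FIREWALL_RULE",
             "firewall": {"displayName": "allow-egress", "action": "ALLOW"}},
            {"state": "APPLY_ROUTE", "route": {"displayName": "subnet-route"}},
            {"state": "APPLY_INGRESS_FIREWALL_RULE", "causesDrop": True,
             "firewall": {"displayName": "deny-db-ingress", "action": "DENY", "priority": 900}},
            {"state": "DROP", "drop": {"cause": "FIREWALL_RULE"}},
        ]},
        {"steps": [
            {"state": "START_FROM_INSTANCE", "instance": {"displayName": "web-1"}},
            {"state": "VIEWER_PERMISSION_MISSING"},
            {"state": "APPLY_ROUTE", "route": {"displayName": "peering-route"}},
            {"state": "ARRIVE_AT_INSTANCE", "instance": {"displayName": "db-1"}},
            {"state": "DELIVER", "deliver": {"target": "INSTANCE"}},
        ]},
    ],
}

if __name__ == "__main__":
    result, traces, findings = audit(SAMPLE_DETAILS, expected="UNREACHABLE")
    print(result)
    for line in findings:
        print(" -", line)
```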
InstanceInfo
For display only. Metadata associated with a Compute Engine instance.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "interface": string, "networkUri": string, "internalIp": string, "externalIp": string, "networkTags": [ string ], "serviceAccount": string } |
Fields | |
---|---|
displayName |
Name of a Compute Engine instance. |
uri |
URI of a Compute Engine instance. |
interface |
Name of the network interface of a Compute Engine instance. |
networkUri |
URI of a Compute Engine network. |
internalIp |
Internal IP address of the network interface. |
externalIp |
External IP address of the network interface. |
networkTags[] |
Network tags configured on the instance. |
serviceAccount |
Service account authorized for the instance. |
FirewallInfo
For display only. Metadata associated with a Compute Engine firewall rule.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "direction": string, "action": string, "priority": integer, "networkUri": string, "targetTags": [ string ], "targetServiceAccounts": [ string ] } |
Fields | |
---|---|
displayName |
Name of a Compute Engine firewall rule. |
uri |
URI of a Compute Engine firewall rule. Implied default rule does not have URI. |
direction |
Possible values: INGRESS, EGRESS |
action |
Possible values: ALLOW, DENY |
priority |
Priority of the firewall rule. |
networkUri |
URI of a Compute Engine network. |
targetTags[] |
Target tags of the firewall rule. |
targetServiceAccounts[] |
Target service accounts of the firewall rule. |
RouteInfo
For display only. Metadata associated with a Compute Engine route.
JSON representation | |
---|---|
{ "routeType": enum ( |
Fields | |
---|---|
routeType |
Type of route. |
nextHopType |
Type of next hop. |
displayName |
Name of a Compute Engine route. |
uri |
URI of a Compute Engine route. Dynamic route from cloud router does not have a URI. Advertised route from Google Cloud VPC to on-premises network also does not have a URI. |
destIpRange |
Destination IP range of the route. |
nextHop |
Next hop of the route. |
networkUri |
URI of a Compute Engine network. |
priority |
Priority of the route. |
instanceTags[] |
Instance tags of the route. |
RouteType
Type of route:
ROUTE_TYPE_UNSPECIFIED
Unspecified type. Default value.
SUBNET
Route is a subnet route automatically created by the system.
STATIC
Static route created by the user, including the default route to the Internet.
DYNAMIC
Dynamic route exchanged between BGP peers.
PEERING_SUBNET
A subnet route received from the peering network.
PEERING_STATIC
A static route received from the peering network.
PEERING_DYNAMIC
A dynamic route received from the peering network.
NextHopType
Type of next hop:
NEXT_HOP_TYPE_UNSPECIFIED
Unspecified type. Default value.
NEXT_HOP_IP
Next hop is an IP address.
NEXT_HOP_INSTANCE
Next hop is a Compute Engine instance.
NEXT_HOP_NETWORK
Next hop is a VPC network gateway.
NEXT_HOP_PEERING
Next hop is a peering VPC.
NEXT_HOP_INTERCONNECT
Next hop is an interconnect.
NEXT_HOP_VPN_TUNNEL
Next hop is a VPN tunnel.
NEXT_HOP_VPN_GATEWAY
Next hop is a VPN Gateway. This scenario only happens when tracing connectivity from an on-premises network to GCP through a VPN. The analysis simulates a packet departing from the on-premises network through a VPN tunnel and arriving at a Cloud VPN gateway.
NEXT_HOP_INTERNET_GATEWAY
Next hop is an internet gateway.
NEXT_HOP_BLACKHOLE
Next hop is a blackhole; that is, the next hop either does not exist or is not running.
NEXT_HOP_ILB
Next hop is the forwarding rule of an Internal Load Balancer.
ForwardingRuleInfo
For display only. Metadata associated with a Compute Engine forwarding rule.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "matchedProtocol": string, "matchedPortRange": string, "vip": string, "target": string, "networkUri": string } |
Fields | |
---|---|
displayName |
Name of a Compute Engine forwarding rule. |
uri |
URI of a Compute Engine forwarding rule. |
matchedProtocol |
Protocol defined in the forwarding rule that matches the test. |
matchedPortRange |
Port range defined in the forwarding rule that matches the test. |
vip |
VIP of the forwarding rule. |
target |
Target type of the forwarding rule. |
networkUri |
Network URI. Only valid for Internal Load Balancer. |
VpnGatewayInfo
For display only. Metadata associated with a Compute Engine VPN gateway.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "networkUri": string, "ipAddress": string, "vpnTunnelUri": string, "region": string } |
Fields | |
---|---|
displayName |
Name of a VPN gateway. |
uri |
URI of a VPN gateway. |
networkUri |
URI of a Compute Engine network where the VPN gateway is configured. |
ipAddress |
IP address of the VPN gateway. |
vpnTunnelUri |
A VPN tunnel that is associated with this VPN gateway. There may be multiple VPN tunnels configured on a VPN gateway, and only the one relevant to the test is displayed. |
region |
Name of a GCP region where this VPN gateway is configured. |
VpnTunnelInfo
For display only. Metadata associated with a Compute Engine VPN tunnel.
JSON representation | |
---|---|
{
"displayName": string,
"uri": string,
"sourceGateway": string,
"remoteGateway": string,
"remoteGatewayIp": string,
"sourceGatewayIp": string,
"networkUri": string,
"region": string,
"routingType": enum ( |
Fields | |
---|---|
displayName |
Name of a VPN tunnel. |
uri |
URI of a VPN tunnel. |
sourceGateway |
URI of the VPN gateway at local end of the tunnel. |
remoteGateway |
URI of a VPN gateway at remote end of the tunnel. |
remoteGatewayIp |
Remote VPN gateway's IP address. |
sourceGatewayIp |
Local VPN gateway's IP address. |
networkUri |
URI of a Compute Engine network where the VPN tunnel is configured. |
region |
Name of a GCP region where this VPN tunnel is configured. |
routingType |
Type of the routing policy. |
RoutingType
Types of VPN routing policy. For details, refer to Networks and Tunnel routing.
ROUTING_TYPE_UNSPECIFIED
Unspecified type. Default value.
ROUTE_BASED
Route based VPN.
POLICY_BASED
Policy based routing.
DYNAMIC
Dynamic (BGP) routing.
DeliverInfo
Details of the final state "deliver" and associated resource.
JSON representation | |
---|---|
{
"target": enum ( |
Fields | |
---|---|
target |
Target type where the packet is delivered to. |
resourceUri |
URI of the resource that the packet is delivered to. |
Target
Deliver target types:
TARGET_UNSPECIFIED
Target not specified.
INSTANCE
Target is a Compute Engine instance.
INTERNET
Target is the Internet.
GOOGLE_API
Target is a Google API.
GKE_MASTER
Target is a Google Kubernetes Engine cluster master.
CLOUD_SQL_INSTANCE
Target is a Cloud SQL Instance.
ForwardInfo
Details of the final state "forward" and associated resource.
JSON representation | |
---|---|
{
"target": enum ( |
Fields | |
---|---|
target |
Target type where this packet is forwarded to. |
resourceUri |
URI of the resource that the packet is forwarded to. |
Target
Forward target types.
TARGET_UNSPECIFIED
Target not specified.
PEERING_VPC
Forwarded to a VPC peering network.
VPN_GATEWAY
Forwarded to a Cloud VPN gateway.
INTERCONNECT
Forwarded to a Cloud Interconnect connection.
GKE_MASTER
Forwarded to a Google Kubernetes Engine Container cluster master.
IMPORTED_CUSTOM_ROUTE_NEXT_HOP
Forwarded to the next hop of a custom route imported from a peering VPC.
CLOUD_SQL_INSTANCE
Forwarded to a Cloud SQL Instance.
AbortInfo
Details of the final state "abort" and associated resource.
JSON representation | |
---|---|
{
"cause": enum ( |
Fields | |
---|---|
cause |
Causes that the analysis is aborted. |
resourceUri |
URI of the resource that caused the abort. |
Cause
Abort cause types:
CAUSE_UNSPECIFIED
Cause is unspecified.
UNKNOWN_NETWORK
Aborted due to unknown network. The reachability analysis cannot proceed because the user does not have access to the host project's network configurations, including firewall rules and routes. This happens when the project is a service project and the endpoints being traced are in the host project's network.
UNKNOWN_IP
Aborted because the IP address(es) are unknown.
UNKNOWN_PROJECT
Aborted because no project information can be derived from the test input.
PERMISSION_DENIED
Aborted because the user lacks the permission to access all or part of the network configurations required to run the test.
NO_SOURCE_LOCATION
Aborted because no valid source endpoint is derived from the input test request.
INVALID_ARGUMENT
Aborted because the source and/or destination endpoint specified in the test are invalid. The possible reasons that an endpoint is invalid include: malformed IP address; nonexistent instance or network URI; IP address not in the range of specified network URI; and instance not owning the network interface in the specified network.
NO_EXTERNAL_IP
Aborted because traffic is sent from a public IP to an instance without an external IP.
UNINTENDED_DESTINATION
Aborted because none of the traces matches destination information specified in the input test request.
TRACE_TOO_LONG
Aborted because the number of steps in the trace exceeds a certain limit, which may be caused by a routing loop.
INTERNAL_ERROR
Aborted due to internal server error.
DropInfo
Details of the final state "drop" and associated resource.
JSON representation | |
---|---|
{
"cause": enum ( |
Fields | |
---|---|
cause |
Cause that the packet is dropped. |
resourceUri |
URI of the resource that caused the drop. |
Cause
Drop cause types:
CAUSE_UNSPECIFIED
Cause is unspecified.
UNKNOWN_EXTERNAL_ADDRESS
Destination external address cannot be resolved to a known target. If the address is used in a GCP project, provide the project ID as test input.
FOREIGN_IP_DISALLOWED
A Compute Engine instance can only send or receive a packet with a foreign IP if ip_forward is enabled.
FIREWALL_RULE
Dropped due to a firewall rule, unless allowed due to connection tracking.
NO_ROUTE
Dropped due to no routes.
ROUTE_BLACKHOLE
Dropped due to invalid route. Route's next hop is a blackhole.
ROUTE_WRONG_NETWORK
Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2; however, the route configured in Network1 sends the packet destined for VM2's IP address to Network3.
PRIVATE_TRAFFIC_TO_INTERNET
Packet with internal destination address sent to Internet gateway.
PRIVATE_GOOGLE_ACCESS_DISALLOWED
Instance with only internal IP tries to access Google API and Services, but private Google access is not enabled.
NO_EXTERNAL_ADDRESS
Instance with only an internal IP tries to access external hosts, but Cloud NAT is not enabled in the subnet, unless special configurations on a VM allow this connection. See Special Configurations for VM instances for details.
UNKNOWN_INTERNAL_ADDRESS
Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project.
FORWARDING_RULE_MISMATCH
Forwarding rule's protocol and ports do not match the packet header.
FORWARDING_RULE_NO_INSTANCES
Forwarding rule does not have backends configured.
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK
Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. See Health check firewall rules for more details.
INSTANCE_NOT_RUNNING
Packet sent from or to a Compute Engine instance that is not in a running state.
TRAFFIC_TYPE_BLOCKED
The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic for more details.
GKE_MASTER_UNAUTHORIZED_ACCESS
Access to the Google Kubernetes Engine cluster master's endpoint is not authorized. See Access to the master for more details.
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS
Access to the Cloud SQL instance is not authorized. See Authorizing with authorized networks for more details.
DROPPED_INSIDE_GKE_SERVICE
Packet was dropped inside Google Kubernetes Engine Service.
DROPPED_INSIDE_CLOUD_SQL_SERVICE
Packet was dropped inside Cloud SQL Service.
Enums | |
---|---|
CAUSE_UNSPECIFIED |
Cause is unspecified. |
UNKNOWN_EXTERNAL_ADDRESS |
Destination external address cannot be resolved to a known target. |
FOREIGN_IP_DISALLOWED |
A Compute Engine instance can only send or receive a packet with a foreign IP if ip_forward is enabled. |
FIREWALL_RULE |
Dropped due to a firewall rule unless allowed due to connection tracking. |
NO_ROUTE |
Dropped due to no routes. |
ROUTE_BLACKHOLE |
Dropped due to invalid route. Route's next hop is a blackhole. |
ROUTE_WRONG_NETWORK |
Packet is sent to a wrong (unintended) network. Example: user traces a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2's IP address to Network3. |
PRIVATE_TRAFFIC_TO_INTERNET |
Packet with internal destination address sent to Internet gateway. |
PRIVATE_GOOGLE_ACCESS_DISALLOWED |
Instance with only an internal IP tries to access Google API and Services, and private Google access is not enabled. |
NO_EXTERNAL_ADDRESS |
Instance with only internal IP tries to access external hosts, but Cloud NAT is not enabled in the subnet, unless special configurations on a VM allow this connection. See Special Configurations for VM instances for details. |
UNKNOWN_INTERNAL_ADDRESS |
Destination internal address cannot be resolved to a known target. |
FORWARDING_RULE_MISMATCH |
Forwarding rule's protocol and ports do not match the packet header. |
FORWARDING_RULE_NO_INSTANCES |
Forwarding rule does not have backends configured. |
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK |
Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. See Health check firewall rules for more details. |
INSTANCE_NOT_RUNNING |
Packet is sent from or to a Compute Engine instance that is not in a running state. |
TRAFFIC_TYPE_BLOCKED |
The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic for more details. |
GKE_MASTER_UNAUTHORIZED_ACCESS |
Access to Google Kubernetes Engine cluster master's endpoint is not authorized. See Access to the master for more details. |
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS |
Access to the Cloud SQL instance endpoint is not authorized. See Authorizing with authorized networks for more details. |
DROPPED_INSIDE_GKE_SERVICE |
Packet was dropped inside Google Kubernetes Engine Service. |
DROPPED_INSIDE_CLOUD_SQL_SERVICE |
Packet was dropped inside Cloud SQL Service. |
LoadBalancerInfo
For display only. Metadata associated with a load balancer.
JSON representation | |
---|---|
{ "loadBalancerType": enum ( |
Fields | |
---|---|
loadBalancerType |
Type of the load balancer. |
healthCheckUri |
URI of the health check for the load balancer. |
backends[] |
Information for the load balancer backends. |
backendType |
Type of load balancer's backend configuration. |
backendUri |
Backend configuration URI. |
LoadBalancerType
The type definition for a load balancer:
Enums | |
---|---|
LOAD_BALANCER_TYPE_UNSPECIFIED |
Type is unspecified. |
INTERNAL_TCP_UDP |
Internal TCP/UDP load balancer. |
NETWORK_TCP_UDP |
Network TCP/UDP load balancer. |
HTTP_PROXY |
HTTP(S) proxy load balancer. |
TCP_PROXY |
TCP proxy load balancer. |
SSL_PROXY |
SSL proxy load balancer. |
LoadBalancerBackend
For display only. Metadata associated with a specific load balancer backend.
JSON representation | |
---|---|
{
"displayName": string,
"uri": string,
"healthCheckFirewallState": enum ( |
Fields | |
---|---|
displayName |
Name of a Compute Engine instance or network endpoint. |
uri |
URI of a Compute Engine instance or network endpoint. |
healthCheckFirewallState |
State of the health check firewall configuration. |
healthCheckAllowingFirewallRules[] |
A list of firewall rule URIs allowing probes from health check IP ranges. |
healthCheckBlockingFirewallRules[] |
A list of firewall rule URIs blocking probes from health check IP ranges. |
HealthCheckFirewallState
State of a health check firewall configuration:
Enums | |
---|---|
HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED |
State is unspecified. Default state if not populated. |
CONFIGURED |
There are configured firewall rules to allow health check probes to the backend. |
MISCONFIGURED |
There are firewall rules configured to allow partial health check ranges or block all health check ranges. If a health check probe is sent from denied IP ranges, the health check to the backend will fail. Then, the backend will be marked unhealthy and will not receive traffic sent to the load balancer. |
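An added example, not part of the API reference: one way to triage a ConnectivityTest result using the DropInfo causes and the HealthCheckFirewallState values listed above. It assumes the result is a parsed JSON dict with the steps under `reachabilityDetails.traces[].steps[]` and the step keys `drop` and `loadBalancer`; the cause grouping, the function names and the sample data are this example's own.

```python
# Added example: the grouping of causes is this example's own assumption,
# not part of the API. Enum values are the ones this reference lists.
CAUSE_GROUPS = {
    "access-control": {"FIREWALL_RULE", "TRAFFIC_TYPE_BLOCKED",
        "GKE_MASTER_UNAUTHORIZED_ACCESS", "CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS"},
    "routing": {"NO_ROUTE", "ROUTE_BLACKHOLE", "ROUTE_WRONG_NETWORK",
        "PRIVATE_TRAFFIC_TO_INTERNET"},
    "addressing": {"UNKNOWN_EXTERNAL_ADDRESS", "UNKNOWN_INTERNAL_ADDRESS",
        "FOREIGN_IP_DISALLOWED", "NO_EXTERNAL_ADDRESS",
        "PRIVATE_GOOGLE_ACCESS_DISALLOWED"},
    "target-state": {"INSTANCE_NOT_RUNNING", "FORWARDING_RULE_MISMATCH",
        "FORWARDING_RULE_NO_INSTANCES",
        "FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK"},
    "managed-service": {"DROPPED_INSIDE_GKE_SERVICE", "DROPPED_INSIDE_CLOUD_SQL_SERVICE"},
}

def group_of(cause):
    # CAUSE_UNSPECIFIED, or a value not in the table, stays "unclassified".
    return next((g for g, m in CAUSE_GROUPS.items() if cause in m), "unclassified")

def triage(test):
    """Return (drops, bad_backends) for one ConnectivityTest resource dict."""
    drops, bad_backends = [], []
    for i, trace in enumerate(test.get("reachabilityDetails", {}).get("traces", [])):
        for step in trace.get("steps", []):
            if "drop" in step:
                cause = step["drop"].get("cause", "CAUSE_UNSPECIFIED")
                drops.append((i, cause, group_of(cause),
                              step["drop"].get("resourceUri", "")))
            for b in step.get("loadBalancer", {}).get("backends", []):
                if b.get("healthCheckFirewallState") == "MISCONFIGURED":
                    bad_backends.append((b.get("displayName", ""),
                                         b.get("healthCheckBlockingFirewallRules", [])))
    return drops, bad_backends

def isolation_enforced(test):
    """True only if every trace contains a drop from the access-control group."""
    n = len(test.get("reachabilityDetails", {}).get("traces", []))
    hit = {i for i, _, group, _ in triage(test)[0] if group == "access-control"}
    return n > 0 and hit == set(range(n))

# Constructed sample, not real API output; the URIs are placeholders.
SAMPLE = {"reachabilityDetails": {"traces": [
    {"steps": [{"drop": {"cause": "FIREWALL_RULE", "resourceUri": "fw/deny-db"}}]},
    {"steps": [
        {"loadBalancer": {"backends": [{
            "displayName": "be-1", "healthCheckFirewallState": "MISCONFIGURED",
            "healthCheckBlockingFirewallRules": ["fw/deny-all"]}]}},
        {"drop": {"cause": "NO_ROUTE"}}]}]}}
```

In the sample, `isolation_enforced` is false because the second trace is stopped only by a missing route, so adding a route would open a path that no firewall rule denies.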
BackendType
The type definition for a load balancer backend configuration:
Enums | |
---|---|
BACKEND_TYPE_UNSPECIFIED |
Type is unspecified. |
BACKEND_SERVICE |
Backend Service as the load balancer's backend. |
TARGET_POOL |
Target Pool as the load balancer's backend. |
NetworkInfo
For display only. Metadata associated with a Compute Engine network.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "matchedIpRange": string } |
Fields | |
---|---|
displayName |
Name of a Compute Engine network. |
uri |
URI of a Compute Engine network. |
matchedIpRange |
The IP range that matches the test. |
GKEMasterInfo
For display only. Metadata associated with a Google Kubernetes Engine cluster master.
JSON representation | |
---|---|
{ "clusterUri": string, "clusterNetworkUri": string, "internalIp": string, "externalIp": string } |
Fields | |
---|---|
clusterUri |
URI of a Google Kubernetes Engine cluster. |
clusterNetworkUri |
URI of a Google Kubernetes Engine cluster network. |
internalIp |
Internal IP address of a Google Kubernetes Engine cluster master. |
externalIp |
External IP address of a Google Kubernetes Engine cluster master. |
CloudSQLInstanceInfo
For display only. Metadata associated with a Cloud SQL instance.
JSON representation | |
---|---|
{ "displayName": string, "uri": string, "networkUri": string, "internalIp": string, "externalIp": string, "region": string } |
Fields | |
---|---|
displayName |
Name of a Cloud SQL instance. |
uri |
URI of a Cloud SQL instance. |
networkUri |
URI of a Cloud SQL instance network or empty string if instance does not have one. |
internalIp |
Internal IP address of Cloud SQL instance. |
externalIp |
External IP address of Cloud SQL instance. |
region |
Region in which the Cloud SQL instance is running. |
Methods |
|
---|---|
|
Creates a new Connectivity Test. |
|
Deletes a specific ConnectivityTest. |
|
Gets the details of a specific Connectivity Test. |
|
Gets the access control policy for a resource. |
|
Lists all Connectivity Tests owned by a project. |
|
Updates the configuration of an existing ConnectivityTest. |
|
Reruns an existing ConnectivityTest. |
|
Sets the access control policy on the specified resource. |
|
Returns permissions that a caller has on the specified resource. |