Cloud Service Mesh limitations with Envoy

This document describes limitations that apply to Cloud Service Mesh with the Google Cloud APIs, including advanced traffic management limitations. It does not apply to Cloud Service Mesh with the Istio APIs.

For information about limits, see Quotas and limits.

General limitations

The limitations of Cloud Service Mesh include the following:

  • Cloud Service Mesh with the service routing APIs only supports Google Cloud APIs.
  • You can use Cloud Service Mesh to configure the following request protocols: HTTP (HTTP/1.1 or HTTP/2), HTTPS, TCP, and gRPC.
  • When you use Envoy as the dataplane proxy, the stream_idle_timeout value defaults to 5 minutes. This is not configurable through Cloud Service Mesh.
  • When you use the TCPRoute resource to configure the TCP request protocol, you cannot use the advanced traffic management features. Advanced traffic management is only available when you configure the data plane to handle HTTP or gRPC requests.
  • Cloud Service Mesh supports VPC Network Peering with the service routing APIs.
  • Cloud Service Mesh does not support server-first protocols.
  • You cannot use Cloud Service Mesh with services running in Knative or Google Cloud Serverless Computing.
  • This document discusses Envoy proxies, but you can use any open standard API (xDS) proxy with Cloud Service Mesh. However, Google has tested Cloud Service Mesh only with the Envoy proxy.
  • To ensure that all known security vulnerabilities are mitigated, we recommend that you use the most recent Envoy version. For information about Envoy security advisories, see Envoy Security Advisories.
  • The Google Cloud console does not support hybrid connectivity network endpoint groups (NEGs). To create or delete hybrid connectivity NEGs, use the Google Cloud CLI.
  • Because your data plane handles health checks, you cannot use the Google Cloud console, API, or gcloud CLI to retrieve health check status.
  • Check iptables and ensure that it is set up correctly. For more information about how to configure iptables, see Envoy's notes about configuring HTTP filtering.

    • If you use the Google Cloud console to create virtual machine (VM) instances, some ipv6-related modules are not installed and available before a restart. As a result, iptables.sh fails due to missing dependencies. In such a case, restart the VM and rerun the run.sh script.
    • If you use the gcloud CLI to create Compute Engine VMs, you are not expected to have this problem.

Advanced traffic management limitations

The limitations of advanced traffic management include the following:

  • If the value of BackendService.sessionAffinity is not NONE, and BackendService.localityLbPolicy is set to a load-balancing policy other than MAGLEV or RING_HASH, the session affinity settings don't take effect.
  • The gcloud import command doesn't delete top-level fields of the resource, such as the backend service and the URL map. For example, if a backend service is created with settings for circuitBreakers, you can use a subsequent gcloud import command to update those settings. However, you cannot delete those settings from the backend service. You can delete and recreate the resource itself without the circuitBreakers settings.

Limitations with Service Directory

  • Service Directory and Cloud Service Mesh don't guarantee network reachability for clients.
  • A backend service can only reference one of the following:

    • Managed instance group or unmanaged instance group
    • Network endpoint group
    • Service bindings
  • Service Directory services can only be used with global backend services with load-balancing-scheme=INTERNAL_SELF_MANAGED.

  • A Service Directory service that is referenced by a service binding can be deleted. If the underlying Service Directory service to which the backend service is attached is deleted, applications that use Cloud Service Mesh cannot send traffic to this service, therefore, requests fail. See Observability and debugging for best practices.

  • When you bind a Service Directory service to a backend service, you cannot configure a health check on that backend service.

What's next