Set up cross-project references
This document applies only to Cloud Service Mesh with the Google Cloud service routing APIs. Don't use this document if you are configuring Cloud Service Mesh with the Istio APIs.
In some scenarios, the service mesh configuration includes services that are in different projects. For example, in Shared VPC or peered VPC deployments it is possible for each project owner to define their own set of services to make these services available to all other projects.
This configuration is called a cross-project configuration because multiple resources defined in different projects are combined to form a single configuration that can be served to an Envoy proxy or proxyless gRPC client.
The following instructions use the `Mesh` and `HTTPRoute` resources, but they can be applied equally to the `Gateway` resource and to the `GRPCRoute` and `TCPRoute` resources.
Configure the Mesh resource
Designate a project as the host project where you administer the `Mesh` resource. Any service account with the permissions to create, update, or delete `Mesh` resources in this project can control the routing configurations attached to `Mesh` resources in this project.
In the file `shared-mesh.yaml`, create a `Mesh` specification:

```yaml
name: shared-mesh
interceptionPort: 15001
```
Define a `Mesh` resource in this project:

```shell
gcloud network-services meshes import shared-mesh \
  --source=shared-mesh.yaml \
  --location=global
```
Write down the full URI of the `Mesh` resource, because service owners need the URI to attach their routes to this `Mesh`:

```
/projects/[HOST_PROJECT_NUMBER]/locations/global/meshes/shared-mesh
```
Grant the `networkservices.meshes.use` IAM permission for this `Mesh` to the cross-project service accounts that should be able to attach their service information to this `Mesh`:

```shell
gcloud projects add-iam-policy-binding [HOST_PROJECT_NUMBER] \
  --member='[HTTP_ROUTE_SERVICE_OWNER_ACCOUNT]' \
  --role='roles/compute.networkAdmin'
```

Note that `roles/compute.networkAdmin` includes `networkservices.meshes.use` but is considerably broader than that single permission; bind it only to the service owner accounts that actually need to attach routes.
All service owners that have the `networkservices.meshes.use` permission granted to them are able to add their routing rules to this `Mesh` resource.
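Because every principal holding that permission can change the routing served to all clients of the shared `Mesh`, host project administrators will want to audit who holds it. The following is an added example (not part of the Cloud Service Mesh documentation) that parses the JSON printed by `gcloud projects get-iam-policy [HOST_PROJECT_NUMBER] --format=json` and lists the members able to attach routes. The gcloud call itself is not made here; a constructed policy document is embedded instead. The set of roles treated as granting the permission is an assumption: `roles/compute.networkAdmin` is the role the guide binds, and the basic `roles/owner` and `roles/editor` are included so that broad grants are not overlooked.

```python
"""Audit which principals can attach routes to a shared Mesh.

Added example, not part of the Cloud Service Mesh documentation. Input is the
JSON form of a project IAM policy as printed by
    gcloud projects get-iam-policy [HOST_PROJECT_NUMBER] --format=json
"""
import json

# Roles assumed to carry networkservices.meshes.use (assumption: the guide
# binds compute.networkAdmin; owner and editor are basic roles that include it).
ROUTE_ATTACH_ROLES = {
    "roles/compute.networkAdmin",
    "roles/owner",
    "roles/editor",
}

# Members that stand for "everyone" and should never hold this capability.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (fictional accounts, not a real project).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample==",
    "bindings": [
        {"role": "roles/compute.networkAdmin",
         "members": ["serviceAccount:route-owner@service-proj-a.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:admin@example.com", "allAuthenticatedUsers"]},
        {"role": "roles/viewer",
         "members": ["user:reader@example.com"]},
    ],
})


def route_attachers(policy_json: str) -> dict:
    """Map each member that can attach routes to the roles granting it.

    Conditional bindings are reported like unconditional ones; the condition
    is not evaluated here.
    """
    policy = json.loads(policy_json)
    result = {}
    for binding in policy.get("bindings", []):
        if binding["role"] not in ROUTE_ATTACH_ROLES:
            continue
        for member in binding.get("members", []):
            result.setdefault(member, []).append(binding["role"])
    return result


def overly_broad_members(attachers: dict) -> list:
    """Return members that grant the capability to the public or a whole domain."""
    return sorted(
        m for m in attachers
        if m in PUBLIC_MEMBERS or m.startswith("domain:")
    )


if __name__ == "__main__":
    found = route_attachers(SAMPLE_POLICY)
    for member, roles in sorted(found.items()):
        print(f"{member}: {', '.join(roles)}")
    for member in overly_broad_members(found):
        print(f"WARNING: over-broad grant to {member}")
```

Run it against a real policy by piping the gcloud output into `route_attachers` instead of `SAMPLE_POLICY`; any member reported by `overly_broad_members` means that every principal in that population can rewrite routes on the shared `Mesh`.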
Set up routing in the service projects
Each service owner needs to create one or more backend service and Route resources in their project, similar to the example in the sidecar proxy configuration guide. The only difference is that each `HTTPRoute`, `GRPCRoute`, or `TCPRoute` resource must have the URI of the host project's `Mesh` resource in the `meshes` field.
Use the following to populate the `meshes` field. You can use either the project ID or the project number.

```shell
echo "name: sharedvpc-http-route
hostnames:
- helloworld-gce
meshes:
- /projects/[HOST_PROJECT_NUMBER]/locations/global/meshes/shared-mesh
rules:
- action:
    destinations:
    - serviceName: \"url/of/the/service\"" | \
gcloud network-services http-routes import sharedvpc-http-route \
  --source=- \
  --location=global
```
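A service owner who manages several routes will want to generate the spec rather than hand-edit it, and to check afterwards that every route really is attached to the host project's `Mesh` (a route whose `meshes` field is empty or points at another project's `Mesh` is silently ignored by clients of the shared mesh). The following is an added example, not part of the Cloud Service Mesh documentation: `mesh_uri` builds the URI from a project ID or number, `http_route_spec` renders the same YAML shown above for piping into `gcloud network-services http-routes import NAME --source=- --location=global`, and `routes_not_on_mesh` takes the list printed by `gcloud network-services http-routes list --format=json` and names the routes that are not attached to the expected `Mesh`. The gcloud commands are not invoked; the sample route list is constructed. The project ID and mesh name validation patterns are assumptions, and the comparison of mesh URIs is textual, so pass the expected URI in the same form (ID or number) that the routes were created with.

```python
"""Build HTTPRoute specs for a service project and verify Mesh attachment.

Added example, not part of the Cloud Service Mesh documentation.
"""
import re

# Assumed shapes: a project ID is 6-30 lowercase letters, digits or hyphens
# starting with a letter; a project number is all digits.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")
RESOURCE_NAME_RE = re.compile(r"^[a-z]([a-z0-9-]*[a-z0-9])?$")


def mesh_uri(host_project: str, mesh_name: str) -> str:
    """Return the Mesh URI that goes into a route's `meshes` field."""
    if not (PROJECT_ID_RE.match(host_project) or PROJECT_NUMBER_RE.match(host_project)):
        raise ValueError(f"not a project ID or number: {host_project!r}")
    if not RESOURCE_NAME_RE.match(mesh_name):
        raise ValueError(f"invalid mesh name: {mesh_name!r}")
    return f"/projects/{host_project}/locations/global/meshes/{mesh_name}"


def http_route_spec(name: str, hostnames: list, mesh: str, service_uri: str) -> str:
    """Render the HTTPRoute spec in the layout the guide's echo command uses."""
    if not RESOURCE_NAME_RE.match(name):
        raise ValueError(f"invalid route name: {name!r}")
    lines = [f"name: {name}", "hostnames:"]
    lines += [f"- {h}" for h in hostnames]
    lines += ["meshes:", f"- {mesh}", "rules:", "- action:", "    destinations:",
              f'    - serviceName: "{service_uri}"']
    return "\n".join(lines) + "\n"


def _normalize(uri: str) -> str:
    # The import file uses a leading slash; the API returns names without it.
    return uri.lstrip("/")


def routes_not_on_mesh(routes: list, expected_mesh: str) -> list:
    """Return the names of routes whose `meshes` field lacks the expected Mesh."""
    expected = _normalize(expected_mesh)
    missing = []
    for route in routes:
        attached = {_normalize(m) for m in route.get("meshes", [])}
        if expected not in attached:
            missing.append(route["name"])
    return missing


# Constructed sample of `gcloud network-services http-routes list --format=json`.
SAMPLE_ROUTES = [
    {"name": "projects/service-proj-a/locations/global/httpRoutes/sharedvpc-http-route",
     "meshes": ["projects/123456789012/locations/global/meshes/shared-mesh"]},
    {"name": "projects/service-proj-b/locations/global/httpRoutes/orphan-route",
     "meshes": []},
]


if __name__ == "__main__":
    uri = mesh_uri("123456789012", "shared-mesh")
    print(http_route_spec("sharedvpc-http-route", ["helloworld-gce"], uri,
                          "url/of/the/service"))
    for name in routes_not_on_mesh(SAMPLE_ROUTES, uri):
        print(f"not attached to shared mesh: {name}")
```

The output of `http_route_spec` can be piped directly into the `gcloud ... import` command; running `routes_not_on_mesh` over each service project's route list is a quick way to find routes that were imported without the host project's `Mesh` URI.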
Create the client services in the service projects
When you configure a Cloud Service Mesh client that is located in a service project, the bootstrap configuration must specify the project number where the `Mesh` resource is located and the `Mesh` name. This requirement applies to both Envoy proxy and proxyless gRPC deployments.
With Envoy deployments, use the `project-number` key of the `--service-proxy` option.
What's next
- For information about listing route resources associated with a `Mesh` or `Gateway` resource, see List Route resources. This feature is in Preview.