Traffic Director limitations with Envoy
This document describes limitations that apply to Traffic Director, including advanced traffic management limitations. For information about limits, see Quotas and limits.
General limitations
The limitations of Traffic Director include the following:
- Traffic Director only supports Google Cloud APIs. Traffic Director does not support Istio APIs.
- You can use Traffic Director to configure the following request protocols: HTTP (HTTP/1.1 or HTTP/2), HTTPS, TCP, and gRPC.
- When you use Envoy as the data plane proxy, the `stream_idle_timeout` value defaults to 5 minutes. This is not configurable through Traffic Director.
- When you use the target TCP proxy resource to configure the TCP request protocol, you cannot use the advanced traffic management features. Advanced traffic management is only available when you configure the data plane to handle HTTP or gRPC requests.
Traffic Director supports Shared VPC. Note the following:
- With the load balancing APIs, a forwarding rule and its associated target proxy, URL map, backend service, and backend must be in a single project, which can be a host or service project. If you have multiple service projects, each service project can have its own set of these resources.
- With the load balancing APIs, by default, a forwarding rule that references a Shared VPC network is advertised to all Envoy proxies in the host and service projects attached to the host project, as long as these proxies specify the Shared VPC network in their `bootstrap/sidecar.env` files. To tailor this behavior, use config filtering.
- Traffic Director can be accessed only by the service accounts of projects that have at least one forwarding rule with the load-balancing scheme `INTERNAL_SELF_MANAGED` associated with the Shared VPC network.
Traffic Director supports VPC Network Peering with the service routing APIs, but not with the load balancing APIs.
Traffic Director does not support server-first protocols.
You cannot use Traffic Director with services running in Knative or Google Cloud Serverless Computing.
This document discusses Envoy proxies, but you can use any open standard API (xDS) proxy with Traffic Director. However, Google has tested Traffic Director only with the Envoy proxy.
To work with Traffic Director, use Envoy version 1.9.1 or later.
To use regular expressions, use Envoy version 1.12.0 or later. Envoy versions earlier than 1.12.0 do not support regular expressions.
To ensure that all known security vulnerabilities are mitigated, we recommend that you use the most recent Envoy version. For information about Envoy security advisories, see Envoy Security Advisories.
The Google Cloud console does not support hybrid connectivity network endpoint groups (NEGs). To create or delete hybrid connectivity NEGs, use the Google Cloud CLI.
Because your data plane handles health checks, you cannot use the Google Cloud console, API, or gcloud CLI to retrieve health check status.
- Check `iptables` and ensure that it is set up correctly. For more information about how to configure `iptables`, see Envoy's notes about configuring HTTP filtering.
- If you use the Google Cloud console to create virtual machine (VM) instances, some `ipv6`-related modules are not installed and available before a restart. As a result, `iptables.sh` fails due to missing dependencies. In such a case, restart the VM and rerun the `run.sh` script.
- If you use the gcloud CLI to create Compute Engine VMs, you are not expected to have this problem.
Advanced traffic management limitations
The limitations of advanced traffic management include the following:
- If the value of `BackendService.sessionAffinity` is not `NONE`, and `BackendService.localityLbPolicy` is set to a load-balancing policy other than `MAGLEV` or `RING_HASH`, the session affinity settings do not take effect.
- The `gcloud import` command doesn't delete top-level fields of a resource such as the backend service or the URL map. For example, if a backend service is created with settings for `circuitBreakers`, you can use a subsequent `gcloud import` command to update those settings. However, you cannot delete those settings from the backend service. You can delete and recreate the resource itself without the `circuitBreakers` settings.
- Import for forwarding rules doesn't work properly; you can't re-import an exported YAML file. The workaround is to export the configuration file, make changes, delete the forwarding rule, and import the configuration file.
Limitations with Service Directory
- Service Directory and Traffic Director do not guarantee network reachability for clients.
A backend service can only reference one of the following:
- Managed instance group or unmanaged instance group
- Network endpoint group
- Service bindings
Service Directory services can only be used with global backend services with `load-balancing-scheme=INTERNAL_SELF_MANAGED`.
A Service Directory service that is referenced by a service binding can be deleted. If the underlying Service Directory service to which the backend service is attached is deleted, applications that use Traffic Director cannot send traffic to that service, so requests fail. See Observability and debugging for best practices.
Health checks
When you bind a Service Directory service to a backend service, you cannot configure a health check on the backend service.
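As an added example that is not part of this page or of Google's tooling, the following Python script lints the top-level fields of an exported backend service (the YAML written by `gcloud compute backend-services export`) for the session affinity limitation listed under advanced traffic management and for the Service Directory limitations above (a single backend type, `INTERNAL_SELF_MANAGED` only, and no health check alongside a service binding). The sample export, project and resource names are constructed; the field names are the BackendService API fields.

```python
"""Lint an exported Traffic Director backend service against the limitations
above. Added example, not Google's code; field names are BackendService API fields."""

# Constructed sample of the top-level fields that
# `gcloud compute backend-services export` writes; PyYAML is avoided on purpose.
SAMPLE_EXPORT = """\
name: td-backend-service
loadBalancingScheme: INTERNAL_SELF_MANAGED
protocol: HTTP
sessionAffinity: CLIENT_IP
localityLbPolicy: ROUND_ROBIN
serviceBindings:
- projects/my-project/locations/global/serviceBindings/sd-binding
healthChecks:
- projects/my-project/global/healthChecks/http-hc
"""

HASH_POLICIES = {"MAGLEV", "RING_HASH"}  # only these honor sessionAffinity

def parse_export(text):
    """Minimal parser for flat top-level keys and simple '- item' lists."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith("- ") and current is not None:
            fields.setdefault(current, []).append(line[2:].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            current = key.strip()
            fields[current] = value.strip() if value.strip() else []
    return fields

def lint_backend_service(fields):
    """Return the limitation findings for one backend service (API defaults
    assumed when a field is absent: sessionAffinity NONE, ROUND_ROBIN)."""
    findings = []
    affinity = fields.get("sessionAffinity", "NONE")
    policy = fields.get("localityLbPolicy", "ROUND_ROBIN")
    if affinity != "NONE" and policy not in HASH_POLICIES:
        findings.append(f"sessionAffinity={affinity} is ignored with "
                        f"localityLbPolicy={policy}; use MAGLEV or RING_HASH")
    if fields.get("serviceBindings"):  # Service Directory-backed service
        if fields.get("healthChecks"):
            findings.append("healthChecks cannot be set when serviceBindings is set")
        if fields.get("backends"):
            findings.append("serviceBindings cannot be combined with backends")
        if fields.get("loadBalancingScheme") != "INTERNAL_SELF_MANAGED":
            findings.append("serviceBindings require INTERNAL_SELF_MANAGED")
    return findings
```

Run `lint_backend_service(parse_export(SAMPLE_EXPORT))` to see the two findings the constructed sample triggers; feed it your own export to check a real backend service before importing it.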
What's next
- To learn about limitations that apply to Traffic Director with proxyless gRPC applications, see Proxyless gRPC limitations.
- To learn more about Traffic Director, see the Traffic Director overview.