All existing forwarding rule, backend service, and other load balancing limits and quotas per project apply to Traffic Director deployments.
- Traffic Director only supports Google Cloud APIs. Traffic Director does not support Istio APIs.
- The following request protocols can be configured with Traffic Director: HTTP (HTTP/1.1 or HTTP/2), TCP, and gRPC.
- When you configure the TCP request protocol, using the target TCP proxy resource, you cannot use the advanced traffic management features. Advanced traffic management is only available when you configure the data plane to handle HTTP or gRPC requests.
- Traffic Director supports Shared VPC. Note
- A forwarding rule, and its associated target proxy, URL map, backend service(s), and backend(s) must be in a single project, which can be a host or service project. If you have multiple service projects, each service project can have its own set of these resources.
- By default, a forwarding rule that references a Shared VPC network
is advertised to all Envoy proxies in the host and service projects attached
to the host project so long as these proxies specify the Shared VPC
network in their bootstrap/
sidecar.envfiles. You can tailor this behavior using config filtering.
- Traffic Director can be accessed only by the service accounts of
projects that have at least one forwarding rule with the load balancing
INTERNAL_SELF_MANAGEDassociated with the Shared VPC network.
- Traffic Director does not support VPC Network Peering.
- You cannot use Traffic Director with services running in Knative or Google Cloud Serverless Computing.
- This document discusses Envoy proxies, but you can use any open standard API (xDS) proxy with Traffic Director. However, note that Google has tested Traffic Director only with the Envoy proxy.
- Envoy must be version 1.9.1 or later to work with Traffic Director.
- Regex is not supported with Envoy versions earlier than 1.12.0. To use regex, you must use version 1.12.0 or later.
- We strongly recommend using the most recent Envoy version to ensure that all known security vulnerabilities are mitigated.
- For information on Envoy security advisories, read Envoy Security Advisories.
- Hybrid connectivity network endpoint groups are not supported in the
Google Cloud Console. To create or delete hybrid connectivity NEGs, you must use
- Because your data plane handles health checks, you cannot retrieve the health
check status using the Google Cloud Console, API or
iptablesand ensure it is set up correctly. For more information about how to configure
iptables, see Envoy's notes on configuring HTTP filtering.
- If you create VM instances using the Google Cloud Console, some ipv6 related
modules are not installed and available before a restart. This will
iptables.shto fail due to missing dependencies. In such a case, restart the VM and re-run the run.sh script. Compute Engine VMs created using the
gcloudcommand-line tool are not expected to have this problem.
- If you create VM instances using the Google Cloud Console, some ipv6 related modules are not installed and available before a restart. This will cause
Advanced traffic management imitations
- If the value of
BackendService.sessionAffinityis not NONE, and
BackendService.localityLbPolicyis set to a load balancing policy other than
RING_HASH, the session affinity settings will not take effect.
gcloud importcommand doesn't delete top-level fields of the resource, such as the backend service and the URL map. For example, if a backend service is created with settings for
circuitBreakers, those settings can be updated via a subsequent
gcloud importcommand. However, those settings cannot be deleted from the backend service. The resource itself can be deleted and recreated without the
- Import for forwarding rules doesn't work properly. An exported YAML file can't be re-imported. The workaround is to export the config file, make changes, delete the forwarding rule, and import the configuration file.