This product is not supported for your selected
Datadog site. (
).
gcp_networkmanagement_connectivity_test
ancestors
Type: UNORDERED_LIST_STRING
bypass_firewall_checks
Type: BOOLEAN
Provider name: bypassFirewallChecks
Description: Whether the analysis should skip firewall checking. Default value is false.
create_time
Type: TIMESTAMP
Provider name: createTime
Description: Output only. The time the test was created.
description
Type: STRING
Provider name: description
Description: The user-supplied description of the Connectivity Test. Maximum of 512 characters.
destination
Type: STRUCT
Provider name: destination
Description: Required. Destination specification of the Connectivity Test. You can use a combination of destination IP address, URI of a supported endpoint, project ID, or VPC network to identify the destination location. Reachability analysis proceeds even if the destination location is ambiguous. However, the test result might include endpoints or use a destination that you don’t intend to test.
app_engine_version
Type: STRUCT
Provider name: appEngineVersion
Description: An App Engine service version. Applicable only to source endpoint.
cloud_function
Type: STRUCT
Provider name: cloudFunction
Description: A Cloud Function. Applicable only to source endpoint.
cloud_run_revision
Type: STRUCT
Provider name: cloudRunRevision
Description: A Cloud Run revision Applicable only to source endpoint.
service_uri
Type: STRING
Provider name: serviceUri
Description: Output only. The URI of the Cloud Run service that the revision belongs to. The format is: projects/{project}/locations/{location}/services/{service}
uri
Type: STRING
Provider name: uri
Description: A Cloud Run revision URI. The format is: projects/{project}/locations/{location}/revisions/{revision}
cloud_sql_instance
Type: STRING
Provider name: cloudSqlInstance
Description: A Cloud SQL instance URI.
forwarding_rule
Type: STRING
Provider name: forwardingRule
Description: A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer. Forwarding rules are also used for protocol forwarding, Private Service Connect and other network services to provide forwarding information in the control plane. Applicable only to destination endpoint. Format: projects/{project}/global/forwardingRules/{id} or projects/{project}/regions/{region}/forwardingRules/{id}
forwarding_rule_target
Type: STRING
Provider name: forwardingRuleTarget
Description: Output only. Specifies the type of the target of the forwarding rule.
Possible values:
FORWARDING_RULE_TARGET_UNSPECIFIED - Forwarding rule target is unknown.
INSTANCE - Compute Engine instance for protocol forwarding.
LOAD_BALANCER - Load Balancer. The specific type can be found from load_balancer_type.
VPN_GATEWAY - Classic Cloud VPN Gateway.
PSC - Forwarding Rule is a Private Service Connect endpoint.
fqdn
Type: STRING
Provider name: fqdn
Description: DNS endpoint of Google Kubernetes Engine cluster control plane. Requires gke_master_cluster to be set, can’t be used simultaneoulsly with ip_address or network. Applicable only to destination endpoint.
gke_master_cluster
Type: STRING
Provider name: gkeMasterCluster
Description: A cluster URI for Google Kubernetes Engine cluster control plane.
instance
Type: STRING
Provider name: instance
Description: A Compute Engine instance URI.
ip_address
Type: STRING
Provider name: ipAddress
Description: The IP address of the endpoint, which can be an external or internal IP.
load_balancer_id
Type: STRING
Provider name: loadBalancerId
Description: Output only. ID of the load balancer the forwarding rule points to. Empty for forwarding rules not related to load balancers.
load_balancer_type
Type: STRING
Provider name: loadBalancerType
Description: Output only. Type of the load balancer the forwarding rule points to.
Possible values:
LOAD_BALANCER_TYPE_UNSPECIFIED - Forwarding rule points to a different target than a load balancer or a load balancer type is unknown.
HTTPS_ADVANCED_LOAD_BALANCER - Global external HTTP(S) load balancer.
HTTPS_LOAD_BALANCER - Global external HTTP(S) load balancer (classic)
REGIONAL_HTTPS_LOAD_BALANCER - Regional external HTTP(S) load balancer.
INTERNAL_HTTPS_LOAD_BALANCER - Internal HTTP(S) load balancer.
SSL_PROXY_LOAD_BALANCER - External SSL proxy load balancer.
TCP_PROXY_LOAD_BALANCER - External TCP proxy load balancer.
INTERNAL_TCP_PROXY_LOAD_BALANCER - Internal regional TCP proxy load balancer.
NETWORK_LOAD_BALANCER - External TCP/UDP Network load balancer.
LEGACY_NETWORK_LOAD_BALANCER - Target-pool based external TCP/UDP Network load balancer.
TCP_UDP_INTERNAL_LOAD_BALANCER - Internal TCP/UDP load balancer.
network
Type: STRING
Provider name: network
Description: A VPC network URI.
network_type
Type: STRING
Provider name: networkType
Description: Type of the network where the endpoint is located. Applicable only to source endpoint, as destination network type can be inferred from the source.
Possible values:
NETWORK_TYPE_UNSPECIFIED - Default type if unspecified.
GCP_NETWORK - A network hosted within Google Cloud. To receive more detailed output, specify the URI for the source or destination network.
NON_GCP_NETWORK - A network hosted outside of Google Cloud. This can be an on-premises network, an internet resource or a network hosted by another cloud provider.
port
Type: INT32
Provider name: port
Description: The IP protocol port of the endpoint. Only applicable when protocol is TCP or UDP.
project_id
Type: STRING
Provider name: projectId
Description: Project ID where the endpoint is located. The project ID can be derived from the URI if you provide a endpoint or network URI. The following are two cases where you may need to provide the project ID: 1. Only the IP address is specified, and the IP address is within a Google Cloud project. 2. When you are using Shared VPC and the IP address that you provide is from the service project. In this case, the network that the IP address resides in is defined in the host project.
redis_cluster
Type: STRING
Provider name: redisCluster
Description: A Redis Cluster URI. Applicable only to destination endpoint.
redis_instance
Type: STRING
Provider name: redisInstance
Description: A Redis Instance URI. Applicable only to destination endpoint.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Output only. The display name of a Connectivity Test.
gcp_source
Type: STRUCT
Provider name: source
Description: Required. Source specification of the Connectivity Test. You can use a combination of source IP address, URI of a supported endpoint, project ID, or VPC network to identify the source location. Reachability analysis might proceed even if the source location is ambiguous. However, the test result might include endpoints or use a source that you don’t intend to test.
app_engine_version
Type: STRUCT
Provider name: appEngineVersion
Description: An App Engine service version. Applicable only to source endpoint.
cloud_function
Type: STRUCT
Provider name: cloudFunction
Description: A Cloud Function. Applicable only to source endpoint.
cloud_run_revision
Type: STRUCT
Provider name: cloudRunRevision
Description: A Cloud Run revision Applicable only to source endpoint.
service_uri
Type: STRING
Provider name: serviceUri
Description: Output only. The URI of the Cloud Run service that the revision belongs to. The format is: projects/{project}/locations/{location}/services/{service}
uri
Type: STRING
Provider name: uri
Description: A Cloud Run revision URI. The format is: projects/{project}/locations/{location}/revisions/{revision}
cloud_sql_instance
Type: STRING
Provider name: cloudSqlInstance
Description: A Cloud SQL instance URI.
forwarding_rule
Type: STRING
Provider name: forwardingRule
Description: A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer. Forwarding rules are also used for protocol forwarding, Private Service Connect and other network services to provide forwarding information in the control plane. Applicable only to destination endpoint. Format: projects/{project}/global/forwardingRules/{id} or projects/{project}/regions/{region}/forwardingRules/{id}
forwarding_rule_target
Type: STRING
Provider name: forwardingRuleTarget
Description: Output only. Specifies the type of the target of the forwarding rule.
Possible values:
FORWARDING_RULE_TARGET_UNSPECIFIED - Forwarding rule target is unknown.
INSTANCE - Compute Engine instance for protocol forwarding.
LOAD_BALANCER - Load Balancer. The specific type can be found from load_balancer_type.
VPN_GATEWAY - Classic Cloud VPN Gateway.
PSC - Forwarding Rule is a Private Service Connect endpoint.
fqdn
Type: STRING
Provider name: fqdn
Description: DNS endpoint of Google Kubernetes Engine cluster control plane. Requires gke_master_cluster to be set, can’t be used simultaneoulsly with ip_address or network. Applicable only to destination endpoint.
gke_master_cluster
Type: STRING
Provider name: gkeMasterCluster
Description: A cluster URI for Google Kubernetes Engine cluster control plane.
instance
Type: STRING
Provider name: instance
Description: A Compute Engine instance URI.
ip_address
Type: STRING
Provider name: ipAddress
Description: The IP address of the endpoint, which can be an external or internal IP.
load_balancer_id
Type: STRING
Provider name: loadBalancerId
Description: Output only. ID of the load balancer the forwarding rule points to. Empty for forwarding rules not related to load balancers.
load_balancer_type
Type: STRING
Provider name: loadBalancerType
Description: Output only. Type of the load balancer the forwarding rule points to.
Possible values:
LOAD_BALANCER_TYPE_UNSPECIFIED - Forwarding rule points to a different target than a load balancer or a load balancer type is unknown.
HTTPS_ADVANCED_LOAD_BALANCER - Global external HTTP(S) load balancer.
HTTPS_LOAD_BALANCER - Global external HTTP(S) load balancer (classic)
REGIONAL_HTTPS_LOAD_BALANCER - Regional external HTTP(S) load balancer.
INTERNAL_HTTPS_LOAD_BALANCER - Internal HTTP(S) load balancer.
SSL_PROXY_LOAD_BALANCER - External SSL proxy load balancer.
TCP_PROXY_LOAD_BALANCER - External TCP proxy load balancer.
INTERNAL_TCP_PROXY_LOAD_BALANCER - Internal regional TCP proxy load balancer.
NETWORK_LOAD_BALANCER - External TCP/UDP Network load balancer.
LEGACY_NETWORK_LOAD_BALANCER - Target-pool based external TCP/UDP Network load balancer.
TCP_UDP_INTERNAL_LOAD_BALANCER - Internal TCP/UDP load balancer.
network
Type: STRING
Provider name: network
Description: A VPC network URI.
network_type
Type: STRING
Provider name: networkType
Description: Type of the network where the endpoint is located. Applicable only to source endpoint, as destination network type can be inferred from the source.
Possible values:
NETWORK_TYPE_UNSPECIFIED - Default type if unspecified.
GCP_NETWORK - A network hosted within Google Cloud. To receive more detailed output, specify the URI for the source or destination network.
NON_GCP_NETWORK - A network hosted outside of Google Cloud. This can be an on-premises network, an internet resource or a network hosted by another cloud provider.
port
Type: INT32
Provider name: port
Description: The IP protocol port of the endpoint. Only applicable when protocol is TCP or UDP.
project_id
Type: STRING
Provider name: projectId
Description: Project ID where the endpoint is located. The project ID can be derived from the URI if you provide a endpoint or network URI. The following are two cases where you may need to provide the project ID: 1. Only the IP address is specified, and the IP address is within a Google Cloud project. 2. When you are using Shared VPC and the IP address that you provide is from the service project. In this case, the network that the IP address resides in is defined in the host project.
redis_cluster
Type: STRING
Provider name: redisCluster
Description: A Redis Cluster URI. Applicable only to destination endpoint.
redis_instance
Type: STRING
Provider name: redisInstance
Description: A Redis Instance URI. Applicable only to destination endpoint.
labels
Type: UNORDERED_LIST_STRING
name
Type: STRING
Provider name: name
Description: Identifier. Unique name of the resource using the form: projects/{project_id}/locations/global/connectivityTests/{test_id}
organization_id
Type: STRING
parent
Type: STRING
probing_details
Type: STRUCT
Provider name: probingDetails
Description: Output only. The probing details of this test from the latest run, present for applicable tests only. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.
abort_cause
Type: STRING
Provider name: abortCause
Description: The reason probing was aborted.
Possible values:
PROBING_ABORT_CAUSE_UNSPECIFIED - No reason was specified.
PERMISSION_DENIED - The user lacks permission to access some of the network resources required to run the test.
NO_SOURCE_LOCATION - No valid source endpoint could be derived from the request.
destination_egress_location
Type: STRUCT
Provider name: destinationEgressLocation
Description: The EdgeLocation from which a packet, destined to the internet, will egress the Google network. This will only be populated for a connectivity test which has an internet destination address. The absence of this field must not be used as an indication that the destination is part of the Google network.
metropolitan_area
Type: STRING
Provider name: metropolitanArea
Description: Name of the metropolitan area.
edge_responses
Type: UNORDERED_LIST_STRUCT
Provider name: edgeResponses
Description: Probing results for all edge devices.
destination_egress_location
Type: STRUCT
Provider name: destinationEgressLocation
Description: The EdgeLocation from which a packet, destined to the internet, will egress the Google network. This will only be populated for a connectivity test which has an internet destination address. The absence of this field must not be used as an indication that the destination is part of the Google network.
metropolitan_area
Type: STRING
Provider name: metropolitanArea
Description: Name of the metropolitan area.
destination_router
Type: STRING
Provider name: destinationRouter
Description: Router name in the format ‘{router}.{metroshard}’. For example: pf01.aaa01, pr02.aaa01.
probing_latency
Type: STRUCT
Provider name: probingLatency
Description: Latency as measured by active probing in one direction: from the source to the destination endpoint.
latency_percentiles
Type: UNORDERED_LIST_STRUCT
Provider name: latencyPercentiles
Description: Representative latency percentiles.
latency_micros
Type: INT64
Provider name: latencyMicros
Description: percent-th percentile of latency observed, in microseconds. Fraction of percent/100 of samples have latency lower or equal to the value of this field.
percent
Type: INT32
Provider name: percent
Description: Percentage of samples this data point applies to.
result
Type: STRING
Provider name: result
Description: The overall result of active probing for this egress device.
Possible values:
PROBING_RESULT_UNSPECIFIED - No result was specified.
REACHABLE - At least 95% of packets reached the destination.
UNREACHABLE - No packets reached the destination.
REACHABILITY_INCONSISTENT - Less than 95% of packets reached the destination.
UNDETERMINED - Reachability could not be determined. Possible reasons are: * The user lacks permission to access some of the network resources required to run the test. * No valid source endpoint could be derived from the request. * An internal error occurred.
sent_probe_count
Type: INT32
Provider name: sentProbeCount
Description: Number of probes sent.
successful_probe_count
Type: INT32
Provider name: successfulProbeCount
Description: Number of probes that reached the destination.
endpoint_info
Type: STRUCT
Provider name: endpointInfo
Description: The source and destination endpoints derived from the test input and used for active probing.
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address.
destination_network_uri
Type: STRING
Provider name: destinationNetworkUri
Description: URI of the network where this packet is sent to.
destination_port
Type: INT32
Provider name: destinationPort
Description: Destination port. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
source_agent_uri
Type: STRING
Provider name: sourceAgentUri
Description: URI of the source telemetry agent this packet originates from.
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
source_network_uri
Type: STRING
Provider name: sourceNetworkUri
Description: URI of the network where this packet originates from.
source_port
Type: INT32
Provider name: sourcePort
Description: Source port. Only valid when protocol is TCP or UDP.
error
Type: STRUCT
Provider name: error
Description: Details about an internal failure or the cancellation of active probing.
code
Type: INT32
Provider name: code
Description: The status code, which should be an enum value of google.rpc.Code.
message
Type: STRING
Provider name: message
Description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
probed_all_devices
Type: BOOLEAN
Provider name: probedAllDevices
Description: Whether all relevant edge devices were probed.
probing_latency
Type: STRUCT
Provider name: probingLatency
Description: Latency as measured by active probing in one direction: from the source to the destination endpoint.
latency_percentiles
Type: UNORDERED_LIST_STRUCT
Provider name: latencyPercentiles
Description: Representative latency percentiles.
latency_micros
Type: INT64
Provider name: latencyMicros
Description: percent-th percentile of latency observed, in microseconds. Fraction of percent/100 of samples have latency lower or equal to the value of this field.
percent
Type: INT32
Provider name: percent
Description: Percentage of samples this data point applies to.
result
Type: STRING
Provider name: result
Description: The overall result of active probing.
Possible values:
PROBING_RESULT_UNSPECIFIED - No result was specified.
REACHABLE - At least 95% of packets reached the destination.
UNREACHABLE - No packets reached the destination.
REACHABILITY_INCONSISTENT - Less than 95% of packets reached the destination.
UNDETERMINED - Reachability could not be determined. Possible reasons are: * The user lacks permission to access some of the network resources required to run the test. * No valid source endpoint could be derived from the request. * An internal error occurred.
sent_probe_count
Type: INT32
Provider name: sentProbeCount
Description: Number of probes sent.
successful_probe_count
Type: INT32
Provider name: successfulProbeCount
Description: Number of probes that reached the destination.
verify_time
Type: TIMESTAMP
Provider name: verifyTime
Description: The time that reachability was assessed through active probing.
project_id
Type: STRING
project_number
Type: STRING
protocol
Type: STRING
Provider name: protocol
Description: IP Protocol of the test. When not provided, “TCP” is assumed.
reachability_details
Type: STRUCT
Provider name: reachabilityDetails
Description: Output only. The reachability details of this test from the latest run. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.
error
Type: STRUCT
Provider name: error
Description: The details of a failure or a cancellation of reachability analysis.
code
Type: INT32
Provider name: code
Description: The status code, which should be an enum value of google.rpc.Code.
message
Type: STRING
Provider name: message
Description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
result
Type: STRING
Provider name: result
Description: The overall result of the test’s configuration analysis.
Possible values:
RESULT_UNSPECIFIED - No result was specified.
REACHABLE - Possible scenarios are: * The configuration analysis determined that a packet originating from the source is expected to reach the destination. * The analysis didn’t complete because the user lacks permission for some of the resources in the trace. However, at the time the user’s permission became insufficient, the trace had been successful so far.
UNREACHABLE - A packet originating from the source is expected to be dropped before reaching the destination.
AMBIGUOUS - The source and destination endpoints do not uniquely identify the test location in the network, and the reachability result contains multiple traces. For some traces, a packet could be delivered, and for others, it would not be. This result is also assigned to configuration analysis of return path if on its own it should be REACHABLE, but configuration analysis of forward path is AMBIGUOUS.
UNDETERMINED - The configuration analysis did not complete. Possible reasons are: * A permissions error occurred–for example, the user might not have read permission for all of the resources named in the test. * An internal error occurred. * The analyzer received an invalid or unsupported argument or was unable to identify a known endpoint.
traces
Type: UNORDERED_LIST_STRUCT
Provider name: traces
Description: Result may contain a list of traces if a test has multiple possible paths in the network, such as when destination endpoint is a load balancer with multiple backends.
endpoint_info
Type: STRUCT
Provider name: endpointInfo
Description: Derived from the source and destination endpoints definition specified by user request, and validated by the data plane model. If there are multiple traces starting from different source locations, then the endpoint_info may be different between traces.
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address.
destination_network_uri
Type: STRING
Provider name: destinationNetworkUri
Description: URI of the network where this packet is sent to.
destination_port
Type: INT32
Provider name: destinationPort
Description: Destination port. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
source_agent_uri
Type: STRING
Provider name: sourceAgentUri
Description: URI of the source telemetry agent this packet originates from.
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
source_network_uri
Type: STRING
Provider name: sourceNetworkUri
Description: URI of the network where this packet originates from.
source_port
Type: INT32
Provider name: sourcePort
Description: Source port. Only valid when protocol is TCP or UDP.
forward_trace_id
Type: INT32
Provider name: forwardTraceId
Description: ID of trace. For forward traces, this ID is unique for each trace. For return traces, it matches ID of associated forward trace. A single forward trace can be associated with none, one or more than one return trace.
steps
Type: UNORDERED_LIST_STRUCT
Provider name: steps
Description: A trace of a test contains multiple steps from the initial state to the final state (delivered, dropped, forwarded, or aborted). The steps are ordered by the processing sequence within the simulated network state machine. It is critical to preserve the order of the steps and avoid reordering or sorting them.
abort
Type: STRUCT
Provider name: abort
Description: Display information of the final state “abort” and reason.
cause
Type: STRING
Provider name: cause
Description: Causes that the analysis is aborted.
Possible values:
CAUSE_UNSPECIFIED - Cause is unspecified.
UNKNOWN_NETWORK - Aborted due to unknown network. Deprecated, not used in the new tests.
UNKNOWN_PROJECT - Aborted because no project information can be derived from the test input. Deprecated, not used in the new tests.
NO_EXTERNAL_IP - Aborted because traffic is sent from a public IP to an instance without an external IP. Deprecated, not used in the new tests.
UNINTENDED_DESTINATION - Aborted because none of the traces matches destination information specified in the input test request. Deprecated, not used in the new tests.
SOURCE_ENDPOINT_NOT_FOUND - Aborted because the source endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_SOURCE_NETWORK - Aborted because the source network does not match the source endpoint. Deprecated, not used in the new tests.
DESTINATION_ENDPOINT_NOT_FOUND - Aborted because the destination endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_DESTINATION_NETWORK - Aborted because the destination network does not match the destination endpoint. Deprecated, not used in the new tests.
UNKNOWN_IP - Aborted because no endpoint with the packet’s destination IP address is found.
GOOGLE_MANAGED_SERVICE_UNKNOWN_IP - Aborted because no endpoint with the packet’s destination IP is found in the Google-managed project.
SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK - Aborted because the source IP address doesn’t belong to any of the subnets of the source VPC network.
PERMISSION_DENIED - Aborted because user lacks permission to access all or part of the network configurations required to run the test.
PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS - Aborted because user lacks permission to access Cloud NAT configs required to run the test.
PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS - Aborted because user lacks permission to access Network endpoint group endpoint configs required to run the test.
PERMISSION_DENIED_NO_CLOUD_ROUTER_CONFIGS - Aborted because user lacks permission to access Cloud Router configs required to run the test.
NO_SOURCE_LOCATION - Aborted because no valid source or destination endpoint is derived from the input test request.
INVALID_ARGUMENT - Aborted because the source or destination endpoint specified in the request is invalid. Some examples: - The request might contain malformed resource URI, project ID, or IP address. - The request might contain inconsistent information (for example, the request might include both the instance and the network, but the instance might not have a NIC in that network).
TRACE_TOO_LONG - Aborted because the number of steps in the trace exceeds a certain limit. It might be caused by a routing loop.
INTERNAL_ERROR - Aborted due to internal server error.
UNSUPPORTED - Aborted because the test scenario is not supported.
MISMATCHED_IP_VERSION - Aborted because the source and destination resources have no common IP version.
GKE_KONNECTIVITY_PROXY_UNSUPPORTED - Aborted because the connection between the control plane and the node of the source cluster is initiated by the node and managed by the Konnectivity proxy.
RESOURCE_CONFIG_NOT_FOUND - Aborted because expected resource configuration was missing.
VM_INSTANCE_CONFIG_NOT_FOUND - Aborted because expected VM instance configuration was missing.
NETWORK_CONFIG_NOT_FOUND - Aborted because expected network configuration was missing.
FIREWALL_CONFIG_NOT_FOUND - Aborted because expected firewall configuration was missing.
ROUTE_CONFIG_NOT_FOUND - Aborted because expected route configuration was missing.
GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT - Aborted because PSC endpoint selection for the Google-managed service is ambiguous (several PSC endpoints satisfy test input).
GOOGLE_MANAGED_SERVICE_AMBIGUOUS_ENDPOINT - Aborted because endpoint selection for the Google-managed service is ambiguous (several endpoints satisfy test input).
SOURCE_PSC_CLOUD_SQL_UNSUPPORTED - Aborted because tests with a PSC-based Cloud SQL instance as a source are not supported.
SOURCE_REDIS_CLUSTER_UNSUPPORTED - Aborted because tests with a Redis Cluster as a source are not supported.
SOURCE_REDIS_INSTANCE_UNSUPPORTED - Aborted because tests with a Redis Instance as a source are not supported.
SOURCE_FORWARDING_RULE_UNSUPPORTED - Aborted because tests with a forwarding rule as a source are not supported.
NON_ROUTABLE_IP_ADDRESS - Aborted because one of the endpoints is a non-routable IP address (loopback, link-local, etc).
UNKNOWN_ISSUE_IN_GOOGLE_MANAGED_PROJECT - Aborted due to an unknown issue in the Google-managed project.
UNSUPPORTED_GOOGLE_MANAGED_PROJECT_CONFIG - Aborted due to an unsupported configuration of the Google-managed project.
NO_SERVERLESS_IP_RANGES - Aborted because the source endpoint is a Cloud Run revision with direct VPC access enabled, but there are no reserved serverless IP ranges.
IP_VERSION_PROTOCOL_MISMATCH - Aborted because the used protocol is not supported for the used IP version.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address that caused the abort.
projects_missing_permission
Type: UNORDERED_LIST_STRING
Provider name: projectsMissingPermission
Description: List of project IDs the user specified in the request but lacks access to. In this case, analysis is aborted with the PERMISSION_DENIED cause.
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that caused the abort.
app_engine_version
Type: STRUCT
Provider name: appEngineVersion
Description: Display information of an App Engine service version.
environment
Type: STRING
Provider name: environment
Description: App Engine execution environment for a version.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of an App Engine version.
runtime
Type: STRING
Provider name: runtime
Description: Runtime of the App Engine version.
uri
Type: STRING
Provider name: uri
Description: URI of an App Engine version.
causes_drop
Type: BOOLEAN
Provider name: causesDrop
Description: This is a step that leads to the final state Drop.
cloud_function
Type: STRUCT
Provider name: cloudFunction
Description: Display information of a Cloud Function.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Function.
location
Type: STRING
Provider name: location
Description: Location in which the Cloud Function is deployed.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Function.
version_id
Type: INT64
Provider name: versionId
Description: Latest successfully deployed version id of the Cloud Function.
cloud_run_revision
Type: STRUCT
Provider name: cloudRunRevision
Description: Display information of a Cloud Run revision.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Run revision.
location
Type: STRING
Provider name: location
Description: Location in which this revision is deployed.
service_uri
Type: STRING
Provider name: serviceUri
Description: URI of Cloud Run service this revision belongs to.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Run revision.
cloud_sql_instance
Type: STRUCT
Provider name: cloudSqlInstance
Description: Display information of a Cloud SQL instance.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of a Cloud SQL instance.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud SQL instance.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of a Cloud SQL instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Cloud SQL instance network or empty string if the instance does not have one.
region
Type: STRING
Provider name: region
Description: Region in which the Cloud SQL instance is running.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud SQL instance.
deliver
Type: STRUCT
Provider name: deliver
Description: Display information of the final state “deliver” and reason.
google_service_type
Type: STRING
Provider name: googleServiceType
Description: Recognized type of a Google Service the packet is delivered to (if applicable).
Possible values:
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the target (if applicable).
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target the packet is delivered to (if applicable).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that the packet is delivered to.
storage_bucket
Type: STRING
Provider name: storageBucket
Description: Name of the Cloud Storage Bucket the packet is delivered to (if applicable).
target
Type: STRING
Provider name: target
Description: Target type where the packet is delivered to.
Possible values:
TARGET_UNSPECIFIED - Target not specified.
INSTANCE - Target is a Compute Engine instance.
INTERNET - Target is the internet.
GOOGLE_API - Target is a Google API.
GKE_MASTER - Target is a Google Kubernetes Engine cluster master.
CLOUD_SQL_INSTANCE - Target is a Cloud SQL instance.
PSC_PUBLISHED_SERVICE - Target is a published service that uses Private Service Connect.
PSC_GOOGLE_API - Target is Google APIs that use Private Service Connect.
PSC_VPC_SC - Target is a VPC-SC that uses Private Service Connect.
SERVERLESS_NEG - Target is a serverless network endpoint group.
STORAGE_BUCKET - Target is a Cloud Storage bucket.
PRIVATE_NETWORK - Target is a private network. Used only for return traces.
CLOUD_FUNCTION - Target is a Cloud Function. Used only for return traces.
APP_ENGINE_VERSION - Target is a App Engine service version. Used only for return traces.
CLOUD_RUN_REVISION - Target is a Cloud Run revision. Used only for return traces.
GOOGLE_MANAGED_SERVICE - Target is a Google-managed service. Used only for return traces.
REDIS_INSTANCE - Target is a Redis Instance.
REDIS_CLUSTER - Target is a Redis Cluster.
description
Type: STRING
Provider name: description
Description: A description of the step. Usually this is a summary of the state.
direct_vpc_egress_connection
Type: STRUCT
Provider name: directVpcEgressConnection
Description: Display information of a serverless direct VPC egress connection.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of direct access network.
region
Type: STRING
Provider name: region
Description: Region in which the Direct VPC egress is deployed.
selected_ip_address
Type: STRING
Provider name: selectedIpAddress
Description: Selected starting IP address, from the selected IP range.
selected_ip_range
Type: STRING
Provider name: selectedIpRange
Description: Selected IP range.
subnetwork_uri
Type: STRING
Provider name: subnetworkUri
Description: URI of direct access subnetwork.
drop
Type: STRUCT
Provider name: drop
Description: Display information of the final state “drop” and reason.
cause
Type: STRING
Provider name: cause
Description: Cause that the packet is dropped.
Possible values:
CAUSE_UNSPECIFIED - Cause is unspecified.
UNKNOWN_EXTERNAL_ADDRESS - Destination external address cannot be resolved to a known target. If the address is used in a Google Cloud project, provide the project ID as test input.
FOREIGN_IP_DISALLOWED - A Compute Engine instance can only send or receive a packet with a foreign IP address if ip_forward is enabled.
FIREWALL_RULE - Dropped due to a firewall rule, unless allowed due to connection tracking.
NO_ROUTE - Dropped due to no matching routes.
ROUTE_BLACKHOLE - Dropped due to invalid route. Route’s next hop is a blackhole.
ROUTE_WRONG_NETWORK - Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2’s IP address to Network3.
ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED - Route’s next hop IP address cannot be resolved to a GCP resource.
ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND - Route’s next hop resource is not found.
ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK - Route’s next hop instance doesn’t have a NIC in the route’s network.
ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP - Route’s next hop IP address is not a primary IP address of the next hop instance.
ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH - Route’s next hop forwarding rule doesn’t match next hop IP address.
ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED - Route’s next hop VPN tunnel is down (does not have valid IKE SAs).
ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID - Route’s next hop forwarding rule type is invalid (it’s not a forwarding rule of the internal passthrough load balancer).
NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS - Packet is sent from the Internet or Google service to the private IPv6 address.
NO_ROUTE_FROM_EXTERNAL_IPV6_SOURCE_TO_PRIVATE_IPV6_ADDRESS - Packet is sent from the external IPv6 source address of an instance to the private IPv6 address of an instance.
VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH - The packet does not match a policy-based VPN tunnel local selector.
VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH - The packet does not match a policy-based VPN tunnel remote selector.
PRIVATE_TRAFFIC_TO_INTERNET - Packet with internal destination address sent to the internet gateway.
PRIVATE_GOOGLE_ACCESS_DISALLOWED - Endpoint with only an internal IP address tries to access Google API and services, but Private Google Access is not enabled in the subnet or is not applicable.
PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED - Source endpoint tries to access Google API and services through the VPN tunnel to another network, but Private Google Access needs to be enabled in the source endpoint network.
NO_EXTERNAL_ADDRESS - Endpoint with only an internal IP address tries to access external hosts, but there is no matching Cloud NAT gateway in the subnet.
UNKNOWN_INTERNAL_ADDRESS - Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project.
FORWARDING_RULE_MISMATCH - Forwarding rule’s protocol and ports do not match the packet header.
FORWARDING_RULE_NO_INSTANCES - Forwarding rule does not have backends configured.
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK - Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. For more details, see Health check firewall rules.
INGRESS_FIREWALL_TAGS_UNSUPPORTED_BY_DIRECT_VPC_EGRESS - Matching ingress firewall rules by network tags for packets sent via serverless VPC direct egress is unsupported. Behavior is undefined. https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#limitations
INSTANCE_NOT_RUNNING - Packet is sent from or to a Compute Engine instance that is not in a running state.
GKE_CLUSTER_NOT_RUNNING - Packet sent from or to a GKE cluster that is not in running state.
CLOUD_SQL_INSTANCE_NOT_RUNNING - Packet sent from or to a Cloud SQL instance that is not in running state.
REDIS_INSTANCE_NOT_RUNNING - Packet sent from or to a Redis Instance that is not in running state.
REDIS_CLUSTER_NOT_RUNNING - Packet sent from or to a Redis Cluster that is not in running state.
TRAFFIC_TYPE_BLOCKED - The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic for more details.
GKE_MASTER_UNAUTHORIZED_ACCESS - Access to Google Kubernetes Engine cluster master’s endpoint is not authorized. See Access to the cluster endpoints for more details.
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS - Access to the Cloud SQL instance endpoint is not authorized. See Authorizing with authorized networks for more details.
DROPPED_INSIDE_GKE_SERVICE - Packet was dropped inside Google Kubernetes Engine Service.
DROPPED_INSIDE_CLOUD_SQL_SERVICE - Packet was dropped inside Cloud SQL Service.
GOOGLE_MANAGED_SERVICE_NO_PEERING - Packet was dropped because there is no peering between the originating network and the Google Managed Services Network.
GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT - Packet was dropped because the Google-managed service uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
GKE_PSC_ENDPOINT_MISSING - Packet was dropped because the GKE cluster uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
CLOUD_SQL_INSTANCE_NO_IP_ADDRESS - Packet was dropped because the Cloud SQL instance has neither a private nor a public IP address.
GKE_CONTROL_PLANE_REGION_MISMATCH - Packet was dropped because a GKE cluster private endpoint is unreachable from a region different from the cluster’s region.
PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION - Packet sent from a public GKE cluster control plane to a private IP address.
GKE_CONTROL_PLANE_NO_ROUTE - Packet was dropped because there is no route from a GKE cluster control plane to a destination network.
CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC - Packet sent from a Cloud SQL instance to an external IP address is not allowed. The Cloud SQL instance is not configured to send packets to external IP addresses.
PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION - Packet sent from a Cloud SQL instance with only a public IP address to a private IP address.
CLOUD_SQL_INSTANCE_NO_ROUTE - Packet was dropped because there is no route from a Cloud SQL instance to a destination network.
CLOUD_SQL_CONNECTOR_REQUIRED - Packet was dropped because the Cloud SQL instance requires all connections to use Cloud SQL connectors and to target the Cloud SQL proxy port (3307).
CLOUD_FUNCTION_NOT_ACTIVE - Packet could be dropped because the Cloud Function is not in an active status.
VPC_CONNECTOR_NOT_SET - Packet could be dropped because no VPC connector is set.
VPC_CONNECTOR_NOT_RUNNING - Packet could be dropped because the VPC connector is not in a running state.
VPC_CONNECTOR_SERVERLESS_TRAFFIC_BLOCKED - Packet could be dropped because the traffic from the serverless service to the VPC connector is not allowed.
VPC_CONNECTOR_HEALTH_CHECK_TRAFFIC_BLOCKED - Packet could be dropped because the health check traffic to the VPC connector is not allowed.
FORWARDING_RULE_REGION_MISMATCH - Packet could be dropped because it was sent from a different region to a regional forwarding without global access.
PSC_CONNECTION_NOT_ACCEPTED - The Private Service Connect endpoint is in a project that is not approved to connect to the service.
PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK - The packet is sent to the Private Service Connect endpoint over the peering, but it’s not supported.
PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS - The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule does not have global access enabled.
PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS - The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule has multiple ports specified.
CLOUD_SQL_PSC_NEG_UNSUPPORTED - The packet is sent to the Private Service Connect backend (network endpoint group) targeting a Cloud SQL service attachment, but this configuration is not supported.
NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT - No NAT subnets are defined for the PSC service attachment.
PSC_TRANSITIVITY_NOT_PROPAGATED - PSC endpoint is accessed via NCC, but PSC transitivity configuration is not yet propagated.
HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED - The packet sent from the hybrid NEG proxy matches a non-dynamic route, but such a configuration is not supported.
HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED - The packet sent from the hybrid NEG proxy matches a dynamic route with a next hop in a different region, but such a configuration is not supported.
CLOUD_RUN_REVISION_NOT_READY - Packet sent from a Cloud Run revision that is not ready.
DROPPED_INSIDE_PSC_SERVICE_PRODUCER - Packet was dropped inside Private Service Connect service producer.
LOAD_BALANCER_HAS_NO_PROXY_SUBNET - Packet sent to a load balancer, which requires a proxy-only subnet and the subnet is not found.
CLOUD_NAT_NO_ADDRESSES - Packet sent to Cloud Nat without active NAT IPs.
ROUTING_LOOP - Packet is stuck in a routing loop.
DROPPED_INSIDE_GOOGLE_MANAGED_SERVICE - Packet is dropped inside a Google-managed service due to being delivered in return trace to an endpoint that doesn’t match the endpoint the packet was sent from in forward trace. Used only for return traces.
LOAD_BALANCER_BACKEND_INVALID_NETWORK - Packet is dropped due to a load balancer backend instance not having a network interface in the network expected by the load balancer.
BACKEND_SERVICE_NAMED_PORT_NOT_DEFINED - Packet is dropped due to a backend service named port not being defined on the instance group level.
DESTINATION_IS_PRIVATE_NAT_IP_RANGE - Packet is dropped due to a destination IP range being part of a Private NAT IP range.
DROPPED_INSIDE_REDIS_INSTANCE_SERVICE - Generic drop cause for a packet being dropped inside a Redis Instance service project.
REDIS_INSTANCE_UNSUPPORTED_PORT - Packet is dropped due to an unsupported port being used to connect to a Redis Instance. Port 6379 should be used to connect to a Redis Instance.
REDIS_INSTANCE_CONNECTING_FROM_PUPI_ADDRESS - Packet is dropped due to connecting from PUPI address to a PSA based Redis Instance.
REDIS_INSTANCE_NO_ROUTE_TO_DESTINATION_NETWORK - Packet is dropped due to no route to the destination network.
REDIS_INSTANCE_NO_EXTERNAL_IP - Redis Instance does not have an external IP address.
REDIS_INSTANCE_UNSUPPORTED_PROTOCOL - Packet is dropped due to an unsupported protocol being used to connect to a Redis Instance. Only TCP connections are accepted by a Redis Instance.
DROPPED_INSIDE_REDIS_CLUSTER_SERVICE - Generic drop cause for a packet being dropped inside a Redis Cluster service project.
REDIS_CLUSTER_UNSUPPORTED_PORT - Packet is dropped due to an unsupported port being used to connect to a Redis Cluster. Ports 6379 and 11000 to 13047 should be used to connect to a Redis Cluster.
REDIS_CLUSTER_NO_EXTERNAL_IP - Redis Cluster does not have an external IP address.
REDIS_CLUSTER_UNSUPPORTED_PROTOCOL - Packet is dropped due to an unsupported protocol being used to connect to a Redis Cluster. Only TCP connections are accepted by a Redis Cluster.
NO_ADVERTISED_ROUTE_TO_GCP_DESTINATION - Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix advertised via BGP by the Cloud Router.
NO_TRAFFIC_SELECTOR_TO_GCP_DESTINATION - Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix included to the local traffic selector of the VPN tunnel.
NO_KNOWN_ROUTE_FROM_PEERED_NETWORK_TO_DESTINATION - Packet from the unknown peered network is dropped due to no known route from the source network to the destination IP address.
PRIVATE_NAT_TO_PSC_ENDPOINT_UNSUPPORTED - Sending packets processed by the Private NAT Gateways to the Private Service Connect endpoints is not supported.
PSC_PORT_MAPPING_PORT_MISMATCH - Packet is sent to the PSC port mapping service, but its destination port does not match any port mapping rules.
PSC_PORT_MAPPING_WITHOUT_PSC_CONNECTION_UNSUPPORTED - Sending packets directly to the PSC port mapping service without going through the PSC connection is not supported.
UNSUPPORTED_ROUTE_MATCHED_FOR_NAT64_DESTINATION - Packet with destination IP address within the reserved NAT64 range is dropped due to matching a route of an unsupported type.
TRAFFIC_FROM_HYBRID_ENDPOINT_TO_INTERNET_DISALLOWED - Packet could be dropped because hybrid endpoint like a VPN gateway or Interconnect is not allowed to send traffic to the Internet.
NO_MATCHING_NAT64_GATEWAY - Packet with destination IP address within the reserved NAT64 range is dropped due to no matching NAT gateway in the subnet.
LOAD_BALANCER_BACKEND_IP_VERSION_MISMATCH - Packet is dropped due to being sent to a backend of a passthrough load balancer that doesn’t use the same IP version as the frontend.
NO_KNOWN_ROUTE_FROM_NCC_NETWORK_TO_DESTINATION - Packet from the unknown NCC network is dropped due to no known route from the source network to the destination IP address.
CLOUD_NAT_PROTOCOL_UNSUPPORTED - Packet is dropped by Cloud NAT due to using an unsupported protocol.
destination_geolocation_code
Type: STRING
Provider name: destinationGeolocationCode
Description: Geolocation (region code) of the destination IP address (if relevant).
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address of the dropped packet (if relevant).
region
Type: STRING
Provider name: region
Description: Region of the dropped packet (if relevant).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that caused the drop.
source_geolocation_code
Type: STRING
Provider name: sourceGeolocationCode
Description: Geolocation (region code) of the source IP address (if relevant).
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address of the dropped packet (if relevant).
endpoint
Type: STRUCT
Provider name: endpoint
Description: Display information of the source and destination under analysis. The endpoint information in an intermediate state may differ with the initial input, as it might be modified by state like NAT, or Connection Proxy.
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address.
destination_network_uri
Type: STRING
Provider name: destinationNetworkUri
Description: URI of the network where this packet is sent to.
destination_port
Type: INT32
Provider name: destinationPort
Description: Destination port. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
source_agent_uri
Type: STRING
Provider name: sourceAgentUri
Description: URI of the source telemetry agent this packet originates from.
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
source_network_uri
Type: STRING
Provider name: sourceNetworkUri
Description: URI of the network where this packet originates from.
source_port
Type: INT32
Provider name: sourcePort
Description: Source port. Only valid when protocol is TCP or UDP.
firewall
Type: STRUCT
Provider name: firewall
Description: Display information of a Compute Engine firewall rule.
action
Type: STRING
Provider name: action
Description: Possible values: ALLOW, DENY, APPLY_SECURITY_PROFILE_GROUP
direction
Type: STRING
Provider name: direction
Description: Possible values: INGRESS, EGRESS
firewall_rule_type
Type: STRING
Provider name: firewallRuleType
Description: The firewall rule’s type.
Possible values:
FIREWALL_RULE_TYPE_UNSPECIFIED - Unspecified type.
HIERARCHICAL_FIREWALL_POLICY_RULE - Hierarchical firewall policy rule. For details, see Hierarchical firewall policies overview.
VPC_FIREWALL_RULE - VPC firewall rule. For details, see VPC firewall rules overview.
IMPLIED_VPC_FIREWALL_RULE - Implied VPC firewall rule. For details, see Implied rules.
SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE - Implicit firewall rules that are managed by serverless VPC access to allow ingress access. They are not visible in the Google Cloud console. For details, see VPC connector’s implicit rules.
NETWORK_FIREWALL_POLICY_RULE - Global network firewall policy rule. For details, see Network firewall policies.
NETWORK_REGIONAL_FIREWALL_POLICY_RULE - Regional network firewall policy rule. For details, see Regional network firewall policies.
UNSUPPORTED_FIREWALL_POLICY_RULE - Firewall policy rule containing attributes not yet supported in Connectivity tests. Firewall analysis is skipped if such a rule can potentially be matched. Please see the list of unsupported configurations.
TRACKING_STATE - Tracking state for response traffic created when request traffic goes through allow firewall rule. For details, see firewall rules specifications
ANALYSIS_SKIPPED - Firewall analysis was skipped due to executing Connectivity Test in the BypassFirewallChecks mode
gcp_display_name
Type: STRING
Provider name: displayName
Description: The display name of the firewall rule. This field might be empty for firewall policy rules.
network_uri
Type: STRING
Provider name: networkUri
Description: The URI of the VPC network that the firewall rule is associated with. This field is not applicable to hierarchical firewall policy rules.
policy
Type: STRING
Provider name: policy
Description: The name of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
policy_priority
Type: INT32
Provider name: policyPriority
Description: The priority of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
policy_uri
Type: STRING
Provider name: policyUri
Description: The URI of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
priority
Type: INT32
Provider name: priority
Description: The priority of the firewall rule.
target_service_accounts
Type: UNORDERED_LIST_STRING
Provider name: targetServiceAccounts
Description: The target service accounts specified by the firewall rule.
target_tags
Type: UNORDERED_LIST_STRING
Provider name: targetTags
Description: The target tags defined by the VPC firewall rule. This field is not applicable to firewall policy rules.
target_type
Type: STRING
Provider name: targetType
Description: Target type of the firewall rule.
Possible values:
TARGET_TYPE_UNSPECIFIED - Target type is not specified. In this case we treat the rule as applying to INSTANCES target type.
INSTANCES - Firewall rule applies to instances.
INTERNAL_MANAGED_LB - Firewall rule applies to internal managed load balancers.
uri
Type: STRING
Provider name: uri
Description: The URI of the firewall rule. This field is not applicable to implied VPC firewall rules.
forward
Type: STRUCT
Provider name: forward
Description: Display information of the final state “forward” and reason.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the target (if applicable).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that the packet is forwarded to.
target
Type: STRING
Provider name: target
Description: Target type where this packet is forwarded to.
Possible values:
TARGET_UNSPECIFIED - Target not specified.
PEERING_VPC - Forwarded to a VPC peering network.
VPN_GATEWAY - Forwarded to a Cloud VPN gateway.
INTERCONNECT - Forwarded to a Cloud Interconnect connection.
GKE_MASTER - Forwarded to a Google Kubernetes Engine Container cluster master.
IMPORTED_CUSTOM_ROUTE_NEXT_HOP - Forwarded to the next hop of a custom route imported from a peering VPC.
CLOUD_SQL_INSTANCE - Forwarded to a Cloud SQL instance.
ANOTHER_PROJECT - Forwarded to a VPC network in another project.
NCC_HUB - Forwarded to an NCC Hub.
ROUTER_APPLIANCE - Forwarded to a router appliance.
SECURE_WEB_PROXY_GATEWAY - Forwarded to a Secure Web Proxy Gateway.
forwarding_rule
Type: STRUCT
Provider name: forwardingRule
Description: Display information of a Compute Engine forwarding rule.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of the forwarding rule.
load_balancer_name
Type: STRING
Provider name: loadBalancerName
Description: Name of the load balancer the forwarding rule belongs to. Empty for forwarding rules not related to load balancers (like PSC forwarding rules).
matched_port_range
Type: STRING
Provider name: matchedPortRange
Description: Port range defined in the forwarding rule that matches the packet.
matched_protocol
Type: STRING
Provider name: matchedProtocol
Description: Protocol defined in the forwarding rule that matches the packet.
network_uri
Type: STRING
Provider name: networkUri
Description: Network URI.
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target this forwarding rule targets (if applicable).
psc_service_attachment_uri
Type: STRING
Provider name: pscServiceAttachmentUri
Description: URI of the PSC service attachment this forwarding rule targets (if applicable).
region
Type: STRING
Provider name: region
Description: Region of the forwarding rule. Set only for regional forwarding rules.
target
Type: STRING
Provider name: target
Description: Target type of the forwarding rule.
uri
Type: STRING
Provider name: uri
Description: URI of the forwarding rule.
vip
Type: STRING
Provider name: vip
Description: VIP of the forwarding rule.
gke_master
Type: STRUCT
Provider name: gkeMaster
Description: Display information of a Google Kubernetes Engine cluster master.
cluster_network_uri
Type: STRING
Provider name: clusterNetworkUri
Description: URI of a GKE cluster network.
cluster_uri
Type: STRING
Provider name: clusterUri
Description: URI of a GKE cluster.
dns_endpoint
Type: STRING
Provider name: dnsEndpoint
Description: DNS endpoint of a GKE cluster control plane.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of a GKE cluster control plane.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of a GKE cluster control plane.
google_service
Type: STRUCT
Provider name: googleService
Description: Display information of a Google service
google_service_type
Type: STRING
Provider name: googleServiceType
Description: Recognized type of a Google Service.
Possible values:
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
instance
Type: STRUCT
Provider name: instance
Description: Display information of a Compute Engine instance.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of the network interface.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine instance.
gcp_status
Type: STRING
Provider name: status
Description: The status of the instance.
Possible values:
STATUS_UNSPECIFIED - Default unspecified value.
RUNNING - The instance is running.
NOT_RUNNING - The instance has any status other than ‘RUNNING’.
interface
Type: STRING
Provider name: interface
Description: Name of the network interface of a Compute Engine instance.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of the network interface.
network_tags
Type: UNORDERED_LIST_STRING
Provider name: networkTags
Description: Network tags configured on the instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network.
psc_network_attachment_uri
Type: STRING
Provider name: pscNetworkAttachmentUri
Description: URI of the PSC network attachment the NIC is attached to (if relevant).
running
Type: BOOLEAN
Provider name: running
Description: Indicates whether the Compute Engine instance is running. Deprecated: use the status field instead.
service_account
Type: STRING
Provider name: serviceAccount
Description: Service account authorized for the instance.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine instance.
interconnect_attachment
Type: STRUCT
Provider name: interconnectAttachment
Description: Display information of an interconnect attachment.
cloud_router_uri
Type: STRING
Provider name: cloudRouterUri
Description: URI of the Cloud Router to be used for dynamic routing.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of an Interconnect attachment.
interconnect_uri
Type: STRING
Provider name: interconnectUri
Description: URI of the Interconnect where the Interconnect attachment is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where the Interconnect attachment is configured.
uri
Type: STRING
Provider name: uri
Description: URI of an Interconnect attachment.
load_balancer
Type: STRUCT
Provider name: loadBalancer
Description: Display information of the load balancers. Deprecated in favor of the load_balancer_backend_info field, not used in new tests.
backend_type
Type: STRING
Provider name: backendType
Description: Type of load balancer’s backend configuration.
Possible values:
BACKEND_TYPE_UNSPECIFIED - Type is unspecified.
BACKEND_SERVICE - Backend Service as the load balancer’s backend.
TARGET_POOL - Target Pool as the load balancer’s backend.
TARGET_INSTANCE - Target Instance as the load balancer’s backend.
backend_uri
Type: STRING
Provider name: backendUri
Description: Backend configuration URI.
backends
Type: UNORDERED_LIST_STRUCT
Provider name: backends
Description: Information for the loadbalancer backends.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine instance or network endpoint.
health_check_allowing_firewall_rules
Type: UNORDERED_LIST_STRING
Provider name: healthCheckAllowingFirewallRules
Description: A list of firewall rule URIs allowing probes from health check IP ranges.
health_check_blocking_firewall_rules
Type: UNORDERED_LIST_STRING
Provider name: healthCheckBlockingFirewallRules
Description: A list of firewall rule URIs blocking probes from health check IP ranges.
health_check_firewall_state
Type: STRING
Provider name: healthCheckFirewallState
Description: State of the health check firewall configuration.
Possible values:
HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED - State is unspecified. Default state if not populated.
CONFIGURED - There are configured firewall rules to allow health check probes to the backend.
MISCONFIGURED - There are firewall rules configured to allow partial health check ranges or block all health check ranges. If a health check probe is sent from denied IP ranges, the health check to the backend will fail. Then, the backend will be marked unhealthy and will not receive traffic sent to the load balancer.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine instance or network endpoint.
health_check_uri
Type: STRING
Provider name: healthCheckUri
Description: URI of the health check for the load balancer. Deprecated and no longer populated as different load balancer backends might have different health checks.
load_balancer_type
Type: STRING
Provider name: loadBalancerType
Description: Type of the load balancer.
Possible values:
LOAD_BALANCER_TYPE_UNSPECIFIED - Type is unspecified.
INTERNAL_TCP_UDP - Internal TCP/UDP load balancer.
NETWORK_TCP_UDP - Network TCP/UDP load balancer.
HTTP_PROXY - HTTP(S) proxy load balancer.
TCP_PROXY - TCP proxy load balancer.
SSL_PROXY - SSL proxy load balancer.
load_balancer_backend_info
Type: STRUCT
Provider name: loadBalancerBackendInfo
Description: Display information of a specific load balancer backend.
backend_bucket_uri
Type: STRING
Provider name: backendBucketUri
Description: URI of the backend bucket this backend targets (if applicable).
backend_service_uri
Type: STRING
Provider name: backendServiceUri
Description: URI of the backend service this backend belongs to (if applicable).
health_check_firewalls_config_state
Type: STRING
Provider name: healthCheckFirewallsConfigState
Description: Output only. Health check firewalls configuration state for the backend. This is a result of the static firewall analysis (verifying that health check traffic from required IP ranges to the backend is allowed or not). The backend might still be unhealthy even if these firewalls are configured. Please refer to the documentation for more information: https://cloud.google.com/load-balancing/docs/firewall-rules
Possible values:
HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED - Configuration state unspecified. It usually means that the backend has no health check attached, or there was an unexpected configuration error preventing Connectivity tests from verifying health check configuration.
FIREWALLS_CONFIGURED - Firewall rules (policies) allowing health check traffic from all required IP ranges to the backend are configured.
FIREWALLS_PARTIALLY_CONFIGURED - Firewall rules (policies) allow health check traffic only from a part of required IP ranges.
FIREWALLS_NOT_CONFIGURED - Firewall rules (policies) deny health check traffic from all required IP ranges to the backend.
FIREWALLS_UNSUPPORTED - The network contains firewall rules of unsupported types, so Connectivity tests were not able to verify health check configuration status. Please refer to the documentation for the list of unsupported configurations: https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs
health_check_uri
Type: STRING
Provider name: healthCheckUri
Description: URI of the health check attached to this backend (if applicable).
instance_group_uri
Type: STRING
Provider name: instanceGroupUri
Description: URI of the instance group this backend belongs to (if applicable).
instance_uri
Type: STRING
Provider name: instanceUri
Description: URI of the backend instance (if applicable). Populated for instance group backends, and zonal NEG backends.
name
Type: STRING
Provider name: name
Description: Display name of the backend. For example, it might be an instance name for the instance group backends, or an IP address and port for zonal network endpoint group backends.
network_endpoint_group_uri
Type: STRING
Provider name: networkEndpointGroupUri
Description: URI of the network endpoint group this backend belongs to (if applicable).
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target this PSC NEG backend targets (if applicable).
psc_service_attachment_uri
Type: STRING
Provider name: pscServiceAttachmentUri
Description: URI of the PSC service attachment this PSC NEG backend targets (if applicable).
nat
Type: STRUCT
Provider name: nat
Description: Display information of a NAT.
nat_gateway_name
Type: STRING
Provider name: natGatewayName
Description: The name of Cloud NAT Gateway. Only valid when type is CLOUD_NAT.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network where NAT translation takes place.
new_destination_ip
Type: STRING
Provider name: newDestinationIp
Description: Destination IP address after NAT translation.
new_destination_port
Type: INT32
Provider name: newDestinationPort
Description: Destination port after NAT translation. Only valid when protocol is TCP or UDP.
new_source_ip
Type: STRING
Provider name: newSourceIp
Description: Source IP address after NAT translation.
new_source_port
Type: INT32
Provider name: newSourcePort
Description: Source port after NAT translation. Only valid when protocol is TCP or UDP.
old_destination_ip
Type: STRING
Provider name: oldDestinationIp
Description: Destination IP address before NAT translation.
old_destination_port
Type: INT32
Provider name: oldDestinationPort
Description: Destination port before NAT translation. Only valid when protocol is TCP or UDP.
old_source_ip
Type: STRING
Provider name: oldSourceIp
Description: Source IP address before NAT translation.
old_source_port
Type: INT32
Provider name: oldSourcePort
Description: Source port before NAT translation. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
router_uri
Type: STRING
Provider name: routerUri
Description: Uri of the Cloud Router. Only valid when type is CLOUD_NAT.
type
Type: STRING
Provider name: type
Description: Type of NAT.
Possible values:
TYPE_UNSPECIFIED - Type is unspecified.
INTERNAL_TO_EXTERNAL - From Compute Engine instance’s internal address to external address.
EXTERNAL_TO_INTERNAL - From Compute Engine instance’s external address to internal address.
CLOUD_NAT - Cloud NAT Gateway.
PRIVATE_SERVICE_CONNECT - Private service connect NAT.
network
Type: STRUCT
Provider name: network
Description: Display information of a Google Cloud network.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine network.
matched_ip_range
Type: STRING
Provider name: matchedIpRange
Description: The IP range of the subnet matching the source IP address of the test.
matched_subnet_uri
Type: STRING
Provider name: matchedSubnetUri
Description: URI of the subnet matching the source IP address of the test.
region
Type: STRING
Provider name: region
Description: The region of the subnet matching the source IP address of the test.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine network.
project_id
Type: STRING
Provider name: projectId
Description: Project ID that contains the configuration this step is validating.
proxy_connection
Type: STRUCT
Provider name: proxyConnection
Description: Display information of a ProxyConnection.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network where connection is proxied.
new_destination_ip
Type: STRING
Provider name: newDestinationIp
Description: Destination IP address of a new connection.
new_destination_port
Type: INT32
Provider name: newDestinationPort
Description: Destination port of a new connection. Only valid when protocol is TCP or UDP.
new_source_ip
Type: STRING
Provider name: newSourceIp
Description: Source IP address of a new connection.
new_source_port
Type: INT32
Provider name: newSourcePort
Description: Source port of a new connection. Only valid when protocol is TCP or UDP.
old_destination_ip
Type: STRING
Provider name: oldDestinationIp
Description: Destination IP address of an original connection
old_destination_port
Type: INT32
Provider name: oldDestinationPort
Description: Destination port of an original connection. Only valid when protocol is TCP or UDP.
old_source_ip
Type: STRING
Provider name: oldSourceIp
Description: Source IP address of an original connection.
old_source_port
Type: INT32
Provider name: oldSourcePort
Description: Source port of an original connection. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
subnet_uri
Type: STRING
Provider name: subnetUri
Description: Uri of proxy subnet.
redis_cluster
Type: STRUCT
Provider name: redisCluster
Description: Display information of a Redis Cluster.
discovery_endpoint_ip_address
Type: STRING
Provider name: discoveryEndpointIpAddress
Description: Discovery endpoint IP address of a Redis Cluster.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Redis Cluster.
location
Type: STRING
Provider name: location
Description: Name of the region in which the Redis Cluster is defined. For example, “us-central1”.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network containing the Redis Cluster endpoints in format “projects/{project_id}/global/networks/{network_id}”.
secondary_endpoint_ip_address
Type: STRING
Provider name: secondaryEndpointIpAddress
Description: Secondary endpoint IP address of a Redis Cluster.
uri
Type: STRING
Provider name: uri
Description: URI of a Redis Cluster in format “projects/{project_id}/locations/{location}/clusters/{cluster_id}"
redis_instance
Type: STRUCT
Provider name: redisInstance
Description: Display information of a Redis Instance.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Redis Instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Cloud Redis Instance network.
primary_endpoint_ip
Type: STRING
Provider name: primaryEndpointIp
Description: Primary endpoint IP address of a Cloud Redis Instance.
read_endpoint_ip
Type: STRING
Provider name: readEndpointIp
Description: Read endpoint IP address of a Cloud Redis Instance (if applicable).
region
Type: STRING
Provider name: region
Description: Region in which the Cloud Redis Instance is defined.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Redis Instance.
route
Type: STRUCT
Provider name: route
Description: Display information of a Compute Engine route.
advertised_route_next_hop_uri
Type: STRING
Provider name: advertisedRouteNextHopUri
Description: For ADVERTISED routes, the URI of their next hop, i.e. the URI of the hybrid endpoint (VPN tunnel, Interconnect attachment, NCC router appliance) the advertised prefix is advertised through, or URI of the source peered network. Deprecated in favor of the next_hop_uri field, not used in new tests.
advertised_route_source_router_uri
Type: STRING
Provider name: advertisedRouteSourceRouterUri
Description: For ADVERTISED dynamic routes, the URI of the Cloud Router that advertised the corresponding IP prefix.
dest_ip_range
Type: STRING
Provider name: destIpRange
Description: Destination IP range of the route.
dest_port_ranges
Type: UNORDERED_LIST_STRING
Provider name: destPortRanges
Description: Destination port ranges of the route. POLICY_BASED routes only.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a route.
instance_tags
Type: UNORDERED_LIST_STRING
Provider name: instanceTags
Description: Instance tags of the route.
ncc_hub_route_uri
Type: STRING
Provider name: nccHubRouteUri
Description: For PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub, the URI of the corresponding route in NCC Hub’s routing table.
ncc_hub_uri
Type: STRING
Provider name: nccHubUri
Description: URI of the NCC Hub the route is advertised by. PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub only.
ncc_spoke_uri
Type: STRING
Provider name: nccSpokeUri
Description: URI of the destination NCC Spoke. PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub only.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a VPC network where route is located.
next_hop
Type: STRING
Provider name: nextHop
Description: String type of the next hop of the route (for example, “VPN tunnel”). Deprecated in favor of the next_hop_type and next_hop_uri fields, not used in new tests.
next_hop_network_uri
Type: STRING
Provider name: nextHopNetworkUri
Description: URI of a VPC network where the next hop resource is located.
next_hop_type
Type: STRING
Provider name: nextHopType
Description: Type of next hop.
Possible values:
NEXT_HOP_TYPE_UNSPECIFIED - Unspecified type. Default value.
NEXT_HOP_IP - Next hop is an IP address.
NEXT_HOP_INSTANCE - Next hop is a Compute Engine instance.
NEXT_HOP_NETWORK - Next hop is a VPC network gateway.
NEXT_HOP_PEERING - Next hop is a peering VPC. This scenario only happens when the user doesn’t have permissions to the project where the next hop resource is located.
NEXT_HOP_INTERCONNECT - Next hop is an interconnect.
NEXT_HOP_VPN_TUNNEL - Next hop is a VPN tunnel.
NEXT_HOP_VPN_GATEWAY - Next hop is a VPN gateway. This scenario only happens when tracing connectivity from an on-premises network to Google Cloud through a VPN. The analysis simulates a packet departing from the on-premises network through a VPN tunnel and arriving at a Cloud VPN gateway.
NEXT_HOP_INTERNET_GATEWAY - Next hop is an internet gateway.
NEXT_HOP_BLACKHOLE - Next hop is blackhole; that is, the next hop either does not exist or is unusable.
NEXT_HOP_ILB - Next hop is the forwarding rule of an Internal Load Balancer.
NEXT_HOP_ROUTER_APPLIANCE - Next hop is a router appliance instance.
NEXT_HOP_NCC_HUB - Next hop is an NCC hub. This scenario only happens when the user doesn’t have permissions to the project where the next hop resource is located.
SECURE_WEB_PROXY_GATEWAY - Next hop is Secure Web Proxy Gateway.
next_hop_uri
Type: STRING
Provider name: nextHopUri
Description: URI of the next hop resource.
originating_route_display_name
Type: STRING
Provider name: originatingRouteDisplayName
Description: For PEERING_SUBNET, PEERING_STATIC and PEERING_DYNAMIC routes, the name of the originating SUBNET/STATIC/DYNAMIC route.
originating_route_uri
Type: STRING
Provider name: originatingRouteUri
Description: For PEERING_SUBNET and PEERING_STATIC routes, the URI of the originating SUBNET/STATIC route.
priority
Type: INT32
Provider name: priority
Description: Priority of the route.
protocols
Type: UNORDERED_LIST_STRING
Provider name: protocols
Description: Protocols of the route. POLICY_BASED routes only.
region
Type: STRING
Provider name: region
Description: Region of the route. DYNAMIC, PEERING_DYNAMIC, POLICY_BASED and ADVERTISED routes only. If set for POLICY_BASED route, this is a region of VLAN attachments for Cloud Interconnect the route applies to.
route_scope
Type: STRING
Provider name: routeScope
Description: Indicates where route is applicable. Deprecated, routes with NCC_HUB scope are not included in the trace in new tests.
Possible values:
ROUTE_SCOPE_UNSPECIFIED - Unspecified scope. Default value.
NETWORK - Route is applicable to packets in Network.
NCC_HUB - Route is applicable to packets using NCC Hub’s routing table.
route_type
Type: STRING
Provider name: routeType
Description: Type of route.
Possible values:
ROUTE_TYPE_UNSPECIFIED - Unspecified type. Default value.
SUBNET - Route is a subnet route automatically created by the system.
STATIC - Static route created by the user, including the default route to the internet.
DYNAMIC - Dynamic route exchanged between BGP peers.
PEERING_SUBNET - A subnet route received from peering network or NCC Hub.
PEERING_STATIC - A static route received from peering network.
PEERING_DYNAMIC - A dynamic route received from peering network or NCC Hub.
POLICY_BASED - Policy based route.
ADVERTISED - Advertised route. Synthetic route which is used to transition from the StartFromPrivateNetwork state in Connectivity tests.
src_ip_range
Type: STRING
Provider name: srcIpRange
Description: Source IP address range of the route. POLICY_BASED routes only.
src_port_ranges
Type: UNORDERED_LIST_STRING
Provider name: srcPortRanges
Description: Source port ranges of the route. POLICY_BASED routes only.
uri
Type: STRING
Provider name: uri
Description: URI of a route. SUBNET, STATIC, PEERING_SUBNET (only for peering network) and POLICY_BASED routes only.
serverless_external_connection
Type: STRUCT
Provider name: serverlessExternalConnection
Description: Display information of a serverless public (external) connection.
selected_ip_address
Type: STRING
Provider name: selectedIpAddress
Description: Selected starting IP address, from the Google dynamic address pool.
serverless_neg
Type: STRUCT
Provider name: serverlessNeg
Description: Display information of a Serverless network endpoint group backend. Used only for return traces.
neg_uri
Type: STRING
Provider name: negUri
Description: URI of the serverless network endpoint group.
state
Type: STRING
Provider name: state
Description: Each step is in one of the pre-defined states.
Possible values:
STATE_UNSPECIFIED - Unspecified state.
START_FROM_INSTANCE - Initial state: packet originating from a Compute Engine instance. An InstanceInfo is populated with starting instance information.
START_FROM_INTERNET - Initial state: packet originating from the internet. The endpoint information is populated.
START_FROM_GOOGLE_SERVICE - Initial state: packet originating from a Google service. The google_service information is populated.
START_FROM_PRIVATE_NETWORK - Initial state: packet originating from a VPC or on-premises network with internal source IP. If the source is a VPC network visible to the user, a NetworkInfo is populated with details of the network.
START_FROM_GKE_MASTER - Initial state: packet originating from a Google Kubernetes Engine cluster master. A GKEMasterInfo is populated with starting instance information.
START_FROM_CLOUD_SQL_INSTANCE - Initial state: packet originating from a Cloud SQL instance. A CloudSQLInstanceInfo is populated with starting instance information.
START_FROM_REDIS_INSTANCE - Initial state: packet originating from a Redis instance. A RedisInstanceInfo is populated with starting instance information.
START_FROM_REDIS_CLUSTER - Initial state: packet originating from a Redis Cluster. A RedisClusterInfo is populated with starting Cluster information.
START_FROM_CLOUD_FUNCTION - Initial state: packet originating from a Cloud Function. A CloudFunctionInfo is populated with starting function information.
START_FROM_APP_ENGINE_VERSION - Initial state: packet originating from an App Engine service version. An AppEngineVersionInfo is populated with starting version information.
START_FROM_CLOUD_RUN_REVISION - Initial state: packet originating from a Cloud Run revision. A CloudRunRevisionInfo is populated with starting revision information.
START_FROM_STORAGE_BUCKET - Initial state: packet originating from a Storage Bucket. Used only for return traces. The storage_bucket information is populated.
START_FROM_PSC_PUBLISHED_SERVICE - Initial state: packet originating from a published service that uses Private Service Connect. Used only for return traces.
START_FROM_SERVERLESS_NEG - Initial state: packet originating from a serverless network endpoint group backend. Used only for return traces. The serverless_neg information is populated.
APPLY_INGRESS_FIREWALL_RULE - Config checking state: verify ingress firewall rule.
APPLY_EGRESS_FIREWALL_RULE - Config checking state: verify egress firewall rule.
APPLY_ROUTE - Config checking state: verify route.
APPLY_FORWARDING_RULE - Config checking state: match forwarding rule.
ANALYZE_LOAD_BALANCER_BACKEND - Config checking state: verify load balancer backend configuration.
SPOOFING_APPROVED - Config checking state: packet sent or received under foreign IP address and allowed.
ARRIVE_AT_INSTANCE - Forwarding state: arriving at a Compute Engine instance.
ARRIVE_AT_INTERNAL_LOAD_BALANCER - Forwarding state: arriving at a Compute Engine internal load balancer.
ARRIVE_AT_EXTERNAL_LOAD_BALANCER - Forwarding state: arriving at a Compute Engine external load balancer.
ARRIVE_AT_VPN_GATEWAY - Forwarding state: arriving at a Cloud VPN gateway.
ARRIVE_AT_VPN_TUNNEL - Forwarding state: arriving at a Cloud VPN tunnel.
ARRIVE_AT_INTERCONNECT_ATTACHMENT - Forwarding state: arriving at an interconnect attachment.
ARRIVE_AT_VPC_CONNECTOR - Forwarding state: arriving at a VPC connector.
DIRECT_VPC_EGRESS_CONNECTION - Forwarding state: for packets originating from a serverless endpoint forwarded through Direct VPC egress.
SERVERLESS_EXTERNAL_CONNECTION - Forwarding state: for packets originating from a serverless endpoint forwarded through public (external) connectivity.
NAT - Transition state: packet header translated.
PROXY_CONNECTION - Transition state: original connection is terminated and a new proxied connection is initiated.
DELIVER - Final state: packet could be delivered.
DROP - Final state: packet could be dropped.
FORWARD - Final state: packet could be forwarded to a network with an unknown configuration.
ABORT - Final state: analysis is aborted.
VIEWER_PERMISSION_MISSING - Special state: viewer of the test result does not have permission to see the configuration in this step.
storage_bucket
Type: STRUCT
Provider name: storageBucket
Description: Display information of a Storage Bucket. Used only for return traces.
bucket
Type: STRING
Provider name: bucket
Description: Cloud Storage Bucket name.
vpc_connector
Type: STRUCT
Provider name: vpcConnector
Description: Display information of a VPC connector.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPC connector.
location
Type: STRING
Provider name: location
Description: Location in which the VPC connector is deployed.
uri
Type: STRING
Provider name: uri
Description: URI of a VPC connector.
vpn_gateway
Type: STRUCT
Provider name: vpnGateway
Description: Display information of a Compute Engine VPN gateway.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPN gateway.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the VPN gateway.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network where the VPN gateway is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where this VPN gateway is configured.
uri
Type: STRING
Provider name: uri
Description: URI of a VPN gateway.
vpn_tunnel_uri
Type: STRING
Provider name: vpnTunnelUri
Description: A VPN tunnel that is associated with this VPN gateway. There may be multiple VPN tunnels configured on a VPN gateway, and only the one relevant to the test is displayed.
vpn_tunnel
Type: STRUCT
Provider name: vpnTunnel
Description: Display information of a Compute Engine VPN tunnel.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPN tunnel.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network where the VPN tunnel is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where this VPN tunnel is configured.
remote_gateway
Type: STRING
Provider name: remoteGateway
Description: URI of a VPN gateway at remote end of the tunnel.
remote_gateway_ip
Type: STRING
Provider name: remoteGatewayIp
Description: Remote VPN gateway’s IP address.
routing_type
Type: STRING
Provider name: routingType
Description: Type of the routing policy.
Possible values:
ROUTING_TYPE_UNSPECIFIED - Unspecified type. Default value.
ROUTE_BASED - Route based VPN.
POLICY_BASED - Policy based routing.
DYNAMIC - Dynamic (BGP) routing.
source_gateway
Type: STRING
Provider name: sourceGateway
Description: URI of the VPN gateway at local end of the tunnel.
source_gateway_ip
Type: STRING
Provider name: sourceGatewayIp
Description: Local VPN gateway’s IP address.
uri
Type: STRING
Provider name: uri
Description: URI of a VPN tunnel.
verify_time
Type: TIMESTAMP
Provider name: verifyTime
Description: The time of the configuration analysis.
Type: UNORDERED_LIST_STRING
Provider name: relatedProjects
Description: Other projects that may be relevant for reachability analysis. This is applicable to scenarios where a test can cross project boundaries.
resource_name
Type: STRING
return_reachability_details
Type: STRUCT
Provider name: returnReachabilityDetails
Description: Output only. The reachability details of this test from the latest run for the return path. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.
error
Type: STRUCT
Provider name: error
Description: The details of a failure or a cancellation of reachability analysis.
code
Type: INT32
Provider name: code
Description: The status code, which should be an enum value of google.rpc.Code.
message
Type: STRING
Provider name: message
Description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
result
Type: STRING
Provider name: result
Description: The overall result of the test’s configuration analysis.
Possible values:
RESULT_UNSPECIFIED - No result was specified.
REACHABLE - Possible scenarios are: * The configuration analysis determined that a packet originating from the source is expected to reach the destination. * The analysis didn’t complete because the user lacks permission for some of the resources in the trace. However, at the time the user’s permission became insufficient, the trace had been successful so far.
UNREACHABLE - A packet originating from the source is expected to be dropped before reaching the destination.
AMBIGUOUS - The source and destination endpoints do not uniquely identify the test location in the network, and the reachability result contains multiple traces. For some traces, a packet could be delivered, and for others, it would not be. This result is also assigned to configuration analysis of return path if on its own it should be REACHABLE, but configuration analysis of forward path is AMBIGUOUS.
UNDETERMINED - The configuration analysis did not complete. Possible reasons are: * A permissions error occurred–for example, the user might not have read permission for all of the resources named in the test. * An internal error occurred. * The analyzer received an invalid or unsupported argument or was unable to identify a known endpoint.
traces
Type: UNORDERED_LIST_STRUCT
Provider name: traces
Description: Result may contain a list of traces if a test has multiple possible paths in the network, such as when destination endpoint is a load balancer with multiple backends.
endpoint_info
Type: STRUCT
Provider name: endpointInfo
Description: Derived from the source and destination endpoints definition specified by user request, and validated by the data plane model. If there are multiple traces starting from different source locations, then the endpoint_info may be different between traces.
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address.
destination_network_uri
Type: STRING
Provider name: destinationNetworkUri
Description: URI of the network where this packet is sent to.
destination_port
Type: INT32
Provider name: destinationPort
Description: Destination port. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
source_agent_uri
Type: STRING
Provider name: sourceAgentUri
Description: URI of the source telemetry agent this packet originates from.
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
source_network_uri
Type: STRING
Provider name: sourceNetworkUri
Description: URI of the network where this packet originates from.
source_port
Type: INT32
Provider name: sourcePort
Description: Source port. Only valid when protocol is TCP or UDP.
forward_trace_id
Type: INT32
Provider name: forwardTraceId
Description: ID of trace. For forward traces, this ID is unique for each trace. For return traces, it matches ID of associated forward trace. A single forward trace can be associated with none, one or more than one return trace.
steps
Type: UNORDERED_LIST_STRUCT
Provider name: steps
Description: A trace of a test contains multiple steps from the initial state to the final state (delivered, dropped, forwarded, or aborted). The steps are ordered by the processing sequence within the simulated network state machine. It is critical to preserve the order of the steps and avoid reordering or sorting them.
abort
Type: STRUCT
Provider name: abort
Description: Display information of the final state “abort” and reason.
cause
Type: STRING
Provider name: cause
Description: Causes that the analysis is aborted.
Possible values:
CAUSE_UNSPECIFIED - Cause is unspecified.
UNKNOWN_NETWORK - Aborted due to unknown network. Deprecated, not used in the new tests.
UNKNOWN_PROJECT - Aborted because no project information can be derived from the test input. Deprecated, not used in the new tests.
NO_EXTERNAL_IP - Aborted because traffic is sent from a public IP to an instance without an external IP. Deprecated, not used in the new tests.
UNINTENDED_DESTINATION - Aborted because none of the traces matches destination information specified in the input test request. Deprecated, not used in the new tests.
SOURCE_ENDPOINT_NOT_FOUND - Aborted because the source endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_SOURCE_NETWORK - Aborted because the source network does not match the source endpoint. Deprecated, not used in the new tests.
DESTINATION_ENDPOINT_NOT_FOUND - Aborted because the destination endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_DESTINATION_NETWORK - Aborted because the destination network does not match the destination endpoint. Deprecated, not used in the new tests.
UNKNOWN_IP - Aborted because no endpoint with the packet’s destination IP address is found.
GOOGLE_MANAGED_SERVICE_UNKNOWN_IP - Aborted because no endpoint with the packet’s destination IP is found in the Google-managed project.
SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK - Aborted because the source IP address doesn’t belong to any of the subnets of the source VPC network.
PERMISSION_DENIED - Aborted because user lacks permission to access all or part of the network configurations required to run the test.
PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS - Aborted because user lacks permission to access Cloud NAT configs required to run the test.
PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS - Aborted because user lacks permission to access Network endpoint group endpoint configs required to run the test.
PERMISSION_DENIED_NO_CLOUD_ROUTER_CONFIGS - Aborted because user lacks permission to access Cloud Router configs required to run the test.
NO_SOURCE_LOCATION - Aborted because no valid source or destination endpoint is derived from the input test request.
INVALID_ARGUMENT - Aborted because the source or destination endpoint specified in the request is invalid. Some examples: - The request might contain malformed resource URI, project ID, or IP address. - The request might contain inconsistent information (for example, the request might include both the instance and the network, but the instance might not have a NIC in that network).
TRACE_TOO_LONG - Aborted because the number of steps in the trace exceeds a certain limit. It might be caused by a routing loop.
INTERNAL_ERROR - Aborted due to internal server error.
UNSUPPORTED - Aborted because the test scenario is not supported.
MISMATCHED_IP_VERSION - Aborted because the source and destination resources have no common IP version.
GKE_KONNECTIVITY_PROXY_UNSUPPORTED - Aborted because the connection between the control plane and the node of the source cluster is initiated by the node and managed by the Konnectivity proxy.
RESOURCE_CONFIG_NOT_FOUND - Aborted because expected resource configuration was missing.
VM_INSTANCE_CONFIG_NOT_FOUND - Aborted because expected VM instance configuration was missing.
NETWORK_CONFIG_NOT_FOUND - Aborted because expected network configuration was missing.
FIREWALL_CONFIG_NOT_FOUND - Aborted because expected firewall configuration was missing.
ROUTE_CONFIG_NOT_FOUND - Aborted because expected route configuration was missing.
GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT - Aborted because PSC endpoint selection for the Google-managed service is ambiguous (several PSC endpoints satisfy test input).
GOOGLE_MANAGED_SERVICE_AMBIGUOUS_ENDPOINT - Aborted because endpoint selection for the Google-managed service is ambiguous (several endpoints satisfy test input).
SOURCE_PSC_CLOUD_SQL_UNSUPPORTED - Aborted because tests with a PSC-based Cloud SQL instance as a source are not supported.
SOURCE_REDIS_CLUSTER_UNSUPPORTED - Aborted because tests with a Redis Cluster as a source are not supported.
SOURCE_REDIS_INSTANCE_UNSUPPORTED - Aborted because tests with a Redis Instance as a source are not supported.
SOURCE_FORWARDING_RULE_UNSUPPORTED - Aborted because tests with a forwarding rule as a source are not supported.
NON_ROUTABLE_IP_ADDRESS - Aborted because one of the endpoints is a non-routable IP address (loopback, link-local, etc).
UNKNOWN_ISSUE_IN_GOOGLE_MANAGED_PROJECT - Aborted due to an unknown issue in the Google-managed project.
UNSUPPORTED_GOOGLE_MANAGED_PROJECT_CONFIG - Aborted due to an unsupported configuration of the Google-managed project.
NO_SERVERLESS_IP_RANGES - Aborted because the source endpoint is a Cloud Run revision with direct VPC access enabled, but there are no reserved serverless IP ranges.
IP_VERSION_PROTOCOL_MISMATCH - Aborted because the used protocol is not supported for the used IP version.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address that caused the abort.
projects_missing_permission
Type: UNORDERED_LIST_STRING
Provider name: projectsMissingPermission
Description: List of project IDs the user specified in the request but lacks access to. In this case, analysis is aborted with the PERMISSION_DENIED cause.
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that caused the abort.
app_engine_version
Type: STRUCT
Provider name: appEngineVersion
Description: Display information of an App Engine service version.
environment
Type: STRING
Provider name: environment
Description: App Engine execution environment for a version.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of an App Engine version.
runtime
Type: STRING
Provider name: runtime
Description: Runtime of the App Engine version.
uri
Type: STRING
Provider name: uri
Description: URI of an App Engine version.
causes_drop
Type: BOOLEAN
Provider name: causesDrop
Description: This is a step that leads to the final state Drop.
cloud_function
Type: STRUCT
Provider name: cloudFunction
Description: Display information of a Cloud Function.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Function.
location
Type: STRING
Provider name: location
Description: Location in which the Cloud Function is deployed.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Function.
version_id
Type: INT64
Provider name: versionId
Description: Latest successfully deployed version id of the Cloud Function.
cloud_run_revision
Type: STRUCT
Provider name: cloudRunRevision
Description: Display information of a Cloud Run revision.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Run revision.
location
Type: STRING
Provider name: location
Description: Location in which this revision is deployed.
service_uri
Type: STRING
Provider name: serviceUri
Description: URI of Cloud Run service this revision belongs to.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Run revision.
cloud_sql_instance
Type: STRUCT
Provider name: cloudSqlInstance
Description: Display information of a Cloud SQL instance.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of a Cloud SQL instance.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud SQL instance.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of a Cloud SQL instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Cloud SQL instance network or empty string if the instance does not have one.
region
Type: STRING
Provider name: region
Description: Region in which the Cloud SQL instance is running.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud SQL instance.
deliver
Type: STRUCT
Provider name: deliver
Description: Display information of the final state “deliver” and reason.
google_service_type
Type: STRING
Provider name: googleServiceType
Description: Recognized type of a Google Service the packet is delivered to (if applicable).
Possible values:
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the target (if applicable).
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target the packet is delivered to (if applicable).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that the packet is delivered to.
storage_bucket
Type: STRING
Provider name: storageBucket
Description: Name of the Cloud Storage Bucket the packet is delivered to (if applicable).
target
Type: STRING
Provider name: target
Description: Target type where the packet is delivered to.
Possible values:
TARGET_UNSPECIFIED - Target not specified.
INSTANCE - Target is a Compute Engine instance.
INTERNET - Target is the internet.
GOOGLE_API - Target is a Google API.
GKE_MASTER - Target is a Google Kubernetes Engine cluster master.
CLOUD_SQL_INSTANCE - Target is a Cloud SQL instance.
PSC_PUBLISHED_SERVICE - Target is a published service that uses Private Service Connect.
PSC_GOOGLE_API - Target is Google APIs that use Private Service Connect.
PSC_VPC_SC - Target is a VPC-SC that uses Private Service Connect.
SERVERLESS_NEG - Target is a serverless network endpoint group.
STORAGE_BUCKET - Target is a Cloud Storage bucket.
PRIVATE_NETWORK - Target is a private network. Used only for return traces.
CLOUD_FUNCTION - Target is a Cloud Function. Used only for return traces.
APP_ENGINE_VERSION - Target is a App Engine service version. Used only for return traces.
CLOUD_RUN_REVISION - Target is a Cloud Run revision. Used only for return traces.
GOOGLE_MANAGED_SERVICE - Target is a Google-managed service. Used only for return traces.
REDIS_INSTANCE - Target is a Redis Instance.
REDIS_CLUSTER - Target is a Redis Cluster.
description
Type: STRING
Provider name: description
Description: A description of the step. Usually this is a summary of the state.
direct_vpc_egress_connection
Type: STRUCT
Provider name: directVpcEgressConnection
Description: Display information of a serverless direct VPC egress connection.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of direct access network.
region
Type: STRING
Provider name: region
Description: Region in which the Direct VPC egress is deployed.
selected_ip_address
Type: STRING
Provider name: selectedIpAddress
Description: Selected starting IP address, from the selected IP range.
selected_ip_range
Type: STRING
Provider name: selectedIpRange
Description: Selected IP range.
subnetwork_uri
Type: STRING
Provider name: subnetworkUri
Description: URI of direct access subnetwork.
drop
Type: STRUCT
Provider name: drop
Description: Display information of the final state “drop” and reason.
cause
Type: STRING
Provider name: cause
Description: Cause that the packet is dropped.
Possible values:
CAUSE_UNSPECIFIED - Cause is unspecified.
UNKNOWN_EXTERNAL_ADDRESS - Destination external address cannot be resolved to a known target. If the address is used in a Google Cloud project, provide the project ID as test input.
FOREIGN_IP_DISALLOWED - A Compute Engine instance can only send or receive a packet with a foreign IP address if ip_forward is enabled.
FIREWALL_RULE - Dropped due to a firewall rule, unless allowed due to connection tracking.
NO_ROUTE - Dropped due to no matching routes.
ROUTE_BLACKHOLE - Dropped due to invalid route. Route’s next hop is a blackhole.
ROUTE_WRONG_NETWORK - Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2’s IP address to Network3.
ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED - Route’s next hop IP address cannot be resolved to a GCP resource.
ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND - Route’s next hop resource is not found.
ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK - Route’s next hop instance doesn’t have a NIC in the route’s network.
ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP - Route’s next hop IP address is not a primary IP address of the next hop instance.
ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH - Route’s next hop forwarding rule doesn’t match next hop IP address.
ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED - Route’s next hop VPN tunnel is down (does not have valid IKE SAs).
ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID - Route’s next hop forwarding rule type is invalid (it’s not a forwarding rule of the internal passthrough load balancer).
NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS - Packet is sent from the Internet or Google service to the private IPv6 address.
NO_ROUTE_FROM_EXTERNAL_IPV6_SOURCE_TO_PRIVATE_IPV6_ADDRESS - Packet is sent from the external IPv6 source address of an instance to the private IPv6 address of an instance.
VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH - The packet does not match a policy-based VPN tunnel local selector.
VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH - The packet does not match a policy-based VPN tunnel remote selector.
PRIVATE_TRAFFIC_TO_INTERNET - Packet with internal destination address sent to the internet gateway.
PRIVATE_GOOGLE_ACCESS_DISALLOWED - Endpoint with only an internal IP address tries to access Google API and services, but Private Google Access is not enabled in the subnet or is not applicable.
PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED - Source endpoint tries to access Google API and services through the VPN tunnel to another network, but Private Google Access needs to be enabled in the source endpoint network.
NO_EXTERNAL_ADDRESS - Endpoint with only an internal IP address tries to access external hosts, but there is no matching Cloud NAT gateway in the subnet.
UNKNOWN_INTERNAL_ADDRESS - Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project.
FORWARDING_RULE_MISMATCH - Forwarding rule’s protocol and ports do not match the packet header.
FORWARDING_RULE_NO_INSTANCES - Forwarding rule does not have backends configured.
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK - Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. For more details, see Health check firewall rules.
INGRESS_FIREWALL_TAGS_UNSUPPORTED_BY_DIRECT_VPC_EGRESS - Matching ingress firewall rules by network tags for packets sent via serverless VPC direct egress is unsupported. Behavior is undefined. https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#limitations
INSTANCE_NOT_RUNNING - Packet is sent from or to a Compute Engine instance that is not in a running state.
GKE_CLUSTER_NOT_RUNNING - Packet sent from or to a GKE cluster that is not in running state.
CLOUD_SQL_INSTANCE_NOT_RUNNING - Packet sent from or to a Cloud SQL instance that is not in running state.
REDIS_INSTANCE_NOT_RUNNING - Packet sent from or to a Redis Instance that is not in running state.
REDIS_CLUSTER_NOT_RUNNING - Packet sent from or to a Redis Cluster that is not in running state.
TRAFFIC_TYPE_BLOCKED - The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic for more details.
GKE_MASTER_UNAUTHORIZED_ACCESS - Access to Google Kubernetes Engine cluster master’s endpoint is not authorized. See Access to the cluster endpoints for more details.
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS - Access to the Cloud SQL instance endpoint is not authorized. See Authorizing with authorized networks for more details.
DROPPED_INSIDE_GKE_SERVICE - Packet was dropped inside Google Kubernetes Engine Service.
DROPPED_INSIDE_CLOUD_SQL_SERVICE - Packet was dropped inside Cloud SQL Service.
GOOGLE_MANAGED_SERVICE_NO_PEERING - Packet was dropped because there is no peering between the originating network and the Google Managed Services Network.
GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT - Packet was dropped because the Google-managed service uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
GKE_PSC_ENDPOINT_MISSING - Packet was dropped because the GKE cluster uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
CLOUD_SQL_INSTANCE_NO_IP_ADDRESS - Packet was dropped because the Cloud SQL instance has neither a private nor a public IP address.
GKE_CONTROL_PLANE_REGION_MISMATCH - Packet was dropped because a GKE cluster private endpoint is unreachable from a region different from the cluster’s region.
PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION - Packet sent from a public GKE cluster control plane to a private IP address.
GKE_CONTROL_PLANE_NO_ROUTE - Packet was dropped because there is no route from a GKE cluster control plane to a destination network.
CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC - Packet sent from a Cloud SQL instance to an external IP address is not allowed. The Cloud SQL instance is not configured to send packets to external IP addresses.
PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION - Packet sent from a Cloud SQL instance with only a public IP address to a private IP address.
CLOUD_SQL_INSTANCE_NO_ROUTE - Packet was dropped because there is no route from a Cloud SQL instance to a destination network.
CLOUD_SQL_CONNECTOR_REQUIRED - Packet was dropped because the Cloud SQL instance requires all connections to use Cloud SQL connectors and to target the Cloud SQL proxy port (3307).
CLOUD_FUNCTION_NOT_ACTIVE - Packet could be dropped because the Cloud Function is not in an active status.
VPC_CONNECTOR_NOT_SET - Packet could be dropped because no VPC connector is set.
VPC_CONNECTOR_NOT_RUNNING - Packet could be dropped because the VPC connector is not in a running state.
VPC_CONNECTOR_SERVERLESS_TRAFFIC_BLOCKED - Packet could be dropped because the traffic from the serverless service to the VPC connector is not allowed.
VPC_CONNECTOR_HEALTH_CHECK_TRAFFIC_BLOCKED - Packet could be dropped because the health check traffic to the VPC connector is not allowed.
FORWARDING_RULE_REGION_MISMATCH - Packet could be dropped because it was sent from a different region to a regional forwarding without global access.
PSC_CONNECTION_NOT_ACCEPTED - The Private Service Connect endpoint is in a project that is not approved to connect to the service.
PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK - The packet is sent to the Private Service Connect endpoint over the peering, but it’s not supported.
PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS - The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule does not have global access enabled.
PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS - The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule has multiple ports specified.
CLOUD_SQL_PSC_NEG_UNSUPPORTED - The packet is sent to the Private Service Connect backend (network endpoint group) targeting a Cloud SQL service attachment, but this configuration is not supported.
NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT - No NAT subnets are defined for the PSC service attachment.
PSC_TRANSITIVITY_NOT_PROPAGATED - PSC endpoint is accessed via NCC, but PSC transitivity configuration is not yet propagated.
HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED - The packet sent from the hybrid NEG proxy matches a non-dynamic route, but such a configuration is not supported.
HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED - The packet sent from the hybrid NEG proxy matches a dynamic route with a next hop in a different region, but such a configuration is not supported.
CLOUD_RUN_REVISION_NOT_READY - Packet sent from a Cloud Run revision that is not ready.
DROPPED_INSIDE_PSC_SERVICE_PRODUCER - Packet was dropped inside Private Service Connect service producer.
LOAD_BALANCER_HAS_NO_PROXY_SUBNET - Packet sent to a load balancer, which requires a proxy-only subnet and the subnet is not found.
CLOUD_NAT_NO_ADDRESSES - Packet sent to Cloud Nat without active NAT IPs.
ROUTING_LOOP - Packet is stuck in a routing loop.
DROPPED_INSIDE_GOOGLE_MANAGED_SERVICE - Packet is dropped inside a Google-managed service due to being delivered in return trace to an endpoint that doesn’t match the endpoint the packet was sent from in forward trace. Used only for return traces.
LOAD_BALANCER_BACKEND_INVALID_NETWORK - Packet is dropped due to a load balancer backend instance not having a network interface in the network expected by the load balancer.
BACKEND_SERVICE_NAMED_PORT_NOT_DEFINED - Packet is dropped due to a backend service named port not being defined on the instance group level.
DESTINATION_IS_PRIVATE_NAT_IP_RANGE - Packet is dropped due to a destination IP range being part of a Private NAT IP range.
DROPPED_INSIDE_REDIS_INSTANCE_SERVICE - Generic drop cause for a packet being dropped inside a Redis Instance service project.
REDIS_INSTANCE_UNSUPPORTED_PORT - Packet is dropped due to an unsupported port being used to connect to a Redis Instance. Port 6379 should be used to connect to a Redis Instance.
REDIS_INSTANCE_CONNECTING_FROM_PUPI_ADDRESS - Packet is dropped due to connecting from PUPI address to a PSA based Redis Instance.
REDIS_INSTANCE_NO_ROUTE_TO_DESTINATION_NETWORK - Packet is dropped due to no route to the destination network.
REDIS_INSTANCE_NO_EXTERNAL_IP - Redis Instance does not have an external IP address.
REDIS_INSTANCE_UNSUPPORTED_PROTOCOL - Packet is dropped due to an unsupported protocol being used to connect to a Redis Instance. Only TCP connections are accepted by a Redis Instance.
DROPPED_INSIDE_REDIS_CLUSTER_SERVICE - Generic drop cause for a packet being dropped inside a Redis Cluster service project.
REDIS_CLUSTER_UNSUPPORTED_PORT - Packet is dropped due to an unsupported port being used to connect to a Redis Cluster. Ports 6379 and 11000 to 13047 should be used to connect to a Redis Cluster.
REDIS_CLUSTER_NO_EXTERNAL_IP - Redis Cluster does not have an external IP address.
REDIS_CLUSTER_UNSUPPORTED_PROTOCOL - Packet is dropped due to an unsupported protocol being used to connect to a Redis Cluster. Only TCP connections are accepted by a Redis Cluster.
NO_ADVERTISED_ROUTE_TO_GCP_DESTINATION - Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix advertised via BGP by the Cloud Router.
NO_TRAFFIC_SELECTOR_TO_GCP_DESTINATION - Packet from the non-GCP (on-prem) or unknown GCP network is dropped due to the destination IP address not belonging to any IP prefix included to the local traffic selector of the VPN tunnel.
NO_KNOWN_ROUTE_FROM_PEERED_NETWORK_TO_DESTINATION - Packet from the unknown peered network is dropped due to no known route from the source network to the destination IP address.
PRIVATE_NAT_TO_PSC_ENDPOINT_UNSUPPORTED - Sending packets processed by the Private NAT Gateways to the Private Service Connect endpoints is not supported.
PSC_PORT_MAPPING_PORT_MISMATCH - Packet is sent to the PSC port mapping service, but its destination port does not match any port mapping rules.
PSC_PORT_MAPPING_WITHOUT_PSC_CONNECTION_UNSUPPORTED - Sending packets directly to the PSC port mapping service without going through the PSC connection is not supported.
UNSUPPORTED_ROUTE_MATCHED_FOR_NAT64_DESTINATION - Packet with destination IP address within the reserved NAT64 range is dropped due to matching a route of an unsupported type.
TRAFFIC_FROM_HYBRID_ENDPOINT_TO_INTERNET_DISALLOWED - Packet could be dropped because hybrid endpoint like a VPN gateway or Interconnect is not allowed to send traffic to the Internet.
NO_MATCHING_NAT64_GATEWAY - Packet with destination IP address within the reserved NAT64 range is dropped due to no matching NAT gateway in the subnet.
LOAD_BALANCER_BACKEND_IP_VERSION_MISMATCH - Packet is dropped due to being sent to a backend of a passthrough load balancer that doesn’t use the same IP version as the frontend.
NO_KNOWN_ROUTE_FROM_NCC_NETWORK_TO_DESTINATION - Packet from the unknown NCC network is dropped due to no known route from the source network to the destination IP address.
CLOUD_NAT_PROTOCOL_UNSUPPORTED - Packet is dropped by Cloud NAT due to using an unsupported protocol.
destination_geolocation_code
Type: STRING
Provider name: destinationGeolocationCode
Description: Geolocation (region code) of the destination IP address (if relevant).
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address of the dropped packet (if relevant).
region
Type: STRING
Provider name: region
Description: Region of the dropped packet (if relevant).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that caused the drop.
source_geolocation_code
Type: STRING
Provider name: sourceGeolocationCode
Description: Geolocation (region code) of the source IP address (if relevant).
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address of the dropped packet (if relevant).
endpoint
Type: STRUCT
Provider name: endpoint
Description: Display information of the source and destination under analysis. The endpoint information in an intermediate state may differ with the initial input, as it might be modified by state like NAT, or Connection Proxy.
destination_ip
Type: STRING
Provider name: destinationIp
Description: Destination IP address.
destination_network_uri
Type: STRING
Provider name: destinationNetworkUri
Description: URI of the network where this packet is sent to.
destination_port
Type: INT32
Provider name: destinationPort
Description: Destination port. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
source_agent_uri
Type: STRING
Provider name: sourceAgentUri
Description: URI of the source telemetry agent this packet originates from.
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
source_network_uri
Type: STRING
Provider name: sourceNetworkUri
Description: URI of the network where this packet originates from.
source_port
Type: INT32
Provider name: sourcePort
Description: Source port. Only valid when protocol is TCP or UDP.
firewall
Type: STRUCT
Provider name: firewall
Description: Display information of a Compute Engine firewall rule.
action
Type: STRING
Provider name: action
Description: Possible values: ALLOW, DENY, APPLY_SECURITY_PROFILE_GROUP
direction
Type: STRING
Provider name: direction
Description: Possible values: INGRESS, EGRESS
firewall_rule_type
Type: STRING
Provider name: firewallRuleType
Description: The firewall rule’s type.
Possible values:
FIREWALL_RULE_TYPE_UNSPECIFIED - Unspecified type.
HIERARCHICAL_FIREWALL_POLICY_RULE - Hierarchical firewall policy rule. For details, see Hierarchical firewall policies overview.
VPC_FIREWALL_RULE - VPC firewall rule. For details, see VPC firewall rules overview.
IMPLIED_VPC_FIREWALL_RULE - Implied VPC firewall rule. For details, see Implied rules.
SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE - Implicit firewall rules that are managed by serverless VPC access to allow ingress access. They are not visible in the Google Cloud console. For details, see VPC connector’s implicit rules.
NETWORK_FIREWALL_POLICY_RULE - Global network firewall policy rule. For details, see Network firewall policies.
NETWORK_REGIONAL_FIREWALL_POLICY_RULE - Regional network firewall policy rule. For details, see Regional network firewall policies.
UNSUPPORTED_FIREWALL_POLICY_RULE - Firewall policy rule containing attributes not yet supported in Connectivity tests. Firewall analysis is skipped if such a rule can potentially be matched. Please see the list of unsupported configurations.
TRACKING_STATE - Tracking state for response traffic created when request traffic goes through allow firewall rule. For details, see firewall rules specifications
ANALYSIS_SKIPPED - Firewall analysis was skipped due to executing Connectivity Test in the BypassFirewallChecks mode
gcp_display_name
Type: STRING
Provider name: displayName
Description: The display name of the firewall rule. This field might be empty for firewall policy rules.
network_uri
Type: STRING
Provider name: networkUri
Description: The URI of the VPC network that the firewall rule is associated with. This field is not applicable to hierarchical firewall policy rules.
policy
Type: STRING
Provider name: policy
Description: The name of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
policy_priority
Type: INT32
Provider name: policyPriority
Description: The priority of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
policy_uri
Type: STRING
Provider name: policyUri
Description: The URI of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.
priority
Type: INT32
Provider name: priority
Description: The priority of the firewall rule.
target_service_accounts
Type: UNORDERED_LIST_STRING
Provider name: targetServiceAccounts
Description: The target service accounts specified by the firewall rule.
target_tags
Type: UNORDERED_LIST_STRING
Provider name: targetTags
Description: The target tags defined by the VPC firewall rule. This field is not applicable to firewall policy rules.
target_type
Type: STRING
Provider name: targetType
Description: Target type of the firewall rule.
Possible values:
TARGET_TYPE_UNSPECIFIED - Target type is not specified. In this case we treat the rule as applying to INSTANCES target type.
INSTANCES - Firewall rule applies to instances.
INTERNAL_MANAGED_LB - Firewall rule applies to internal managed load balancers.
uri
Type: STRING
Provider name: uri
Description: The URI of the firewall rule. This field is not applicable to implied VPC firewall rules.
forward
Type: STRUCT
Provider name: forward
Description: Display information of the final state “forward” and reason.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the target (if applicable).
resource_uri
Type: STRING
Provider name: resourceUri
Description: URI of the resource that the packet is forwarded to.
target
Type: STRING
Provider name: target
Description: Target type where this packet is forwarded to.
Possible values:
TARGET_UNSPECIFIED - Target not specified.
PEERING_VPC - Forwarded to a VPC peering network.
VPN_GATEWAY - Forwarded to a Cloud VPN gateway.
INTERCONNECT - Forwarded to a Cloud Interconnect connection.
GKE_MASTER - Forwarded to a Google Kubernetes Engine Container cluster master.
IMPORTED_CUSTOM_ROUTE_NEXT_HOP - Forwarded to the next hop of a custom route imported from a peering VPC.
CLOUD_SQL_INSTANCE - Forwarded to a Cloud SQL instance.
ANOTHER_PROJECT - Forwarded to a VPC network in another project.
NCC_HUB - Forwarded to an NCC Hub.
ROUTER_APPLIANCE - Forwarded to a router appliance.
SECURE_WEB_PROXY_GATEWAY - Forwarded to a Secure Web Proxy Gateway.
forwarding_rule
Type: STRUCT
Provider name: forwardingRule
Description: Display information of a Compute Engine forwarding rule.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of the forwarding rule.
load_balancer_name
Type: STRING
Provider name: loadBalancerName
Description: Name of the load balancer the forwarding rule belongs to. Empty for forwarding rules not related to load balancers (like PSC forwarding rules).
matched_port_range
Type: STRING
Provider name: matchedPortRange
Description: Port range defined in the forwarding rule that matches the packet.
matched_protocol
Type: STRING
Provider name: matchedProtocol
Description: Protocol defined in the forwarding rule that matches the packet.
network_uri
Type: STRING
Provider name: networkUri
Description: Network URI.
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target this forwarding rule targets (if applicable).
psc_service_attachment_uri
Type: STRING
Provider name: pscServiceAttachmentUri
Description: URI of the PSC service attachment this forwarding rule targets (if applicable).
region
Type: STRING
Provider name: region
Description: Region of the forwarding rule. Set only for regional forwarding rules.
target
Type: STRING
Provider name: target
Description: Target type of the forwarding rule.
uri
Type: STRING
Provider name: uri
Description: URI of the forwarding rule.
vip
Type: STRING
Provider name: vip
Description: VIP of the forwarding rule.
gke_master
Type: STRUCT
Provider name: gkeMaster
Description: Display information of a Google Kubernetes Engine cluster master.
cluster_network_uri
Type: STRING
Provider name: clusterNetworkUri
Description: URI of a GKE cluster network.
cluster_uri
Type: STRING
Provider name: clusterUri
Description: URI of a GKE cluster.
dns_endpoint
Type: STRING
Provider name: dnsEndpoint
Description: DNS endpoint of a GKE cluster control plane.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of a GKE cluster control plane.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of a GKE cluster control plane.
google_service
Type: STRUCT
Provider name: googleService
Description: Display information of a Google service
google_service_type
Type: STRING
Provider name: googleServiceType
Description: Recognized type of a Google Service.
Possible values:
source_ip
Type: STRING
Provider name: sourceIp
Description: Source IP address.
instance
Type: STRUCT
Provider name: instance
Description: Display information of a Compute Engine instance.
external_ip
Type: STRING
Provider name: externalIp
Description: External IP address of the network interface.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine instance.
gcp_status
Type: STRING
Provider name: status
Description: The status of the instance.
Possible values:
STATUS_UNSPECIFIED - Default unspecified value.
RUNNING - The instance is running.
NOT_RUNNING - The instance has any status other than ‘RUNNING’.
interface
Type: STRING
Provider name: interface
Description: Name of the network interface of a Compute Engine instance.
internal_ip
Type: STRING
Provider name: internalIp
Description: Internal IP address of the network interface.
network_tags
Type: UNORDERED_LIST_STRING
Provider name: networkTags
Description: Network tags configured on the instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network.
psc_network_attachment_uri
Type: STRING
Provider name: pscNetworkAttachmentUri
Description: URI of the PSC network attachment the NIC is attached to (if relevant).
running
Type: BOOLEAN
Provider name: running
Description: Indicates whether the Compute Engine instance is running. Deprecated: use the status field instead.
service_account
Type: STRING
Provider name: serviceAccount
Description: Service account authorized for the instance.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine instance.
interconnect_attachment
Type: STRUCT
Provider name: interconnectAttachment
Description: Display information of an interconnect attachment.
cloud_router_uri
Type: STRING
Provider name: cloudRouterUri
Description: URI of the Cloud Router to be used for dynamic routing.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of an Interconnect attachment.
interconnect_uri
Type: STRING
Provider name: interconnectUri
Description: URI of the Interconnect where the Interconnect attachment is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where the Interconnect attachment is configured.
uri
Type: STRING
Provider name: uri
Description: URI of an Interconnect attachment.
load_balancer
Type: STRUCT
Provider name: loadBalancer
Description: Display information of the load balancers. Deprecated in favor of the load_balancer_backend_info field, not used in new tests.
backend_type
Type: STRING
Provider name: backendType
Description: Type of load balancer’s backend configuration.
Possible values:
BACKEND_TYPE_UNSPECIFIED - Type is unspecified.
BACKEND_SERVICE - Backend Service as the load balancer’s backend.
TARGET_POOL - Target Pool as the load balancer’s backend.
TARGET_INSTANCE - Target Instance as the load balancer’s backend.
backend_uri
Type: STRING
Provider name: backendUri
Description: Backend configuration URI.
backends
Type: UNORDERED_LIST_STRUCT
Provider name: backends
Description: Information for the loadbalancer backends.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine instance or network endpoint.
health_check_allowing_firewall_rules
Type: UNORDERED_LIST_STRING
Provider name: healthCheckAllowingFirewallRules
Description: A list of firewall rule URIs allowing probes from health check IP ranges.
health_check_blocking_firewall_rules
Type: UNORDERED_LIST_STRING
Provider name: healthCheckBlockingFirewallRules
Description: A list of firewall rule URIs blocking probes from health check IP ranges.
health_check_firewall_state
Type: STRING
Provider name: healthCheckFirewallState
Description: State of the health check firewall configuration.
Possible values:
HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED - State is unspecified. Default state if not populated.
CONFIGURED - There are configured firewall rules to allow health check probes to the backend.
MISCONFIGURED - There are firewall rules configured to allow partial health check ranges or block all health check ranges. If a health check probe is sent from denied IP ranges, the health check to the backend will fail. Then, the backend will be marked unhealthy and will not receive traffic sent to the load balancer.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine instance or network endpoint.
health_check_uri
Type: STRING
Provider name: healthCheckUri
Description: URI of the health check for the load balancer. Deprecated and no longer populated as different load balancer backends might have different health checks.
load_balancer_type
Type: STRING
Provider name: loadBalancerType
Description: Type of the load balancer.
Possible values:
LOAD_BALANCER_TYPE_UNSPECIFIED - Type is unspecified.
INTERNAL_TCP_UDP - Internal TCP/UDP load balancer.
NETWORK_TCP_UDP - Network TCP/UDP load balancer.
HTTP_PROXY - HTTP(S) proxy load balancer.
TCP_PROXY - TCP proxy load balancer.
SSL_PROXY - SSL proxy load balancer.
load_balancer_backend_info
Type: STRUCT
Provider name: loadBalancerBackendInfo
Description: Display information of a specific load balancer backend.
backend_bucket_uri
Type: STRING
Provider name: backendBucketUri
Description: URI of the backend bucket this backend targets (if applicable).
backend_service_uri
Type: STRING
Provider name: backendServiceUri
Description: URI of the backend service this backend belongs to (if applicable).
health_check_firewalls_config_state
Type: STRING
Provider name: healthCheckFirewallsConfigState
Description: Output only. Health check firewalls configuration state for the backend. This is a result of the static firewall analysis (verifying that health check traffic from required IP ranges to the backend is allowed or not). The backend might still be unhealthy even if these firewalls are configured. Please refer to the documentation for more information: https://cloud.google.com/load-balancing/docs/firewall-rules
Possible values:
HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED - Configuration state unspecified. It usually means that the backend has no health check attached, or there was an unexpected configuration error preventing Connectivity tests from verifying health check configuration.
FIREWALLS_CONFIGURED - Firewall rules (policies) allowing health check traffic from all required IP ranges to the backend are configured.
FIREWALLS_PARTIALLY_CONFIGURED - Firewall rules (policies) allow health check traffic only from a part of required IP ranges.
FIREWALLS_NOT_CONFIGURED - Firewall rules (policies) deny health check traffic from all required IP ranges to the backend.
FIREWALLS_UNSUPPORTED - The network contains firewall rules of unsupported types, so Connectivity tests were not able to verify health check configuration status. Please refer to the documentation for the list of unsupported configurations: https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs
health_check_uri
Type: STRING
Provider name: healthCheckUri
Description: URI of the health check attached to this backend (if applicable).
instance_group_uri
Type: STRING
Provider name: instanceGroupUri
Description: URI of the instance group this backend belongs to (if applicable).
instance_uri
Type: STRING
Provider name: instanceUri
Description: URI of the backend instance (if applicable). Populated for instance group backends, and zonal NEG backends.
name
Type: STRING
Provider name: name
Description: Display name of the backend. For example, it might be an instance name for the instance group backends, or an IP address and port for zonal network endpoint group backends.
network_endpoint_group_uri
Type: STRING
Provider name: networkEndpointGroupUri
Description: URI of the network endpoint group this backend belongs to (if applicable).
psc_google_api_target
Type: STRING
Provider name: pscGoogleApiTarget
Description: PSC Google API target this PSC NEG backend targets (if applicable).
psc_service_attachment_uri
Type: STRING
Provider name: pscServiceAttachmentUri
Description: URI of the PSC service attachment this PSC NEG backend targets (if applicable).
nat
Type: STRUCT
Provider name: nat
Description: Display information of a NAT.
nat_gateway_name
Type: STRING
Provider name: natGatewayName
Description: The name of Cloud NAT Gateway. Only valid when type is CLOUD_NAT.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network where NAT translation takes place.
new_destination_ip
Type: STRING
Provider name: newDestinationIp
Description: Destination IP address after NAT translation.
new_destination_port
Type: INT32
Provider name: newDestinationPort
Description: Destination port after NAT translation. Only valid when protocol is TCP or UDP.
new_source_ip
Type: STRING
Provider name: newSourceIp
Description: Source IP address after NAT translation.
new_source_port
Type: INT32
Provider name: newSourcePort
Description: Source port after NAT translation. Only valid when protocol is TCP or UDP.
old_destination_ip
Type: STRING
Provider name: oldDestinationIp
Description: Destination IP address before NAT translation.
old_destination_port
Type: INT32
Provider name: oldDestinationPort
Description: Destination port before NAT translation. Only valid when protocol is TCP or UDP.
old_source_ip
Type: STRING
Provider name: oldSourceIp
Description: Source IP address before NAT translation.
old_source_port
Type: INT32
Provider name: oldSourcePort
Description: Source port before NAT translation. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
router_uri
Type: STRING
Provider name: routerUri
Description: Uri of the Cloud Router. Only valid when type is CLOUD_NAT.
type
Type: STRING
Provider name: type
Description: Type of NAT.
Possible values:
TYPE_UNSPECIFIED - Type is unspecified.
INTERNAL_TO_EXTERNAL - From Compute Engine instance’s internal address to external address.
EXTERNAL_TO_INTERNAL - From Compute Engine instance’s external address to internal address.
CLOUD_NAT - Cloud NAT Gateway.
PRIVATE_SERVICE_CONNECT - Private service connect NAT.
network
Type: STRUCT
Provider name: network
Description: Display information of a Google Cloud network.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Compute Engine network.
matched_ip_range
Type: STRING
Provider name: matchedIpRange
Description: The IP range of the subnet matching the source IP address of the test.
matched_subnet_uri
Type: STRING
Provider name: matchedSubnetUri
Description: URI of the subnet matching the source IP address of the test.
region
Type: STRING
Provider name: region
Description: The region of the subnet matching the source IP address of the test.
uri
Type: STRING
Provider name: uri
Description: URI of a Compute Engine network.
project_id
Type: STRING
Provider name: projectId
Description: Project ID that contains the configuration this step is validating.
proxy_connection
Type: STRUCT
Provider name: proxyConnection
Description: Display information of a ProxyConnection.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network where connection is proxied.
new_destination_ip
Type: STRING
Provider name: newDestinationIp
Description: Destination IP address of a new connection.
new_destination_port
Type: INT32
Provider name: newDestinationPort
Description: Destination port of a new connection. Only valid when protocol is TCP or UDP.
new_source_ip
Type: STRING
Provider name: newSourceIp
Description: Source IP address of a new connection.
new_source_port
Type: INT32
Provider name: newSourcePort
Description: Source port of a new connection. Only valid when protocol is TCP or UDP.
old_destination_ip
Type: STRING
Provider name: oldDestinationIp
Description: Destination IP address of an original connection
old_destination_port
Type: INT32
Provider name: oldDestinationPort
Description: Destination port of an original connection. Only valid when protocol is TCP or UDP.
old_source_ip
Type: STRING
Provider name: oldSourceIp
Description: Source IP address of an original connection.
old_source_port
Type: INT32
Provider name: oldSourcePort
Description: Source port of an original connection. Only valid when protocol is TCP or UDP.
protocol
Type: STRING
Provider name: protocol
Description: IP protocol in string format, for example: “TCP”, “UDP”, “ICMP”.
subnet_uri
Type: STRING
Provider name: subnetUri
Description: Uri of proxy subnet.
redis_cluster
Type: STRUCT
Provider name: redisCluster
Description: Display information of a Redis Cluster.
discovery_endpoint_ip_address
Type: STRING
Provider name: discoveryEndpointIpAddress
Description: Discovery endpoint IP address of a Redis Cluster.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Redis Cluster.
location
Type: STRING
Provider name: location
Description: Name of the region in which the Redis Cluster is defined. For example, “us-central1”.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of the network containing the Redis Cluster endpoints in format “projects/{project_id}/global/networks/{network_id}”.
secondary_endpoint_ip_address
Type: STRING
Provider name: secondaryEndpointIpAddress
Description: Secondary endpoint IP address of a Redis Cluster.
uri
Type: STRING
Provider name: uri
Description: URI of a Redis Cluster in format “projects/{project_id}/locations/{location}/clusters/{cluster_id}"
redis_instance
Type: STRUCT
Provider name: redisInstance
Description: Display information of a Redis Instance.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a Cloud Redis Instance.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Cloud Redis Instance network.
primary_endpoint_ip
Type: STRING
Provider name: primaryEndpointIp
Description: Primary endpoint IP address of a Cloud Redis Instance.
read_endpoint_ip
Type: STRING
Provider name: readEndpointIp
Description: Read endpoint IP address of a Cloud Redis Instance (if applicable).
region
Type: STRING
Provider name: region
Description: Region in which the Cloud Redis Instance is defined.
uri
Type: STRING
Provider name: uri
Description: URI of a Cloud Redis Instance.
route
Type: STRUCT
Provider name: route
Description: Display information of a Compute Engine route.
advertised_route_next_hop_uri
Type: STRING
Provider name: advertisedRouteNextHopUri
Description: For ADVERTISED routes, the URI of their next hop, i.e. the URI of the hybrid endpoint (VPN tunnel, Interconnect attachment, NCC router appliance) the advertised prefix is advertised through, or URI of the source peered network. Deprecated in favor of the next_hop_uri field, not used in new tests.
advertised_route_source_router_uri
Type: STRING
Provider name: advertisedRouteSourceRouterUri
Description: For ADVERTISED dynamic routes, the URI of the Cloud Router that advertised the corresponding IP prefix.
dest_ip_range
Type: STRING
Provider name: destIpRange
Description: Destination IP range of the route.
dest_port_ranges
Type: UNORDERED_LIST_STRING
Provider name: destPortRanges
Description: Destination port ranges of the route. POLICY_BASED routes only.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a route.
instance_tags
Type: UNORDERED_LIST_STRING
Provider name: instanceTags
Description: Instance tags of the route.
ncc_hub_route_uri
Type: STRING
Provider name: nccHubRouteUri
Description: For PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub, the URI of the corresponding route in NCC Hub’s routing table.
ncc_hub_uri
Type: STRING
Provider name: nccHubUri
Description: URI of the NCC Hub the route is advertised by. PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub only.
ncc_spoke_uri
Type: STRING
Provider name: nccSpokeUri
Description: URI of the destination NCC Spoke. PEERING_SUBNET and PEERING_DYNAMIC routes that are advertised by NCC Hub only.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a VPC network where route is located.
next_hop
Type: STRING
Provider name: nextHop
Description: String type of the next hop of the route (for example, “VPN tunnel”). Deprecated in favor of the next_hop_type and next_hop_uri fields, not used in new tests.
next_hop_network_uri
Type: STRING
Provider name: nextHopNetworkUri
Description: URI of a VPC network where the next hop resource is located.
next_hop_type
Type: STRING
Provider name: nextHopType
Description: Type of next hop.
Possible values:
NEXT_HOP_TYPE_UNSPECIFIED - Unspecified type. Default value.
NEXT_HOP_IP - Next hop is an IP address.
NEXT_HOP_INSTANCE - Next hop is a Compute Engine instance.
NEXT_HOP_NETWORK - Next hop is a VPC network gateway.
NEXT_HOP_PEERING - Next hop is a peering VPC. This scenario only happens when the user doesn’t have permissions to the project where the next hop resource is located.
NEXT_HOP_INTERCONNECT - Next hop is an interconnect.
NEXT_HOP_VPN_TUNNEL - Next hop is a VPN tunnel.
NEXT_HOP_VPN_GATEWAY - Next hop is a VPN gateway. This scenario only happens when tracing connectivity from an on-premises network to Google Cloud through a VPN. The analysis simulates a packet departing from the on-premises network through a VPN tunnel and arriving at a Cloud VPN gateway.
NEXT_HOP_INTERNET_GATEWAY - Next hop is an internet gateway.
NEXT_HOP_BLACKHOLE - Next hop is blackhole; that is, the next hop either does not exist or is unusable.
NEXT_HOP_ILB - Next hop is the forwarding rule of an Internal Load Balancer.
NEXT_HOP_ROUTER_APPLIANCE - Next hop is a router appliance instance.
NEXT_HOP_NCC_HUB - Next hop is an NCC hub. This scenario only happens when the user doesn’t have permissions to the project where the next hop resource is located.
SECURE_WEB_PROXY_GATEWAY - Next hop is Secure Web Proxy Gateway.
next_hop_uri
Type: STRING
Provider name: nextHopUri
Description: URI of the next hop resource.
originating_route_display_name
Type: STRING
Provider name: originatingRouteDisplayName
Description: For PEERING_SUBNET, PEERING_STATIC and PEERING_DYNAMIC routes, the name of the originating SUBNET/STATIC/DYNAMIC route.
originating_route_uri
Type: STRING
Provider name: originatingRouteUri
Description: For PEERING_SUBNET and PEERING_STATIC routes, the URI of the originating SUBNET/STATIC route.
priority
Type: INT32
Provider name: priority
Description: Priority of the route.
protocols
Type: UNORDERED_LIST_STRING
Provider name: protocols
Description: Protocols of the route. POLICY_BASED routes only.
region
Type: STRING
Provider name: region
Description: Region of the route. DYNAMIC, PEERING_DYNAMIC, POLICY_BASED and ADVERTISED routes only. If set for POLICY_BASED route, this is a region of VLAN attachments for Cloud Interconnect the route applies to.
route_scope
Type: STRING
Provider name: routeScope
Description: Indicates where route is applicable. Deprecated, routes with NCC_HUB scope are not included in the trace in new tests.
Possible values:
ROUTE_SCOPE_UNSPECIFIED - Unspecified scope. Default value.
NETWORK - Route is applicable to packets in Network.
NCC_HUB - Route is applicable to packets using NCC Hub’s routing table.
route_type
Type: STRING
Provider name: routeType
Description: Type of route.
Possible values:
ROUTE_TYPE_UNSPECIFIED - Unspecified type. Default value.
SUBNET - Route is a subnet route automatically created by the system.
STATIC - Static route created by the user, including the default route to the internet.
DYNAMIC - Dynamic route exchanged between BGP peers.
PEERING_SUBNET - A subnet route received from peering network or NCC Hub.
PEERING_STATIC - A static route received from peering network.
PEERING_DYNAMIC - A dynamic route received from peering network or NCC Hub.
POLICY_BASED - Policy based route.
ADVERTISED - Advertised route. Synthetic route which is used to transition from the StartFromPrivateNetwork state in Connectivity tests.
src_ip_range
Type: STRING
Provider name: srcIpRange
Description: Source IP address range of the route. POLICY_BASED routes only.
src_port_ranges
Type: UNORDERED_LIST_STRING
Provider name: srcPortRanges
Description: Source port ranges of the route. POLICY_BASED routes only.
uri
Type: STRING
Provider name: uri
Description: URI of a route. SUBNET, STATIC, PEERING_SUBNET (only for peering network) and POLICY_BASED routes only.
serverless_external_connection
Type: STRUCT
Provider name: serverlessExternalConnection
Description: Display information of a serverless public (external) connection.
selected_ip_address
Type: STRING
Provider name: selectedIpAddress
Description: Selected starting IP address, from the Google dynamic address pool.
serverless_neg
Type: STRUCT
Provider name: serverlessNeg
Description: Display information of a Serverless network endpoint group backend. Used only for return traces.
neg_uri
Type: STRING
Provider name: negUri
Description: URI of the serverless network endpoint group.
state
Type: STRING
Provider name: state
Description: Each step is in one of the pre-defined states.
Possible values:
STATE_UNSPECIFIED - Unspecified state.
START_FROM_INSTANCE - Initial state: packet originating from a Compute Engine instance. An InstanceInfo is populated with starting instance information.
START_FROM_INTERNET - Initial state: packet originating from the internet. The endpoint information is populated.
START_FROM_GOOGLE_SERVICE - Initial state: packet originating from a Google service. The google_service information is populated.
START_FROM_PRIVATE_NETWORK - Initial state: packet originating from a VPC or on-premises network with internal source IP. If the source is a VPC network visible to the user, a NetworkInfo is populated with details of the network.
START_FROM_GKE_MASTER - Initial state: packet originating from a Google Kubernetes Engine cluster master. A GKEMasterInfo is populated with starting instance information.
START_FROM_CLOUD_SQL_INSTANCE - Initial state: packet originating from a Cloud SQL instance. A CloudSQLInstanceInfo is populated with starting instance information.
START_FROM_REDIS_INSTANCE - Initial state: packet originating from a Redis instance. A RedisInstanceInfo is populated with starting instance information.
START_FROM_REDIS_CLUSTER - Initial state: packet originating from a Redis Cluster. A RedisClusterInfo is populated with starting Cluster information.
START_FROM_CLOUD_FUNCTION - Initial state: packet originating from a Cloud Function. A CloudFunctionInfo is populated with starting function information.
START_FROM_APP_ENGINE_VERSION - Initial state: packet originating from an App Engine service version. An AppEngineVersionInfo is populated with starting version information.
START_FROM_CLOUD_RUN_REVISION - Initial state: packet originating from a Cloud Run revision. A CloudRunRevisionInfo is populated with starting revision information.
START_FROM_STORAGE_BUCKET - Initial state: packet originating from a Storage Bucket. Used only for return traces. The storage_bucket information is populated.
START_FROM_PSC_PUBLISHED_SERVICE - Initial state: packet originating from a published service that uses Private Service Connect. Used only for return traces.
START_FROM_SERVERLESS_NEG - Initial state: packet originating from a serverless network endpoint group backend. Used only for return traces. The serverless_neg information is populated.
APPLY_INGRESS_FIREWALL_RULE - Config checking state: verify ingress firewall rule.
APPLY_EGRESS_FIREWALL_RULE - Config checking state: verify egress firewall rule.
APPLY_ROUTE - Config checking state: verify route.
APPLY_FORWARDING_RULE - Config checking state: match forwarding rule.
ANALYZE_LOAD_BALANCER_BACKEND - Config checking state: verify load balancer backend configuration.
SPOOFING_APPROVED - Config checking state: packet sent or received under foreign IP address and allowed.
ARRIVE_AT_INSTANCE - Forwarding state: arriving at a Compute Engine instance.
ARRIVE_AT_INTERNAL_LOAD_BALANCER - Forwarding state: arriving at a Compute Engine internal load balancer.
ARRIVE_AT_EXTERNAL_LOAD_BALANCER - Forwarding state: arriving at a Compute Engine external load balancer.
ARRIVE_AT_VPN_GATEWAY - Forwarding state: arriving at a Cloud VPN gateway.
ARRIVE_AT_VPN_TUNNEL - Forwarding state: arriving at a Cloud VPN tunnel.
ARRIVE_AT_INTERCONNECT_ATTACHMENT - Forwarding state: arriving at an interconnect attachment.
ARRIVE_AT_VPC_CONNECTOR - Forwarding state: arriving at a VPC connector.
DIRECT_VPC_EGRESS_CONNECTION - Forwarding state: for packets originating from a serverless endpoint forwarded through Direct VPC egress.
SERVERLESS_EXTERNAL_CONNECTION - Forwarding state: for packets originating from a serverless endpoint forwarded through public (external) connectivity.
NAT - Transition state: packet header translated.
PROXY_CONNECTION - Transition state: original connection is terminated and a new proxied connection is initiated.
DELIVER - Final state: packet could be delivered.
DROP - Final state: packet could be dropped.
FORWARD - Final state: packet could be forwarded to a network with an unknown configuration.
ABORT - Final state: analysis is aborted.
VIEWER_PERMISSION_MISSING - Special state: viewer of the test result does not have permission to see the configuration in this step.
storage_bucket
Type: STRUCT
Provider name: storageBucket
Description: Display information of a Storage Bucket. Used only for return traces.
bucket
Type: STRING
Provider name: bucket
Description: Cloud Storage Bucket name.
vpc_connector
Type: STRUCT
Provider name: vpcConnector
Description: Display information of a VPC connector.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPC connector.
location
Type: STRING
Provider name: location
Description: Location in which the VPC connector is deployed.
uri
Type: STRING
Provider name: uri
Description: URI of a VPC connector.
vpn_gateway
Type: STRUCT
Provider name: vpnGateway
Description: Display information of a Compute Engine VPN gateway.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPN gateway.
ip_address
Type: STRING
Provider name: ipAddress
Description: IP address of the VPN gateway.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network where the VPN gateway is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where this VPN gateway is configured.
uri
Type: STRING
Provider name: uri
Description: URI of a VPN gateway.
vpn_tunnel_uri
Type: STRING
Provider name: vpnTunnelUri
Description: A VPN tunnel that is associated with this VPN gateway. There may be multiple VPN tunnels configured on a VPN gateway, and only the one relevant to the test is displayed.
vpn_tunnel
Type: STRUCT
Provider name: vpnTunnel
Description: Display information of a Compute Engine VPN tunnel.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Name of a VPN tunnel.
network_uri
Type: STRING
Provider name: networkUri
Description: URI of a Compute Engine network where the VPN tunnel is configured.
region
Type: STRING
Provider name: region
Description: Name of a Google Cloud region where this VPN tunnel is configured.
remote_gateway
Type: STRING
Provider name: remoteGateway
Description: URI of a VPN gateway at remote end of the tunnel.
remote_gateway_ip
Type: STRING
Provider name: remoteGatewayIp
Description: Remote VPN gateway’s IP address.
routing_type
Type: STRING
Provider name: routingType
Description: Type of the routing policy.
Possible values:
ROUTING_TYPE_UNSPECIFIED - Unspecified type. Default value.
ROUTE_BASED - Route based VPN.
POLICY_BASED - Policy based routing.
DYNAMIC - Dynamic (BGP) routing.
source_gateway
Type: STRING
Provider name: sourceGateway
Description: URI of the VPN gateway at local end of the tunnel.
source_gateway_ip
Type: STRING
Provider name: sourceGatewayIp
Description: Local VPN gateway’s IP address.
uri
Type: STRING
Provider name: uri
Description: URI of a VPN tunnel.
verify_time
Type: TIMESTAMP
Provider name: verifyTime
Description: The time of the configuration analysis.
round_trip
Type: BOOLEAN
Provider name: roundTrip
Description: Whether run analysis for the return path from destination to source. Default value is false.
Type: UNORDERED_LIST_STRING
update_time
Type: TIMESTAMP
Provider name: updateTime
Description: Output only. The time the test’s configuration was updated.
