REST Resource: projects.locations.global.connectivityTests

Resource: ConnectivityTest

A Connectivity Test for a network reachability analysis.

JSON representation
{
  "name": string,
  "description": string,
  "source": {
    object (Endpoint)
  },
  "destination": {
    object (Endpoint)
  },
  "protocol": string,
  "relatedProjects": [
    string
  ],
  "displayName": string,
  "labels": {
    string: string,
    ...
  },
  "createTime": string,
  "updateTime": string,
  "reachabilityDetails": {
    object (ReachabilityDetails)
  },
  "probingDetails": {
    object (ProbingDetails)
  },
  "bypassFirewallChecks": boolean
}
Fields
name

string

Identifier. Unique name of the resource using the form: projects/{projectId}/locations/global/connectivityTests/{test}

description

string

The user-supplied description of the Connectivity Test. Maximum of 512 characters.

source

object (Endpoint)

Required. Source specification of the Connectivity Test.

You can use a combination of source IP address, virtual machine (VM) instance, or Compute Engine network to uniquely identify the source location.

Examples: If the source IP address is an internal IP address within a Google Cloud Virtual Private Cloud (VPC) network, then you must also specify the VPC network. Otherwise, specify the VM instance, which already contains its internal IP address and VPC network information.

If the source of the test is within an on-premises network, then you must provide the destination VPC network.

If the source endpoint is a Compute Engine VM instance with multiple network interfaces, the instance itself is not sufficient to identify the endpoint. So, you must also specify the source IP address or VPC network.

A reachability analysis proceeds even if the source location is ambiguous. However, the test result may include endpoints that you don't intend to test.

destination

object (Endpoint)

Required. Destination specification of the Connectivity Test.

You can use a combination of destination IP address, Compute Engine VM instance, or VPC network to uniquely identify the destination location.

Even if the destination IP address is not unique, the source IP location is unique. Usually, the analysis can infer the destination endpoint from route information.

If the destination you specify is a VM instance and the instance has multiple network interfaces, then you must also specify either a destination IP address or VPC network to identify the destination interface.

A reachability analysis proceeds even if the destination location is ambiguous. However, the result can include endpoints that you don't intend to test.

protocol

string

IP Protocol of the test. When not provided, "TCP" is assumed.

relatedProjects[]

string

Other projects that may be relevant for reachability analysis. This is applicable to scenarios where a test can cross project boundaries.

displayName

string

Output only. The display name of a Connectivity Test.

labels

map (key: string, value: string)

Resource labels to represent user-provided metadata.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

createTime

string (Timestamp format)

Output only. The time the test was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time the test's configuration was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

reachabilityDetails

object (ReachabilityDetails)

Output only. The reachability details of this test from the latest run. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.

probingDetails

object (ProbingDetails)

Output only. The probing details of this test from the latest run, present for applicable tests only. The details are updated when creating a new test, updating an existing test, or triggering a one-time rerun of an existing test.

bypassFirewallChecks

boolean

Whether the test should skip firewall checking. If not provided, we assume false.

Endpoint

Source or destination of the Connectivity Test.

JSON representation
{
  "ipAddress": string,
  "port": integer,
  "instance": string,
  "forwardingRule": string,
  "gkeMasterCluster": string,
  "cloudSqlInstance": string,
  "redisInstance": string,
  "redisCluster": string,
  "cloudFunction": {
    object (CloudFunctionEndpoint)
  },
  "appEngineVersion": {
    object (AppEngineVersionEndpoint)
  },
  "cloudRunRevision": {
    object (CloudRunRevisionEndpoint)
  },
  "network": string,
  "networkType": enum (NetworkType),
  "projectId": string,
  "forwardingRuleTarget": enum (ForwardingRuleTarget),
  "loadBalancerId": string,
  "loadBalancerType": enum (LoadBalancerType)
}
Fields
ipAddress

string

The IP address of the endpoint, which can be an external or internal IP.

port

integer

The IP protocol port of the endpoint. Only applicable when protocol is TCP or UDP.

instance

string

A Compute Engine instance URI.

forwardingRule

string

A forwarding rule and its corresponding IP address represent the frontend configuration of a Google Cloud load balancer. Forwarding rules are also used for protocol forwarding, Private Service Connect and other network services to provide forwarding information in the control plane. Format: projects/{project}/global/forwardingRules/{id} or projects/{project}/regions/{region}/forwardingRules/{id}

gkeMasterCluster

string

A cluster URI for Google Kubernetes Engine master.

cloudSqlInstance

string

A Cloud SQL instance URI.

redisInstance

string

A Redis Instance URI.

redisCluster

string

A Redis Cluster URI.

cloudFunction

object (CloudFunctionEndpoint)

A Cloud Function.

appEngineVersion

object (AppEngineVersionEndpoint)

An App Engine service version.

cloudRunRevision

object (CloudRunRevisionEndpoint)

A Cloud Run revision.

network

string

A Compute Engine network URI.

networkType

enum (NetworkType)

Type of the network where the endpoint is located. Applicable only to source endpoint, as destination network type can be inferred from the source.

projectId

string

Project ID where the endpoint is located. The Project ID can be derived from the URI if you provide a VM instance or network URI. The following are two cases where you must provide the project ID:

  1. Only the IP address is specified, and the IP address is within a Google Cloud project.
  2. When you are using Shared VPC and the IP address that you provide is from the service project. In this case, the network that the IP address resides in is defined in the host project.

forwardingRuleTarget

enum (ForwardingRuleTarget)

Output only. Specifies the type of the target of the forwarding rule.

loadBalancerId

string

Output only. ID of the load balancer the forwarding rule points to. Empty for forwarding rules not related to load balancers.

loadBalancerType

enum (LoadBalancerType)

Output only. Type of the load balancer the forwarding rule points to.
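
A pre-submission check for a ConnectivityTest request body that applies the ConnectivityTest and Endpoint field rules above. This is an added example, not part of the API reference or Google's code. The finding codes, the function names and the use of private address space as a stand-in for "internal IP" are assumptions of this example, and the sample body is constructed.

```python
import ipaddress
import re

NAME_RE = re.compile(r"^projects/[^/]+/locations/global/connectivityTests/[^/]+$")
# Fields this page marks "Output only".
OUTPUT_ONLY_TEST = {"displayName", "createTime", "updateTime",
                    "reachabilityDetails", "probingDetails"}
OUTPUT_ONLY_ENDPOINT = {"forwardingRuleTarget", "loadBalancerId", "loadBalancerType"}


def is_internal(ip):
    """Assumption: private/unique-local address space stands in for 'internal IP'."""
    return ipaddress.ip_address(ip).is_private


def lint_endpoint(role, ep, protocol):
    """Check one Endpoint against the field rules; role is 'source' or 'destination'."""
    if not ep:
        return [("ENDPOINT_MISSING", role)]
    out = []
    ip = ep.get("ipAddress")
    if ip is not None:
        try:
            internal = is_internal(ip)
        except ValueError:
            internal = False
            out.append(("BAD_IP", f"{role}.ipAddress"))
        # Source rule: an internal IP inside a VPC needs the network unless a VM
        # instance is given. On-premises sources (NON_GCP_NETWORK) are exempt.
        if (role == "source" and internal and not ep.get("instance")
                and not ep.get("network")
                and ep.get("networkType") != "NON_GCP_NETWORK"):
            out.append(("SOURCE_NETWORK_MISSING", f"{role}.network"))
    # port is only applicable when the protocol is TCP or UDP.
    if "port" in ep and protocol not in ("TCP", "UDP"):
        out.append(("PORT_WITHOUT_TCP_UDP", f"{role}.port"))
    # networkType is applicable only to the source endpoint.
    if role == "destination" and "networkType" in ep:
        out.append(("NETWORK_TYPE_ON_DESTINATION", f"{role}.networkType"))
    for key in sorted(OUTPUT_ONLY_ENDPOINT & ep.keys()):
        out.append(("OUTPUT_ONLY_SET", f"{role}.{key}"))
    return out


def lint_test(body):
    """Return (code, field path) findings for a ConnectivityTest request body."""
    out = []
    protocol = (body.get("protocol") or "TCP").upper()  # "TCP" is assumed when absent
    if "name" in body and not NAME_RE.match(body["name"]):
        out.append(("BAD_NAME", "name"))
    if len(body.get("description", "")) > 512:
        out.append(("DESCRIPTION_TOO_LONG", "description"))
    # A test that skips firewall checking says nothing about firewall rules.
    if body.get("bypassFirewallChecks") is True:
        out.append(("FIREWALL_CHECKS_SKIPPED", "bypassFirewallChecks"))
    for key in sorted(OUTPUT_ONLY_TEST & body.keys()):
        out.append(("OUTPUT_ONLY_SET", key))
    for role in ("source", "destination"):
        out += lint_endpoint(role, body.get(role), protocol)
    return out


SAMPLE = {  # constructed request body; project and resource names are placeholders
    "name": "projects/example-project/locations/global/connectivityTests/web-to-db",
    "protocol": "ICMP",
    "bypassFirewallChecks": True,
    "source": {"ipAddress": "10.0.0.5", "port": 443},
    "destination": {
        "instance": "projects/example-project/zones/us-central1-a/instances/db-1",
        "networkType": "GCP_NETWORK",
        "loadBalancerId": "x",
    },
}

if __name__ == "__main__":
    for code, path in lint_test(SAMPLE):
        print(f"{code:28} {path}")
```
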

ForwardingRuleTarget

Type of the target of a forwarding rule.

Enums
FORWARDING_RULE_TARGET_UNSPECIFIED Forwarding rule target is unknown.
INSTANCE Compute Engine instance for protocol forwarding.
LOAD_BALANCER Load Balancer. The specific type can be found from loadBalancerType.
VPN_GATEWAY Classic Cloud VPN Gateway.
PSC Forwarding Rule is a Private Service Connect endpoint.

LoadBalancerType

Type of a load balancer. For more information, see Summary of Google Cloud load balancers.

Enums
LOAD_BALANCER_TYPE_UNSPECIFIED Forwarding rule points to a different target than a load balancer or a load balancer type is unknown.
HTTPS_ADVANCED_LOAD_BALANCER Global external HTTP(S) load balancer.
HTTPS_LOAD_BALANCER Global external HTTP(S) load balancer (classic).
REGIONAL_HTTPS_LOAD_BALANCER Regional external HTTP(S) load balancer.
INTERNAL_HTTPS_LOAD_BALANCER Internal HTTP(S) load balancer.
SSL_PROXY_LOAD_BALANCER External SSL proxy load balancer.
TCP_PROXY_LOAD_BALANCER External TCP proxy load balancer.
INTERNAL_TCP_PROXY_LOAD_BALANCER Internal regional TCP proxy load balancer.
NETWORK_LOAD_BALANCER External TCP/UDP Network load balancer.
LEGACY_NETWORK_LOAD_BALANCER Target-pool based external TCP/UDP Network load balancer.
TCP_UDP_INTERNAL_LOAD_BALANCER Internal TCP/UDP load balancer.

CloudFunctionEndpoint

Wrapper for Cloud Function attributes.

JSON representation
{
  "uri": string
}
Fields
uri

string

A Cloud Function name.

AppEngineVersionEndpoint

Wrapper for the App Engine service version attributes.

JSON representation
{
  "uri": string
}
Fields
uri

string

An App Engine service version name.

CloudRunRevisionEndpoint

Wrapper for Cloud Run revision attributes.

JSON representation
{
  "uri": string
}
Fields
uri

string

A Cloud Run revision URI. The format is: projects/{project}/locations/{location}/revisions/{revision}

NetworkType

The type definition of an endpoint's network. Use one of the following choices:

Enums
NETWORK_TYPE_UNSPECIFIED Default type if unspecified.
GCP_NETWORK A network hosted within Google Cloud. To receive more detailed output, specify the URI for the source or destination network.
NON_GCP_NETWORK A network hosted outside of Google Cloud. This can be an on-premises network, or a network hosted by another cloud provider.

ReachabilityDetails

Results of the configuration analysis from the last run of the test.

JSON representation
{
  "result": enum (Result),
  "verifyTime": string,
  "error": {
    object (Status)
  },
  "traces": [
    {
      object (Trace)
    }
  ]
}
Fields
result

enum (Result)

The overall result of the test's configuration analysis.

verifyTime

string (Timestamp format)

The time of the configuration analysis.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

error

object (Status)

The details of a failure or a cancellation of reachability analysis.

traces[]

object (Trace)

Result may contain a list of traces if a test has multiple possible paths in the network, such as when destination endpoint is a load balancer with multiple backends.

Result

The overall result of the test's configuration analysis.

Enums
RESULT_UNSPECIFIED No result was specified.
REACHABLE

Possible scenarios are:

  • The configuration analysis determined that a packet originating from the source is expected to reach the destination.
  • The analysis didn't complete because the user lacks permission for some of the resources in the trace. However, at the time the user's permission became insufficient, the trace had been successful so far.
UNREACHABLE A packet originating from the source is expected to be dropped before reaching the destination.
AMBIGUOUS The source and destination endpoints do not uniquely identify the test location in the network, and the reachability result contains multiple traces. For some traces, a packet could be delivered, and for others, it would not be. This result is also assigned to configuration analysis of return path if on its own it should be REACHABLE, but configuration analysis of forward path is AMBIGUOUS.
UNDETERMINED

The configuration analysis did not complete. Possible reasons are:

  • A permissions error occurred; for example, the user might not have read permission for all of the resources named in the test.
  • An internal error occurred.
  • The analyzer received an invalid or unsupported argument or was unable to identify a known endpoint.

Trace

Trace represents one simulated packet forwarding path.

  • Each trace contains multiple ordered steps.
  • Each step is in a particular state with associated configuration.
  • Each state is categorized as final or non-final.
  • Each final state has a reason associated.
  • Each trace must end with a final state (the last step).
  |---------------------Trace----------------------|
  Step1(State) Step2(State) ---  StepN(State(final))
JSON representation
{
  "endpointInfo": {
    object (EndpointInfo)
  },
  "steps": [
    {
      object (Step)
    }
  ],
  "forwardTraceId": integer
}
Fields
endpointInfo

object (EndpointInfo)

Derived from the source and destination endpoints definition specified by user request, and validated by the data plane model. If there are multiple traces starting from different source locations, then the endpointInfo may be different between traces.

steps[]

object (Step)

A trace of a test contains multiple steps from the initial state to the final state (delivered, dropped, forwarded, or aborted).

The steps are ordered by the processing sequence within the simulated network state machine. It is critical to preserve the order of the steps and avoid reordering or sorting them.

forwardTraceId

integer

ID of trace. For forward traces, this ID is unique for each trace. For return traces, it matches ID of associated forward trace. A single forward trace can be associated with none, one or more than one return trace.

EndpointInfo

For display only. The specification of the endpoints for the test. EndpointInfo is derived from source and destination Endpoint and validated by the backend data plane model.

JSON representation
{
  "sourceIp": string,
  "destinationIp": string,
  "protocol": string,
  "sourcePort": integer,
  "destinationPort": integer,
  "sourceNetworkUri": string,
  "destinationNetworkUri": string,
  "sourceAgentUri": string
}
Fields
sourceIp

string

Source IP address.

destinationIp

string

Destination IP address.

protocol

string

IP protocol in string format, for example: "TCP", "UDP", "ICMP".

sourcePort

integer

Source port. Only valid when protocol is TCP or UDP.

destinationPort

integer

Destination port. Only valid when protocol is TCP or UDP.

sourceNetworkUri

string

URI of the network where this packet originates from.

destinationNetworkUri

string

URI of the network where this packet is sent to.

sourceAgentUri

string

URI of the source telemetry agent this packet originates from.

Step

A simulated forwarding path is composed of multiple steps. Each step has a well-defined state and an associated configuration.

JSON representation
{
  "description": string,
  "state": enum (State),
  "causesDrop": boolean,
  "projectId": string,

  // Union field step_info can be only one of the following:
  "instance": {
    object (InstanceInfo)
  },
  "firewall": {
    object (FirewallInfo)
  },
  "route": {
    object (RouteInfo)
  },
  "endpoint": {
    object (EndpointInfo)
  },
  "googleService": {
    object (GoogleServiceInfo)
  },
  "forwardingRule": {
    object (ForwardingRuleInfo)
  },
  "vpnGateway": {
    object (VpnGatewayInfo)
  },
  "vpnTunnel": {
    object (VpnTunnelInfo)
  },
  "vpcConnector": {
    object (VpcConnectorInfo)
  },
  "deliver": {
    object (DeliverInfo)
  },
  "forward": {
    object (ForwardInfo)
  },
  "abort": {
    object (AbortInfo)
  },
  "drop": {
    object (DropInfo)
  },
  "loadBalancer": {
    object (LoadBalancerInfo)
  },
  "network": {
    object (NetworkInfo)
  },
  "gkeMaster": {
    object (GKEMasterInfo)
  },
  "cloudSqlInstance": {
    object (CloudSQLInstanceInfo)
  },
  "cloudFunction": {
    object (CloudFunctionInfo)
  },
  "appEngineVersion": {
    object (AppEngineVersionInfo)
  },
  "cloudRunRevision": {
    object (CloudRunRevisionInfo)
  },
  "nat": {
    object (NatInfo)
  },
  "proxyConnection": {
    object (ProxyConnectionInfo)
  },
  "loadBalancerBackendInfo": {
    object (LoadBalancerBackendInfo)
  },
  "storageBucket": {
    object (StorageBucketInfo)
  },
  "serverlessNeg": {
    object (ServerlessNegInfo)
  }
  // End of list of possible types for union field step_info.
}
Fields
description

string

A description of the step. Usually this is a summary of the state.

state

enum (State)

Each step is in one of the pre-defined states.

causesDrop

boolean

This is a step that leads to the final state Drop.

projectId

string

Project ID that contains the configuration this step is validating.

Union field step_info. Configuration or metadata associated with each step. The configuration is filtered based on viewer's permission. If a viewer has no permission to view the configuration in this step, for non-final states a special state is populated (VIEWER_PERMISSION_MISSING), and for final state the configuration is cleared. step_info can be only one of the following:
instance

object (InstanceInfo)

Display information of a Compute Engine instance.

firewall

object (FirewallInfo)

Display information of a Compute Engine firewall rule.

route

object (RouteInfo)

Display information of a Compute Engine route.

endpoint

object (EndpointInfo)

Display information of the source and destination under analysis. The endpoint information in an intermediate state may differ from the initial input, as it might be modified by a state such as NAT or Connection Proxy.

googleService

object (GoogleServiceInfo)

Display information of a Google service.

forwardingRule

object (ForwardingRuleInfo)

Display information of a Compute Engine forwarding rule.

vpnGateway

object (VpnGatewayInfo)

Display information of a Compute Engine VPN gateway.

vpnTunnel

object (VpnTunnelInfo)

Display information of a Compute Engine VPN tunnel.

vpcConnector

object (VpcConnectorInfo)

Display information of a VPC connector.

deliver

object (DeliverInfo)

Display information of the final state "deliver" and reason.

forward

object (ForwardInfo)

Display information of the final state "forward" and reason.

abort

object (AbortInfo)

Display information of the final state "abort" and reason.

drop

object (DropInfo)

Display information of the final state "drop" and reason.

loadBalancer
(deprecated)

object (LoadBalancerInfo)

Display information of the load balancers. Deprecated in favor of the loadBalancerBackendInfo field, not used in new tests.

network

object (NetworkInfo)

Display information of a Google Cloud network.

gkeMaster

object (GKEMasterInfo)

Display information of a Google Kubernetes Engine cluster master.

cloudSqlInstance

object (CloudSQLInstanceInfo)

Display information of a Cloud SQL instance.

cloudFunction

object (CloudFunctionInfo)

Display information of a Cloud Function.

appEngineVersion

object (AppEngineVersionInfo)

Display information of an App Engine service version.

cloudRunRevision

object (CloudRunRevisionInfo)

Display information of a Cloud Run revision.

nat

object (NatInfo)

Display information of a NAT.

proxyConnection

object (ProxyConnectionInfo)

Display information of a ProxyConnection.

loadBalancerBackendInfo

object (LoadBalancerBackendInfo)

Display information of a specific load balancer backend.

storageBucket

object (StorageBucketInfo)

Display information of a Storage Bucket. Used only for return traces.

serverlessNeg

object (ServerlessNegInfo)

Display information of a Serverless network endpoint group backend. Used only for return traces.

State

Type of states that are defined in the network state machine. Each step in the packet trace is in a specific state.

Enums
STATE_UNSPECIFIED Unspecified state.
START_FROM_INSTANCE Initial state: packet originating from a Compute Engine instance. An InstanceInfo is populated with starting instance information.
START_FROM_INTERNET Initial state: packet originating from the internet. The endpoint information is populated.
START_FROM_GOOGLE_SERVICE Initial state: packet originating from a Google service. The googleService information is populated.
START_FROM_PRIVATE_NETWORK Initial state: packet originating from a VPC or on-premises network with internal source IP. If the source is a VPC network visible to the user, a NetworkInfo is populated with details of the network.
START_FROM_GKE_MASTER Initial state: packet originating from a Google Kubernetes Engine cluster master. A GKEMasterInfo is populated with starting instance information.
START_FROM_CLOUD_SQL_INSTANCE Initial state: packet originating from a Cloud SQL instance. A CloudSQLInstanceInfo is populated with starting instance information.
START_FROM_CLOUD_FUNCTION Initial state: packet originating from a Cloud Function. A CloudFunctionInfo is populated with starting function information.
START_FROM_APP_ENGINE_VERSION Initial state: packet originating from an App Engine service version. An AppEngineVersionInfo is populated with starting version information.
START_FROM_CLOUD_RUN_REVISION Initial state: packet originating from a Cloud Run revision. A CloudRunRevisionInfo is populated with starting revision information.
START_FROM_STORAGE_BUCKET Initial state: packet originating from a Storage Bucket. Used only for return traces. The storageBucket information is populated.
START_FROM_PSC_PUBLISHED_SERVICE Initial state: packet originating from a published service that uses Private Service Connect. Used only for return traces.
START_FROM_SERVERLESS_NEG Initial state: packet originating from a serverless network endpoint group backend. Used only for return traces. The serverlessNeg information is populated.
APPLY_INGRESS_FIREWALL_RULE Config checking state: verify ingress firewall rule.
APPLY_EGRESS_FIREWALL_RULE Config checking state: verify egress firewall rule.
APPLY_ROUTE Config checking state: verify route.
APPLY_FORWARDING_RULE Config checking state: match forwarding rule.
ANALYZE_LOAD_BALANCER_BACKEND Config checking state: verify load balancer backend configuration.
SPOOFING_APPROVED Config checking state: packet sent or received under foreign IP address and allowed.
ARRIVE_AT_INSTANCE Forwarding state: arriving at a Compute Engine instance.
ARRIVE_AT_INTERNAL_LOAD_BALANCER

Forwarding state: arriving at a Compute Engine internal load balancer. Deprecated in favor of the ANALYZE_LOAD_BALANCER_BACKEND state, not used in new tests.

ARRIVE_AT_EXTERNAL_LOAD_BALANCER

Forwarding state: arriving at a Compute Engine external load balancer. Deprecated in favor of the ANALYZE_LOAD_BALANCER_BACKEND state, not used in new tests.

ARRIVE_AT_VPN_GATEWAY Forwarding state: arriving at a Cloud VPN gateway.
ARRIVE_AT_VPN_TUNNEL Forwarding state: arriving at a Cloud VPN tunnel.
ARRIVE_AT_VPC_CONNECTOR Forwarding state: arriving at a VPC connector.
NAT Transition state: packet header translated.
PROXY_CONNECTION Transition state: original connection is terminated and a new proxied connection is initiated.
DELIVER Final state: packet could be delivered.
DROP Final state: packet could be dropped.
FORWARD Final state: packet could be forwarded to a network with an unknown configuration.
ABORT Final state: analysis is aborted.
VIEWER_PERMISSION_MISSING Special state: viewer of the test result does not have permission to see the configuration in this step.
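
Reading a result the way the Trace, Step and State definitions above describe: steps are walked in the order given, the causesDrop step is reported, and anything that hides or skips configuration is recorded as a caveat. This is an added example, not part of the API reference or Google's code. The function names, the "conclusive" rule and the reading of a "cleared" final-state configuration as an absent step_info key are assumptions of this example, and the sample result is constructed.

```python
# Final states and the step_info key that carries their display information.
FINAL_STATES = {"DELIVER": "deliver", "DROP": "drop",
                "FORWARD": "forward", "ABORT": "abort"}


def summarize_trace(trace):
    """Summarise one Trace; steps are read in the order given, never sorted."""
    steps = trace.get("steps", [])
    caveats = []
    last = steps[-1] if steps else {}
    final = last.get("state") if last.get("state") in FINAL_STATES else None
    if final is None:
        caveats.append("no final state")
    elif FINAL_STATES[final] not in last:
        # Assumption: a cleared final-state configuration appears as a missing key.
        caveats.append("final-state configuration cleared (viewer permission)")
    for i, step in enumerate(steps):
        if step.get("state") == "VIEWER_PERMISSION_MISSING":
            caveats.append(f"step {i}: configuration hidden from viewer")
        fw = step.get("firewall", {})
        if fw.get("firewallRuleType") == "UNSUPPORTED_FIREWALL_POLICY_RULE":
            caveats.append(f"step {i}: firewall analysis skipped (unsupported rule)")
    if final == "FORWARD":
        caveats.append("forwarded to a network with unknown configuration")
    blocker = next((s for s in steps if s.get("causesDrop")), None)
    blocked_by = None
    if blocker:
        fw = blocker.get("firewall", {})
        blocked_by = {"state": blocker.get("state"),
                      "projectId": blocker.get("projectId"),
                      "rule": fw.get("displayName") or fw.get("policy"),
                      "action": fw.get("action"),
                      "priority": fw.get("priority")}
    return {"forwardTraceId": trace.get("forwardTraceId"), "final": final,
            "blocked_by": blocked_by, "caveats": caveats}


def triage(details):
    """Turn ReachabilityDetails into a verdict a reviewer can act on."""
    traces = [summarize_trace(t) for t in details.get("traces", [])]
    result = details.get("result", "RESULT_UNSPECIFIED")
    finals = {t["final"] for t in traces}
    complete = bool(traces) and all(not t["caveats"] for t in traces)
    # This example's policy: a result counts as evidence only when every trace
    # is fully visible and every trace agrees with the overall result.
    conclusive = complete and (
        (result == "REACHABLE" and finals == {"DELIVER"})
        or (result == "UNREACHABLE" and finals == {"DROP"}))
    return {"result": result, "conclusive": conclusive, "traces": traces}


SAMPLE = {  # constructed ReachabilityDetails; names and IDs are placeholders
    "result": "AMBIGUOUS",
    "traces": [
        {"forwardTraceId": 1, "steps": [
            {"state": "START_FROM_INSTANCE", "projectId": "example-project",
             "instance": {"displayName": "web-1"}},
            {"state": "APPLY_EGRESS_FIREWALL_RULE", "projectId": "example-project",
             "firewall": {"displayName": "allow-egress", "direction": "EGRESS",
                          "action": "ALLOW", "priority": 1000,
                          "firewallRuleType": "VPC_FIREWALL_RULE"}},
            {"state": "APPLY_ROUTE", "route": {"routeType": "SUBNET"}},
            {"state": "APPLY_INGRESS_FIREWALL_RULE", "causesDrop": True,
             "projectId": "example-project",
             "firewall": {"displayName": "deny-db-ingress", "direction": "INGRESS",
                          "action": "DENY", "priority": 900,
                          "firewallRuleType": "VPC_FIREWALL_RULE"}},
            {"state": "DROP", "drop": {}},  # DropInfo fields left empty here
        ]},
        {"forwardTraceId": 2, "steps": [
            {"state": "START_FROM_INSTANCE", "instance": {"displayName": "web-1"}},
            {"state": "VIEWER_PERMISSION_MISSING"},
            {"state": "APPLY_ROUTE", "route": {"routeType": "PEERING_SUBNET"}},
            {"state": "DELIVER"},  # no "deliver" key: configuration not visible
        ]},
    ],
}

if __name__ == "__main__":
    verdict = triage(SAMPLE)
    print(verdict["result"], "conclusive:", verdict["conclusive"])
    for t in verdict["traces"]:
        print(t["forwardTraceId"], t["final"], t["blocked_by"], t["caveats"])
```
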

InstanceInfo

For display only. Metadata associated with a Compute Engine instance.

JSON representation
{
  "displayName": string,
  "uri": string,
  "interface": string,
  "networkUri": string,
  "internalIp": string,
  "externalIp": string,
  "networkTags": [
    string
  ],
  "serviceAccount": string,
  "pscNetworkAttachmentUri": string
}
Fields
displayName

string

Name of a Compute Engine instance.

uri

string

URI of a Compute Engine instance.

interface

string

Name of the network interface of a Compute Engine instance.

networkUri

string

URI of a Compute Engine network.

internalIp

string

Internal IP address of the network interface.

externalIp

string

External IP address of the network interface.

networkTags[]

string

Network tags configured on the instance.

serviceAccount
(deprecated)

string

Service account authorized for the instance.

pscNetworkAttachmentUri

string

URI of the PSC network attachment the NIC is attached to (if relevant).

FirewallInfo

For display only. Metadata associated with a VPC firewall rule, an implied VPC firewall rule, or a firewall policy rule.

JSON representation
{
  "displayName": string,
  "uri": string,
  "direction": string,
  "action": string,
  "priority": integer,
  "networkUri": string,
  "targetTags": [
    string
  ],
  "targetServiceAccounts": [
    string
  ],
  "policy": string,
  "policyUri": string,
  "firewallRuleType": enum (FirewallRuleType)
}
Fields
displayName

string

The display name of the firewall rule. This field might be empty for firewall policy rules.

uri

string

The URI of the firewall rule. This field is not applicable to implied VPC firewall rules.

direction

string

Possible values: INGRESS, EGRESS

action

string

Possible values: ALLOW, DENY, APPLY_SECURITY_PROFILE_GROUP

priority

integer

The priority of the firewall rule.

networkUri

string

The URI of the VPC network that the firewall rule is associated with. This field is not applicable to hierarchical firewall policy rules.

targetTags[]

string

The target tags defined by the VPC firewall rule. This field is not applicable to firewall policy rules.

targetServiceAccounts[]

string

The target service accounts specified by the firewall rule.

policy

string

The name of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.

policyUri

string

The URI of the firewall policy that this rule is associated with. This field is not applicable to VPC firewall rules and implied VPC firewall rules.

firewallRuleType

enum (FirewallRuleType)

The firewall rule's type.

FirewallRuleType

The firewall rule's type.

Enums
FIREWALL_RULE_TYPE_UNSPECIFIED Unspecified type.
HIERARCHICAL_FIREWALL_POLICY_RULE Hierarchical firewall policy rule. For details, see Hierarchical firewall policies overview.
VPC_FIREWALL_RULE VPC firewall rule. For details, see VPC firewall rules overview.
IMPLIED_VPC_FIREWALL_RULE Implied VPC firewall rule. For details, see Implied rules.
SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE Implicit firewall rules that are managed by serverless VPC access to allow ingress access. They are not visible in the Google Cloud console. For details, see VPC connector's implicit rules.
NETWORK_FIREWALL_POLICY_RULE Global network firewall policy rule. For details, see Network firewall policies.
NETWORK_REGIONAL_FIREWALL_POLICY_RULE Regional network firewall policy rule. For details, see Regional network firewall policies.
UNSUPPORTED_FIREWALL_POLICY_RULE Firewall policy rule containing attributes not yet supported in Connectivity tests. Firewall analysis is skipped if such a rule can potentially be matched. Please see the list of unsupported configurations.
TRACKING_STATE Tracking state for response traffic created when request traffic goes through allow firewall rule. For details, see firewall rules specifications.

RouteInfo

For display only. Metadata associated with a Compute Engine route.

JSON representation
{
  "routeType": enum (RouteType),
  "nextHopType": enum (NextHopType),
  "routeScope": enum (RouteScope),
  "displayName": string,
  "uri": string,
  "destIpRange": string,
  "nextHop": string,
  "networkUri": string,
  "priority": integer,
  "instanceTags": [
    string
  ],
  "srcIpRange": string,
  "destPortRanges": [
    string
  ],
  "srcPortRanges": [
    string
  ],
  "protocols": [
    string
  ],
  "nccHubUri": string,
  "nccSpokeUri": string
}
Fields
routeType

enum (RouteType)

Type of route.

nextHopType

enum (NextHopType)

Type of next hop.

routeScope

enum (RouteScope)

Indicates where route is applicable.

displayName

string

Name of a route.

uri

string

URI of a route. Dynamic, peering static and peering dynamic routes do not have a URI. Advertised route from Google Cloud VPC to on-premises network also does not have a URI.

destIpRange

string

Destination IP range of the route.

nextHop

string

Next hop of the route.

networkUri

string

URI of a Compute Engine network. NETWORK routes only.

priority

integer

Priority of the route.

instanceTags[]

string

Instance tags of the route.

srcIpRange

string

Source IP address range of the route. Policy based routes only.

destPortRanges[]

string

Destination port ranges of the route. Policy based routes only.

srcPortRanges[]

string

Source port ranges of the route. Policy based routes only.

protocols[]

string

Protocols of the route. Policy based routes only.

nccHubUri

string

URI of an NCC Hub. NCC_HUB routes only.

nccSpokeUri

string

URI of an NCC Spoke. NCC_HUB routes only.

RouteType

Type of route:

Enums
ROUTE_TYPE_UNSPECIFIED Unspecified type. Default value.
SUBNET Route is a subnet route automatically created by the system.
STATIC Static route created by the user, including the default route to the internet.
DYNAMIC Dynamic route exchanged between BGP peers.
PEERING_SUBNET A subnet route received from peering network.
PEERING_STATIC A static route received from peering network.
PEERING_DYNAMIC A dynamic route received from peering network.
POLICY_BASED Policy based route.

NextHopType

Type of next hop:

Enums
NEXT_HOP_TYPE_UNSPECIFIED Unspecified type. Default value.
NEXT_HOP_IP Next hop is an IP address.
NEXT_HOP_INSTANCE Next hop is a Compute Engine instance.
NEXT_HOP_NETWORK Next hop is a VPC network gateway.
NEXT_HOP_PEERING Next hop is a peering VPC.
NEXT_HOP_INTERCONNECT Next hop is an interconnect.
NEXT_HOP_VPN_TUNNEL Next hop is a VPN tunnel.
NEXT_HOP_VPN_GATEWAY Next hop is a VPN gateway. This scenario only happens when tracing connectivity from an on-premises network to Google Cloud through a VPN. The analysis simulates a packet departing from the on-premises network through a VPN tunnel and arriving at a Cloud VPN gateway.
NEXT_HOP_INTERNET_GATEWAY Next hop is an internet gateway.
NEXT_HOP_BLACKHOLE Next hop is blackhole; that is, the next hop either does not exist or is not running.
NEXT_HOP_ILB Next hop is the forwarding rule of an Internal Load Balancer.
NEXT_HOP_ROUTER_APPLIANCE Next hop is a router appliance instance.
NEXT_HOP_NCC_HUB Next hop is an NCC hub.

RouteScope

Indicates where routes are applicable.

Enums
ROUTE_SCOPE_UNSPECIFIED Unspecified scope. Default value.
NETWORK Route is applicable to packets in Network.
NCC_HUB Route is applicable to packets using NCC Hub's routing table.

GoogleServiceInfo

For display only. Details of a Google Service sending packets to a VPC network. Although the source IP might be a publicly routable address, some Google Services use special routes within Google production infrastructure to reach Compute Engine Instances. https://cloud.google.com/vpc/docs/routes#special_return_paths

JSON representation
{
  "sourceIp": string,
  "googleServiceType": enum (GoogleServiceType)
}
Fields
sourceIp

string

Source IP address.

googleServiceType

enum (GoogleServiceType)

Recognized type of a Google Service.

GoogleServiceType

Recognized type of a Google Service.

Enums
GOOGLE_SERVICE_TYPE_UNSPECIFIED Unspecified Google Service.
IAP Identity aware proxy. https://cloud.google.com/iap/docs/using-tcp-forwarding
GFE_PROXY_OR_HEALTH_CHECK_PROBER

One of two services sharing IP ranges:

  • Load Balancer proxy
  • Centralized Health Check prober

https://cloud.google.com/load-balancing/docs/firewall-rules
CLOUD_DNS Connectivity from Cloud DNS to forwarding targets or alternate name servers that use private routing. https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules https://cloud.google.com/dns/docs/policies#firewall-rules
GOOGLE_API private.googleapis.com and restricted.googleapis.com
GOOGLE_API_PSC Google API via Private Service Connect. https://cloud.google.com/vpc/docs/configure-private-service-connect-apis
GOOGLE_API_VPC_SC Google API via VPC Service Controls. https://cloud.google.com/vpc/docs/configure-private-service-connect-apis

ForwardingRuleInfo

For display only. Metadata associated with a Compute Engine forwarding rule.

JSON representation
{
  "displayName": string,
  "uri": string,
  "matchedProtocol": string,
  "matchedPortRange": string,
  "vip": string,
  "target": string,
  "networkUri": string,
  "region": string,
  "loadBalancerName": string,
  "pscServiceAttachmentUri": string,
  "pscGoogleApiTarget": string
}
Fields
displayName

string

Name of the forwarding rule.

uri

string

URI of the forwarding rule.

matchedProtocol

string

Protocol defined in the forwarding rule that matches the packet.

matchedPortRange

string

Port range defined in the forwarding rule that matches the packet.

vip

string

VIP of the forwarding rule.

target

string

Target type of the forwarding rule.

networkUri

string

Network URI.

region

string

Region of the forwarding rule. Set only for regional forwarding rules.

loadBalancerName

string

Name of the load balancer the forwarding rule belongs to. Empty for forwarding rules not related to load balancers (like PSC forwarding rules).

pscServiceAttachmentUri

string

URI of the PSC service attachment this forwarding rule targets (if applicable).

pscGoogleApiTarget

string

PSC Google API target this forwarding rule targets (if applicable).

VpnGatewayInfo

For display only. Metadata associated with a Compute Engine VPN gateway.

JSON representation
{
  "displayName": string,
  "uri": string,
  "networkUri": string,
  "ipAddress": string,
  "vpnTunnelUri": string,
  "region": string
}
Fields
displayName

string

Name of a VPN gateway.

uri

string

URI of a VPN gateway.

networkUri

string

URI of a Compute Engine network where the VPN gateway is configured.

ipAddress

string

IP address of the VPN gateway.

vpnTunnelUri

string

A VPN tunnel that is associated with this VPN gateway. There may be multiple VPN tunnels configured on a VPN gateway, and only the one relevant to the test is displayed.

region

string

Name of a Google Cloud region where this VPN gateway is configured.

VpnTunnelInfo

For display only. Metadata associated with a Compute Engine VPN tunnel.

JSON representation
{
  "displayName": string,
  "uri": string,
  "sourceGateway": string,
  "remoteGateway": string,
  "remoteGatewayIp": string,
  "sourceGatewayIp": string,
  "networkUri": string,
  "region": string,
  "routingType": enum (RoutingType)
}
Fields
displayName

string

Name of a VPN tunnel.

uri

string

URI of a VPN tunnel.

sourceGateway

string

URI of the VPN gateway at local end of the tunnel.

remoteGateway

string

URI of a VPN gateway at remote end of the tunnel.

remoteGatewayIp

string

Remote VPN gateway's IP address.

sourceGatewayIp

string

Local VPN gateway's IP address.

networkUri

string

URI of a Compute Engine network where the VPN tunnel is configured.

region

string

Name of a Google Cloud region where this VPN tunnel is configured.

routingType

enum (RoutingType)

Type of the routing policy.

RoutingType

Types of VPN routing policy. For details, refer to Networks and Tunnel routing.

Enums
ROUTING_TYPE_UNSPECIFIED Unspecified type. Default value.
ROUTE_BASED Route based VPN.
POLICY_BASED Policy based routing.
DYNAMIC Dynamic (BGP) routing.

VpcConnectorInfo

For display only. Metadata associated with a VPC connector.

JSON representation
{
  "displayName": string,
  "uri": string,
  "location": string
}
Fields
displayName

string

Name of a VPC connector.

uri

string

URI of a VPC connector.

location

string

Location in which the VPC connector is deployed.

DeliverInfo

Details of the final state "deliver" and associated resource.

JSON representation
{
  "target": enum (Target),
  "resourceUri": string,
  "ipAddress": string,
  "storageBucket": string,
  "pscGoogleApiTarget": string
}
Fields
target

enum (Target)

Target type where the packet is delivered to.

resourceUri

string

URI of the resource that the packet is delivered to.

ipAddress

string

IP address of the target (if applicable).

storageBucket

string

Name of the Cloud Storage Bucket the packet is delivered to (if applicable).

pscGoogleApiTarget

string

PSC Google API target the packet is delivered to (if applicable).

Target

Deliver target types:

Enums
TARGET_UNSPECIFIED Target not specified.
INSTANCE Target is a Compute Engine instance.
INTERNET Target is the internet.
GOOGLE_API Target is a Google API.
GKE_MASTER Target is a Google Kubernetes Engine cluster master.
CLOUD_SQL_INSTANCE Target is a Cloud SQL instance.
PSC_PUBLISHED_SERVICE Target is a published service that uses Private Service Connect.
PSC_GOOGLE_API Target is Google APIs that use Private Service Connect.
PSC_VPC_SC Target is a VPC-SC that uses Private Service Connect.
SERVERLESS_NEG Target is a serverless network endpoint group.
STORAGE_BUCKET Target is a Cloud Storage bucket.
PRIVATE_NETWORK Target is a private network. Used only for return traces.
CLOUD_FUNCTION Target is a Cloud Function. Used only for return traces.
APP_ENGINE_VERSION Target is an App Engine service version. Used only for return traces.
CLOUD_RUN_REVISION Target is a Cloud Run revision. Used only for return traces.
GOOGLE_MANAGED_SERVICE Target is a Google-managed service. Used only for return traces.

ForwardInfo

Details of the final state "forward" and associated resource.

JSON representation
{
  "target": enum (Target),
  "resourceUri": string,
  "ipAddress": string
}
Fields
target

enum (Target)

Target type where this packet is forwarded to.

resourceUri

string

URI of the resource that the packet is forwarded to.

ipAddress

string

IP address of the target (if applicable).

Target

Forward target types.

Enums
TARGET_UNSPECIFIED Target not specified.
PEERING_VPC Forwarded to a VPC peering network.
VPN_GATEWAY Forwarded to a Cloud VPN gateway.
INTERCONNECT Forwarded to a Cloud Interconnect connection.
GKE_MASTER Forwarded to a Google Kubernetes Engine Container cluster master.

IMPORTED_CUSTOM_ROUTE_NEXT_HOP Forwarded to the next hop of a custom route imported from a peering VPC.
CLOUD_SQL_INSTANCE Forwarded to a Cloud SQL instance.

ANOTHER_PROJECT Forwarded to a VPC network in another project.
NCC_HUB Forwarded to an NCC Hub.
ROUTER_APPLIANCE Forwarded to a router appliance.

AbortInfo

Details of the final state "abort" and associated resource.

JSON representation
{
  "cause": enum (Cause),
  "resourceUri": string,
  "ipAddress": string,
  "projectsMissingPermission": [
    string
  ]
}
Fields
cause

enum (Cause)

Cause of the aborted analysis.

resourceUri

string

URI of the resource that caused the abort.

ipAddress

string

IP address that caused the abort.

projectsMissingPermission[]

string

List of project IDs the user specified in the request but lacks access to. In this case, analysis is aborted with the PERMISSION_DENIED cause.

Cause

Abort cause types:

Enums
CAUSE_UNSPECIFIED Cause is unspecified.
UNKNOWN_NETWORK Aborted due to unknown network. Deprecated, not used in the new tests.
UNKNOWN_PROJECT Aborted because no project information can be derived from the test input. Deprecated, not used in the new tests.
NO_EXTERNAL_IP Aborted because traffic is sent from a public IP to an instance without an external IP. Deprecated, not used in the new tests.
UNINTENDED_DESTINATION Aborted because none of the traces matches destination information specified in the input test request. Deprecated, not used in the new tests.
SOURCE_ENDPOINT_NOT_FOUND Aborted because the source endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_SOURCE_NETWORK Aborted because the source network does not match the source endpoint. Deprecated, not used in the new tests.
DESTINATION_ENDPOINT_NOT_FOUND Aborted because the destination endpoint could not be found. Deprecated, not used in the new tests.
MISMATCHED_DESTINATION_NETWORK Aborted because the destination network does not match the destination endpoint. Deprecated, not used in the new tests.

UNKNOWN_IP Aborted because no endpoint with the packet's destination IP address is found.
GOOGLE_MANAGED_SERVICE_UNKNOWN_IP Aborted because no endpoint with the packet's destination IP is found in the Google-managed project.
SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK Aborted because the source IP address doesn't belong to any of the subnets of the source VPC network.
PERMISSION_DENIED Aborted because user lacks permission to access all or part of the network configurations required to run the test.
PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS Aborted because user lacks permission to access Cloud NAT configs required to run the test.
PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS Aborted because user lacks permission to access Network endpoint group endpoint configs required to run the test.
NO_SOURCE_LOCATION Aborted because no valid source or destination endpoint is derived from the input test request.
INVALID_ARGUMENT Aborted because the source or destination endpoint specified in the request is invalid. Some examples: the request might contain a malformed resource URI, project ID, or IP address; or the request might contain inconsistent information (for example, the request might include both the instance and the network, but the instance might not have a NIC in that network).
TRACE_TOO_LONG Aborted because the number of steps in the trace exceeds a certain limit. It might be caused by a routing loop.
INTERNAL_ERROR Aborted due to internal server error.
UNSUPPORTED Aborted because the test scenario is not supported.
MISMATCHED_IP_VERSION Aborted because the source and destination resources have no common IP version.
GKE_KONNECTIVITY_PROXY_UNSUPPORTED Aborted because the connection between the control plane and the node of the source cluster is initiated by the node and managed by the Konnectivity proxy.
RESOURCE_CONFIG_NOT_FOUND Aborted because expected resource configuration was missing.
VM_INSTANCE_CONFIG_NOT_FOUND Aborted because expected VM instance configuration was missing.
NETWORK_CONFIG_NOT_FOUND Aborted because expected network configuration was missing.
FIREWALL_CONFIG_NOT_FOUND Aborted because expected firewall configuration was missing.
ROUTE_CONFIG_NOT_FOUND Aborted because expected route configuration was missing.
GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT Aborted because a PSC endpoint selection for the Google-managed service is ambiguous (several PSC endpoints satisfy test input).
SOURCE_PSC_CLOUD_SQL_UNSUPPORTED Aborted because tests with a PSC-based Cloud SQL instance as a source are not supported.
SOURCE_FORWARDING_RULE_UNSUPPORTED Aborted because tests with a forwarding rule as a source are not supported.
NON_ROUTABLE_IP_ADDRESS Aborted because one of the endpoints is a non-routable IP address (loopback, link-local, etc).
UNKNOWN_ISSUE_IN_GOOGLE_MANAGED_PROJECT Aborted due to an unknown issue in the Google-managed project.
UNSUPPORTED_GOOGLE_MANAGED_PROJECT_CONFIG Aborted due to an unsupported configuration of the Google-managed project.

DropInfo

Details of the final state "drop" and associated resource.

JSON representation
{
  "cause": enum (Cause),
  "resourceUri": string,
  "sourceIp": string,
  "destinationIp": string,
  "region": string
}
Fields
cause

enum (Cause)

Cause of the packet drop.

resourceUri

string

URI of the resource that caused the drop.

sourceIp

string

Source IP address of the dropped packet (if relevant).

destinationIp

string

Destination IP address of the dropped packet (if relevant).

region

string

Region of the dropped packet (if relevant).

Cause

Drop cause types:

Enums
CAUSE_UNSPECIFIED Cause is unspecified.
UNKNOWN_EXTERNAL_ADDRESS Destination external address cannot be resolved to a known target. If the address is used in a Google Cloud project, provide the project ID as test input.
FOREIGN_IP_DISALLOWED A Compute Engine instance can only send or receive a packet with a foreign IP address if ip_forward is enabled.
FIREWALL_RULE Dropped due to a firewall rule, unless allowed due to connection tracking.
NO_ROUTE Dropped due to no matching routes.
ROUTE_BLACKHOLE Dropped due to invalid route. Route's next hop is a blackhole.
ROUTE_WRONG_NETWORK Packet is sent to a wrong (unintended) network. Example: you trace a packet from VM1:Network1 to VM2:Network2, however, the route configured in Network1 sends the packet destined for VM2's IP address to Network3.
ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED Route's next hop IP address cannot be resolved to a GCP resource.
ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND Route's next hop resource is not found.
ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK Route's next hop instance doesn't have a NIC in the route's network.
ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP Route's next hop IP address is not a primary IP address of the next hop instance.
ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH Route's next hop forwarding rule doesn't match next hop IP address.
ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED Route's next hop VPN tunnel is down (does not have valid IKE SAs).
ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID Route's next hop forwarding rule type is invalid (it's not a forwarding rule of the internal passthrough load balancer).
NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS Packet is sent from the Internet to the private IPv6 address.
VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH The packet does not match a policy-based VPN tunnel local selector.
VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH The packet does not match a policy-based VPN tunnel remote selector.
PRIVATE_TRAFFIC_TO_INTERNET Packet with internal destination address sent to the internet gateway.
PRIVATE_GOOGLE_ACCESS_DISALLOWED Instance with only an internal IP address tries to access Google API and services, but private Google access is not enabled in the subnet.
PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED Source endpoint tries to access Google API and services through the VPN tunnel to another network, but Private Google Access needs to be enabled in the source endpoint network.
NO_EXTERNAL_ADDRESS Instance with only an internal IP address tries to access external hosts, but Cloud NAT is not enabled in the subnet, unless special configurations on a VM allow this connection.
UNKNOWN_INTERNAL_ADDRESS Destination internal address cannot be resolved to a known target. If this is a shared VPC scenario, verify if the service project ID is provided as test input. Otherwise, verify if the IP address is being used in the project.
FORWARDING_RULE_MISMATCH Forwarding rule's protocol and ports do not match the packet header.
FORWARDING_RULE_NO_INSTANCES Forwarding rule does not have backends configured.
FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK Firewalls block the health check probes to the backends and cause the backends to be unavailable for traffic from the load balancer. For more details, see Health check firewall rules.
INSTANCE_NOT_RUNNING Packet is sent from or to a Compute Engine instance that is not in a running state.
GKE_CLUSTER_NOT_RUNNING Packet sent from or to a GKE cluster that is not in a running state.
CLOUD_SQL_INSTANCE_NOT_RUNNING Packet sent from or to a Cloud SQL instance that is not in a running state.
TRAFFIC_TYPE_BLOCKED The type of traffic is blocked and the user cannot configure a firewall rule to enable it. See Always blocked traffic for more details.
GKE_MASTER_UNAUTHORIZED_ACCESS Access to Google Kubernetes Engine cluster master's endpoint is not authorized. See Access to the cluster endpoints for more details.
CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS Access to the Cloud SQL instance endpoint is not authorized. See Authorizing with authorized networks for more details.
DROPPED_INSIDE_GKE_SERVICE Packet was dropped inside Google Kubernetes Engine Service.
DROPPED_INSIDE_CLOUD_SQL_SERVICE Packet was dropped inside Cloud SQL Service.
GOOGLE_MANAGED_SERVICE_NO_PEERING Packet was dropped because there is no peering between the originating network and the Google Managed Services Network.
GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT Packet was dropped because the Google-managed service uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
GKE_PSC_ENDPOINT_MISSING Packet was dropped because the GKE cluster uses Private Service Connect (PSC), but the PSC endpoint is not found in the project.
CLOUD_SQL_INSTANCE_NO_IP_ADDRESS Packet was dropped because the Cloud SQL instance has neither a private nor a public IP address.
GKE_CONTROL_PLANE_REGION_MISMATCH Packet was dropped because a GKE cluster private endpoint is unreachable from a region different from the cluster's region.
PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION Packet sent from a public GKE cluster control plane to a private IP address.
GKE_CONTROL_PLANE_NO_ROUTE Packet was dropped because there is no route from a GKE cluster control plane to a destination network.
CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC Packet sent from a Cloud SQL instance to an external IP address is not allowed. The Cloud SQL instance is not configured to send packets to external IP addresses.
PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION Packet sent from a Cloud SQL instance with only a public IP address to a private IP address.
CLOUD_SQL_INSTANCE_NO_ROUTE Packet was dropped because there is no route from a Cloud SQL instance to a destination network.
CLOUD_SQL_CONNECTOR_REQUIRED Packet was dropped because the Cloud SQL instance requires all connections to use Cloud SQL connectors and to target the Cloud SQL proxy port (3307).
CLOUD_FUNCTION_NOT_ACTIVE Packet could be dropped because the Cloud Function is not in an active status.
VPC_CONNECTOR_NOT_SET Packet could be dropped because no VPC connector is set.
VPC_CONNECTOR_NOT_RUNNING Packet could be dropped because the VPC connector is not in a running state.
VPC_CONNECTOR_SERVERLESS_TRAFFIC_BLOCKED Packet could be dropped because the traffic from the serverless service to the VPC connector is not allowed.
VPC_CONNECTOR_HEALTH_CHECK_TRAFFIC_BLOCKED Packet could be dropped because the health check traffic to the VPC connector is not allowed.
FORWARDING_RULE_REGION_MISMATCH Packet could be dropped because it was sent from a different region to a regional forwarding rule without global access.
PSC_CONNECTION_NOT_ACCEPTED The Private Service Connect endpoint is in a project that is not approved to connect to the service.
PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK The packet is sent to the Private Service Connect endpoint over the peering, but it's not supported.
PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule does not have global access enabled.
PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS The packet is sent to the Private Service Connect backend (network endpoint group), but the producer PSC forwarding rule has multiple ports specified.
CLOUD_SQL_PSC_NEG_UNSUPPORTED The packet is sent to the Private Service Connect backend (network endpoint group) targeting a Cloud SQL service attachment, but this configuration is not supported.
NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT No NAT subnets are defined for the PSC service attachment.
PSC_TRANSITIVITY_NOT_PROPAGATED PSC endpoint is accessed via NCC, but PSC transitivity configuration is not yet propagated.
HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED The packet sent from the hybrid NEG proxy matches a non-dynamic route, but such a configuration is not supported.
HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED The packet sent from the hybrid NEG proxy matches a dynamic route with a next hop in a different region, but such a configuration is not supported.
CLOUD_RUN_REVISION_NOT_READY Packet sent from a Cloud Run revision that is not ready.
DROPPED_INSIDE_PSC_SERVICE_PRODUCER Packet was dropped inside Private Service Connect service producer.
LOAD_BALANCER_HAS_NO_PROXY_SUBNET Packet sent to a load balancer, which requires a proxy-only subnet and the subnet is not found.
CLOUD_NAT_NO_ADDRESSES Packet sent to Cloud NAT without active NAT IPs.
ROUTING_LOOP Packet is stuck in a routing loop.
DROPPED_INSIDE_GOOGLE_MANAGED_SERVICE Packet is dropped due to an unspecified reason inside a Google-managed service. Used only for return traces.
LOAD_BALANCER_BACKEND_INVALID_NETWORK Packet is dropped due to a load balancer backend instance not having a network interface in the network expected by the load balancer.
BACKEND_SERVICE_NAMED_PORT_NOT_DEFINED Packet is dropped due to a backend service named port not being defined on the instance group level.
DESTINATION_IS_PRIVATE_NAT_IP_RANGE Packet is dropped due to a destination IP range being part of a Private NAT IP range.
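
When a test is used to confirm that a path is blocked, the final-state objects above (DeliverInfo, ForwardInfo, AbortInfo, DropInfo) are easy to over-read: an abort, or a cause worded "could be dropped", proves nothing. The following is an added example, not part of the API reference; it assumes each trace's final state arrives as a dict keyed `deliver`, `forward`, `abort` or `drop`, the grouping of causes and the verdict names are the example's own, and the sample data is constructed.

```python
"""Decide whether Connectivity Test traces show a path is blocked on purpose."""

# Grouping is this example's own reading of the DropInfo Cause descriptions.
# Drops produced by an access control. Note the reference's caveat on
# FIREWALL_RULE: "unless allowed due to connection tracking".
CONTROL_DROPS = {
    "FIREWALL_RULE",
    "GKE_MASTER_UNAUTHORIZED_ACCESS",
    "CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS",
    "PSC_CONNECTION_NOT_ACCEPTED",
    "TRAFFIC_TYPE_BLOCKED",
}

# Causes the reference words as "could be dropped": not proof of a block.
TENTATIVE_DROPS = {
    "CLOUD_FUNCTION_NOT_ACTIVE",
    "VPC_CONNECTOR_NOT_SET",
    "VPC_CONNECTOR_NOT_RUNNING",
    "VPC_CONNECTOR_SERVERLESS_TRAFFIC_BLOCKED",
    "VPC_CONNECTOR_HEALTH_CHECK_TRAFFIC_BLOCKED",
    "FORWARDING_RULE_REGION_MISMATCH",
}

# Drops that depend on runtime state and vanish when the resource comes up.
STATE_DROPS = {
    "INSTANCE_NOT_RUNNING",
    "GKE_CLUSTER_NOT_RUNNING",
    "CLOUD_SQL_INSTANCE_NOT_RUNNING",
    "CLOUD_RUN_REVISION_NOT_READY",
    "ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED",
}


def classify_final_state(final):
    """Return (verdict, detail) for one trace's final-state object."""
    if "deliver" in final:
        target = final["deliver"].get("target", "TARGET_UNSPECIFIED")
        return "reachable", "delivered to " + target
    if "forward" in final:
        target = final["forward"].get("target", "TARGET_UNSPECIFIED")
        return "inconclusive", "forwarded to " + target
    if "abort" in final:
        abort = final["abort"]
        detail = "aborted: " + abort.get("cause", "CAUSE_UNSPECIFIED")
        missing = abort.get("projectsMissingPermission", [])
        if missing:
            detail += " (no access to: " + ", ".join(missing) + ")"
        return "inconclusive", detail
    if "drop" in final:
        drop = final["drop"]
        cause = drop.get("cause", "CAUSE_UNSPECIFIED")
        detail = cause + " at " + drop.get("resourceUri", "<no resourceUri>")
        if cause in CONTROL_DROPS:
            return "blocked_by_control", detail
        if cause in TENTATIVE_DROPS:
            return "inconclusive", detail
        if cause in STATE_DROPS:
            return "blocked_by_state", detail
        # Routing gaps, missing backends and similar: blocked, but by accident.
        return "blocked_by_config", detail
    return "inconclusive", "no final state in trace"


def isolation_holds(finals):
    """True only if every trace ends in a drop caused by an access control."""
    if not finals:
        return False, ["no traces to evaluate"]
    problems = []
    for index, final in enumerate(finals):
        verdict, detail = classify_final_state(final)
        if verdict != "blocked_by_control":
            problems.append("trace %d: %s (%s)" % (index, verdict, detail))
    return not problems, problems


# Constructed sample: final states of three traces from one test.
SAMPLE_FINALS = [
    {"drop": {"cause": "FIREWALL_RULE",
              "resourceUri": "projects/example-project/global/firewalls/deny-db-ingress"}},
    {"drop": {"cause": "INSTANCE_NOT_RUNNING",
              "resourceUri": "projects/example-project/zones/us-central1-a/instances/db-1"}},
    {"abort": {"cause": "PERMISSION_DENIED",
               "projectsMissingPermission": ["example-host-project"]}},
]

if __name__ == "__main__":
    ok, problems = isolation_holds(SAMPLE_FINALS)
    print("isolated by control:", ok)
    for line in problems:
        print(" ", line)
```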

LoadBalancerInfo

For display only. Metadata associated with a load balancer.

JSON representation
{
  "loadBalancerType": enum (LoadBalancerType),
  "healthCheckUri": string,
  "backends": [
    {
      object (LoadBalancerBackend)
    }
  ],
  "backendType": enum (BackendType),
  "backendUri": string
}
Fields
loadBalancerType

enum (LoadBalancerType)

Type of the load balancer.

healthCheckUri
(deprecated)

string

URI of the health check for the load balancer. Deprecated and no longer populated as different load balancer backends might have different health checks.

backends[]

object (LoadBalancerBackend)

Information for the load balancer backends.

backendType

enum (BackendType)

Type of load balancer's backend configuration.

backendUri

string

Backend configuration URI.

LoadBalancerType

The type definition for a load balancer:

Enums
LOAD_BALANCER_TYPE_UNSPECIFIED Type is unspecified.
INTERNAL_TCP_UDP Internal TCP/UDP load balancer.
NETWORK_TCP_UDP Network TCP/UDP load balancer.
HTTP_PROXY HTTP(S) proxy load balancer.
TCP_PROXY TCP proxy load balancer.
SSL_PROXY SSL proxy load balancer.

LoadBalancerBackend

For display only. Metadata associated with a specific load balancer backend.

JSON representation
{
  "displayName": string,
  "uri": string,
  "healthCheckFirewallState": enum (HealthCheckFirewallState),
  "healthCheckAllowingFirewallRules": [
    string
  ],
  "healthCheckBlockingFirewallRules": [
    string
  ]
}
Fields
displayName

string

Name of a Compute Engine instance or network endpoint.

uri

string

URI of a Compute Engine instance or network endpoint.

healthCheckFirewallState

enum (HealthCheckFirewallState)

State of the health check firewall configuration.

healthCheckAllowingFirewallRules[]

string

A list of firewall rule URIs allowing probes from health check IP ranges.

healthCheckBlockingFirewallRules[]

string

A list of firewall rule URIs blocking probes from health check IP ranges.

HealthCheckFirewallState

State of a health check firewall configuration:

Enums
HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED State is unspecified. Default state if not populated.
CONFIGURED There are configured firewall rules to allow health check probes to the backend.
MISCONFIGURED There are firewall rules configured to allow partial health check ranges or block all health check ranges. If a health check probe is sent from denied IP ranges, the health check to the backend will fail. Then, the backend will be marked unhealthy and will not receive traffic sent to the load balancer.

BackendType

The type definition for a load balancer backend configuration:

Enums
BACKEND_TYPE_UNSPECIFIED Type is unspecified.
BACKEND_SERVICE Backend Service as the load balancer's backend.
TARGET_POOL Target Pool as the load balancer's backend.
TARGET_INSTANCE Target Instance as the load balancer's backend.

NetworkInfo

For display only. Metadata associated with a Compute Engine network.

JSON representation
{
  "displayName": string,
  "uri": string,
  "matchedIpRange": string
}
Fields
displayName

string

Name of a Compute Engine network.

uri

string

URI of a Compute Engine network.

matchedIpRange

string

The IP range that matches the test.

GKEMasterInfo

For display only. Metadata associated with a Google Kubernetes Engine (GKE) cluster master.

JSON representation
{
  "clusterUri": string,
  "clusterNetworkUri": string,
  "internalIp": string,
  "externalIp": string
}
Fields
clusterUri

string

URI of a GKE cluster.

clusterNetworkUri

string

URI of a GKE cluster network.

internalIp

string

Internal IP address of a GKE cluster master.

externalIp

string

External IP address of a GKE cluster master.

CloudSQLInstanceInfo

For display only. Metadata associated with a Cloud SQL instance.

JSON representation
{
  "displayName": string,
  "uri": string,
  "networkUri": string,
  "internalIp": string,
  "externalIp": string,
  "region": string
}
Fields
displayName

string

Name of a Cloud SQL instance.

uri

string

URI of a Cloud SQL instance.

networkUri

string

URI of a Cloud SQL instance network or empty string if the instance does not have one.

internalIp

string

Internal IP address of a Cloud SQL instance.

externalIp

string

External IP address of a Cloud SQL instance.

region

string

Region in which the Cloud SQL instance is running.

CloudFunctionInfo

For display only. Metadata associated with a Cloud Function.

JSON representation
{
  "displayName": string,
  "uri": string,
  "location": string,
  "versionId": string
}
Fields
displayName

string

Name of a Cloud Function.

uri

string

URI of a Cloud Function.

location

string

Location in which the Cloud Function is deployed.

versionId

string (int64 format)

Latest successfully deployed version id of the Cloud Function.

AppEngineVersionInfo

For display only. Metadata associated with an App Engine version.

JSON representation
{
  "displayName": string,
  "uri": string,
  "runtime": string,
  "environment": string
}
Fields
displayName

string

Name of an App Engine version.

uri

string

URI of an App Engine version.

runtime

string

Runtime of the App Engine version.

environment

string

App Engine execution environment for a version.

CloudRunRevisionInfo

For display only. Metadata associated with a Cloud Run revision.

JSON representation
{
  "displayName": string,
  "uri": string,
  "serviceName": string,
  "location": string,
  "serviceUri": string
}
Fields
displayName

string

Name of a Cloud Run revision.

uri

string

URI of a Cloud Run revision.

serviceName
(deprecated)

string

ID of Cloud Run Service this revision belongs to. Was never set, is not exported to v1 proto and public protos. Do not export to v1beta1 public proto.

location

string

Location in which this revision is deployed.

serviceUri

string

URI of Cloud Run service this revision belongs to.

NatInfo

For display only. Metadata associated with NAT.

JSON representation
{
  "type": enum (Type),
  "protocol": string,
  "networkUri": string,
  "oldSourceIp": string,
  "newSourceIp": string,
  "oldDestinationIp": string,
  "newDestinationIp": string,
  "oldSourcePort": integer,
  "newSourcePort": integer,
  "oldDestinationPort": integer,
  "newDestinationPort": integer,
  "routerUri": string,
  "natGatewayName": string
}
Fields
type

enum (Type)

Type of NAT.

protocol

string

IP protocol in string format, for example: "TCP", "UDP", "ICMP".

networkUri

string

URI of the network where NAT translation takes place.

oldSourceIp

string

Source IP address before NAT translation.

newSourceIp

string

Source IP address after NAT translation.

oldDestinationIp

string

Destination IP address before NAT translation.

newDestinationIp

string

Destination IP address after NAT translation.

oldSourcePort

integer

Source port before NAT translation. Only valid when protocol is TCP or UDP.

newSourcePort

integer

Source port after NAT translation. Only valid when protocol is TCP or UDP.

oldDestinationPort

integer

Destination port before NAT translation. Only valid when protocol is TCP or UDP.

newDestinationPort

integer

Destination port after NAT translation. Only valid when protocol is TCP or UDP.

routerUri

string

URI of the Cloud Router. Only valid when type is CLOUD_NAT.

natGatewayName

string

The name of Cloud NAT Gateway. Only valid when type is CLOUD_NAT.

Type

Types of NAT.

Enums
TYPE_UNSPECIFIED Type is unspecified.
INTERNAL_TO_EXTERNAL From Compute Engine instance's internal address to external address.
EXTERNAL_TO_INTERNAL From Compute Engine instance's external address to internal address.
CLOUD_NAT Cloud NAT Gateway.
PRIVATE_SERVICE_CONNECT Private service connect NAT.

ProxyConnectionInfo

For display only. Metadata associated with ProxyConnection.

JSON representation
{
  "protocol": string,
  "oldSourceIp": string,
  "newSourceIp": string,
  "oldDestinationIp": string,
  "newDestinationIp": string,
  "oldSourcePort": integer,
  "newSourcePort": integer,
  "oldDestinationPort": integer,
  "newDestinationPort": integer,
  "subnetUri": string,
  "networkUri": string
}
Fields
protocol

string

IP protocol in string format, for example: "TCP", "UDP", "ICMP".

oldSourceIp

string

Source IP address of an original connection.

newSourceIp

string

Source IP address of a new connection.

oldDestinationIp

string

Destination IP address of an original connection.

newDestinationIp

string

Destination IP address of a new connection.

oldSourcePort

integer

Source port of an original connection. Only valid when protocol is TCP or UDP.

newSourcePort

integer

Source port of a new connection. Only valid when protocol is TCP or UDP.

oldDestinationPort

integer

Destination port of an original connection. Only valid when protocol is TCP or UDP.

newDestinationPort

integer

Destination port of a new connection. Only valid when protocol is TCP or UDP.

subnetUri

string

URI of the proxy subnet.

networkUri

string

URI of the network where connection is proxied.
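
NatInfo and ProxyConnectionInfo each record one old-to-new rewrite, so the addresses and ports that the destination (and its logs) will see come from applying those rewrites in trace order. The following is an added example, not part of the API reference: the step keys `nat` and `proxyConnection`, the function name and the consistency check are assumptions of the example, and the sample addresses are constructed.

```python
"""Follow NatInfo / ProxyConnectionInfo rewrites through a trace."""

PORT_PROTOCOLS = {"TCP", "UDP"}  # per the reference, ports are only valid for these
FIELDS = ("SourceIp", "DestinationIp", "SourcePort", "DestinationPort")


def header_at_destination(initial, steps):
    """Return (header, hops) after applying each translation in order.

    initial: dict with sourceIp, destinationIp and, for TCP/UDP, sourcePort
             and destinationPort, as sent by the source endpoint.
    steps:   trace steps; only those carrying a "nat" or "proxyConnection"
             object (assumed key names) change the header.
    Raises ValueError when a step's "old" value does not match the header
    produced by the previous steps, which means the chain was misread.
    """
    header = dict(initial)
    hops = []
    for index, step in enumerate(steps):
        kind = next((k for k in ("nat", "proxyConnection") if k in step), None)
        if kind is None:
            continue
        info = step[kind]
        uses_ports = info.get("protocol", "").upper() in PORT_PROTOCOLS
        changed = {}
        for field in FIELDS:
            if field.endswith("Port") and not uses_ports:
                continue  # port fields carry no meaning for e.g. ICMP
            key = field[0].lower() + field[1:]
            old = info.get("old" + field)
            new = info.get("new" + field)
            # Unset fields (absent, "" or 0) are treated as "not reported".
            if old and old != header.get(key):
                raise ValueError(
                    "step %d: old%s=%r does not match current %s=%r"
                    % (index, field, old, key, header.get(key))
                )
            if new and new != header.get(key):
                changed[key] = (header.get(key), new)
                header[key] = new
        label = info.get("type", "NAT") if kind == "nat" else "PROXY_CONNECTION"
        hops.append((index, label, changed))
    return header, hops


# Constructed sample: a VM behind Cloud NAT reaching a proxy load balancer.
SAMPLE_INITIAL = {
    "sourceIp": "10.10.0.5", "destinationIp": "203.0.113.80",
    "sourcePort": 41000, "destinationPort": 443,
}
SAMPLE_STEPS = [
    {"nat": {
        "type": "CLOUD_NAT", "protocol": "TCP", "natGatewayName": "example-nat",
        "oldSourceIp": "10.10.0.5", "newSourceIp": "198.51.100.7",
        "oldDestinationIp": "203.0.113.80", "newDestinationIp": "203.0.113.80",
        "oldSourcePort": 41000, "newSourcePort": 1024,
        "oldDestinationPort": 443, "newDestinationPort": 443,
    }},
    {"description": "constructed step without any translation"},
    {"proxyConnection": {
        "protocol": "TCP",
        "oldSourceIp": "198.51.100.7", "newSourceIp": "10.129.0.9",
        "oldDestinationIp": "203.0.113.80", "newDestinationIp": "10.20.0.12",
        "oldSourcePort": 1024, "newSourcePort": 50212,
        "oldDestinationPort": 443, "newDestinationPort": 8443,
    }},
]

if __name__ == "__main__":
    final, hops = header_at_destination(SAMPLE_INITIAL, SAMPLE_STEPS)
    for index, label, changed in hops:
        print("step", index, label, changed)
    print("destination sees:", final)
```

A firewall rule or log query at the backend has to match the proxy-side source address returned here, not the VM's original address.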

LoadBalancerBackendInfo

For display only. Metadata associated with the load balancer backend.

JSON representation
{
  "name": string,
  "instanceUri": string,
  "backendServiceUri": string,
  "instanceGroupUri": string,
  "networkEndpointGroupUri": string,
  "backendBucketUri": string,
  "pscServiceAttachmentUri": string,
  "pscGoogleApiTarget": string,
  "healthCheckUri": string,
  "healthCheckFirewallsConfigState": enum (HealthCheckFirewallsConfigState)
}
Fields
name

string

Display name of the backend. For example, it might be an instance name for the instance group backends, or an IP address and port for zonal network endpoint group backends.

instanceUri

string

URI of the backend instance (if applicable). Populated for instance group backends, and zonal NEG backends.

backendServiceUri

string

URI of the backend service this backend belongs to (if applicable).

instanceGroupUri

string

URI of the instance group this backend belongs to (if applicable).

networkEndpointGroupUri

string

URI of the network endpoint group this backend belongs to (if applicable).

backendBucketUri

string

URI of the backend bucket this backend targets (if applicable).

pscServiceAttachmentUri

string

URI of the PSC service attachment this PSC NEG backend targets (if applicable).

pscGoogleApiTarget

string

PSC Google API target this PSC NEG backend targets (if applicable).

healthCheckUri

string

URI of the health check attached to this backend (if applicable).

healthCheckFirewallsConfigState

enum (HealthCheckFirewallsConfigState)

Output only. Health check firewalls configuration state for the backend. This is a result of the static firewall analysis (verifying that health check traffic from required IP ranges to the backend is allowed or not). The backend might still be unhealthy even if these firewalls are configured. Please refer to the documentation for more information: https://cloud.google.com/load-balancing/docs/firewall-rules

HealthCheckFirewallsConfigState

Health check firewalls configuration state enum.

Enums
HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED Configuration state unspecified. It usually means that the backend has no health check attached, or there was an unexpected configuration error preventing Connectivity tests from verifying health check configuration.
FIREWALLS_CONFIGURED Firewall rules (policies) allowing health check traffic from all required IP ranges to the backend are configured.
FIREWALLS_PARTIALLY_CONFIGURED Firewall rules (policies) allow health check traffic only from a part of required IP ranges.
FIREWALLS_NOT_CONFIGURED Firewall rules (policies) deny health check traffic from all required IP ranges to the backend.
FIREWALLS_UNSUPPORTED The network contains firewall rules of unsupported types, so Connectivity tests were not able to verify health check configuration status. Please refer to the documentation for the list of unsupported configurations: https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs
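The following added example (not part of the API reference) triages backend objects by `healthCheckFirewallsConfigState`. The function names and sample backends are hypothetical, and it assumes that an omitted enum field means the unspecified value and that `healthCheckUri` can separate the two meanings of the unspecified state.

```python
# Added example: triage backends by healthCheckFirewallsConfigState.
UNSPEC = "HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED"

def triage_backend(backend):
    """Return (severity, reason) for one backend object."""
    # Assumption: an omitted enum field means the unspecified (default) value.
    state = backend.get("healthCheckFirewallsConfigState", UNSPEC)
    if state == "FIREWALLS_CONFIGURED":
        # Static analysis only: the backend can still be unhealthy.
        return "ok", "health check ranges allowed; health itself not proven"
    if state == "FIREWALLS_PARTIALLY_CONFIGURED":
        return "fix", "only part of the required health check ranges allowed"
    if state == "FIREWALLS_NOT_CONFIGURED":
        return "fix", "health check traffic denied from all required ranges"
    if state == "FIREWALLS_UNSUPPORTED":
        return "manual", "unsupported firewall rule types; review by hand"
    if state == UNSPEC:
        if backend.get("healthCheckUri"):
            # Heuristic (assumption): a health check is attached, so the
            # unspecified state points at a configuration error.
            return "manual", "health check attached but state not computed"
        return "info", "no health check attached"
    return "manual", "unrecognised state " + repr(state)

def triage(backends):
    """Group (display name, reason) pairs by severity."""
    report = {}
    for b in backends:
        severity, reason = triage_backend(b)
        name = b.get("displayName", "<unnamed>")
        report.setdefault(severity, []).append((name, reason))
    return report

# Constructed sample data; names and URIs are placeholders.
SAMPLE_BACKENDS = [
    {"displayName": "web-ig-a", "healthCheckUri": "projects/example/global/healthChecks/hc-1",
     "healthCheckFirewallsConfigState": "FIREWALLS_CONFIGURED"},
    {"displayName": "web-ig-b", "healthCheckUri": "projects/example/global/healthChecks/hc-1",
     "healthCheckFirewallsConfigState": "FIREWALLS_PARTIALLY_CONFIGURED"},
    {"displayName": "10.0.0.5:8080"},
    {"displayName": "api-ig", "healthCheckUri": "projects/example/global/healthChecks/hc-2"},
]

if __name__ == "__main__":
    for severity, items in triage(SAMPLE_BACKENDS).items():
        print(severity, items)
```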

StorageBucketInfo

For display only. Metadata associated with Storage Bucket.

JSON representation
{
  "bucket": string
}
Fields
bucket

string

Cloud Storage Bucket name.

ServerlessNegInfo

For display only. Metadata associated with the serverless network endpoint group backend.

JSON representation
{
  "negUri": string
}
Fields
negUri

string

URI of the serverless network endpoint group.

ProbingDetails

Results of active probing from the last run of the test.

JSON representation
{
  "result": enum (ProbingResult),
  "verifyTime": string,
  "error": {
    object (Status)
  },
  "abortCause": enum (ProbingAbortCause),
  "sentProbeCount": integer,
  "successfulProbeCount": integer,
  "endpointInfo": {
    object (EndpointInfo)
  },
  "probingLatency": {
    object (LatencyDistribution)
  },
  "destinationEgressLocation": {
    object (EdgeLocation)
  }
}
Fields
result

enum (ProbingResult)

The overall result of active probing.

verifyTime

string (Timestamp format)

The time that reachability was assessed through active probing.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

error

object (Status)

Details about an internal failure or the cancellation of active probing.

abortCause

enum (ProbingAbortCause)

The reason probing was aborted.

sentProbeCount

integer

Number of probes sent.

successfulProbeCount

integer

Number of probes that reached the destination.

endpointInfo

object (EndpointInfo)

The source and destination endpoints derived from the test input and used for active probing.

probingLatency

object (LatencyDistribution)

Latency as measured by active probing in one direction: from the source to the destination endpoint.

destinationEgressLocation

object (EdgeLocation)

The EdgeLocation at which a packet destined for the internet egresses the Google network, or at which a packet originating from the internet ingresses it. This field is populated only for a connectivity test that has an internet destination or source address. The absence of this field must not be used as an indication that the destination or source is part of the Google network.

ProbingResult

Overall probing result of the test.

Enums
PROBING_RESULT_UNSPECIFIED No result was specified.
REACHABLE At least 95% of packets reached the destination.
UNREACHABLE No packets reached the destination.
REACHABILITY_INCONSISTENT Less than 95% of packets reached the destination.
UNDETERMINED Reachability could not be determined. Possible reasons are:
* The user lacks permission to access some of the network resources required to run the test.
* No valid source endpoint could be derived from the request.
* An internal error occurred.

ProbingAbortCause

Abort cause types.

Enums
PROBING_ABORT_CAUSE_UNSPECIFIED No reason was specified.
PERMISSION_DENIED The user lacks permission to access some of the network resources required to run the test.
NO_SOURCE_LOCATION No valid source endpoint could be derived from the request.

LatencyDistribution

Describes measured latency distribution.

JSON representation
{
  "latencyPercentiles": [
    {
      object (LatencyPercentile)
    }
  ]
}
Fields
latencyPercentiles[]

object (LatencyPercentile)

Representative latency percentiles.

LatencyPercentile

Latency percentile rank and value.

JSON representation
{
  "percent": integer,
  "latencyMicros": string
}
Fields
percent

integer

Percentage of samples this data point applies to.

latencyMicros

string (int64 format)

The percent-th percentile of observed latency, in microseconds. A fraction percent/100 of the samples have latency lower than or equal to the value of this field.
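The following added example (not part of the API reference) sanity-checks a `ProbingDetails` object: it derives the result implied by the probe counts, surfaces `abortCause` for undetermined runs, and converts the string-encoded `latencyMicros` values. The function names and sample objects are hypothetical, and it assumes the 95% threshold from `ProbingResult` applies to `successfulProbeCount / sentProbeCount`.

```python
# Added example: sanity-check a ProbingDetails object.
def expected_result(sent, ok):
    """Result implied by the probe counts, using the documented thresholds."""
    if sent <= 0:
        return None                      # nothing sent, nothing to derive
    if ok == 0:
        return "UNREACHABLE"
    if ok * 100 >= 95 * sent:            # at least 95%, integer arithmetic
        return "REACHABLE"
    return "REACHABILITY_INCONSISTENT"

def summarize_probing(details):
    """Return result, lost probe count, latency percentiles and notes."""
    result = details.get("result", "PROBING_RESULT_UNSPECIFIED")
    sent = int(details.get("sentProbeCount", 0))
    ok = int(details.get("successfulProbeCount", 0))
    # latencyMicros is an int64 carried as a JSON string; convert before use.
    percentiles = details.get("probingLatency", {}).get("latencyPercentiles", [])
    latency_us = {int(p["percent"]): int(p["latencyMicros"]) for p in percentiles}
    notes = []
    derived = expected_result(sent, ok)
    if result == "UNDETERMINED":
        cause = details.get("abortCause", "PROBING_ABORT_CAUSE_UNSPECIFIED")
        notes.append("abortCause=" + cause)
    elif derived is not None and derived != result:
        notes.append("counts imply %s, reported %s" % (derived, result))
    return {"result": result, "lost": sent - ok,
            "latency_us": latency_us, "notes": notes}

# Constructed sample objects (not real API output).
SAMPLE_INCONSISTENT = {
    "result": "REACHABILITY_INCONSISTENT",
    "sentProbeCount": 50, "successfulProbeCount": 46,
    "probingLatency": {"latencyPercentiles": [
        {"percent": 50, "latencyMicros": "812"},
        {"percent": 95, "latencyMicros": "1930"}]},
}
SAMPLE_ABORTED = {"result": "UNDETERMINED", "abortCause": "PERMISSION_DENIED"}

if __name__ == "__main__":
    print(summarize_probing(SAMPLE_INCONSISTENT))
    print(summarize_probing(SAMPLE_ABORTED))
```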

EdgeLocation

Representation of a network edge location as per https://cloud.google.com/vpc/docs/edge-locations.

JSON representation
{
  "metropolitanArea": string
}
Fields
metropolitanArea

string

Name of the metropolitan area.

Methods

create

Creates a new Connectivity Test.

delete

Deletes a specific ConnectivityTest.

get

Gets the details of a specific Connectivity Test.

getIamPolicy

Gets the access control policy for a resource.

list

Lists all Connectivity Tests owned by a project.

patch

Updates the configuration of an existing ConnectivityTest.

rerun

Reruns an existing ConnectivityTest.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.