Forwarding rules for Cloud Service Mesh

This document applies only to Cloud Service Mesh with the load balancing APIs. We strongly recommend that you use the service routing APIs to deploy Cloud Service Mesh.

Cloud Service Mesh uses the forwarding rule to determine the target proxy to which traffic in the mesh is routed.

Each forwarding rule provides a single global IPv4 address for a service. You can use that address to create internal DNS records for your service (for example, by using a Cloud DNS managed private zone). Metadata filters in the forwarding rule specify the criteria for which an xDS-compliant sidecar proxy receives the configuration.

For the Cloud Service Mesh control plane, the internal, self-managed, and global forwarding rule routes traffic by IP address, port, and protocol to a target proxy. The target proxy points to a URL map that contains rules that determine the destination of the traffic. The URL map also specifies the default backend service. This backend service specifies a health check and determines the appropriate backend, such as a managed instance group (MIG) that contains virtual machine (VM) instances or a network endpoint group (NEG) that contains Google Kubernetes Engine (GKE) backend Pods.

The following diagram shows how a forwarding rule fits into the Cloud Service Mesh architecture.

Cloud Service Mesh forwarding rule highlighted.
Cloud Service Mesh forwarding rule highlighted (click to enlarge)

Forwarding rule properties

A forwarding rule resource contains the following properties that apply to Cloud Service Mesh. The forwarding rule handles traffic that matches the destination IP address, protocol, and port number.

A IP address in a forwarding rule is one of the options when using Cloud Service Mesh. A IP address means any IP address.

  • With a proxy deployment, a IP address lets a proxy match any incoming traffic if no other specific match is found.

  • With a proxyless deployment, a IP address provides a way to specify that an IP address is not required. More details follow about using IP addresses with a target gRPC proxy.

The following table describes forwarding rule properties in more detail.

Property Required Description

The name of the forwarding rule.

The name must be unique in this project, from 1 to 63 characters, and match the regular expression: [a-z]([-a-z0-9]*[a-z0-9])?

This means that the first character must be a lowercase letter, and all the following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.


One of the following: or, or any RFC 1918 address.

IP addresses for Cloud Service Mesh forwarding rules don't need to correspond to IP address ranges of subnets in the Virtual Private Cloud (VPC) network. For a given VPC network, IP address, and port, you can have only one internal, self-managed forwarding rule.

For example, in the same VPC network, you cannot create two forwarding rules that use the IP address and port 80.

IPAddress with a target gRPC proxy

A forwarding rule that references a target gRPC proxy with the validateForProxyless field set to TRUE and its IP address set to

A gRPC client that uses the xds scheme does not perform DNS lookup to resolve the hostname in the channel URI. Instead, such a client resolves the hostname[:port] in the target URI by sending a Listener discovery service (LDS) request to Cloud Service Mesh. There is no DNS lookup involved, and a DNS entry for the hostname is not required.

As a result, Cloud Service Mesh uses the IP address and the port (default 80) specified in the URI to look up the forwarding rule. Then, Cloud Service Mesh looks for a matching host rule in the URL map of the target proxy referenced by the forwarding rule.


The target proxy that this forwarding rule directs traffic to. Cloud Service Mesh supports target-http-proxy, target-https-proxy, and target-grpc-proxy.

When you use the Google Cloud console to configure the forwarding rule, the target proxy is configured automatically. When you use the Google Cloud CLI or the API, the target proxy must exist before you create your forwarding rule. You can use more than one forwarding rule with a given proxy.

IPProtocol The type of protocol that this forwarding rule matches. The only supported value is TCP.
loadBalancingScheme Specifies how the forwarding rule is used. The valid value for Cloud Service Mesh is INTERNAL_SELF_MANAGED.

A port or a port range joined by a dash.

Packets of the specified protocol sent to these ports are forwarded to the appropriate backend. You can specify a single number of a range—for example, 80 or 80-8080.

For a given VPC network, IP address, and port, you can have only one internal, self-managed forwarding rule. For example, in the same VPC network, you cannot create two forwarding rules that use the IP address and port 80.

With proxyless gRPC services, the port in the forwarding rule is matched with the port specified in the URI that a gRPC application uses to connect to a service. If a port is not specified in the URI, then 80 is the default port.


Specifies the VPC network where the Google Cloud VMs running Envoy proxies are located.

The Envoy proxies read the Cloud Service Mesh configuration that you define for the same network where the proxies are deployed. You can use the VPC network named default or a custom network.

Cloud Service Mesh supports load balancing for clients only within the Google Cloud network. You specify the network name in the forwarding rule. VPC Network Peering isn't supported.

Add a global forwarding rule

To learn how to configure a forwarding rule within the overall Cloud Service Mesh setup with the load balancing APIS, see the following:

What's next