| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans-serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="compute_alpha.html">Compute Engine API</a> . <a href="compute_alpha.backendServices.html">backendServices</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#addSignedUrlKey">addSignedUrlKey(project, backendService, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Adds a key for validating requests with signed URLs for this backend</p> |
| <p class="toc_element"> |
| <code><a href="#aggregatedList">aggregatedList(project, filter=None, includeAllScopes=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, serviceProjectNumber=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Retrieves the list of all BackendService resources, regional and global,</p> |
| <p class="toc_element"> |
| <code><a href="#aggregatedList_next">aggregatedList_next()</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#close">close()</a></code></p> |
| <p class="firstline">Close httplib2 connections.</p> |
| <p class="toc_element"> |
| <code><a href="#delete">delete(project, backendService, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes the specified BackendService resource.</p> |
| <p class="toc_element"> |
| <code><a href="#deleteSignedUrlKey">deleteSignedUrlKey(project, backendService, keyName, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes a key for validating requests with signed URLs for this backend</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(project, backendService, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns the specified BackendService resource.</p> |
| <p class="toc_element"> |
| <code><a href="#getEffectiveSecurityPolicies">getEffectiveSecurityPolicies(project, backendService, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns effective security policies applied to this backend service.</p> |
| <p class="toc_element"> |
| <code><a href="#getHealth">getHealth(project, backendService, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the most recent health check results for this</p> |
| <p class="toc_element"> |
| <code><a href="#getIamPolicy">getIamPolicy(project, resource, optionsRequestedPolicyVersion=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets the access control policy for a resource. May be empty if no such</p> |
| <p class="toc_element"> |
| <code><a href="#insert">insert(project, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Creates a BackendService resource in the specified project using</p> |
| <p class="toc_element"> |
| <code><a href="#list">list(project, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Retrieves the list of BackendService resources available to the specified</p> |
| <p class="toc_element"> |
| <code><a href="#listUsable">listUsable(project, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Retrieves a list of all usable backend services in the specified project.</p> |
| <p class="toc_element"> |
| <code><a href="#listUsable_next">listUsable_next()</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#list_next">list_next()</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#patch">patch(project, backendService, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Patches the specified BackendService resource with the data included in the</p> |
| <p class="toc_element"> |
| <code><a href="#setEdgeSecurityPolicy">setEdgeSecurityPolicy(project, backendService, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the edge security policy for the specified backend service.</p> |
| <p class="toc_element"> |
| <code><a href="#setIamPolicy">setIamPolicy(project, resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the access control policy on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#setSecurityPolicy">setSecurityPolicy(project, backendService, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Sets the Google Cloud Armor security policy for the specified backend</p> |
| <p class="toc_element"> |
| <code><a href="#testIamPermissions">testIamPermissions(project, resource, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Returns permissions that a caller has on the specified resource.</p> |
| <p class="toc_element"> |
| <code><a href="#update">update(project, backendService, body=None, requestId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the specified BackendService resource with the data included in the</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="addSignedUrlKey">addSignedUrlKey(project, backendService, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Adds a key for validating requests with signed URLs for this backend |
| service. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to which the Signed URL Key should be |
| added. The name should conform to RFC1035. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a customer-supplied Signing Key used by Cloud CDN Signed URLs |
| "keyName": "A String", # Name of the key. The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "keyValue": "A String", # 128-bit key value used for signing the URL. The key value must be a valid RFC |
| # 4648 Section 5 base64url encoded string. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED" |
| # "domain": "googleapis.com" |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT" |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
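An added example, not part of the generated reference or of the client library: it builds the arguments for `addSignedUrlKey` while enforcing the constraints stated above (the `keyName` pattern and length, a 128-bit base64url `keyValue`, and a non-zero UUID `requestId`). The helper names are hypothetical, and the API call itself appears only in a comment because it needs credentials.

```python
import base64
import copy
import re
import secrets
import uuid

# Constraints quoted from the addSignedUrlKey request-body description.
KEY_NAME_RE = re.compile(r"[a-z]([-a-z0-9]*[a-z0-9])?")
KEY_BYTES = 16  # "128-bit key value"
ZERO_UUID = "00000000-0000-0000-0000-000000000000"
# RFC 4648 Section 5 alphabet ('-' and '_' instead of '+' and '/').
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def validate_key_name(name):
    """Return name if it is 1-63 chars and matches the documented pattern."""
    if not 1 <= len(name) <= 63:
        raise ValueError("keyName must be 1-63 characters long")
    if KEY_NAME_RE.fullmatch(name) is None:
        raise ValueError("keyName must match [a-z]([-a-z0-9]*[a-z0-9])?")
    return name


def generate_key_value():
    """Create a fresh 128-bit key from the OS CSPRNG, base64url encoded."""
    return base64.urlsafe_b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_key_value(value):
    """Decode a keyValue, rejecting wrong alphabets and wrong key sizes.

    Assumption: missing '=' padding is tolerated here; generate_key_value()
    always emits the padded form.
    """
    if B64URL_RE.fullmatch(value) is None:
        # Typical cause: standard base64 output containing '+' or '/'.
        raise ValueError("keyValue is not base64url (RFC 4648 Section 5)")
    stripped = value.rstrip("=")
    raw = base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))
    if len(raw) != KEY_BYTES:
        raise ValueError("keyValue must decode to exactly 16 bytes (128 bits)")
    return raw


def validate_request_id(request_id):
    """Return request_id if it is a canonical UUID other than the zero UUID."""
    parsed = str(uuid.UUID(request_id))  # raises ValueError on malformed input
    if parsed != request_id.lower() or parsed == ZERO_UUID:
        raise ValueError("requestId must be a valid, non-zero UUID")
    return request_id


def new_request_id():
    """Generate a requestId; reuse the same value when retrying a request."""
    return str(uuid.uuid4())


def build_add_signed_url_key_args(project, backend_service, key_name,
                                  key_value=None, request_id=None):
    """Assemble keyword arguments for backendServices().addSignedUrlKey()."""
    key_value = key_value if key_value is not None else generate_key_value()
    decode_key_value(key_value)
    request_id = request_id if request_id is not None else new_request_id()
    return {
        "project": project,
        "backendService": backend_service,
        "body": {"keyName": validate_key_name(key_name), "keyValue": key_value},
        "requestId": validate_request_id(request_id),
    }


def redact_for_log(args):
    """Copy of args that is safe to log: the signing key is a secret."""
    safe = copy.deepcopy(args)
    safe["body"]["keyValue"] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed sample names; no network call is made.
    args = build_add_signed_url_key_args("my-project", "web-backend", "cdn-key-1")
    print(redact_for_log(args))
    # With an authorized client (service = googleapiclient.discovery.build(
    # "compute", "alpha")), the call would be:
    #   service.backendServices().addSignedUrlKey(**args).execute()
```

Store the generated `keyValue` in a secret manager before sending it, since the URL signer needs the same value later.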
| |
| <div class="method"> |
| <code class="details" id="aggregatedList">aggregatedList(project, filter=None, includeAllScopes=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, serviceProjectNumber=None, x__xgafv=None)</code> |
| <pre>Retrieves the list of all BackendService resources, regional and global, |
| available to the specified project. |
| |
| To prevent failure, it is recommended that you set the |
| `returnPartialSuccess` parameter to `true`. |
| |
| Args: |
| project: string, Name of the project scoping this request. (required) |
| filter: string, A filter expression that filters resources listed in the response. Most |
| Compute resources support two types of filter expressions: |
| expressions that support regular expressions and expressions that follow |
| API improvement proposal AIP-160. |
| These two types of filter expressions cannot be mixed in one request. |
| |
| If you want to use AIP-160, your expression must specify the field name, an |
| operator, and the value that you want to use for filtering. The value |
| must be a string, a number, or a boolean. The operator |
| must be either `=`, `!=`, `>`, `<`, `<=`, `>=` or `:`. |
| |
| For example, if you are filtering Compute Engine instances, you can |
| exclude instances named `example-instance` by specifying |
| `name != example-instance`. |
| |
| The `:*` comparison can be used to test whether a key has been defined. |
| For example, to find all objects with `owner` label use: |
| ``` |
| labels.owner:* |
| ``` |
| |
| You can also filter nested fields. For example, you could specify |
| `scheduling.automaticRestart = false` to include instances only |
| if they are not scheduled for automatic restarts. You can use filtering |
| on nested fields to filter based on resource labels. |
| |
| To filter on multiple expressions, provide each separate expression within |
| parentheses. For example: |
| ``` |
| (scheduling.automaticRestart = true) |
| (cpuPlatform = "Intel Skylake") |
| ``` |
| By default, each expression is an `AND` expression. However, you |
| can include `AND` and `OR` expressions explicitly. |
| For example: |
| ``` |
| (cpuPlatform = "Intel Skylake") OR |
| (cpuPlatform = "Intel Broadwell") AND |
| (scheduling.automaticRestart = true) |
| ``` |
| |
| If you want to use a regular expression, use the `eq` (equal) or `ne` |
| (not equal) operator against a single un-parenthesized expression with or |
| without quotes or against multiple parenthesized expressions. Examples: |
| |
| `fieldname eq unquoted literal` |
| `fieldname eq 'single quoted literal'` |
| `fieldname eq "double quoted literal"` |
| `(fieldname1 eq literal) (fieldname2 ne "literal")` |
| |
| The literal value is interpreted as a regular expression using Google RE2 library syntax. |
| The literal value must match the entire field. |
| |
| For example, to filter for instances that do not end with name "instance", |
| you would use `name ne .*instance`. |
| |
| You cannot combine constraints on multiple fields using regular |
| expressions. |
| includeAllScopes: boolean, Indicates whether every visible scope for each scope type (zone, region, |
| global) should be included in the response. For new resource types added |
| after this field, the flag has no effect as new resource types will always |
| include every visible scope for each scope type in response. For resource |
| types which predate this field, if this flag is omitted or false, only |
| scopes of the scope types where the resource type is expected to be found |
| will be included. |
| maxResults: integer, The maximum number of results per page that should be returned. |
| If the number of available results is larger than `maxResults`, |
| Compute Engine returns a `nextPageToken` that can be used to get |
| the next page of results in subsequent list requests. Acceptable values are |
| `0` to `500`, inclusive. (Default: `500`) |
| orderBy: string, Sorts list results by a certain order. By default, results |
| are returned in alphanumerical order based on the resource name. |
| |
| You can also sort results in descending order based on the creation |
| timestamp using `orderBy="creationTimestamp desc"`. This sorts |
| results based on the `creationTimestamp` field in |
| reverse chronological order (newest result first). Use this to sort |
| resources like operations so that the newest operation is returned first. |
| |
| Currently, only sorting by `name` or |
| `creationTimestamp desc` is supported. |
| pageToken: string, Specifies a page token to use. Set `pageToken` to the |
| `nextPageToken` returned by a previous list request to get |
| the next page of results. |
| returnPartialSuccess: boolean, Opt-in for partial success behavior which provides partial results in case |
| of failure. The default value is false. |
| |
| For example, when partial success behavior is enabled, aggregatedList for a |
| single zone scope either returns all resources in the zone or no resources, |
| with an error code. |
| serviceProjectNumber: string, The Shared VPC service project id or service project number for which |
| aggregated list request is invoked for subnetworks list-usable api. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Contains a list of BackendServicesScopedList. |
| "id": "A String", # [Output Only] Unique identifier for the resource; defined by the server. |
| "items": { # A list of BackendServicesScopedList resources. |
| "a_key": { # Name of the scope containing this set of BackendServices. |
| "backendServices": [ # A list of BackendServices contained in this scope. |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # Message containing what to include in the cache key for a request for Cloud # The CacheKeyPolicy for this CdnPolicy. |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests that are allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # Defines an IP:PORT based dynamic forwarding configuration for the backend # IP:PORT based dynamic forwarding configuration. |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # For load balancers that have configurable # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # The available logging options for the load balancer traffic served by this |
| # backend service. |
| # |
| # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| # |
| # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIPMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIPMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the eviction of unhealthy hosts from the load balancing |
| # pool for the backend service. |
| # |
| # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "baseEjectionTime": { # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| # |
| # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| # |
| # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. # Input only. [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. # [Deprecated] Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| # This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| # Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| # Configuration for the mutual Tls mode for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server # Defines the mechanism to obtain the client or server certificate. |
| # certificate. |
| # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and # [Deprecated] Authorization config defines the Role Based Access Control |
| # (RBAC) config. |
| # method-level access control for a service. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # Contains the configurations necessary to generate a signature for access to # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a globalBackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] The client side authentication settings for connection # [Deprecated] TLS Settings for the backend service. |
| # originating from the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server # Defines the mechanism to obtain the client or server certificate. |
| # certificate. |
| # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not set up a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # The HTTP cookie used for stateful session affinity. # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. # subsetting cannot be specified with haPolicy. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| }, |
| ], |
| "warning": { # Informational warning which replaces the list of |
| # backend services when the list is empty. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }, |
| }, |
| "kind": "compute#backendServiceAggregatedList", # Type of resource. |
| "nextPageToken": "A String", # [Output Only] This token allows you to get the next page of results for |
| # list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for |
| # the query parameter pageToken in the next list request. |
| # Subsequent list requests will have their own nextPageToken to |
| # continue paging through the results. |
| "selfLink": "A String", # [Output Only] Server-defined URL for this resource. |
| "unreachables": [ # [Output Only] Unreachable resources. |
| "A String", |
| ], |
| "warning": { # [Output Only] Informational warning message. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="aggregatedList_next">aggregatedList_next()</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
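<p>An added example (not part of the generated reference or of the client library): an inventory loop that follows aggregatedList_next() until it returns None and keeps the "unreachables" and per-scope "warning" entries, so an audit does not treat a partial listing as complete. The function name, the Fake* classes and CONSTRUCTED_PAGES are assumptions made for this example; the "items" and "backendServices" keys follow the aggregatedList response layout.</p>

```python
def collect_backend_services(service, project):
    """Page through backendServices.aggregatedList until no page is left.

    `service` is a Compute API client object built by the caller (assumed).
    Returns (found, unreachable, scope_warnings):
      found          - (scope, name) for every backend service on every page
      unreachable    - entries from each page's "unreachables" list
      scope_warnings - (scope, code) for per-scope warnings other than
                       NO_RESULTS_ON_PAGE, which only marks an empty scope
    """
    collection = service.backendServices()
    request = collection.aggregatedList(project=project,
                                        returnPartialSuccess=True)
    found, unreachable, scope_warnings = [], [], []
    while request is not None:
        response = request.execute()
        for scope, scoped in response.get("items", {}).items():
            for backend_service in scoped.get("backendServices", []):
                found.append((scope, backend_service["name"]))
            warning = scoped.get("warning")
            if warning and warning.get("code") != "NO_RESULTS_ON_PAGE":
                scope_warnings.append((scope, warning.get("code")))
        unreachable.extend(response.get("unreachables", []))
        # aggregatedList_next returns None once there is no further page.
        request = collection.aggregatedList_next(
            previous_request=request, previous_response=response)
    return found, unreachable, scope_warnings


# Constructed two-page response set so the example runs offline.
# Keys are page tokens; None stands for the first request.
CONSTRUCTED_PAGES = {
    None: {
        "kind": "compute#backendServiceAggregatedList",
        "items": {
            "global": {"backendServices": [{"name": "web-frontend"}]},
            "regions/us-east1": {"warning": {"code": "NO_RESULTS_ON_PAGE"}},
        },
        "nextPageToken": "constructed-token-2",
    },
    "constructed-token-2": {
        "kind": "compute#backendServiceAggregatedList",
        "items": {
            "regions/europe-west1": {
                "backendServices": [{"name": "internal-api"}]},
            "regions/us-west1": {"warning": {"code": "UNREACHABLE"}},
        },
        "unreachables": ["regions/asia-east1"],
    },
}


class FakeRequest:
    """Constructed stand-in for a request object with execute()."""

    def __init__(self, token):
        self.token = token

    def execute(self):
        return CONSTRUCTED_PAGES[self.token]


class FakeBackendServices:
    """Constructed stand-in for the backendServices() collection."""

    def aggregatedList(self, project, returnPartialSuccess=None):
        return FakeRequest(None)

    def aggregatedList_next(self, previous_request, previous_response):
        token = previous_response.get("nextPageToken")
        return FakeRequest(token) if token else None


class FakeService:
    """Constructed stand-in for the API client."""

    def backendServices(self):
        return FakeBackendServices()


def demo():
    return collect_backend_services(FakeService(), "example-project")


if __name__ == "__main__":
    found, unreachable, scope_warnings = demo()
    print("backend services:", found)
    print("unreachable:", unreachable)
    print("scope warnings:", scope_warnings)
```

<p>A non-empty second or third list means the inventory is incomplete and should be reported as such rather than as a clean result.</p>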
| |
| <div class="method"> |
| <code class="details" id="close">close()</code> |
| <pre>Close httplib2 connections.</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="delete">delete(project, backendService, requestId=None, x__xgafv=None)</code> |
| <pre>Deletes the specified BackendService resource. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to delete. (required) |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="deleteSignedUrlKey">deleteSignedUrlKey(project, backendService, keyName, requestId=None, x__xgafv=None)</code> |
| <pre>Deletes a key for validating requests with signed URLs for this backend |
| service. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to which the Signed URL Key should be |
| added. The name should conform to RFC1035. (required) |
| keyName: string, The name of the Signed URL Key to delete. (required) |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
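<p>An added example (not part of the generated reference or of the client library) for the requestId text under delete() and deleteSignedUrlKey(): the request ID is chosen once, checked against the zero-UUID rule, and reused on every retry, and the returned Operation is then classified from its "status", "error" and "httpErrorStatusCode" fields. The function names, FakeKeyService and the treatment of a lost reply as TimeoutError are assumptions made for this example.</p>

```python
import uuid

ZERO_UUID = uuid.UUID(int=0)  # 00000000-0000-0000-0000-000000000000


def checked_request_id(value=None):
    """Return a requestId string: a valid UUID other than the zero UUID."""
    candidate = uuid.UUID(value) if value is not None else uuid.uuid4()
    if candidate == ZERO_UUID:
        raise ValueError("the zero UUID is not supported as a requestId")
    return str(candidate)


def request_id_is_acceptable(value):
    """True if `value` would pass checked_request_id()."""
    try:
        checked_request_id(value)
    except ValueError:
        return False
    return True


def revoke_signed_url_key(service, project, backend_service, key_name,
                          request_id=None, attempts=3):
    """Call deleteSignedUrlKey, retrying timeouts with the SAME requestId."""
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    request_id = checked_request_id(request_id)  # fixed before the first try
    last_timeout = None
    for _ in range(attempts):
        try:
            operation = service.backendServices().deleteSignedUrlKey(
                project=project, backendService=backend_service,
                keyName=key_name, requestId=request_id).execute()
        except TimeoutError as exc:  # assumption: lost replies surface here
            last_timeout = exc
            continue
        return request_id, operation
    raise last_timeout


def operation_outcome(operation):
    """Classify an Operation dict as failed, done or in-progress."""
    errors = operation.get("error", {}).get("errors", [])
    if errors or operation.get("httpErrorStatusCode"):
        return "failed", [(e.get("code"), e.get("message")) for e in errors]
    if operation.get("status") == "DONE":
        return "done", []
    return "in-progress", []


class FakeKeyService:
    """Constructed stand-in: acts on the first call, then loses the reply."""

    def __init__(self):
        self.seen_request_ids = []
        self.completed = set()
        self.deletions_applied = 0
        self.pending = None

    def backendServices(self):
        return self

    def deleteSignedUrlKey(self, project, backendService, keyName,
                           requestId=None):
        self.pending = requestId
        return self

    def execute(self):
        request_id = self.pending
        self.seen_request_ids.append(request_id)
        if request_id not in self.completed:
            self.completed.add(request_id)
            self.deletions_applied += 1
            raise TimeoutError("constructed: reply lost after server acted")
        # Same requestId seen again: nothing is applied a second time.
        return {"kind": "compute#operation", "status": "DONE",
                "clientOperationId": request_id}


def demo():
    fake = FakeKeyService()
    request_id, operation = revoke_signed_url_key(
        fake, "example-project", "example-backend", "example-key")
    return {"request_id": request_id,
            "seen_request_ids": fake.seen_request_ids,
            "deletions_applied": fake.deletions_applied,
            "outcome": operation_outcome(operation)}


if __name__ == "__main__":
    print(demo())
```

<p>Until the outcome is "done", treat the signed URL key as still active; an "in-progress" Operation has to be followed up through the operations resource named in the Operation description.</p>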
| |
| <div class="method"> |
| <code class="details" id="get">get(project, backendService, x__xgafv=None)</code> |
| <pre>Returns the specified BackendService resource. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to return. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # The CacheKeyPolicy for this CdnPolicy. |
| # |
| # Message containing what to include in the cache key for a request for Cloud |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # The timeout for new network connections to hosts. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # The information about the HTTP Cookie on which the hash function is based |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # Lifetime of the cookie. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # IP:PORT based dynamic forwarding configuration. |
| # |
| # Defines an IP:PORT based dynamic forwarding configuration for the backend |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIpMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
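The haPolicy constraints described above can be checked before a request body is sent. The following is an added example, not part of the generated reference or the client library: `lint_ha_backend_service` and both sample bodies are constructed for illustration, and treating any non-empty value of a conflicting field as "specified" is an assumption.

```python
import re

# Name pattern quoted in the reference for the "name" field.
NAME_RE = re.compile(r"[a-z]([-a-z0-9]*[a-z0-9])?")

# Fields the reference says cannot be specified together with haPolicy.
HA_EXCLUSIVE_FIELDS = (
    "sessionAffinity", "connectionTrackingPolicy", "failoverPolicy",
    "healthChecks", "localityLbPolicy", "networkPassThroughLbTrafficPolicy",
)
FAST_IP_MOVE_VALUES = ("DISABLED", "GARP_RA")


def lint_ha_backend_service(body):
    """Return a list of findings for a BackendService request body (a dict)."""
    findings = []
    name = body.get("name", "")
    if len(name) > 63 or not NAME_RE.fullmatch(name):
        findings.append("name: must be 1-63 characters and match " + NAME_RE.pattern)
    ha = body.get("haPolicy")
    if ha is None:
        return findings
    # Assumption: any non-empty value counts as "specified".
    for field in HA_EXCLUSIVE_FIELDS:
        if body.get(field):
            findings.append(f"{field}: cannot be specified with haPolicy")
    scheme = body.get("loadBalancingScheme")
    if scheme not in ("INTERNAL", "EXTERNAL"):
        findings.append("loadBalancingScheme: haPolicy is only for passthrough "
                        "Network Load Balancers (INTERNAL or EXTERNAL)")
    fast = ha.get("fastIPMove", "DISABLED")  # DISABLED is the documented default
    if fast not in FAST_IP_MOVE_VALUES:
        findings.append("haPolicy.fastIPMove: unsupported value " + repr(fast))
    fast_enabled = fast != "DISABLED"
    # network is required for internal passthrough with haPolicy, and for
    # external passthrough when fast IP move is enabled.
    if not body.get("network") and (scheme == "INTERNAL" or fast_enabled):
        findings.append("network: must be set for this haPolicy configuration")
    groups = [b.get("group") for b in body.get("backends", [])]
    leader = ha.get("leader")
    if leader is not None and leader.get("backendGroup") not in groups:
        findings.append("haPolicy.leader.backendGroup: must already be a "
                        "backend of this backend service")
    return findings


# Constructed sample values; the project, zone and NEG names are placeholders.
NEG_A = ("https://www.googleapis.com/compute/v1/projects/example-project/"
         "zones/us-central1-a/networkEndpointGroups/neg-a")
NEG_B = NEG_A.replace("neg-a", "neg-b")

GOOD_BODY = {
    "name": "ha-service",
    "loadBalancingScheme": "EXTERNAL",
    "network": "https://www.googleapis.com/compute/v1/projects/example-project/"
               "global/networks/example-net",
    "backends": [{"group": NEG_A}],
    "haPolicy": {
        "fastIPMove": "GARP_RA",
        "leader": {"backendGroup": NEG_A,
                   "networkEndpoint": {"instance": "vm-a"}},
    },
}

BAD_BODY = {
    "name": "HA_Service",                      # upper case and underscore
    "loadBalancingScheme": "EXTERNAL",
    "backends": [{"group": NEG_A}],
    "healthChecks": ["example-health-check"],  # conflicts with haPolicy
    "failoverPolicy": {"failoverRatio": 0.5},  # conflicts with haPolicy
    "haPolicy": {
        "fastIPMove": "GARP_RA",               # requires network
        "leader": {"backendGroup": NEG_B,      # not attached as a backend
                   "networkEndpoint": {"instance": "vm-b"}},
    },
}

if __name__ == "__main__":
    for finding in lint_ha_backend_service(BAD_BODY):
        print(finding)
```

Because haPolicy and fastIPMove can be set only at creation time, a check like this is most useful in review or CI before the insert call.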
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| # |
| # The available logging options for the load balancer traffic served by this |
| # backend service. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIpMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIpMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # Settings controlling the eviction of unhealthy hosts from the load balancing |
| # pool for the backend service. |
| "baseEjectionTime": { # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
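The success-rate ejection rule described above (mean - (stdev * successRateStdevFactor), gated by successRateMinimumHosts and successRateRequestVolume and capped by maxEjectionPercent) can be worked through on one interval of counters. This is an added example, not the load balancer's implementation: the function name and sample counters are constructed, and it assumes a population standard deviation over per-endpoint success rates, enforcingSuccessRate at its default of 100, and a cap rounded down.

```python
import math

# Defaults as stated in the field descriptions above.
DEFAULTS = {
    "successRateMinimumHosts": 5,
    "successRateRequestVolume": 100,
    "successRateStdevFactor": 1900,   # divided by 1000 at runtime, i.e. 1.9
    "maxEjectionPercent": 50,
}


def success_rate_ejections(stats, cfg=DEFAULTS):
    """Evaluate one ejection analysis sweep.

    stats maps endpoint name to (successes, total_requests) for the interval.
    Returns (threshold, ejected); threshold is None when detection is skipped.
    """
    # Only endpoints with enough request volume take part in the statistics.
    rates = {
        ep: ok / total
        for ep, (ok, total) in stats.items()
        if total > 0 and total >= cfg["successRateRequestVolume"]
    }
    # Too few qualifying endpoints: no success-rate detection for anyone.
    if len(rates) < cfg["successRateMinimumHosts"]:
        return None, []
    mean = sum(rates.values()) / len(rates)
    # Assumption: population standard deviation of the per-endpoint rates.
    stdev = math.sqrt(sum((r - mean) ** 2 for r in rates.values()) / len(rates))
    threshold = mean - stdev * cfg["successRateStdevFactor"] / 1000.0
    # Worst endpoints first, so the cap keeps the clearest outliers.
    candidates = sorted(
        (ep for ep, r in rates.items() if r < threshold), key=rates.get
    )
    # Assumption: the cap is a share of the whole pool, rounded down.
    cap = len(stats) * cfg["maxEjectionPercent"] // 100
    return threshold, candidates[:cap]


# Constructed counters for one interval: seven healthy endpoints, one that
# fails 60% of requests, and one with too little traffic to be judged.
SAMPLE = {f"ep-{c}": (100, 100) for c in "abcdefg"}
SAMPLE["ep-h"] = (40, 100)
SAMPLE["ep-i"] = (0, 5)

if __name__ == "__main__":
    threshold, ejected = success_rate_ejections(SAMPLE)
    print(f"threshold={threshold:.4f} ejected={ejected}")
```

The low-volume endpoint is never ejected by this rule even at a 0% success rate, which is why consecutiveErrors and consecutiveGatewayFailure exist as separate triggers.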
| "params": { # Additional Backend Service parameters. # Input only. [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. # [Deprecated] Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| # The authentication settings for the backend service. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| # Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| # JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| # This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| # Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| # Configuration for the mutual Tls mode for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to validate the client/server certificate. # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and method-level access control for a service. # [Deprecated] Authorization config defines the Role Based Access Control |
| # (RBAC) config. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # Contains the configurations necessary to generate a signature for access to |
| # private storage buckets that support Signature Version 4 for authentication. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| # |
| # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a globalBackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] The client side authentication settings for connection originating from the backend service. # [Deprecated] TLS Settings for the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to validate the client/server certificate. # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not setup a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # The HTTP cookie used for stateful session affinity. # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # Lifetime of the cookie. A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| # subsetting cannot be specified with haPolicy. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity.
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK.
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| }</pre> |
| </div> |
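The constraints this reference states for `tlsSettings` (the SPIFFE ID layout for `identity`, the fields that `identity` excludes, the 5-entry SAN limit, and the precedence of `subjectAltNames[]` over `sni`) can be checked on a request body before it is sent. The following is an added example, not part of the generated reference or the client library: the function names, finding codes and sample values are constructed, `protocol` is assumed to be the BackendService field that carries the backend protocol, and certificate name matching is modeled as exact comparison (DNS names case-folded) because this page does not define the matching rule.

```python
import re

# SPIFFE ID layout quoted in the `identity` description on this page:
#   //<trust_domain>/ns/<namespace>/sa/<subject>
SPIFFE_ID = re.compile(r"^//[^/]+/ns/[^/]+/sa/[^/]+$")
TLS_PROTOCOLS = {"SSL", "HTTPS", "HTTP2"}  # tlsSettings may only be set for these
MAX_SANS = 5                               # documented subjectAltNames[] limit
EXCLUDED_BY_IDENTITY = ("sni", "subjectAltNames", "authenticationConfig")
SAN_KEYS = ("dnsName", "uniformResourceIdentifier")


def lint_tls_settings(body):
    """Check a BackendService request body; return a list of (code, message).

    Intended for bodies about to be sent: on a get() response the system
    itself fills a read-only authenticationConfig next to `identity`.
    """
    findings = []
    tls = body.get("tlsSettings")
    if not tls:
        return findings
    if body.get("protocol") not in TLS_PROTOCOLS:
        findings.append(("PROTOCOL", "tlsSettings requires protocol SSL, HTTPS or HTTP2"))
    identity = tls.get("identity")
    if identity:
        if not SPIFFE_ID.match(identity):
            findings.append(("IDENTITY_FORMAT",
                             "identity is not //<trust_domain>/ns/<namespace>/sa/<subject>"))
        for field in EXCLUDED_BY_IDENTITY:
            if tls.get(field):
                findings.append(("IDENTITY_CONFLICT",
                                 f"{field} cannot be set manually together with identity"))
    sans = tls.get("subjectAltNames") or []
    if len(sans) > MAX_SANS:
        findings.append(("TOO_MANY_SANS", f"{len(sans)} entries, limit is {MAX_SANS}"))
    for index, san in enumerate(sans):
        if sum(1 for key in SAN_KEYS if san.get(key)) != 1:
            findings.append(("SAN_SHAPE",
                             f"subjectAltNames[{index}] must be either a DNS name or a URI"))
    if tls.get("sni") and sans:
        findings.append(("SNI_NOT_MATCHED",
                         "sni is sent in the handshake, but the backend certificate "
                         "is matched only against subjectAltNames[]"))
    return findings


def names_checked(tls):
    """Names the backend certificate's SANs are compared with.

    Follows the precedence stated on this page: subjectAltNames[] wins over
    sni when both are set; sni alone must match a SAN in the certificate.
    """
    sans = tls.get("subjectAltNames") or []
    if sans:
        return [(key, san[key]) for san in sans for key in SAN_KEYS if san.get(key)]
    if tls.get("sni"):
        return [("dnsName", tls["sni"])]
    return []


def _normalize(kind, value):
    # Assumption: exact comparison, with DNS names compared case-insensitively.
    return (kind, value.lower() if kind == "dnsName" else value)


def backend_cert_accepted(tls, cert_sans):
    """True/False if a name check applies; None if no name is configured here."""
    expected = {_normalize(kind, value) for kind, value in names_checked(tls)}
    if not expected:
        return None
    presented = {_normalize(kind, value) for kind, value in cert_sans}
    return bool(expected & presented)


# Constructed sample body: both sni and subjectAltNames[] are set.
SAMPLE_BODY = {
    "protocol": "HTTPS",
    "tlsSettings": {
        "sni": "api.internal.example",
        "subjectAltNames": [{"dnsName": "backend.internal.example"}],
    },
}

if __name__ == "__main__":
    for code, message in lint_tls_settings(SAMPLE_BODY):
        print(f"{code}: {message}")
    # A certificate that only carries the SNI name fails the check,
    # because subjectAltNames[] takes precedence.
    print(backend_cert_accepted(SAMPLE_BODY["tlsSettings"],
                                [("dnsName", "api.internal.example")]))
```

A certificate whose only SAN equals the `sni` value is rejected for `SAMPLE_BODY`, which is the case the `SNI_NOT_MATCHED` finding is meant to surface during review.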
| |
| <div class="method"> |
| <code class="details" id="getEffectiveSecurityPolicies">getEffectiveSecurityPolicies(project, backendService, x__xgafv=None)</code> |
| <pre>Returns effective security policies applied to this backend service. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the Backend Service for this request. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "securityPolicies": [ # Effective security policies for the backend service. |
| { # Represents a Google Cloud Armor security policy resource. |
| # |
| # Only external backend services that use load balancers can |
| # reference a security policy. For more information, see |
| # Google Cloud Armor security policy overview. |
| "adaptiveProtectionConfig": { # Configuration options for Cloud Armor Adaptive Protection (CAAP). |
| "autoDeployConfig": { # Configuration options for Adaptive Protection auto-deploy feature. |
| "confidenceThreshold": 3.14, |
| "expirationSec": 42, |
| "impactedBaselineThreshold": 3.14, |
| "loadThreshold": 3.14, |
| }, |
| "layer7DdosDefenseConfig": { # Configuration options for L7 DDoS detection. # If set to true, enables Cloud Armor Machine Learning. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "enable": True or False, # If set to true, enables CAAP for L7 DDoS detection. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "ruleVisibility": "A String", # Rule visibility can be one of the following: |
| # STANDARD - opaque rules. (default) |
| # PREMIUM - transparent rules. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "thresholdConfigs": [ # Configuration options for layer7 adaptive protection for various |
| # customizable thresholds. |
| { |
| "autoDeployConfidenceThreshold": 3.14, |
| "autoDeployExpirationSec": 42, |
| "autoDeployImpactedBaselineThreshold": 3.14, |
| "autoDeployLoadThreshold": 3.14, |
| "detectionAbsoluteQps": 3.14, |
| "detectionLoadThreshold": 3.14, |
| "detectionRelativeToBaselineQps": 3.14, |
| "name": "A String", # The name must be 1-63 characters long, and comply with RFC1035.
| # The name must be unique within the security policy. |
| "trafficGranularityConfigs": [ # Configuration options for enabling Adaptive Protection to operate |
| # on specified granular traffic units. |
| { # Configurations to specific granular traffic units processed by
| # Adaptive Protection. |
| "enableEachUniqueValue": True or False, # If enabled, traffic matching each unique value for the specified |
| # type constitutes a separate traffic unit. |
| # It can only be set to true if `value` is empty. |
| "type": "A String", # Type of this configuration. |
| "value": "A String", # Requests that match this value constitute a granular traffic unit. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "advancedOptionsConfig": { |
| "jsonCustomConfig": { # Custom configuration to apply the JSON parsing. Only applicable when |
| # json_parsing is set to STANDARD. |
| "contentTypes": [ # A list of custom Content-Type header values to apply the JSON parsing. |
| # |
| # As per RFC 1341, a Content-Type header value has the following format: |
| # |
| # Content-Type := type "/" subtype *[";" parameter] |
| # |
| # When configuring a custom Content-Type header value, only the |
| # type/subtype needs to be specified, and the parameters should be |
| # excluded. |
| "A String", |
| ], |
| }, |
| "jsonParsing": "A String", |
| "logLevel": "A String", |
| "requestBodyInspectionSize": "A String", # The maximum request size chosen by the customer with WAF enabled.
| # Values supported are "8KB", "16KB", "32KB", "48KB" and "64KB".
| # Values are case insensitive. |
| "userIpRequestHeaders": [ # An optional list of case-insensitive request header names to use for
| # resolving the caller's client IP address.
| "A String", |
| ], |
| }, |
| "associations": [ # A list of associations that belong to this policy. |
| { |
| "attachmentId": "A String", # The resource that the security policy is attached to. |
| "displayName": "A String", # [Output Only] The display name of the security policy of the association. |
| "excludedFolders": [ # A list of folders to exclude from the security policy. |
| "A String", |
| ], |
| "excludedProjects": [ # A list of projects to exclude from the security policy. |
| "A String", |
| ], |
| "name": "A String", # The name for an association. |
| "securityPolicyId": "A String", # [Output Only] The security policy ID of the association. |
| "shortName": "A String", # [Output Only] The short name of the security policy of the association. |
| }, |
| ], |
| "cloudArmorConfig": { # Configuration options for Cloud Armor. |
| "enableMl": True or False, # If set to true, enables Cloud Armor Machine Learning. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339
| # text format. |
| "ddosProtectionConfig": { |
| "ddosAdaptiveProtection": "A String", |
| "ddosImpactedBaselineThreshold": 3.14, # Adaptive Protection for Network Load Balancers (and VMs with public IPs) |
| # builds DDoS mitigations that minimize collateral damage. It quantifies
| # this as the fraction of a non-abuse baseline that's inadvertently |
| # blocked. |
| # |
| # Rules whose collateral damage exceeds |
| # ddosAdaptiveImpactedBaselineThreshold will not be deployed. Using a lower |
| # value will prioritize keeping collateral damage low, possibly at the cost |
| # of its effectiveness in rate limiting some or all of the attack. |
| # It should typically be between 0.01 and 0.10. |
| "ddosProtection": "A String", |
| }, |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "displayName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is FIREWALL. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "fingerprint": "A String", # Specifies a fingerprint for this resource, which is essentially a hash of |
| # the metadata's contents and used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update metadata. You must always provide an |
| # up-to-date fingerprint hash in order to update or change metadata, |
| # otherwise the request will fail with error 412 conditionNotMet.
| #
| # To see the latest fingerprint, make a get() request to the
| # security policy.
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "kind": "compute#securityPolicy", # [Output only] Type of the resource. Always compute#securityPolicy for security policies
| "labelFingerprint": "A String", # A fingerprint for the labels being applied to this security policy, which |
| # is essentially a hash of the labels set used for optimistic locking. The |
| # fingerprint is initially generated by Compute Engine and changes after |
| # every request to modify or update labels. You must always provide an |
| # up-to-date fingerprint hash in order to update or change labels. |
| # |
| # To see the latest fingerprint, make a get() request to the
| # security policy. |
| "labels": { # Labels for this resource. These can only be added or modified by the setLabels method. Each label key/value pair must comply with RFC1035.
| # Label values may be empty. |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035.
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "parent": "A String", # [Output Only] The parent of the security policy. |
| "recaptchaOptionsConfig": { |
| "redirectSiteKey": "A String", # An optional field to supply a reCAPTCHA site key to be used for all the |
| # rules using the redirect action with the type of GOOGLE_RECAPTCHA under |
| # the security policy. The specified site key needs to be created from the |
| # reCAPTCHA API. The user is responsible for the validity of the specified |
| # site key. If not specified, a Google-managed site key is used. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| }, |
| "region": "A String", # [Output Only] URL of the region where the regional security policy |
| # resides. This field is not applicable to global security policies. |
| "ruleTupleCount": 42, # [Output Only] Total count of all security policy rule tuples. A security |
| # policy can not exceed a set number of tuples. |
| "rules": [ # A list of rules that belong to this policy. |
| # There must always be a default rule which is a rule with priority |
| # 2147483647 and match all condition (for the match condition this means |
| # match "*" for srcIpRanges and for the networkMatch condition every field |
| # must be either match "*" or not set). If no rules are provided when |
| # creating a security policy, a default rule with action "allow" will be |
| # added. |
| { # Represents a rule that describes one or more match conditions along with |
| # the action to be taken when traffic matches this condition (allow or deny). |
| "action": "A String", # The Action to perform when the rule is matched. |
| # The following are the valid actions: |
| # |
| # - allow: allow access to target. |
| # - deny(STATUS): deny access to target, returns the |
| # HTTP response code specified. Valid values for `STATUS` |
| # are 403, 404, and 502. |
| # - rate_based_ban: limit client traffic to the configured |
| # threshold and ban the client if the traffic exceeds the threshold. |
| # Configure parameters for this action in RateLimitOptions. Requires |
| # rate_limit_options to be set. |
| # - redirect: redirect to a different target. This can |
| # either be an internal reCAPTCHA redirect, or an external URL-based |
| # redirect via a 302 response. Parameters for this action can be configured |
| # via redirectOptions. This action is only supported in Global Security |
| # Policies of type CLOUD_ARMOR. |
| # - throttle: limit |
| # client traffic to the configured threshold. Configure parameters for this |
| # action in rateLimitOptions. Requires rate_limit_options to be set for |
| # this. |
| # - fairshare (preview only): when traffic reaches the |
| # threshold limit, requests from the clients matching this rule begin to be |
| # rate-limited using the Fair Share algorithm. This action is only allowed |
| # in security policies of type `CLOUD_ARMOR_INTERNAL_SERVICE`. |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "direction": "A String", # The direction in which this rule applies. This field may only be |
| # specified when versioned_expr is set to FIREWALL. |
| "enableLogging": True or False, # Denotes whether to enable logging for a particular rule. If logging is |
| # enabled, logs will be exported to the configured export destination in |
| # Stackdriver. Logs may be exported to BigQuery or Pub/Sub. Note: you |
| # cannot enable logging on "goto_next" rules. |
| # |
| # This field may only be specified when the versioned_expr is set to |
| # FIREWALL. |
| "headerAction": { # Optional, additional actions that are performed on headers. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "requestHeadersToAdds": [ # The list of request headers to add or overwrite if they're already |
| # present. |
| { |
| "headerName": "A String", # The name of the header to set. |
| "headerValue": "A String", # The value to set the named header to. |
| }, |
| ], |
| }, |
| "kind": "compute#securityPolicyRule", # [Output only] Type of the resource. Always compute#securityPolicyRule for security policy rules
| "match": { # Represents a match condition that incoming traffic is evaluated against. # A match condition that incoming traffic is evaluated against. |
| # If it evaluates to true, the corresponding 'action' is enforced. |
| # Exactly one field must be specified. |
| "config": { # The configuration options available when specifying versioned_expr. |
| # This field must be specified if versioned_expr is specified and cannot |
| # be specified if versioned_expr is not specified. |
| "destIpRanges": [ # CIDR IP address range. |
| # |
| # This field may only be specified when versioned_expr is set to |
| # FIREWALL. |
| "A String", |
| ], |
| "destPorts": [ # Pairs of IP protocols and ports that the rule should match. |
| # |
| # This field may only be specified when versioned_expr is set to |
| # FIREWALL. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
| # |
| # This field may only be specified when versioned_expr is set to |
| # FIREWALL. |
| "A String", |
| ], |
| }, |
| ], |
| "layer4Configs": [ # Pairs of IP protocols and ports that the rule should match. |
| # |
| # This field may only be specified when versioned_expr is set to |
| # FIREWALL. |
| { |
| "ipProtocol": "A String", # The IP protocol to which this rule applies. The protocol type is |
| # required when creating a firewall rule. This value can either be |
| # one of the following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp), or the IP
| # protocol number. |
| "ports": [ # An optional list of ports to which this rule applies. This field is |
| # only applicable for UDP or TCP protocol. Each entry must be either |
| # an integer or a range. If not specified, this rule applies to |
| # connections through any port. |
| # |
| # Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
| # |
| # This field may only be specified when versioned_expr is set to |
| # FIREWALL. |
| "A String", |
| ], |
| }, |
| ], |
| "srcIpRanges": [ # CIDR IP address range. |
| # Maximum number of src_ip_ranges allowed is 10. |
| "A String", |
| ], |
| }, |
| "expr": { # User defined CEVAL expression.
| # A CEVAL expression is used to specify match criteria such as origin.ip,
| # source.region_code and contents in the request header.
| # Expressions containing `evaluateThreatIntelligence` require a Cloud
| # Armor Enterprise subscription and are not supported in Edge Policies
| # nor in Regional Policies. Expressions containing
| # `evaluatePreconfiguredExpr('sourceiplist-*')` require a Cloud Armor
| # Enterprise subscription and are only supported in Global Security
| # Policies.
| #
| # Represents a textual expression in the Common Expression Language (CEL)
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
| # are documented at https://github.com/google/cel-spec.
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "exprOptions": { # The configuration options available when specifying a user defined |
| # CEVAL expression (i.e., 'expr'). |
| "recaptchaOptions": { # reCAPTCHA configuration options to be applied for the rule. If the |
| # rule does not evaluate reCAPTCHA tokens, this field has no effect. |
| "actionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # action-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| "sessionTokenSiteKeys": [ # A list of site keys to be used during the validation of reCAPTCHA |
| # session-tokens. The provided site keys need to be created from |
| # reCAPTCHA API under the same project where the security policy is |
| # created. |
| "A String", |
| ], |
| }, |
| }, |
| "versionedExpr": "A String", # Preconfigured versioned expression. |
| # If this field is specified, config must also be specified. |
| # Available preconfigured expressions along with their requirements are: |
| # SRC_IPS_V1 - must specify the corresponding src_ip_range field in |
| # config. |
| }, |
| "networkMatch": { # Represents a match condition that incoming network traffic is evaluated
| # against.
| #
| # A match condition that incoming packets are evaluated against for
| # CLOUD_ARMOR_NETWORK security policies. If it matches, the corresponding
| # 'action' is enforced.
| #
| # The match criteria for a rule consists of built-in match fields (like
| # 'srcIpRanges') and potentially multiple user-defined match fields
| # ('userDefinedFields').
| #
| # Field values may be extracted directly from the packet or derived from it
| # (e.g. 'srcRegionCodes'). Some fields may not be present in every packet
| # (e.g. 'srcPorts'). A user-defined field is only present if the base
| # header is found in the packet and the entire field is in bounds.
| #
| # Each match field may specify which values can match it, listing one or
| # more ranges, prefixes, or exact values that are considered a match for
| # the field. A field value must be present in order to match a specified
| # match field. If no match values are specified for a match field, then any
| # field value is considered to match it, and it's not required to be
| # present. For strings specifying '*' is also equivalent to match all.
| #
| # For a packet to match a rule, all specified match fields must match the
| # corresponding field values derived from the packet.
| #
| # Example:
| #
| # networkMatch:
| # srcIpRanges:
| # - "192.0.2.0/24"
| # - "198.51.100.0/24"
| # userDefinedFields:
| # - name: "ipv4_fragment_offset"
| # values:
| # - "1-0x1fff"
| #
| # The above match condition matches packets with a source IP in
| # 192.0.2.0/24 or 198.51.100.0/24 and a user-defined field named
| # "ipv4_fragment_offset" with a value between 1 and 0x1fff inclusive.
| "destIpRanges": [ # Destination IPv4/IPv6 addresses or CIDR prefixes, in standard text |
| # format. |
| "A String", |
| ], |
| "destPorts": [ # Destination port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "ipProtocols": [ # IPv4 protocol / IPv6 next header (after extension headers). Each |
| # element can be an 8-bit unsigned decimal number (e.g. "6"), range (e.g. |
| # "253-254"), or one of the following protocol names: "tcp", "udp", |
| # "icmp", "esp", "ah", "ipip", or "sctp". |
| "A String", |
| ], |
| "srcAsns": [ # BGP Autonomous System Number associated with the source IP address. |
| 42, |
| ], |
| "srcIpRanges": [ # Source IPv4/IPv6 addresses or CIDR prefixes, in standard text format. |
| "A String", |
| ], |
| "srcPorts": [ # Source port numbers for TCP/UDP/SCTP. Each element can be a 16-bit |
| # unsigned decimal number (e.g. "80") or range (e.g. "0-1023"). |
| "A String", |
| ], |
| "srcRegionCodes": [ # Two-letter ISO 3166-1 alpha-2 country code associated with the source |
| # IP address. |
| "A String", |
| ], |
| "userDefinedFields": [ # User-defined fields. Each element names a defined field and lists the |
| # matching values for that field. |
| { |
| "name": "A String", # Name of the user-defined field, as given in the definition. |
| "values": [ # Matching values of the field. Each element can be a 32-bit unsigned |
| # decimal or hexadecimal (starting with "0x") number (e.g. "64") or |
| # range (e.g. "0x400-0x7ff"). |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| "preconfiguredWafConfig": { # Preconfigured WAF configuration to be applied for the rule. If the rule |
| # does not evaluate preconfigured WAF rules, i.e., if |
| # evaluatePreconfiguredWaf() is not used, this field will have no effect. |
| "exclusions": [ # A list of exclusions to apply during preconfigured WAF evaluation. |
| { |
| "requestCookiesToExclude": [ # A list of request cookie names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestHeadersToExclude": [ # A list of request header names whose value will be excluded from |
| # inspection during preconfigured WAF evaluation. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestQueryParamsToExclude": [ # A list of request query parameter names whose value will be excluded |
| # from inspection during preconfigured WAF evaluation. Note that the |
| # parameter can be in the query string or in the POST body. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "requestUrisToExclude": [ # A list of request URIs from the request line to be excluded from |
| # inspection during preconfigured WAF evaluation. When specifying this |
| # field, the query or fragment part should be excluded. |
| { |
| "op": "A String", # The match operator for the field. |
| "val": "A String", # The value of the field. |
| }, |
| ], |
| "targetRuleIds": [ # A list of target rule IDs under the WAF rule set to apply the |
| # preconfigured WAF exclusion. If omitted, it refers to all the rule |
| # IDs under the WAF rule set. |
| "A String", |
| ], |
| "targetRuleSet": "A String", # Target WAF rule set to apply the preconfigured WAF exclusion. |
| }, |
| ], |
| }, |
| "preview": True or False, # If set to true, the specified action is not enforced. |
| "priority": 42, # An integer indicating the priority of a rule in the list. The priority |
| # must be a positive value between 0 and 2147483647. |
| # Rules are evaluated from highest to lowest priority where 0 is the |
| # highest priority and 2147483647 is the lowest priority. |
| "rateLimitOptions": { # Must be specified if the action is "rate_based_ban" or "throttle" or |
| # "fairshare". Cannot be specified for any other actions. |
| "banDurationSec": 42, # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, determines the time (in seconds) |
| # the traffic will continue to be banned by the rate limit after the |
| # rate falls below the threshold. |
| "banThreshold": { # Can only be specified if the action for the rule is |
| # "rate_based_ban". If specified, the key will be banned for the |
| # configured 'ban_duration_sec' when the number of requests that exceed |
| # the 'rate_limit_threshold' also exceed this 'ban_threshold'. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| "conformAction": "A String", # Action to take for requests that are under the configured rate limit |
| # threshold. Valid option is "allow" only. |
| "enforceOnKey": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKey" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL.
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the value |
| # is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL.
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of the |
| # HTTPS request. The key value is truncated to the first 128 bytes. The |
| # key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the request |
| # originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration or |
| # an IP address cannot be resolved from it, the key type defaults to IP.
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # For "fairshare" action, this value is limited to ALL i.e. a single rate |
| # limit threshold is enforced for all the requests matching the rule. |
| "enforceOnKeyConfigs": [ # If specified, any combination of values of |
| # enforce_on_key_type/enforce_on_key_name is treated as the key on which |
| # rate limit threshold/action is enforced. You can specify up to 3
| # enforce_on_key_configs. If enforce_on_key_configs is specified, |
| # enforce_on_key must not be specified. |
| { |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the |
| # key value. HTTP_COOKIE -- Name of the HTTP cookie whose value is |
| # taken as the key value. |
| "enforceOnKeyType": "A String", # Determines the key to enforce the rate_limit_threshold on. Possible |
| # values are: |
| # |
| # - ALL: A single rate limit threshold is applied to all |
| # the requests matching this rule. This is the default value if |
| # "enforceOnKeyConfigs" is not configured. |
| # - IP: The source IP address of |
| # the request is the key. Each IP has this limit enforced |
| # separately. |
| # - HTTP_HEADER: The value of the HTTP |
| # header whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the header value. If no |
| # such header is present in the request, the key type defaults to ALL. |
| # - XFF_IP: The first IP address (i.e. the |
| # originating client IP address) specified in the list of IPs under |
| # X-Forwarded-For HTTP header. If no such header is present or the |
| # value is not a valid IP, the key defaults to the source IP address of |
| # the request i.e. key type IP. |
| # - HTTP_COOKIE: The value of the HTTP |
| # cookie whose name is configured under "enforceOnKeyName". The key |
| # value is truncated to the first 128 bytes of the cookie value. If no |
| # such cookie is present in the request, the key type defaults to ALL. |
| # - HTTP_PATH: The URL path of the HTTP request. The key |
| # value is truncated to the first 128 bytes. |
| # - SNI: Server name indication in the TLS session of |
| # the HTTPS request. The key value is truncated to the first 128 bytes. |
| # The key type defaults to ALL on a HTTP session. |
| # - REGION_CODE: The country/region from which the |
| # request originates. |
| # - TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| # - USER_IP: The IP address of the originating client, |
| # which is resolved based on "userIpRequestHeaders" configured with the |
| # security policy. If there is no "userIpRequestHeaders" configuration |
| # or an IP address cannot be resolved from it, the key type defaults to IP. |
| # |
| # - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the |
| # client connects using HTTPS, HTTP/2 or HTTP/3. If not available, the |
| # key type defaults to ALL. |
| }, |
| ], |
| "enforceOnKeyName": "A String", # Rate limit key name applicable only for the following key types: |
| # HTTP_HEADER -- Name of the HTTP header whose value is taken as the key |
| # value. |
| # HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the key |
| # value. |
| "exceedAction": "A String", # Action to take for requests that are above the configured rate limit |
| # threshold, to either deny with a specified HTTP response code, or |
| # redirect to a different endpoint. |
| # Valid options are `deny(STATUS)`, where valid values for |
| # `STATUS` are 403, 404, 429, and 502, and |
| # `redirect`, where the redirect parameters come from |
| # `exceedRedirectOptions` below. |
| # The `redirect` action is only supported in Global Security Policies of |
| # type CLOUD_ARMOR. |
| "exceedActionRpcStatus": { # Simplified google.rpc.Status type (omitting details). # Specified gRPC response status for proxyless gRPC requests that are |
| # above the configured rate limit threshold |
| "code": 42, # The status code, which should be an enum value of |
| # google.rpc.Code. |
| "message": "A String", # A developer-facing error message, which should be in English. |
| }, |
| "exceedRedirectOptions": { # Parameters defining the redirect action that is used as the exceed |
| # action. Cannot be specified if the exceed action is not redirect. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "rateLimitThreshold": { # Threshold at which to begin ratelimiting. |
| "count": 42, # Number of HTTP(S) requests for calculating the threshold. |
| "intervalSec": 42, # Interval over which the threshold is computed. |
| }, |
| }, |
| "redirectOptions": { # Parameters defining the redirect action. Cannot be specified for any |
| # other actions. |
| # This field is only supported in Global Security Policies of type |
| # CLOUD_ARMOR. |
| "target": "A String", # Target for the redirect action. This is required if the type is |
| # EXTERNAL_302 and cannot be specified for GOOGLE_RECAPTCHA. |
| "type": "A String", # Type of the redirect action. Possible values are: |
| # |
| # - GOOGLE_RECAPTCHA: redirect to reCAPTCHA for manual |
| # challenge assessment. |
| # - EXTERNAL_302: redirect to a different URL via a 302 |
| # response. |
| }, |
| "redirectTarget": "A String", # This must be specified for redirect actions. Cannot be specified for any |
| # other actions. |
| "ruleManagedProtectionTier": "A String", # [Output Only] The minimum Cloud Armor subscription required for this |
| # rule. |
| # [Deprecated] Use requiredManagedProtectionTiers instead. |
| "ruleNumber": "A String", # Identifier for the rule. This is only unique within the given security |
| # policy. This can only be set during rule creation, if rule number is not |
| # specified it will be generated by the server. |
| "ruleTupleCount": 42, # [Output Only] Calculation of the complexity of a single firewall security |
| # policy rule. |
| "targetResources": [ # A list of network resource URLs to which this rule applies. This field |
| # allows you to control which network's VMs get this rule. If this field |
| # is left blank, all VMs within the organization will receive the rule. |
| # |
| # This field may only be specified when versioned_expr is set to FIREWALL. |
| "A String", |
| ], |
| "targetServiceAccounts": [ # A list of service accounts indicating the sets of instances that are |
| # applied with this rule. |
| "A String", |
| ], |
| }, |
| ], |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "shortName": "A String", # User-provided name of the organization security policy. The name should be |
| # unique in the organization in which the security policy is created. This |
| # should only be used when SecurityPolicyType is CLOUD_ARMOR. |
| # The name must be 1-63 characters long, and comply with |
| # https://www.ietf.org/rfc/rfc1035.txt. Specifically, the name must be 1-63 |
| # characters long and match the regular expression |
| # `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a |
| # lowercase letter, and all following characters must be a dash, lowercase |
| # letter, or digit, except the last character, which cannot be a dash. |
| "type": "A String", # The type indicates the intended use of the security policy. |
| # |
| # - CLOUD_ARMOR: Cloud Armor backend security policies can |
| # be configured to filter incoming HTTP requests targeting backend services. |
| # They filter requests before they hit the origin servers. |
| # - CLOUD_ARMOR_EDGE: Cloud Armor edge security policies can |
| # be configured to filter incoming HTTP requests targeting backend services |
| # (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). |
| # They filter requests before the request is served from Google's cache. |
| # - CLOUD_ARMOR_INTERNAL_SERVICE (preview only): Cloud Armor |
| # internal service policies can be configured to filter HTTP requests |
| # targeting services managed by Traffic Director in a service mesh. They |
| # filter requests before the request is served from the application. |
| # |
| # - CLOUD_ARMOR_NETWORK: Cloud Armor network policies |
| # can be configured to filter packets targeting network load balancing |
| # resources such as backend services, target pools, target instances, and |
| # instances with external IPs. They filter requests before the request is |
| # served from the application. |
| # |
| # |
| # This field can be set only at resource creation time. |
| "userDefinedFields": [ # Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A |
| # user-defined field consists of up to 4 bytes extracted from a fixed offset |
| # in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an |
| # optional mask to select certain bits. Rules may then specify matching |
| # values for these fields. |
| # |
| # Example: |
| # |
| # userDefinedFields: |
| # - name: "ipv4_fragment_offset" |
| # base: IPV4 |
| # offset: 6 |
| # size: 2 |
| # mask: "0x1fff" |
| { |
| "base": "A String", # The base relative to which 'offset' is measured. Possible values are: |
| # |
| # - IPV4: Points to the beginning of the IPv4 header. |
| # - IPV6: Points to the beginning of the IPv6 header. |
| # - TCP: Points to the beginning of the TCP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # - UDP: Points to the beginning of the UDP header, skipping |
| # over any IPv4 options or IPv6 extension headers. Not present for |
| # non-first fragments. |
| # |
| # |
| # required |
| "mask": "A String", # If specified, apply this mask (bitwise AND) to the field to ignore bits |
| # before matching. Encoded as a hexadecimal number (starting with "0x"). |
| # The last byte of the field (in network byte order) corresponds to the |
| # least significant byte of the mask. |
| "name": "A String", # The name of this field. Must be unique within the policy. |
| "offset": 42, # Offset of the first byte of the field (in network byte order) relative to |
| # 'base'. |
| "size": 42, # Size of the field in bytes. Valid values: 1-4. |
| }, |
| ], |
| }, |
| ], |
| }</pre> |
| </div> |
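<p>Added example (not part of the API reference or the client library): a local model of how one rate-limit key is derived from <code>enforceOnKeyConfigs</code>, following the fallback and 128-byte truncation rules documented above. The request dictionary layout, the function names, the header name <code>X-Api-Key</code> and the way fallbacks combine inside a multi-part key are assumptions of this sketch; only a subset of key types is modelled.</p>

```python
import ipaddress

MAX_KEY_BYTES = 128  # documented truncation for header, cookie, path and SNI keys


def _truncate(value: str) -> str:
    """Keep only the first 128 bytes of a key value."""
    return value.encode("utf-8")[:MAX_KEY_BYTES].decode("utf-8", "ignore")


def _valid_ip(text: str):
    """Return the normalized IP string, or None if text is not an IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def key_component(cfg: dict, req: dict) -> tuple:
    """Return (effective_key_type, value) for one enforceOnKeyConfigs entry."""
    ktype = cfg["enforceOnKeyType"]
    name = cfg.get("enforceOnKeyName", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if ktype == "ALL":
        return ("ALL", "")
    if ktype == "IP":
        return ("IP", req["source_ip"])
    if ktype == "XFF_IP":
        # First address in X-Forwarded-For; missing or invalid falls back to IP.
        first = headers.get("x-forwarded-for", "").split(",")[0]
        ip = _valid_ip(first)
        return ("XFF_IP", ip) if ip else ("IP", req["source_ip"])
    if ktype == "HTTP_HEADER":
        value = headers.get(name.lower())
        return ("HTTP_HEADER", _truncate(value)) if value is not None else ("ALL", "")
    if ktype == "HTTP_COOKIE":
        value = req.get("cookies", {}).get(name)
        return ("HTTP_COOKIE", _truncate(value)) if value is not None else ("ALL", "")
    if ktype == "HTTP_PATH":
        return ("HTTP_PATH", _truncate(req["path"]))
    if ktype == "SNI":
        # No SNI on a plain HTTP session: the key type defaults to ALL.
        sni = req.get("sni")
        return ("SNI", _truncate(sni)) if sni else ("ALL", "")
    raise ValueError(f"key type not modelled in this sketch: {ktype}")


def rate_limit_key(configs: list, req: dict) -> tuple:
    """Combine up to 3 configs into the key the threshold is enforced on."""
    if len(configs) > 3:
        raise ValueError("at most 3 enforceOnKeyConfigs are allowed")
    return tuple(key_component(c, req) for c in configs)


# Constructed sample configuration and requests (documentation address ranges).
CONFIGS = [
    {"enforceOnKeyType": "HTTP_HEADER", "enforceOnKeyName": "X-Api-Key"},
    {"enforceOnKeyType": "XFF_IP"},
]
REQ_KEYED = {
    "source_ip": "198.51.100.1",
    "path": "/login",
    "headers": {"X-Api-Key": "k1", "X-Forwarded-For": "203.0.113.7, 10.0.0.1"},
}
REQ_UNKEYED = {
    "source_ip": "198.51.100.1",
    "path": "/login",
    "headers": {"X-Forwarded-For": "unknown, 10.0.0.1"},  # first entry is not an IP
}

if __name__ == "__main__":
    for req in (REQ_KEYED, REQ_UNKEYED):
        print(rate_limit_key(CONFIGS, req))
```

<p>Running the configuration of a rule through such a model before deployment shows which requests end up sharing one threshold because a header, cookie or SNI value is absent.</p>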
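<p>Added example (not part of the API reference): how a <code>userDefinedFields</code> entry selects bytes from a packet, using the <code>ipv4_fragment_offset</code> definition shown above. The helper names, the sample packets and the second field <code>tcp_dst_port</code> are constructed for illustration, and the sketch parses IPv4 packets only.</p>

```python
import struct
from typing import Optional

PROTO = {"TCP": 6, "UDP": 17}  # IP protocol numbers for the TCP and UDP bases

# Field definition taken from the example in the reference text above.
FRAG_OFFSET = {"name": "ipv4_fragment_offset", "base": "IPV4",
               "offset": 6, "size": 2, "mask": "0x1fff"}
# Hypothetical second field: TCP destination port (bytes 2-3 of the TCP header).
TCP_DPORT = {"name": "tcp_dst_port", "base": "TCP", "offset": 2, "size": 2}


def build_ipv4_tcp(flags_frag: int, dport: int) -> bytes:
    """Constructed sample: IPv4 header with 4 option bytes (IHL=6) plus TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 44, 0x1234, flags_frag,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    options = b"\x01\x01\x01\x01"  # four NOP options
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, 0x5002, 65535, 0, 0)
    return ip + options + tcp


def validate_field(field: dict) -> None:
    """Check the constraints the reference states for a user-defined field."""
    if field["base"] not in ("IPV4", "IPV6", "TCP", "UDP"):
        raise ValueError("base must be IPV4, IPV6, TCP or UDP")
    if not 1 <= field["size"] <= 4:
        raise ValueError("size must be 1-4 bytes")
    mask = field.get("mask")
    if mask is not None and not mask.lower().startswith("0x"):
        raise ValueError("mask must be hexadecimal starting with 0x")


def extract_udf(packet: bytes, field: dict) -> Optional[int]:
    """Return the masked field value, or None if the base header is not present."""
    validate_field(field)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # this sketch handles IPv4 packets only
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length including options
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    base = field["base"]
    if base == "IPV4":
        start = 0
    elif base in PROTO:
        # TCP/UDP base skips IPv4 options and is absent in non-first fragments.
        if packet[9] != PROTO[base] or frag_offset != 0:
            return None
        start = ihl
    else:
        return None  # IPV6 base does not exist in an IPv4 packet
    start += field["offset"]
    raw = packet[start:start + field["size"]]
    if len(raw) != field["size"]:
        return None  # field would run past the end of the packet
    value = int.from_bytes(raw, "big")  # network byte order
    if field.get("mask"):
        value &= int(field["mask"], 16)  # last field byte maps to the mask's low byte
    return value


if __name__ == "__main__":
    first = build_ipv4_tcp(0x2000, 443)        # MF flag set, fragment offset 0
    later = build_ipv4_tcp(0x2000 | 185, 443)  # MF flag set, fragment offset 185
    for pkt in (first, later):
        print(extract_udf(pkt, FRAG_OFFSET), extract_udf(pkt, TCP_DPORT))
```

<p>The mask removes the three flag bits that share the two bytes with the fragment offset, and the TCP-based field reads from byte 24 rather than byte 20 because the base skips the IPv4 options.</p>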
| |
| <div class="method"> |
| <code class="details" id="getHealth">getHealth(project, backendService, body=None, x__xgafv=None)</code> |
| <pre>Gets the most recent health check results for this |
| BackendService. |
| |
| Example request body: |
| |
| { |
| "group": "/zones/us-east1-b/instanceGroups/lb-backend-example" |
| } |
| |
| Args: |
| project: string, A parameter (required) |
| backendService: string, Name of the BackendService resource to which the queried instance belongs. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "group": "A String", # A URI referencing one of the instance groups or network endpoint groups |
| # listed in the backend service. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "annotations": { # Metadata defined as annotations on the network endpoint group. |
| "a_key": "A String", |
| }, |
| "healthStatus": [ # Health state of the backend instances or endpoints in requested instance or |
| # network endpoint group, determined based on configured health checks. |
| { |
| "annotations": { # Metadata defined as annotations for network endpoint. |
| "a_key": "A String", |
| }, |
| "forwardingRule": "A String", # URL of the forwarding rule associated with the health status of the |
| # instance. |
| "forwardingRuleIp": "A String", # A forwarding rule IP address assigned to this instance. |
| "healthState": "A String", # Health state of the IPv4 address of the instance. |
| "instance": "A String", # URL of the instance resource. |
| "ipAddress": "A String", # For target pool based Network Load Balancing, it indicates the forwarding |
| # rule's IP address assigned to this instance. For other types of load |
| # balancing, the field indicates VM internal ip. |
| "ipv6Address": "A String", |
| "ipv6HealthState": "A String", # Health state of the IPv6 address of the instance. |
| "port": 42, # The named port of the instance group, not necessarily the port that is |
| # health-checked. |
| "weight": "A String", |
| "weightError": "A String", |
| }, |
| ], |
| "kind": "compute#backendServiceGroupHealth", # [Output Only] Type of resource. Always compute#backendServiceGroupHealth for the health of backend |
| # services. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="getIamPolicy">getIamPolicy(project, resource, optionsRequestedPolicyVersion=None, x__xgafv=None)</code> |
| <pre>Gets the access control policy for a resource. May be empty if no such |
| policy or resource exists. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| optionsRequestedPolicyVersion: integer, Requested IAM Policy version. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:[email protected]" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')" |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:[email protected] |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `[email protected]` from DATA_READ logging, and |
| # `[email protected]` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }</pre> |
| </div> |
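<p>Added example (not part of the API reference or the client library): an offline review of a policy object as returned by <code>getIamPolicy</code>, checking the points the description above calls out: conditional bindings require version <code>3</code>, the <code>etag</code> must be carried into the update, and public, deleted and audit-exempt principals are listed. The function names, finding codes and the sample policy (including its example.com addresses) are constructed for illustration.</p>

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: dict) -> list:
    """Return (code, detail) findings for a policy dict from getIamPolicy."""
    findings = []
    bindings = policy.get("bindings", [])
    if any("condition" in b for b in bindings) and policy.get("version") != 3:
        findings.append(("VERSION",
                         f"conditional binding present but version is {policy.get('version')!r}"))
    for binding in bindings:
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC", f"{binding['role']} granted to {member}"))
            elif member.startswith("deleted:"):
                findings.append(("DELETED", f"{binding['role']} still bound to {member}"))
    for audit_config in policy.get("auditConfigs", []):
        for log_config in audit_config.get("auditLogConfigs", []):
            for member in log_config.get("exemptedMembers", []):
                findings.append(("AUDIT_EXEMPT",
                                 f"{member} exempt from {log_config['logType']} "
                                 f"logging on {audit_config['service']}"))
    return findings


def policy_for_update(current: dict, new_bindings: list) -> dict:
    """Build the policy to write back, keeping the etag from the read.

    Version 3 is used whenever the current or the new bindings carry a
    condition, which also covers removing a binding from a conditional policy.
    """
    if not current.get("etag"):
        raise ValueError("refusing to build an update without the etag that was read")
    conditional = any("condition" in b
                      for b in current.get("bindings", []) + new_bindings)
    return {
        "bindings": new_bindings,
        "auditConfigs": current.get("auditConfigs", []),
        "etag": current["etag"],
        "version": 3 if conditional else current.get("version", 1),
    }


# Constructed sample policy; the etag string is the one used in the page's example.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWWja0YfJA=",
    "bindings": [
        {"role": "roles/viewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["deleted:user:bob@example.com?uid=123456789012345678901"],
         "condition": {
             "title": "expirable access",
             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
         }},
    ],
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "DATA_READ",
                              "exemptedMembers": ["user:carol@example.com"]}]},
    ],
}

if __name__ == "__main__":
    for code, detail in audit_policy(SAMPLE_POLICY):
        print(code, detail)
    kept = [{"role": "roles/viewer", "members": ["user:alice@example.com"]}]
    print(policy_for_update(SAMPLE_POLICY, kept))
```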
| |
| <div class="method"> |
| <code class="details" id="insert">insert(project, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Creates a BackendService resource in the specified project using |
| the data included in the request. For more information, see |
| Backend services overview. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # Message containing what to include in the cache key for a request for Cloud # The CacheKeyPolicy for this CdnPolicy. |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # Defines a IP:PORT based dynamic forwarding configuration for the backend # IP:PORT based dynamic forwarding configuration. |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # For load balancers that have configurable # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # The available logging options for the load balancer traffic served by this # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| # backend service. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # A Duration represents a fixed-length span of time represented # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIPMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIPMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the eviction of unhealthy hosts from the load balancing # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # pool for the backend service. |
| "baseEjectionTime": { # A Duration represents a fixed-length span of time represented # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # A Duration represents a fixed-length span of time represented # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. # Input only. [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. |
| # Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and |
| # method-level access control for a service. |
| # [Deprecated] Authorization config defines the Role Based Access Control |
| # (RBAC) config. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a globalBackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] TLS Settings for the backend service. |
| # The client side authentication settings for connection |
| # originating from the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not setup a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # The HTTP cookie used for stateful session affinity. # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. # subsetting cannot be specified with haPolicy. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
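<p>An added example, not part of the generated reference or of Google's client library: a pre-flight check for the `tlsSettings` and `requestId` rules documented for the method above, including the precedence of `subjectAltNames[]` over `sni` when the backend certificate is matched. It assumes `identity` is a key inside `tlsSettings`, compares SANs by exact match (DNS names case-insensitively), and uses constructed hostnames; all function names are hypothetical.</p>

```python
import uuid

MAX_SANS = 5  # "This field is limited to 5 entries."
# Fields that cannot be set manually once `identity` is set.
SET_BY_IDENTITY = ("sni", "subjectAltNames", "authenticationConfig")
SAN_KINDS = {"dnsName": "dns", "uniformResourceIdentifier": "uri"}


def check_request_id(request_id):
    """Return a problem string, or None when request_id is acceptable."""
    try:
        parsed = uuid.UUID(request_id)
    except (ValueError, AttributeError, TypeError):
        return "requestId is not a valid UUID"
    if parsed == uuid.UUID(int=0):
        return "requestId is the zero UUID, which is not supported"
    return None


def lint_tls_settings(tls):
    """Return findings for a tlsSettings dict before it is sent."""
    findings = []
    sans = tls.get("subjectAltNames") or []
    if tls.get("identity"):
        for field in SET_BY_IDENTITY:
            if tls.get(field):
                findings.append(f"tlsSettings.{field} cannot be set together with identity")
    if len(sans) > MAX_SANS:
        findings.append(f"subjectAltNames has {len(sans)} entries, limit is {MAX_SANS}")
    for i, san in enumerate(sans):
        # Reading of "either a DNS name or a URI": exactly one kind per entry.
        kinds = [k for k in SAN_KINDS if san.get(k)]
        if len(kinds) != 1:
            findings.append(f"subjectAltNames[{i}] must set exactly one of dnsName or uniformResourceIdentifier")
    if tls.get("sni") and sans:
        findings.append("sni is sent in the handshake, but the certificate is matched only against subjectAltNames[]")
    return findings


def effective_matchers(tls):
    """Set of (kind, value) pairs the backend certificate's SANs are compared to."""
    sans = tls.get("subjectAltNames") or []
    if sans:  # subjectAltNames[] takes precedence over sni
        wanted = set()
        for san in sans:
            for key, kind in SAN_KINDS.items():
                if san.get(key):
                    value = san[key]
                    wanted.add((kind, value.lower() if kind == "dns" else value))
        return wanted
    if tls.get("sni"):
        return {("dns", tls["sni"].lower())}
    return set()


def backend_cert_accepted(tls, cert_sans):
    """cert_sans: (kind, value) pairs read from the backend certificate.

    Returns True/False for the SAN check, or None when neither sni nor
    subjectAltNames defines a name to match.
    """
    wanted = effective_matchers(tls)
    if not wanted:
        return None
    presented = {(k, v.lower() if k == "dns" else v) for k, v in cert_sans}
    return bool(wanted & presented)


# Constructed sample: the SNI matches the certificate, but the SAN list does not.
SAMPLE_TLS = {
    "sni": "api.internal.example",
    "subjectAltNames": [{"dnsName": "legacy.internal.example"}],
}
SAMPLE_CERT_SANS = [("dns", "api.internal.example")]

if __name__ == "__main__":
    for finding in lint_tls_settings(SAMPLE_TLS):
        print("finding:", finding)
    print("accepted with sni + subjectAltNames:", backend_cert_accepted(SAMPLE_TLS, SAMPLE_CERT_SANS))
    print("accepted with sni only:", backend_cert_accepted({"sni": SAMPLE_TLS["sni"]}, SAMPLE_CERT_SANS))
    print("zero requestId:", check_request_id("00000000-0000-0000-0000-000000000000"))
```
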
| |
| <div class="method"> |
| <code class="details" id="list">list(project, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</code> |
| <pre>Retrieves the list of BackendService resources available to the specified |
| project. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| filter: string, A filter expression that filters resources listed in the response. Most |
| Compute resources support two types of filter expressions: |
| expressions that support regular expressions and expressions that follow |
| API improvement proposal AIP-160. |
| These two types of filter expressions cannot be mixed in one request. |
| |
| If you want to use AIP-160, your expression must specify the field name, an |
| operator, and the value that you want to use for filtering. The value |
| must be a string, a number, or a boolean. The operator |
| must be either `=`, `!=`, `>`, `<`, `<=`, `>=` or `:`. |
| |
| For example, if you are filtering Compute Engine instances, you can |
| exclude instances named `example-instance` by specifying |
| `name != example-instance`. |
| |
| The `:*` comparison can be used to test whether a key has been defined. |
| For example, to find all objects with `owner` label use: |
| ``` |
| labels.owner:* |
| ``` |
| |
| You can also filter nested fields. For example, you could specify |
| `scheduling.automaticRestart = false` to include instances only |
| if they are not scheduled for automatic restarts. You can use filtering |
| on nested fields to filter based on resource labels. |
| |
| To filter on multiple expressions, provide each separate expression within |
| parentheses. For example: |
| ``` |
| (scheduling.automaticRestart = true) |
| (cpuPlatform = "Intel Skylake") |
| ``` |
| By default, each expression is an `AND` expression. However, you |
| can include `AND` and `OR` expressions explicitly. |
| For example: |
| ``` |
| (cpuPlatform = "Intel Skylake") OR |
| (cpuPlatform = "Intel Broadwell") AND |
| (scheduling.automaticRestart = true) |
| ``` |
| |
| If you want to use a regular expression, use the `eq` (equal) or `ne` |
| (not equal) operator against a single un-parenthesized expression with or |
| without quotes or against multiple parenthesized expressions. Examples: |
| |
| `fieldname eq unquoted literal` |
| `fieldname eq 'single quoted literal'` |
| `fieldname eq "double quoted literal"` |
| `(fieldname1 eq literal) (fieldname2 ne "literal")` |
| |
| The literal value is interpreted as a regular expression using Google RE2 library syntax. |
| The literal value must match the entire field. |
| |
| For example, to filter for instances that do not end with name "instance", |
| you would use `name ne .*instance`. |
| |
| You cannot combine constraints on multiple fields using regular |
| expressions. |
| maxResults: integer, The maximum number of results per page that should be returned. |
| If the number of available results is larger than `maxResults`, |
| Compute Engine returns a `nextPageToken` that can be used to get |
| the next page of results in subsequent list requests. Acceptable values are |
| `0` to `500`, inclusive. (Default: `500`) |
| orderBy: string, Sorts list results by a certain order. By default, results |
| are returned in alphanumerical order based on the resource name. |
| |
| You can also sort results in descending order based on the creation |
| timestamp using `orderBy="creationTimestamp desc"`. This sorts |
| results based on the `creationTimestamp` field in |
| reverse chronological order (newest result first). Use this to sort |
| resources like operations so that the newest operation is returned first. |
| |
| Currently, only sorting by `name` or |
| `creationTimestamp desc` is supported. |
| pageToken: string, Specifies a page token to use. Set `pageToken` to the |
| `nextPageToken` returned by a previous list request to get |
| the next page of results. |
| returnPartialSuccess: boolean, Opt-in for partial success behavior which provides partial results in case |
| of failure. The default value is false. |
| |
| For example, when partial success behavior is enabled, aggregatedList for a |
| single zone scope either returns all resources in the zone or no resources, |
| with an error code. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Contains a list of BackendService resources. |
| "id": "A String", # [Output Only] Unique identifier for the resource; defined by the server. |
| "items": [ # A list of BackendService resources. |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # The CacheKeyPolicy for this CdnPolicy. |
| # Message containing what to include in the cache key for a request for Cloud |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests that are allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # Defines a IP:PORT based dynamic forwarding configuration for the backend # IP:PORT based dynamic forwarding configuration. |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprises a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # The available logging options for the load balancer traffic served by this |
| # backend service. |
| # |
| # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIpMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIpMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # Settings controlling the eviction of unhealthy hosts from the load balancing |
| # pool for the backend service. |
| "baseEjectionTime": { # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. Input only. Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. |
| # Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] The gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization config defines the Role Based Access Control |
| # (RBAC) config. It provides service-level and method-level access |
| # control for a service. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a global BackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] TLS settings for the backend service. The client-side authentication |
| # settings for connections originating from the backend service. |
| "clientTlsContext": { # [Deprecated] Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] The configuration to access the SDS server over gRPC. |
| "callCredentials": { # [Deprecated] The gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] The gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| "grpcServiceConfig": { # [Deprecated] The configuration to access the SDS server over gRPC. |
| "callCredentials": { # [Deprecated] The gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] The gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: |
| # DISABLE: Do not set up a TLS connection to the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # Lifetime of the cookie. A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| # subsetting cannot be specified with haPolicy. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| }, |
| ], |
| "kind": "compute#backendServiceList", # [Output Only] Type of resource. Always compute#backendServiceList for lists of backend services. |
| "nextPageToken": "A String", # [Output Only] This token allows you to get the next page of results for |
| # list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for |
| # the query parameter pageToken in the next list request. |
| # Subsequent list requests will have their own nextPageToken to |
| # continue paging through the results. |
| "selfLink": "A String", # [Output Only] Server-defined URL for this resource. |
| "warning": { # [Output Only] Informational warning message. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }</pre> |
| </div> |
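<p>Added example (not part of the generated reference or the client library): a Python check that runs a BackendService request body through the TLS-related constraints described in the field comments above, namely the `tlsSettings` restrictions, the SNI versus `subjectAltNames[]` matching rule, and the blank `clientTlsPolicy` case. The function names, finding codes and sample bodies are constructed for illustration; `protocol` and `securitySettings` are the BackendService fields assumed to carry the backend protocol and the client TLS policy.</p>

```python
import re

# Protocols for which the reference says tlsSettings may be specified.
TLS_PROTOCOLS = {"SSL", "HTTPS", "HTTP2"}
# Supported SPIFFE ID format, taken literally from the reference:
#   //<trust_domain>/ns/<namespace>/sa/<subject>
SPIFFE_ID = re.compile(r"^//[^/]+/ns/[^/]+/sa/[^/]+$")
MAX_SANS = 5  # "This field is limited to 5 entries."
# Fields that cannot be set manually once tlsSettings.identity is set.
IDENTITY_EXCLUDES = ("sni", "subjectAltNames", "authenticationConfig")


def effective_san_matchers(tls):
    """Names the backend certificate's SAN is actually matched against."""
    sans = tls.get("subjectAltNames") or []
    if sans:
        # When both sni and subjectAltNames[] are set, only the list is used.
        return [s.get("dnsName") or s.get("uniformResourceIdentifier") for s in sans]
    return [tls["sni"]] if tls.get("sni") else []


def audit_backend_service(body):
    """Return (code, message) findings for one BackendService request body."""
    findings = []
    tls = body.get("tlsSettings")
    if tls is not None:
        if body.get("protocol") not in TLS_PROTOCOLS:
            findings.append(("TLS_PROTOCOL",
                             "tlsSettings requires protocol SSL, HTTPS or HTTP2"))
        identity = tls.get("identity")
        if identity:
            if not SPIFFE_ID.match(identity):
                findings.append(("IDENTITY_FORMAT",
                                 "identity is not //<trust_domain>/ns/<namespace>/sa/<subject>"))
            clash = [f for f in IDENTITY_EXCLUDES if tls.get(f)]
            if clash:
                findings.append(("IDENTITY_CONFLICT",
                                 "cannot be set together with identity: " + ", ".join(clash)))
        sans = tls.get("subjectAltNames") or []
        if len(sans) > MAX_SANS:
            findings.append(("SAN_LIMIT", "subjectAltNames has more than 5 entries"))
        for i, san in enumerate(sans):
            kinds = [k for k in ("dnsName", "uniformResourceIdentifier") if san.get(k)]
            # Assumption of this example: an entry carries exactly one of the two.
            if len(kinds) != 1:
                findings.append(("SAN_ENTRY",
                                 "subjectAltNames[%d] needs a dnsName or a URI" % i))
        if sans and tls.get("sni"):
            findings.append(("SNI_NOT_MATCHED",
                             "sni is sent, but the certificate SAN is matched only "
                             "against subjectAltNames[]"))
    sec = body.get("securitySettings") or {}
    if body.get("loadBalancingScheme") == "INTERNAL_SELF_MANAGED":
        if not sec.get("clientTlsPolicy"):
            findings.append(("NO_CLIENT_TLS_POLICY",
                             "clientTlsPolicy is blank: communications are not encrypted"))
            if sec.get("subjectAltNames"):
                findings.append(("SAN_WITHOUT_POLICY",
                                 "securitySettings.subjectAltNames has no effect "
                                 "without an attached clientTlsPolicy"))
    return findings


# Constructed sample request bodies (not real resources).
SAMPLE_EDGE = {
    "name": "edge-backend",
    "loadBalancingScheme": "EXTERNAL_MANAGED",
    "protocol": "HTTPS",
    "tlsSettings": {
        "sni": "api.example.internal",
        "subjectAltNames": [
            {"dnsName": "backend.example.internal"},
            {"uniformResourceIdentifier": "spiffe://example.internal/ns/prod/sa/api"},
        ],
    },
}
SAMPLE_MESH = {
    "name": "mesh-backend",
    "loadBalancingScheme": "INTERNAL_SELF_MANAGED",
    "protocol": "GRPC",
    "securitySettings": {"subjectAltNames": ["spiffe://example.internal/ns/prod/sa/api"]},
}
SAMPLE_IDENTITY = {
    "name": "identity-backend",
    "protocol": "HTTP",
    "tlsSettings": {"identity": "//pool.example/ns/prod/sa/lb",
                    "sni": "lb.example.internal"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_EDGE, SAMPLE_MESH, SAMPLE_IDENTITY):
        print(sample["name"], "matches against", effective_san_matchers(sample.get("tlsSettings") or {}))
        for code, message in audit_backend_service(sample):
            print("  [%s] %s" % (code, message))
```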
| |
| <div class="method"> |
| <code class="details" id="listUsable">listUsable(project, filter=None, maxResults=None, orderBy=None, pageToken=None, returnPartialSuccess=None, x__xgafv=None)</code> |
| <pre>Retrieves a list of all usable backend services in the specified project. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| filter: string, A filter expression that filters resources listed in the response. Most |
| Compute resources support two types of filter expressions: |
| expressions that support regular expressions and expressions that follow |
| API improvement proposal AIP-160. |
| These two types of filter expressions cannot be mixed in one request. |
| |
| If you want to use AIP-160, your expression must specify the field name, an |
| operator, and the value that you want to use for filtering. The value |
| must be a string, a number, or a boolean. The operator |
| must be either `=`, `!=`, `>`, `<`, `<=`, `>=` or `:`. |
| |
| For example, if you are filtering Compute Engine instances, you can |
| exclude instances named `example-instance` by specifying |
| `name != example-instance`. |
| |
| The `:*` comparison can be used to test whether a key has been defined. |
| For example, to find all objects with `owner` label use: |
| ``` |
| labels.owner:* |
| ``` |
| |
| You can also filter nested fields. For example, you could specify |
| `scheduling.automaticRestart = false` to include instances only |
| if they are not scheduled for automatic restarts. You can use filtering |
| on nested fields to filter based on resource labels. |
| |
| To filter on multiple expressions, provide each separate expression within |
| parentheses. For example: |
| ``` |
| (scheduling.automaticRestart = true) |
| (cpuPlatform = "Intel Skylake") |
| ``` |
| By default, each expression is an `AND` expression. However, you |
| can include `AND` and `OR` expressions explicitly. |
| For example: |
| ``` |
| (cpuPlatform = "Intel Skylake") OR |
| (cpuPlatform = "Intel Broadwell") AND |
| (scheduling.automaticRestart = true) |
| ``` |
| |
| If you want to use a regular expression, use the `eq` (equal) or `ne` |
| (not equal) operator against a single un-parenthesized expression with or |
| without quotes or against multiple parenthesized expressions. Examples: |
| |
| `fieldname eq unquoted literal` |
| `fieldname eq 'single quoted literal'` |
| `fieldname eq "double quoted literal"` |
| `(fieldname1 eq literal) (fieldname2 ne "literal")` |
| |
| The literal value is interpreted as a regular expression using Google RE2 library syntax. |
| The literal value must match the entire field. |
| |
| For example, to filter for instances whose names do not end with "instance", |
| you would use `name ne .*instance`. |
| |
| You cannot combine constraints on multiple fields using regular |
| expressions. |
| maxResults: integer, The maximum number of results per page that should be returned. |
| If the number of available results is larger than `maxResults`, |
| Compute Engine returns a `nextPageToken` that can be used to get |
| the next page of results in subsequent list requests. Acceptable values are |
| `0` to `500`, inclusive. (Default: `500`) |
| orderBy: string, Sorts list results by a certain order. By default, results |
| are returned in alphanumerical order based on the resource name. |
| |
| You can also sort results in descending order based on the creation |
| timestamp using `orderBy="creationTimestamp desc"`. This sorts |
| results based on the `creationTimestamp` field in |
| reverse chronological order (newest result first). Use this to sort |
| resources like operations so that the newest operation is returned first. |
| |
| Currently, only sorting by `name` or |
| `creationTimestamp desc` is supported. |
| pageToken: string, Specifies a page token to use. Set `pageToken` to the |
| `nextPageToken` returned by a previous list request to get |
| the next page of results. |
| returnPartialSuccess: boolean, Opt-in for partial success behavior which provides partial results in case |
| of failure. The default value is false. |
| |
| For example, when partial success behavior is enabled, aggregatedList for a |
| single zone scope either returns all resources in the zone or no resources, |
| with an error code. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Contains a list of usable BackendService resources. |
| "id": "A String", # [Output Only] Unique identifier for the resource; defined by the server. |
| "items": [ # A list of BackendService resources. |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # Message containing what to include in the cache key for a request for Cloud # The CacheKeyPolicy for this CdnPolicy. |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests that are allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # Defines a IP:PORT based dynamic forwarding configuration for the backend # IP:PORT based dynamic forwarding configuration. |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # For load balancers that have configurable # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # The available logging options for the load balancer traffic served by this |
| # backend service. |
| # |
| # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIPMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIPMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the eviction of unhealthy hosts from the load balancing |
| # pool for the backend service. |
| # |
| # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "baseEjectionTime": { # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. # Input only. [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. |
| # [Deprecated] Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| # Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| # JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| # This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| # Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| # Configuration for the mutual Tls mode for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server |
| # certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority |
| # certificate to validate the client/server certificate. If omitted, the |
| # proxy will not validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and |
| # method-level access control for a service. |
| # Authorization config defines the Role Based Access Control (RBAC) config. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # Contains the configurations necessary to generate a signature for access to |
| # private storage buckets that support AWS's Signature Version 4 for authentication. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a global BackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] TLS Settings for the backend service. |
| # The client side authentication settings for connection |
| # originating from the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server |
| # certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority |
| # certificate to validate the client/server certificate. If omitted, the |
| # proxy will not validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not setup a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this |
| # BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # The HTTP cookie used for stateful session affinity. # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. # subsetting cannot be specified with haPolicy. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| }, |
| ], |
| "kind": "compute#usableBackendServiceList", # [Output Only] Type of resource. Always compute#usableBackendServiceList for lists of usable backend |
| # services. |
| "nextPageToken": "A String", # [Output Only] This token allows you to get the next page of results for |
| # list requests. If the number of results is larger than maxResults, use the nextPageToken as a value for |
| # the query parameter pageToken in the next list request. |
| # Subsequent list requests will have their own nextPageToken to |
| # continue paging through the results. |
| "selfLink": "A String", # [Output Only] Server-defined URL for this resource. |
| "warning": { # [Output Only] Informational warning message. |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="listUsable_next">listUsable_next()</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
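<p>Added example, not part of the generated reference or of the client library: it pages through listUsable results with listUsable_next() and reports, for each backend service, which names the backend certificate's SAN is actually matched against, following the sni / subjectAltNames[] precedence described in the field documentation above. It assumes the list is returned under `items`, that `identity` is a key of `tlsSettings`, and uses constructed stand-in classes and sample pages so it runs offline.</p>

```python
"""Report which names a load balancer matches against backend certificates."""


def san_match_source(tls):
    """Classify one tlsSettings dict by the precedence the field docs describe.

    Returns (mode, names): the field the names come from, and the names the
    backend certificate's SAN is matched against.
    """
    tls = tls or {}
    if tls.get("identity"):
        # Assumption: `identity` is a key of tlsSettings. When it is set,
        # sni and subjectAltNames cannot be set manually.
        return "identity", [tls["identity"]]
    names = []
    for san in tls.get("subjectAltNames") or []:
        # Each entry is specified as either a DNS name or a URI.
        value = san.get("dnsName") or san.get("uniformResourceIdentifier")
        if value:
            names.append(value)
    if names:
        # When both sni and subjectAltNames[] are specified, the SAN is
        # matched only to subjectAltNames[].
        return "subjectAltNames", names
    if tls.get("sni"):
        return "sni", [tls["sni"]]
    return "none", []


def audit_usable(collection, first_request):
    """Walk every page of a listUsable call and classify each service.

    `collection` is the backendServices() resource and `first_request` is the
    request object returned by its listUsable(...) call.
    """
    report = {}
    request = first_request
    while request is not None:
        response = request.execute()
        for svc in response.get("items", []):
            tls = svc.get("tlsSettings") or {}
            mode, names = san_match_source(tls)
            sni = tls.get("sni")
            report[svc["name"]] = {
                "mode": mode,
                "names": names,
                # The sni value is sent in the handshake, but the certificate
                # is not checked against it when subjectAltNames[] is set.
                "sni_not_verified": bool(
                    mode == "subjectAltNames" and sni and sni not in names),
            }
        # Returns None when there are no more items in the collection.
        request = collection.listUsable_next(
            previous_request=request, previous_response=response)
    return report


class _Request:
    """Constructed stand-in for the client's request object."""

    def __init__(self, pages, index):
        self.pages, self.index = pages, index

    def execute(self):
        return self.pages[self.index]


class _Collection:
    """Constructed stand-in for service.backendServices()."""

    def listUsable_next(self, previous_request, previous_response):
        if not previous_response.get("nextPageToken"):
            return None
        return _Request(previous_request.pages, previous_request.index + 1)


# Constructed sample pages; every name and value here is illustrative.
SAMPLE_PAGES = [
    {"items": [
        {"name": "svc-pinned", "tlsSettings": {
            "sni": "api.internal.example",
            "subjectAltNames": [{"dnsName": "backend.internal.example"}]}},
        {"name": "svc-sni", "tlsSettings": {"sni": "api.internal.example"}},
    ], "nextPageToken": "constructed-token"},
    {"items": [
        {"name": "svc-managed", "tlsSettings": {
            "identity": "//pool.example/ns/prod/sa/lb"}},
        {"name": "svc-open"},
    ]},
]


def demo():
    return audit_usable(_Collection(), _Request(SAMPLE_PAGES, 0))


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

<p>With a real client, pass service.backendServices() as `collection` and the request returned by its listUsable call as `first_request`.</p>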
| |
| <div class="method"> |
| <code class="details" id="list_next">list_next()</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="patch">patch(project, backendService, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Patches the specified BackendService resource with the data included in the |
| request. For more information, see |
| Backend services overview. This method |
| supports PATCH semantics and uses the JSON merge |
| patch format and processing rules. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to patch. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # Message containing what to include in the cache key for a request for Cloud # The CacheKeyPolicy for this CdnPolicy. |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests that are allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes an HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED, INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # IP:PORT based dynamic forwarding configuration. |
| # Defines an IP:PORT based dynamic forwarding configuration for the backend |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but |
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications. |
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED. |
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing |
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define |
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use |
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field. |
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV. |
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # This field denotes the logging options for the load balancer traffic served |
| # by this backend service. If logging is enabled, logs will be exported to |
| # Stackdriver. |
| # |
| # The available logging options for the load balancer traffic served by this |
| # backend service. |
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # Specifies the default maximum duration (timeout) for streams to this |
| # service. Duration is computed from the beginning of the stream until the |
| # response has been completely processed, including all retries. A stream |
| # that does not complete in this duration is closed. |
| # |
| # If not specified, there will be no timeout limit, i.e. the maximum |
| # duration is infinite. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # This field is only allowed when the loadBalancingScheme of |
| # the backend service is INTERNAL_SELF_MANAGED. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when |
| # the haPolicy is enabled, and for External Passthrough Network Load |
| # Balancers when the haPolicy fastIPMove is enabled. |
| # |
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or |
| # when the load balancing scheme is set to EXTERNAL and haPolicy fastIPMove is enabled. |
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the ejection of unhealthy backend endpoints from the |
| # load balancing pool of each individual proxy instance that processes the |
| # traffic for the given backend service. If not set, this feature is |
| # considered disabled. |
| # |
| # Results of the outlier detection algorithm (ejection of endpoints from the |
| # load balancing pool and returning them back to the pool) are executed |
| # independently by each proxy instance of the load balancer. In most cases, |
| # more than one proxy instance handles the traffic received by a backend |
| # service. Thus, it is possible that an unhealthy endpoint is detected and |
| # ejected by only some of the proxies, and while this happens, other proxies |
| # may continue to send requests to the same unhealthy endpoint until they |
| # detect and eject the unhealthy endpoint. |
| # |
| # Applicable backend endpoints can be: |
| # |
| # - VM instances in an Instance Group |
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT) |
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT) |
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud |
| # Functions Services |
| # - Private Service Connect NEGs, that resolve to |
| # Google-managed regional API endpoints or managed services published using |
| # Private Service Connect |
| # |
| # |
| # |
| # Applicable backend service types can be: |
| # |
| # - A global backend service with the loadBalancingScheme set to |
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED. |
| # - A regional backend |
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and |
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not |
| # supported for Serverless NEGs. |
| # |
| # |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # Settings controlling the eviction of unhealthy hosts from the load balancing |
| # pool for the backend service. |
| "baseEjectionTime": { # The base time that a backend endpoint is ejected for. Defaults to 30000ms |
| # or 30s. |
| # |
| # After a backend endpoint is returned back to the load balancing pool, it |
| # can be ejected again in another ejection analysis. Thus, the total ejection |
| # time is equal to the base ejection time multiplied by the number of times |
| # the backend endpoint has been ejected. Defaults to 30000ms or 30s. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # Time interval between ejection analysis sweeps. This can result in both new |
| # ejections and backend endpoints being returned to service. The interval is |
| # equal to the number of seconds as defined in |
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined |
| # in outlierDetection.interval.nanos. Defaults to 1 second. |
| # |
| # A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. # Input only. [Input Only] Additional params passed with the request, but not persisted |
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For |
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC, |
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. # [Deprecated] Authentication policy defines what authentication methods can |
| # be accepted on backends, and if authenticated, which method/certificate |
| # will set the request principal. |
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one |
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| # Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| # JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| # This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| # Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| # Configuration for the mutual Tls mode for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority |
| # certificate to validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and |
| # method-level access control for a service. Authorization config defines |
| # the Role Based Access Control (RBAC) config. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a globalBackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] TLS Settings for the backend service. The client side |
| # authentication settings for connection originating from the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority |
| # certificate to validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not set up a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # Lifetime of the cookie. A Duration represents a fixed-length span of time represented |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| # subsetting cannot be specified with haPolicy. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `[a-z][a-zA-Z0-9-_]+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `user@example.com` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
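<p>Added example (not part of the generated API reference or of Google's client library): a Python model of the <code>tlsSettings</code> rules described in the request body above, covering the allowed protocols, the <code>identity</code> exclusions and SPIFFE ID format, the 5-entry <code>subjectAltNames</code> limit, and which names the backend certificate is matched against when <code>sni</code> and <code>subjectAltNames[]</code> are both set. Function names, sample values, treating <code>sni</code> as a DNS-type SAN and the exact (case-insensitive for DNS) comparison are assumptions.</p>

```python
import re

# Identity format given on the page: //<trust_domain>/ns/<namespace>/sa/<subject>
SPIFFE_ID = re.compile(r"^//[^/]+/ns/[^/]+/sa/[^/]+$")
TLS_PROTOCOLS = {"SSL", "HTTPS", "HTTP2"}   # protocols for which tlsSettings is allowed
MAX_SANS = 5                                # subjectAltNames "is limited to 5 entries"
SAN_KINDS = ("dnsName", "uniformResourceIdentifier")


def validate_tls_settings(protocol, tls):
    """Return a list of problems in a tlsSettings dict (empty list means none found)."""
    problems = []
    if protocol not in TLS_PROTOCOLS:
        problems.append("tlsSettings requires backend protocol SSL, HTTPS or HTTP2")
    identity = tls.get("identity")
    if identity is not None:
        if not SPIFFE_ID.match(identity):
            problems.append("identity is not //<trust_domain>/ns/<namespace>/sa/<subject>")
        # With identity set, these three fields cannot be set manually.
        for field in ("sni", "subjectAltNames", "authenticationConfig"):
            if tls.get(field):
                problems.append(f"{field} cannot be set together with identity")
    sans = tls.get("subjectAltNames") or []
    if len(sans) > MAX_SANS:
        problems.append(f"subjectAltNames has {len(sans)} entries, limit is {MAX_SANS}")
    for i, san in enumerate(sans):
        # Each entry is "either a DNS name or a URI": exactly one kind per entry.
        if sum(1 for kind in SAN_KINDS if san.get(kind)) != 1:
            problems.append(f"subjectAltNames[{i}] must set exactly one of {SAN_KINDS}")
    return problems


def expected_sans(tls):
    """Names the backend certificate is matched against, as (kind, value) pairs."""
    pinned = [(kind, san[kind])
              for san in tls.get("subjectAltNames") or []
              for kind in SAN_KINDS if san.get(kind)]
    if pinned:
        # sni is still sent in the handshake, but matching uses subjectAltNames[] only.
        return pinned
    if tls.get("sni"):
        # Assumption: the SNI hostname is compared against DNS-type SANs.
        return [("dnsName", tls["sni"])]
    return []


def _norm(kind, value):
    # Assumption: DNS names compare case-insensitively, URIs exactly; no wildcards.
    return (kind, value.lower() if kind == "dnsName" else value)


def backend_cert_accepted(tls, cert_sans):
    """True if at least one certificate SAN matches one of the expected names."""
    expected = {_norm(kind, value) for kind, value in expected_sans(tls)}
    if not expected:
        # Neither sni nor subjectAltNames set: the page describes no SAN match here.
        return True
    return any(_norm(kind, value) in expected for kind, value in cert_sans)


# Constructed sample values, for illustration only.
SNI_ONLY = {"sni": "api.backend.example"}
SNI_AND_SANS = {
    "sni": "api.backend.example",
    "subjectAltNames": [
        {"uniformResourceIdentifier": "spiffe://example.internal/ns/prod/sa/orders"},
    ],
}
CERT_SANS = [("dnsName", "api.backend.example")]  # SANs in a constructed backend cert

if __name__ == "__main__":
    for label, tls in (("sni only", SNI_ONLY), ("sni + subjectAltNames", SNI_AND_SANS)):
        print(label, validate_tls_settings("HTTPS", tls), expected_sans(tls),
              backend_cert_accepted(tls, CERT_SANS))
```

<p>The second sample shows the operational consequence of the precedence rule: once <code>subjectAltNames[]</code> is populated, a backend certificate that carries only the SNI hostname no longer satisfies the match.</p>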
| |
| <div class="method"> |
| <code class="details" id="setEdgeSecurityPolicy">setEdgeSecurityPolicy(project, backendService, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Sets the edge security policy for the specified backend service. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to which the edge security policy |
| should be set. The name should conform to RFC1035. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "securityPolicy": "A String", |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `[a-z][a-zA-Z0-9-_]+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `[A-Z][A-Z0-9_]+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
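<p>The read-modify-write cycle that the <code>etag</code> field of <code>setIamPolicy</code> calls for, as an added example that is not part of the generated reference or the client library. <code>update_policy</code>, <code>add_binding</code> and <code>FakeBackendServices</code> are hypothetical names, the fake is a constructed stand-in for <code>service.backendServices()</code>, and treating HTTP 409 or 412 as the stale-etag signal is an assumption.</p>

```python
"""Etag-guarded read-modify-write of a backend service IAM policy (added example)."""
import copy

# Assumption: a stale etag is reported as HTTP 409 or 412.
CONFLICT_STATUSES = {409, 412}


class PolicyConflict(Exception):
    """Raised by the constructed fake below when the submitted etag is stale."""
    status_code = 409


def http_status(exc):
    """Status of a googleapiclient HttpError-like exception, else None."""
    code = getattr(exc, "status_code", None)
    if code is None:
        code = getattr(getattr(exc, "resp", None), "status", None)
    return code


def add_binding(policy, role, member, condition=None):
    """Return a copy of policy that also binds member to role; etag is kept."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and binding.get("condition") == condition:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        binding = {"role": role, "members": [member]}
        if condition:
            binding["condition"] = condition
        bindings.append(binding)
    # Conditional role bindings require policy version 3.
    if any("condition" in b for b in bindings):
        new["version"] = 3
    return new


def update_policy(backend_services, project, resource, mutate, max_attempts=5):
    """getIamPolicy -> mutate -> setIamPolicy, retrying when the etag went stale."""
    for _ in range(max_attempts):
        current = backend_services.getIamPolicy(
            project=project, resource=resource,
            optionsRequestedPolicyVersion=3).execute()
        if not current.get("etag"):
            raise RuntimeError("no etag returned; refusing an unguarded overwrite")
        desired = mutate(current)
        desired["etag"] = current["etag"]  # ties the write to the version we read
        try:
            return backend_services.setIamPolicy(
                project=project, resource=resource,
                body={"policy": desired}).execute()
        except Exception as exc:
            if http_status(exc) not in CONFLICT_STATUSES:
                raise  # not a concurrency conflict: surface it
    raise RuntimeError("policy kept changing; gave up after %d attempts" % max_attempts)


class FakeBackendServices:
    """Constructed in-memory stand-in for service.backendServices()."""

    class Call:
        def __init__(self, fn):
            self.execute = fn

    def __init__(self, policy, racing_writes=0):
        self.policy = dict(copy.deepcopy(policy), etag="etag-0")
        self.generation = 0
        self.racing_writes = racing_writes  # simulated concurrent writers
        self.set_calls = 0

    def getIamPolicy(self, project, resource, optionsRequestedPolicyVersion=None):
        return self.Call(lambda: copy.deepcopy(self.policy))

    def setIamPolicy(self, project, resource, body=None):
        return self.Call(lambda: self.store(body["policy"]))

    def bump(self):
        self.generation += 1
        self.policy["etag"] = "etag-%d" % self.generation

    def store(self, policy):
        self.set_calls += 1
        if self.racing_writes > 0:  # another writer lands between read and write
            self.racing_writes -= 1
            self.policy.setdefault("bindings", []).append(
                {"role": "roles/viewer", "members": ["user:racer@example.com"]})
            self.bump()
        if policy.get("etag") != self.policy["etag"]:
            raise PolicyConflict("stale etag")
        self.policy = copy.deepcopy(policy)
        self.bump()
        return copy.deepcopy(self.policy)


def demo():
    """One racing writer: the first write is rejected, the retry keeps both changes."""
    fake = FakeBackendServices({"version": 1, "bindings": [
        {"role": "roles/viewer", "members": ["user:bob@example.com"]}]}, racing_writes=1)
    expiring = {"title": "expirable access",
                "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"}
    final = update_policy(fake, "my-project", "my-backend-service",
                          lambda p: add_binding(p, "roles/viewer", "user:alice@example.com", expiring))
    return fake, final
```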
| |
| <div class="method"> |
| <code class="details" id="setIamPolicy">setIamPolicy(project, resource, body=None, x__xgafv=None)</code> |
| <pre>Sets the access control policy on the specified resource. |
| Replaces any existing policy. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "bindings": [ # Flatten Policy to create a backward compatible wire-format. |
| # Deprecated. Use 'policy' to specify bindings. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovering over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow entering the |
| # expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]`. |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # Flatten Policy to create a backward compatible wire-format. |
| # Deprecated. Use 'policy' to specify the etag. |
| "policy": { # REQUIRED: The complete policy to be applied to the 'resource'. The size of |
| # the policy is limited to a few 10s of KB. An empty policy is in general a |
| # valid policy but certain services (like Projects) might reject them. |
| # |
| # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:[email protected]" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')" |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:[email protected] |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `[email protected]` from DATA_READ logging, and |
| # `[email protected]` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovering over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow entering the |
| # expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]`. |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # |
| # |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # An Identity and Access Management (IAM) policy, which specifies access |
| # controls for Google Cloud resources. |
| # |
| # |
| # A `Policy` is a collection of `bindings`. A `binding` binds one or more |
| # `members`, or principals, to a single `role`. Principals can be user |
| # accounts, service accounts, Google groups, and domains (such as G Suite). A |
| # `role` is a named list of permissions; each `role` can be an IAM predefined |
| # role or a user-created custom role. |
| # |
| # For some types of Google Cloud resources, a `binding` can also specify a |
| # `condition`, which is a logical expression that allows access to a resource |
| # only if the expression evaluates to `true`. A condition can add constraints |
| # based on attributes of the request, the resource, or both. To learn which |
| # resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # **JSON example:** |
| # |
| # ``` |
| # { |
| # "bindings": [ |
| # { |
| # "role": "roles/resourcemanager.organizationAdmin", |
| # "members": [ |
| # "user:[email protected]", |
| # "group:[email protected]", |
| # "domain:google.com", |
| # "serviceAccount:[email protected]" |
| # ] |
| # }, |
| # { |
| # "role": "roles/resourcemanager.organizationViewer", |
| # "members": [ |
| # "user:[email protected]" |
| # ], |
| # "condition": { |
| # "title": "expirable access", |
| # "description": "Does not grant access after Sep 2020", |
| # "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')" |
| # } |
| # } |
| # ], |
| # "etag": "BwWWja0YfJA=", |
| # "version": 3 |
| # } |
| # ``` |
| # |
| # **YAML example:** |
| # |
| # ``` |
| # bindings: |
| # - members: |
| # - user:[email protected] |
| # - group:[email protected] |
| # - domain:google.com |
| # - serviceAccount:[email protected] |
| # role: roles/resourcemanager.organizationAdmin |
| # - members: |
| # - user:[email protected] |
| # role: roles/resourcemanager.organizationViewer |
| # condition: |
| # title: expirable access |
| # description: Does not grant access after Sep 2020 |
| # expression: request.time < timestamp('2020-10-01T00:00:00.000Z') |
| # etag: BwWWja0YfJA= |
| # version: 3 |
| # ``` |
| # |
| # For a description of IAM and its features, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/). |
| "auditConfigs": [ # Specifies cloud audit logging configuration for this policy. |
| { # Specifies the audit configuration for a service. |
| # The configuration determines which permission types are logged, and what |
| # identities, if any, are exempted from logging. |
| # An AuditConfig must have one or more AuditLogConfigs. |
| # |
| # If there are AuditConfigs for both `allServices` and a specific service, |
| # the union of the two AuditConfigs is used for that service: the log_types |
| # specified in each AuditConfig are enabled, and the exempted_members in each |
| # AuditLogConfig are exempted. |
| # |
| # Example Policy with multiple AuditConfigs: |
| # |
| # { |
| # "audit_configs": [ |
| # { |
| # "service": "allServices", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # }, |
| # { |
| # "log_type": "ADMIN_READ" |
| # } |
| # ] |
| # }, |
| # { |
| # "service": "sampleservice.googleapis.com", |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ" |
| # }, |
| # { |
| # "log_type": "DATA_WRITE", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # } |
| # ] |
| # } |
| # ] |
| # } |
| # |
| # For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ |
| # logging. It also exempts `[email protected]` from DATA_READ logging, and |
| # `[email protected]` from DATA_WRITE logging. |
| "auditLogConfigs": [ # The configuration for logging of each type of permission. |
| { # Provides the configuration for logging a type of permissions. |
| # Example: |
| # |
| # { |
| # "audit_log_configs": [ |
| # { |
| # "log_type": "DATA_READ", |
| # "exempted_members": [ |
| # "user:[email protected]" |
| # ] |
| # }, |
| # { |
| # "log_type": "DATA_WRITE" |
| # } |
| # ] |
| # } |
| # |
| # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting |
| # [email protected] from DATA_READ logging. |
| "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of |
| # permission. |
| # Follows the same format of Binding.members. |
| "A String", |
| ], |
| "logType": "A String", # The log type that this config enables. |
| }, |
| ], |
| "service": "A String", # Specifies a service that will be enabled for audit logging. |
| # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. |
| # `allServices` is a special value that covers all services. |
| }, |
| ], |
| "bindings": [ # Associates a list of `members`, or principals, with a `role`. Optionally, |
| # may specify a `condition` that determines how and when the `bindings` are |
| # applied. Each of the `bindings` must contain at least one principal. |
| # |
| # The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250 |
| # of these principals can be Google groups. Each occurrence of a principal |
| # counts towards these limits. For example, if the `bindings` grant 50 |
| # different roles to `user:[email protected]`, and not to any other |
| # principal, then you can add another 1,450 principals to the `bindings` in |
| # the `Policy`. |
| { # Associates `members`, or principals, with a `role`. |
| "condition": { # The condition that is associated with this binding. |
| # |
| # If the condition evaluates to `true`, then this binding applies to the |
| # current request. |
| # |
| # If the condition evaluates to `false`, then this binding does not apply to |
| # the current request. However, a different role binding might grant the same |
| # role to one or more of the principals in this binding. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM |
| # documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| # |
| # Represents a textual expression in the Common Expression Language (CEL) |
| # syntax. CEL is a C-like expression language. The syntax and semantics of CEL |
| # are documented at https://github.com/google/cel-spec. |
| # |
| # Example (Comparison): |
| # |
| # title: "Summary size limit" |
| # description: "Determines if a summary is less than 100 chars" |
| # expression: "document.summary.size() < 100" |
| # |
| # Example (Equality): |
| # |
| # title: "Requestor is owner" |
| # description: "Determines if requestor is the document owner" |
| # expression: "document.owner == request.auth.claims.email" |
| # |
| # Example (Logic): |
| # |
| # title: "Public documents" |
| # description: "Determine whether the document should be publicly visible" |
| # expression: "document.type != 'private' && document.type != 'internal'" |
| # |
| # Example (Data Manipulation): |
| # |
| # title: "Notification string" |
| # description: "Create a notification string with a timestamp." |
| # expression: "'New message received at ' + string(document.create_time)" |
| # |
| # The exact variables and functions that may be referenced within an expression |
| # are determined by the service that evaluates it. See the service |
| # documentation for additional information. |
| "description": "A String", # Optional. Description of the expression. This is a longer text which |
| # describes the expression, e.g. when hovered over it in a UI. |
| "expression": "A String", # Textual representation of an expression in Common Expression Language |
| # syntax. |
| "location": "A String", # Optional. String indicating the location of the expression for error |
| # reporting, e.g. a file name and a position in the file. |
| "title": "A String", # Optional. Title for the expression, i.e. a short string describing |
| # its purpose. This can be used e.g. in UIs which allow to enter the |
| # expression. |
| }, |
| "members": [ # Specifies the principals requesting access for a Google Cloud resource. |
| # `members` can have the following values: |
| # |
| # * `allUsers`: A special identifier that represents anyone who is |
| # on the internet; with or without a Google account. |
| # |
| # * `allAuthenticatedUsers`: A special identifier that represents anyone |
| # who is authenticated with a Google account or a service account. |
| # Does not include identities that come from external identity providers |
| # (IdPs) through identity federation. |
| # |
| # * `user:{emailid}`: An email address that represents a specific Google |
| # account. For example, `[email protected]` . |
| # |
| # |
| # * `serviceAccount:{emailid}`: An email address that represents a Google |
| # service account. For example, |
| # `[email protected]`. |
| # |
| # * `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An |
| # identifier for a |
| # [Kubernetes service |
| # account](https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts). |
| # For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. |
| # |
| # * `group:{emailid}`: An email address that represents a Google group. |
| # For example, `[email protected]`. |
| # |
| # |
| # * `domain:{domain}`: The G Suite domain (primary) that represents all the |
| # users of that domain. For example, `google.com` or `example.com`. |
| # |
| # * `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workforce identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/{group_id}`: |
| # All workforce identities in a group. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All workforce identities with a specific attribute value. |
| # |
| # * `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/*`: |
| # All identities in a workforce identity pool. |
| # |
| # * `principal://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: |
| # A single identity in a workload identity pool. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/group/{group_id}`: |
| # A workload identity pool group. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}`: |
| # All identities in a workload identity pool with a certain attribute. |
| # |
| # * `principalSet://iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/*`: |
| # All identities in a workload identity pool. |
| # |
| # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a user that has been recently deleted. For |
| # example, `[email protected]?uid=123456789012345678901`. If the user is |
| # recovered, this value reverts to `user:{emailid}` and the recovered user |
| # retains the role in the binding. |
| # |
| # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus |
| # unique identifier) representing a service account that has been recently |
| # deleted. For example, |
| # `[email protected]?uid=123456789012345678901`. |
| # If the service account is undeleted, this value reverts to |
| # `serviceAccount:{emailid}` and the undeleted service account retains the |
| # role in the binding. |
| # |
| # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique |
| # identifier) representing a Google group that has been recently |
| # deleted. For example, `[email protected]?uid=123456789012345678901`. If |
| # the group is recovered, this value reverts to `group:{emailid}` and the |
| # recovered group retains the role in the binding. |
| # |
| # * `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/subject/{subject_attribute_value}`: |
| # Deleted single identity in a workforce identity pool. For example, |
| # `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-pool-id/subject/my-subject-attribute-value`. |
| "A String", |
| ], |
| "role": "A String", # Role that is assigned to the list of `members`, or principals. |
| # For example, `roles/viewer`, `roles/editor`, or `roles/owner`. |
| # |
| # For an overview of the IAM roles and permissions, see the |
| # [IAM documentation](https://cloud.google.com/iam/docs/roles-overview). For |
| # a list of the available pre-defined roles, see |
| # [here](https://cloud.google.com/iam/docs/understanding-roles). |
| }, |
| ], |
| "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help |
| # prevent simultaneous updates of a policy from overwriting each other. |
| # It is strongly suggested that systems make use of the `etag` in the |
| # read-modify-write cycle to perform policy updates in order to avoid race |
| # conditions: An `etag` is returned in the response to `getIamPolicy`, and |
| # systems are expected to put that etag in the request to `setIamPolicy` to |
| # ensure that their change will be applied to the same version of the policy. |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| "version": 42, # Specifies the format of the policy. |
| # |
| # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value |
| # are rejected. |
| # |
| # Any operation that affects conditional role bindings must specify version |
| # `3`. This requirement applies to the following operations: |
| # |
| # * Getting a policy that includes a conditional role binding |
| # * Adding a conditional role binding to a policy |
| # * Changing a conditional role binding in a policy |
| # * Removing any role binding, with or without a condition, from a policy |
| # that includes conditions |
| # |
| # **Important:** If you use IAM Conditions, you must include the `etag` field |
| # whenever you call `setIamPolicy`. If you omit this field, then IAM allows |
| # you to overwrite a version `3` policy with a version `1` policy, and all of |
| # the conditions in the version `3` policy are lost. |
| # |
| # If a policy does not include any conditions, operations on that policy may |
| # specify any valid version or leave the field unset. |
| # |
| # To learn which resources support conditions in their IAM policies, see the |
| # [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies). |
| }</pre> |
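<p>Added example (not part of the generated API reference): the union rule for <code>auditConfigs</code> described above, applied to one service, with exemptions and disabled log types reported as review findings. It uses the camelCase field names of the schema (<code>auditConfigs</code>, <code>auditLogConfigs</code>, <code>logType</code>, <code>exemptedMembers</code>); the sample policy, its member addresses and the function names are constructed for illustration.</p>

```python
"""Added example: effective audit logging per service from a Policy's auditConfigs."""
from collections import defaultdict

ALL_SERVICES = "allServices"

# Constructed sample policy with the same shape as the documented example.
# The member addresses are placeholders, not values taken from the page.
SAMPLE_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:alice@example.com"]},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        },
        {
            "service": "sampleservice.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:bob@example.com"]},
            ],
        },
    ]
}


def effective_audit_config(policy, service):
    """Return {log_type: sorted exempted members} that applies to `service`.

    Union rule: log types from the `allServices` AuditConfig and from the
    service-specific AuditConfig are all enabled, and the exempted members
    of every matching AuditLogConfig are all exempted.
    """
    effective = defaultdict(set)
    for audit_config in policy.get("auditConfigs", []):
        if audit_config.get("service") not in (ALL_SERVICES, service):
            continue
        for log_config in audit_config.get("auditLogConfigs", []):
            log_type = log_config.get("logType")
            if not log_type:
                continue  # malformed entry: nothing to enable
            effective[log_type].update(log_config.get("exemptedMembers", []))
    return {log_type: sorted(members) for log_type, members in effective.items()}


def logging_gaps(policy, service, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """List findings for `service`: required log types that are off, and
    identities whose access of a given type produces no audit log entry."""
    effective = effective_audit_config(policy, service)
    findings = []
    for log_type in required:
        if log_type not in effective:
            findings.append(f"{service}: {log_type} logging is not enabled")
        for member in effective.get(log_type, []):
            findings.append(f"{service}: {member} is exempt from {log_type} logging")
    return findings


if __name__ == "__main__":
    for finding in logging_gaps(SAMPLE_POLICY, "sampleservice.googleapis.com"):
        print(finding)
```

<p>An exemption on <code>allServices</code> carries over to every service, so review it with the same care as a project-wide role binding.</p>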
| </div> |
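<p>Added example (not part of the generated API reference): the read-modify-write cycle that the <code>etag</code> and <code>version</code> fields above call for. The request body always carries the etag that was just read and is pinned to version <code>3</code> whenever conditions are involved. <code>InMemoryPolicyStore</code> is a hypothetical stand-in for the <code>getIamPolicy</code>/<code>setIamPolicy</code> pair so the logic runs offline; it models only the etag comparison, and all function names are assumptions.</p>

```python
"""Added example: etag-guarded read-modify-write for an IAM policy."""
import copy


class PolicyConflict(Exception):
    """The submitted etag no longer matches the stored policy."""


def has_conditions(policy):
    """True if any role binding in the policy carries a `condition`."""
    return any("condition" in b for b in policy.get("bindings", []))


def prepare_policy_update(current, mutate):
    """Build the body for setIamPolicy from the policy that was just read.

    `mutate` edits a copy in place. The etag from the read is kept so the
    write applies only to that version of the policy, and `version` is set
    to 3 if the policy had, or now has, a conditional role binding.
    """
    if not current.get("etag"):
        raise ValueError("policy was read without an etag; refusing to write")
    updated = copy.deepcopy(current)
    mutate(updated)
    updated["etag"] = current["etag"]
    if has_conditions(current) or has_conditions(updated):
        updated["version"] = 3
    return updated


def update_with_retry(get_policy, set_policy, mutate, attempts=3):
    """Re-read and re-apply `mutate` whenever another writer got in first."""
    for _ in range(attempts):
        body = prepare_policy_update(get_policy(), mutate)
        try:
            return set_policy(body)
        except PolicyConflict:
            continue
    raise PolicyConflict(f"policy kept changing; gave up after {attempts} attempts")


class InMemoryPolicyStore:
    """Hypothetical stand-in for the policy endpoint (constructed for this
    example): a write is accepted only if its etag matches the stored one."""

    def __init__(self, policy):
        self._revision = 1
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = f"etag-{self._revision}"

    def get(self):
        return copy.deepcopy(self._policy)

    def set(self, body):
        if body.get("etag") != self._policy["etag"]:
            raise PolicyConflict("stale etag")
        self._revision += 1
        self._policy = copy.deepcopy(body)
        self._policy["etag"] = f"etag-{self._revision}"
        return self.get()


if __name__ == "__main__":
    # Constructed policy with one conditional binding.
    store = InMemoryPolicyStore({
        "version": 3,
        "bindings": [{
            "role": "roles/viewer",
            "members": ["user:alice@example.com"],
            "condition": {"title": "expirable access",
                          "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"},
        }],
    })

    def grant_editor(policy):
        policy["bindings"].append(
            {"role": "roles/editor", "members": ["user:bob@example.com"]})

    result = update_with_retry(store.get, store.set, grant_editor)
    print(result["etag"], result["version"], len(result["bindings"]))
```

<p>With the real API, the read must also request policy version <code>3</code>, since getting a policy that includes a conditional role binding is one of the operations listed above.</p>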
| |
| <div class="method"> |
| <code class="details" id="setSecurityPolicy">setSecurityPolicy(project, backendService, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Sets the Google Cloud Armor security policy for the specified backend |
| service. For more information, see Google |
| Cloud Armor Overview. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to which the security policy should be |
| set. The name should conform to RFC1035. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "securityPolicy": "A String", |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: |
| # value format. For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="testIamPermissions">testIamPermissions(project, resource, body=None, x__xgafv=None)</code> |
| <pre>Returns permissions that a caller has on the specified resource. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| resource: string, Name or id of the resource for this request. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { |
| "permissions": [ # The set of permissions to check for the 'resource'. Permissions with |
| # wildcards (such as '*' or 'storage.*') are not allowed. |
| "A String", |
| ], |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { |
| "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is |
| # allowed. |
| "A String", |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="update">update(project, backendService, body=None, requestId=None, x__xgafv=None)</code> |
| <pre>Updates the specified BackendService resource with the data included in the |
| request. For more information, see Backend |
| services overview. |
| |
| Args: |
| project: string, Project ID for this request. (required) |
| backendService: string, Name of the BackendService resource to update. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Represents a Backend Service resource. |
| # |
| # A backend service defines how Google Cloud load balancers distribute traffic. |
| # The backend service configuration contains a set of values, such as the |
| # protocol used to connect to backends, various distribution and session |
| # settings, health checks, and timeouts. These settings provide fine-grained |
| # control over how your load balancer behaves. Most of the settings have |
| # default values that allow for easy configuration if you need to get started |
| # quickly. |
| # |
| # Backend services in Google Compute Engine can be either regionally or |
| # globally scoped. |
| # |
| # * [Global](https://cloud.google.com/compute/docs/reference/rest/alpha/backendServices) |
| # * [Regional](https://cloud.google.com/compute/docs/reference/rest/alpha/regionBackendServices) |
| # |
| # For more information, see Backend |
| # Services. |
| "affinityCookieTtlSec": 42, # Lifetime of cookies in seconds. This setting is applicable to Application |
| # Load Balancers and Traffic Director and requires |
| # GENERATED_COOKIE or HTTP_COOKIE session affinity. |
| # |
| # If set to 0, the cookie is non-persistent and lasts only until |
| # the end of the browser session (or equivalent). The maximum allowed value |
| # is two weeks (1,209,600). |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "allowMultinetwork": True or False, # A boolean flag enabling multi-network mesh. This field is only allowed with |
| # load balancing scheme set to INTERNAL_SELF_MANAGED. |
| "backends": [ # The list of backends that serve this BackendService. |
| { # Message containing information of one individual backend. |
| "balancingMode": "A String", # Specifies how to determine whether the backend of a load balancer can |
| # handle additional traffic or is fully loaded. For usage guidelines, see |
| # Connection balancing mode. |
| # |
| # Backends must use compatible balancing modes. For more information, see |
| # Supported balancing modes and target capacity settings and |
| # Restrictions and guidance for instance groups. |
| # |
| # Note: Currently, if you use the API to configure incompatible balancing |
| # modes, the configuration might be accepted even though it has no impact |
| # and is ignored. Specifically, Backend.maxUtilization is ignored when |
| # Backend.balancingMode is RATE. In the future, this incompatible combination |
| # will be rejected. |
| "capacityScaler": 3.14, # A multiplier applied to the backend's target capacity of its balancing |
| # mode. |
| # The default value is 1, which means the group serves up to |
| # 100% of its configured capacity (depending on balancingMode). A setting of 0 means the group is |
| # completely drained, offering 0% of its available capacity. The valid ranges |
| # are 0.0 and [0.1,1.0]. |
| # You cannot configure a setting larger than 0 and smaller than 0.1. |
| # You cannot configure a setting of 0 when there is only one |
| # backend attached to the backend service. |
| # |
| # Not available with backends that don't support using a balancingMode. This includes backends such as global |
| # internet NEGs, regional serverless NEGs, and PSC NEGs. |
| "customMetrics": [ # List of custom metrics that are used for CUSTOM_METRICS |
| # BalancingMode. |
| { # Custom Metrics are used for CUSTOM_METRICS balancing_mode. |
| "dryRun": True or False, # If true, the metric data is collected and reported to Cloud |
| # Monitoring, but is not used for load balancing. |
| "maxUtilization": 3.14, # Optional parameter to define a target utilization for the Custom Metrics |
| # balancing mode. The valid range is [0.0, 1.0]. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "failover": True or False, # This field designates whether this is a failover backend. More than one |
| # failover backend can be configured for a given BackendService. |
| "group": "A String", # The fully-qualified URL of an instance |
| # group or network endpoint |
| # group (NEG) resource. To determine what types of backends a load |
| # balancer supports, see the [Backend services |
| # overview](https://cloud.google.com/load-balancing/docs/backend-service#backends). |
| # |
| # You must use the *fully-qualified* URL (starting with https://www.googleapis.com/) to specify the instance group |
| # or NEG. Partial URLs are not supported. |
| # |
| # If haPolicy is specified, backends must refer to NEG resources of type |
| # GCE_VM_IP. |
| "maxConnections": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerEndpoint": 42, # Defines a target maximum number of simultaneous connections. For usage |
| # guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxConnectionsPerInstance": 42, # Defines a target maximum number of simultaneous connections. |
| # For usage guidelines, see Connection |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is RATE. |
| "maxInFlightRequests": 42, # Defines a maximum number of in-flight requests for the whole NEG or |
| # instance group. Not available if backend's balancingMode is RATE or CONNECTION. |
| "maxInFlightRequestsPerEndpoint": 42, # Defines a maximum number of in-flight requests for a single endpoint. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxInFlightRequestsPerInstance": 42, # Defines a maximum number of in-flight requests for a single VM. |
| # Not available if backend's balancingMode is RATE |
| # or CONNECTION. |
| "maxRate": 42, # Defines a maximum number of HTTP requests per second (RPS). For |
| # usage guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerEndpoint": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxRatePerInstance": 3.14, # Defines a maximum target for requests per second (RPS). For usage |
| # guidelines, see Rate |
| # balancing mode and Utilization |
| # balancing mode. |
| # |
| # Not available if the backend's balancingMode is CONNECTION. |
| "maxUtilization": 3.14, # Optional parameter to define a target capacity for the UTILIZATION balancing mode. The valid range is [0.0, 1.0]. |
| # |
| # For usage guidelines, see Utilization |
| # balancing mode. |
| "preference": "A String", # This field indicates whether this backend should be fully utilized before |
| # sending traffic to backends with default preference. The possible values |
| # are: |
| # |
| # - PREFERRED: Backends with this preference level will be |
| # filled up to their capacity limits first, based on RTT. |
| # - DEFAULT: If preferred backends don't have enough |
| # capacity, backends in this layer would be used and traffic would be |
| # assigned based on the load balancing algorithm you use. This is the |
| # default |
| "trafficDuration": "A String", |
| }, |
| ], |
| "cdnPolicy": { # Message containing Cloud CDN configuration for a backend service. # Cloud CDN configuration for this BackendService. Only available for |
| # specified load balancer types. |
| "bypassCacheOnRequestHeaders": [ # Bypass the cache when the specified request headers are matched - e.g. |
| # Pragma or Authorization headers. Up to 5 headers can be specified. |
| # The cache is bypassed for all cdnPolicy.cacheMode settings. |
| { # Bypass the cache when the specified request headers are present, |
| # e.g. Pragma or Authorization headers. Values are case insensitive. |
| # The presence of such a header overrides the cache_mode setting. |
| "headerName": "A String", # The header field name to match on when bypassing cache. |
| # Values are case-insensitive. |
| }, |
| ], |
| "cacheKeyPolicy": { # Message containing what to include in the cache key for a request for Cloud # The CacheKeyPolicy for this CdnPolicy. |
| # CDN. |
| "includeHost": True or False, # If true, requests to different hosts will be cached separately. |
| "includeHttpHeaders": [ # Allows HTTP request headers (by name) to be used in the cache key. |
| "A String", |
| ], |
| "includeNamedCookies": [ # Allows HTTP cookies (by name) to be used in the cache key. |
| # The name=value pair will be used in the cache key Cloud CDN generates. |
| "A String", |
| ], |
| "includeProtocol": True or False, # If true, http and https requests will be cached separately. |
| "includeQueryString": True or False, # If true, include query string parameters in the cache key according to |
| # query_string_whitelist and query_string_blacklist. If neither is set, the |
| # entire query string will be included. If false, the query string will be |
| # excluded from the cache key entirely. |
| "queryStringBlacklist": [ # Names of query string parameters to exclude in cache keys. All other |
| # parameters will be included. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| "queryStringWhitelist": [ # Names of query string parameters to include in cache keys. All other |
| # parameters will be excluded. Either specify query_string_whitelist or |
| # query_string_blacklist, not both. '&' and '=' will be percent encoded and |
| # not treated as delimiters. |
| "A String", |
| ], |
| }, |
| "cacheMode": "A String", # Specifies the cache setting for all responses from this backend. |
| # The possible values are: |
| # |
| # - USE_ORIGIN_HEADERS: Requires the origin to set valid caching |
| # headers to cache content. Responses without these headers will not be |
| # cached at Google's edge, and will require a full trip to the origin on |
| # every request, potentially impacting performance and increasing load on |
| # the origin server. |
| # - FORCE_CACHE_ALL: Cache all content, ignoring any "private", |
| # "no-store" or "no-cache" directives in Cache-Control response headers. |
| # Warning: this may result in Cloud CDN caching private, |
| # per-user (user identifiable) content. |
| # - CACHE_ALL_STATIC: Automatically cache static content, |
| # including common image formats, media (video and audio), and web assets |
| # (JavaScript and CSS). Requests and responses that are marked as |
| # uncacheable, as well as dynamic content (including HTML), will not be |
| # cached. |
| # |
| # If no value is provided for cdnPolicy.cacheMode, it defaults |
| # to CACHE_ALL_STATIC. |
| "clientTtl": 42, # Specifies a separate client (e.g. browser client) maximum TTL. This is |
| # used to clamp the max-age (or Expires) value sent to the client. With |
| # FORCE_CACHE_ALL, the lesser of client_ttl and default_ttl is used for the |
| # response max-age directive, along with a "public" directive. For |
| # cacheable content in CACHE_ALL_STATIC mode, client_ttl clamps the max-age |
| # from the origin (if specified), or else sets the response max-age |
| # directive to the lesser of the client_ttl and default_ttl, and also |
| # ensures a "public" cache-control directive is present. |
| # If a client TTL is not specified, a default value (1 hour) will be used. |
| # The maximum allowed value is 31,622,400s (1 year). |
| "defaultTtl": 42, # Specifies the default TTL for cached content served by this origin for |
| # responses that do not have an existing valid TTL (max-age or s-maxage). |
| # Setting a TTL of "0" means "always revalidate". |
| # The value of defaultTTL cannot be set to a value greater than that of |
| # maxTTL, but can be equal. |
| # When the cacheMode is set to FORCE_CACHE_ALL, the defaultTTL |
| # will overwrite the TTL set in all responses. The maximum allowed value is |
| # 31,622,400s (1 year), noting that infrequently accessed objects may be |
| # evicted from the cache before the defined TTL. |
| "maxTtl": 42, # Specifies the maximum allowed TTL for cached content served by this |
| # origin. |
| # Cache directives that attempt to set a max-age or s-maxage higher than |
| # this, or an Expires header more than maxTTL seconds in the future will |
| # be capped at the value of maxTTL, as if it were the value of an |
| # s-maxage Cache-Control directive. |
| # Headers sent to the client will not be modified. |
| # Setting a TTL of "0" means "always revalidate". |
| # The maximum allowed value is 31,622,400s (1 year), noting that |
| # infrequently accessed objects may be evicted from the cache before |
| # the defined TTL. |
| "negativeCaching": True or False, # Negative caching allows per-status code TTLs to be set, in order |
| # to apply fine-grained caching for common errors or redirects. |
| # This can reduce the load on your origin and improve end-user |
| # experience by reducing response latency. |
| # When the cache mode is set to CACHE_ALL_STATIC or USE_ORIGIN_HEADERS, |
| # negative caching applies to responses with the specified response code |
| # that lack any Cache-Control, Expires, or Pragma: no-cache directives. |
| # When the cache mode is set to FORCE_CACHE_ALL, negative caching applies |
| # to all responses with the specified response code, and overrides any |
| # caching headers. |
| # By default, Cloud CDN will apply the following default TTLs to these |
| # status codes: |
| # HTTP 300 (Multiple Choice), 301, 308 (Permanent Redirects): 10m |
| # HTTP 404 (Not Found), 410 (Gone), |
| # 451 (Unavailable For Legal Reasons): 120s |
| # HTTP 405 (Method Not Found), 501 (Not Implemented): 60s. |
| # These defaults can be overridden in negative_caching_policy. |
| "negativeCachingPolicy": [ # Sets a cache TTL for the specified HTTP status code. |
| # negative_caching must be enabled to configure negative_caching_policy. |
| # Omitting the policy and leaving negative_caching enabled will use |
| # Cloud CDN's default cache TTLs. |
| # Note that when specifying an explicit negative_caching_policy, you |
| # should take care to specify a cache TTL for all response codes |
| # that you wish to cache. Cloud CDN will not apply any default |
| # negative caching when a policy exists. |
| { # Specify CDN TTLs for response error codes. |
| "code": 42, # The HTTP status code to define a TTL against. Only HTTP status codes |
| # 300, 301, 302, 307, 308, 404, 405, 410, 421, 451 and 501 can be |
| # specified as values, and you cannot specify a status code more than |
| # once. |
| "ttl": 42, # The TTL (in seconds) for which to cache responses with the |
| # corresponding status code. |
| # The maximum allowed value is 1800s (30 minutes), noting that |
| # infrequently accessed objects may be evicted from the cache before the |
| # defined TTL. |
| }, |
| ], |
| "requestCoalescing": True or False, # If true then Cloud CDN will combine multiple concurrent cache fill |
| # requests into a small number of requests to the origin. |
| "serveWhileStale": 42, # Serve existing content from the cache (if available) when revalidating |
| # content with the origin, or when an error is encountered when refreshing |
| # the cache. |
| # This setting defines the default "max-stale" duration for any cached |
| # responses that do not specify a max-stale directive. Stale responses that |
| # exceed the TTL configured here will not be served. The default limit |
| # (max-stale) is 86400s (1 day), which will allow stale content to be |
| # served up to this limit beyond the max-age (or s-maxage) of a cached |
| # response. |
| # The maximum allowed value is 604800 (1 week). |
| # Set this to zero (0) to disable serve-while-stale. |
| "signedUrlCacheMaxAgeSec": "A String", # Maximum number of seconds the response to a signed URL request will be |
| # considered fresh. After this time period, the response will be |
| # revalidated before being served. Defaults to 1hr (3600s). When serving |
| # responses to signed URL requests, Cloud CDN will internally behave as |
| # though all responses from this backend had a "Cache-Control: |
| # public, max-age=[TTL]" header, regardless of any existing |
| # Cache-Control header. The actual headers served in responses will not be |
| # altered. |
| "signedUrlKeyNames": [ # [Output Only] Names of the keys for signing request URLs. |
| "A String", |
| ], |
| }, |
| "circuitBreakers": { # Settings controlling the volume of requests, connections and retries to this |
| # backend service. |
| "connectTimeout": { # A Duration represents a fixed-length span of time represented # The timeout for new network connections to hosts. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxConnections": 42, # The maximum number of connections to the backend service. If not specified, |
| # there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxPendingRequests": 42, # The maximum number of pending requests allowed to the backend service. If |
| # not specified, there is no limit. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRequests": 42, # The maximum number of parallel requests that are allowed to the backend |
| # service. If not specified, there is no limit. |
| "maxRequestsPerConnection": 42, # Maximum requests for a single connection to the backend service. |
| # This parameter is respected by both the HTTP/1.1 and HTTP/2 |
| # implementations. If not specified, there is no limit. Setting this |
| # parameter to 1 will effectively disable keep alive. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| "maxRetries": 42, # The maximum number of parallel retries allowed to the backend cluster. If |
| # not specified, the default is 1. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| }, |
| "compressionMode": "A String", # Compress text responses using Brotli or gzip compression, based on |
| # the client's Accept-Encoding header. |
| "connectionDraining": { # Message containing connection draining configuration. # connectionDraining cannot be specified with haPolicy. |
| "drainingTimeoutSec": 42, # Configures a duration timeout for existing requests on a removed backend |
| # instance. For supported load balancers and protocols, as described in Enabling |
| # connection draining. |
| }, |
| "connectionTrackingPolicy": { # Connection Tracking configuration for this BackendService. # Connection Tracking configuration for this BackendService. Connection |
| # tracking policy settings are only available for external passthrough |
| # Network Load Balancers and internal passthrough Network Load Balancers. |
| # |
| # connectionTrackingPolicy cannot be specified with haPolicy. |
| "connectionPersistenceOnUnhealthyBackends": "A String", # Specifies connection persistence when backends are unhealthy. The default |
| # value is DEFAULT_FOR_PROTOCOL. |
| # |
| # If set to DEFAULT_FOR_PROTOCOL, the existing connections |
| # persist on unhealthy backends only for connection-oriented protocols |
| # (TCP and SCTP) and only if the Tracking Mode is PER_CONNECTION (default tracking mode) or the Session |
| # Affinity is configured for 5-tuple. They do not persist for UDP. |
| # |
| # If set to NEVER_PERSIST, after a backend becomes unhealthy, |
| # the existing connections on the unhealthy backend are never persisted on |
| # the unhealthy backend. They are always diverted to newly selected healthy |
| # backends (unless all backends are unhealthy). |
| # |
| # If set to ALWAYS_PERSIST, existing connections always |
| # persist on unhealthy backends regardless of protocol and session |
| # affinity. It is generally not recommended to use this mode overriding the |
| # default. |
| # |
| # For more details, see [Connection Persistence for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-persistence) |
| # and [Connection Persistence for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-persistence). |
| "enableStrongAffinity": True or False, # Enable Strong Session Affinity for external passthrough Network Load |
| # Balancers. This option is not available publicly. |
| "idleTimeoutSec": 42, # Specifies how long to keep a Connection Tracking entry while there is no |
| # matching traffic (in seconds). |
| # |
| # For internal passthrough Network Load Balancers: |
| # |
| # - The minimum (default) is 10 minutes and the maximum is 16 hours. |
| # - It can be set only if Connection Tracking is less than 5-tuple |
| # (i.e. Session Affinity is CLIENT_IP_NO_DESTINATION, CLIENT_IP or CLIENT_IP_PROTO, and Tracking |
| # Mode is PER_SESSION). |
| # |
| # |
| # |
| # For external passthrough Network Load Balancers the default is 60 |
| # seconds. This option is not available publicly. |
| "trackingMode": "A String", # Specifies the key used for connection tracking. There are two |
| # options: |
| # |
| # - PER_CONNECTION: This is the default mode. The Connection |
| # Tracking is performed as per the Connection Key (default Hash Method) for |
| # the specific protocol. |
| # - PER_SESSION: The Connection Tracking is performed as per |
| # the configured Session Affinity. It matches the configured Session |
| # Affinity. |
| # |
| # |
| # |
| # For more details, see [Tracking Mode for Network Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#tracking-mode) |
| # and [Tracking Mode for Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal#tracking-mode). |
| }, |
| "consistentHash": { # This message defines settings for a consistent hash style load balancer. # Consistent Hash-based load balancing can be used to provide soft session |
| # affinity based on HTTP headers, cookies or other properties. This load |
| # balancing policy is applicable only for HTTP connections. The affinity to a |
| # particular destination host will be lost when one or more hosts are |
| # added/removed from the destination service. This field specifies parameters |
| # that control consistent hashing. This field is only applicable when localityLbPolicy is set to MAGLEV or RING_HASH. |
| # |
| # This field is applicable to either: |
| # |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "httpCookie": { # The information about the HTTP Cookie on which the hash function is based # Hash is based on HTTP Cookie. This field describes a HTTP cookie that will |
| # be used as the hash key for the consistent hash load balancer. If the |
| # cookie is not present, it will be generated. This field is applicable if |
| # the sessionAffinity is set to HTTP_COOKIE. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # for load balancing policies that use a consistent hash. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "httpHeaderName": "A String", # The hash based on the value of the specified header field. This field is |
| # applicable if the sessionAffinity is set to HEADER_FIELD. |
| "minimumRingSize": "A String", # The minimum number of virtual nodes to use for the hash ring. Defaults to |
| # 1024. Larger ring sizes result in more granular load distributions. If the |
| # number of hosts in the load balancing pool is larger than the ring size, |
| # each host will be assigned a single virtual node. |
| }, |
| "creationTimestamp": "A String", # [Output Only] Creation timestamp in RFC3339 |
| # text format. |
| "customMetrics": [ # List of custom metrics that are used for the WEIGHTED_ROUND_ROBIN locality_lb_policy. |
| { # Custom Metrics are used for WEIGHTED_ROUND_ROBIN |
| # locality_lb_policy. |
| "dryRun": True or False, # If true, the metric data is not used for load balancing. |
| "name": "A String", # Name of a custom utilization signal. The name must be 1-64 characters |
| # long and match the regular expression |
| # `[a-z]([-_.a-z0-9]*[a-z0-9])?` which means that the |
| # first character must be a lowercase letter, and all following |
| # characters must be a dash, period, underscore, lowercase letter, or |
| # digit, except the last character, which cannot be a dash, period, or |
| # underscore. For usage guidelines, see Custom Metrics balancing mode. This |
| # field can only be used for a global or regional backend service with the |
| # loadBalancingScheme set to EXTERNAL_MANAGED, INTERNAL_MANAGED or INTERNAL_SELF_MANAGED. |
| }, |
| ], |
| "customRequestHeaders": [ # Headers that the load balancer adds to proxied requests. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "customResponseHeaders": [ # Headers that the load balancer adds to proxied responses. See [Creating |
| # custom |
| # headers](https://cloud.google.com/load-balancing/docs/custom-headers). |
| "A String", |
| ], |
| "description": "A String", # An optional description of this resource. Provide this property when you |
| # create the resource. |
| "dynamicForwarding": { # Defines a dynamic forwarding configuration for the backend service. # Dynamic forwarding configuration. This field is used to configure the |
| # backend service with dynamic forwarding feature which together with Service |
| # Extension allows customized and complex routing logic. |
| "ipPortSelection": { # Defines a IP:PORT based dynamic forwarding configuration for the backend # IP:PORT based dynamic forwarding configuration. |
| # service. Some ranges are restricted: Restricted |
| # ranges. |
| "enabled": True or False, # A boolean flag enabling IP:PORT based dynamic forwarding. |
| }, |
| }, |
| "edgeSecurityPolicy": "A String", # [Output Only] The resource URL for the edge security policy associated with |
| # this backend service. |
| "enableCDN": True or False, # If true, enables Cloud CDN for the backend service of a |
| # global external Application Load Balancer. |
| "externalManagedMigrationState": "A String", # Specifies the canary migration state. Possible values are PREPARE, |
| # TEST_BY_PERCENTAGE, and TEST_ALL_TRAFFIC. |
| # |
| # To begin the migration from EXTERNAL to EXTERNAL_MANAGED, the state must be |
| # changed to PREPARE. The state must be changed to TEST_ALL_TRAFFIC before |
| # the loadBalancingScheme can be changed to EXTERNAL_MANAGED. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate traffic by percentage using |
| # externalManagedMigrationTestingPercentage. |
| # |
| # Rolling back a migration requires the states to be set in reverse order. So |
| # changing the scheme from EXTERNAL_MANAGED to EXTERNAL requires the state to |
| # be set to TEST_ALL_TRAFFIC at the same time. Optionally, the |
| # TEST_BY_PERCENTAGE state can be used to migrate some traffic back to |
| # EXTERNAL or PREPARE can be used to migrate all traffic back to EXTERNAL. |
| "externalManagedMigrationTestingPercentage": 3.14, # Determines the fraction of requests that should be processed by the Global |
| # external Application Load Balancer. |
| # |
| # The value of this field must be in the range [0, 100]. |
| # |
| # Session affinity options will slightly affect this routing behavior, for |
| # more details, see: Session |
| # Affinity. |
| # |
| # This value can only be set if the loadBalancingScheme in the BackendService |
| # is set to EXTERNAL (when using the classic Application Load Balancer) and |
| # the migration state is TEST_BY_PERCENTAGE. |
| "failoverPolicy": { # For load balancers that have configurable # Requires at least one backend instance group to be defined |
| # as a backup (failover) backend. |
| # For load balancers that have configurable failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # |
| # failoverPolicy cannot be specified with haPolicy. |
| # failover: |
| # [Internal passthrough Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # On failover or failback, this field indicates whether connection draining |
| # will be honored. Google Cloud has a fixed connection draining timeout of |
| # 10 minutes. A setting of true terminates existing TCP |
| # connections to the active pool during failover and failback, immediately |
| # draining traffic. A setting of false allows existing TCP |
| # connections to persist, even on VMs no longer in the active pool, for up |
| # to the duration of the connection draining timeout (10 minutes). |
| "disableConnectionDrainOnFailover": True or False, # This can be set to true only if the protocol is TCP. |
| # |
| # The default is false. |
| "dropTrafficIfUnhealthy": True or False, # If set to true, connections to the |
| # load balancer are dropped when all primary and all backup backend VMs are |
| # unhealthy. If set to false, connections are distributed |
| # among all primary VMs when all primary and all backup backend VMs are |
| # unhealthy. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external passthrough |
| # Network Load |
| # Balancers](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| # The default is false. |
| "failoverRatio": 3.14, # The value of the field must be in the range [0, 1]. If the value is 0, the load balancer performs a |
| # failover when the number of healthy primary VMs equals zero. |
| # For all other values, the load balancer performs a failover when the |
| # total number of healthy primary VMs is less than this ratio. |
| # For load balancers that have configurable |
| # failover: |
| # [Internal TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/internal/failover-overview) |
| # and [external TCP/UDP Load |
| # Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-failover-overview). |
| }, |
| "fingerprint": "A String", # Fingerprint of this resource. A hash of the contents stored in this object. |
| # This field is used in optimistic locking. This field will be ignored when |
| # inserting a BackendService. An up-to-date fingerprint must be provided in |
| # order to update the BackendService, otherwise the request will |
| # fail with error 412 conditionNotMet. |
| # |
| # To see the latest fingerprint, make a get() request to |
| # retrieve a BackendService. |
| "haPolicy": { # Configures self-managed High Availability (HA) for External and Internal |
| # Protocol Forwarding. |
| # |
| # The backends of this regional backend service must only specify zonal |
| # network endpoint groups (NEGs) of type GCE_VM_IP. |
| # |
| # When haPolicy is set for an Internal Passthrough Network Load Balancer, the |
| # regional backend service must set the network field. All zonal NEGs must |
| # belong to the same network. However, individual NEGs can |
| # belong to different subnetworks of that network. |
| # |
| # When haPolicy is specified, the set of attached network endpoints across |
| # all backends comprise a High Availability domain from which one endpoint |
| # is selected as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # haPolicy can be added only at backend service creation time. Once set up, |
| # it cannot be deleted. |
| # |
| # Note that haPolicy is not for load balancing, and therefore cannot be |
| # specified with sessionAffinity, connectionTrackingPolicy, and |
| # failoverPolicy. |
| # |
| # haPolicy requires customers to be responsible for tracking backend |
| # endpoint health and electing a leader among the healthy endpoints. |
| # Therefore, haPolicy cannot be specified with healthChecks. |
| # |
| # haPolicy can only be specified for External Passthrough Network Load |
| # Balancers and Internal Passthrough Network Load Balancers. |
| "fastIPMove": "A String", # Specifies whether fast IP move is enabled, and if so, the mechanism to |
| # achieve it. |
| # |
| # Supported values are: |
| # |
| # - DISABLED: Fast IP Move is disabled. You can only use the |
| # haPolicy.leader API to update the leader. |
| # - GARP_RA: Provides a method to very quickly define a new network |
| # endpoint as the leader. This method is faster than updating the leader |
| # using the haPolicy.leader API. Fast IP move works as follows: The VM |
| # hosting the network endpoint that should become the new leader sends |
| # either a Gratuitous ARP (GARP) packet (IPv4) or an ICMPv6 Router |
| # Advertisement (RA) packet (IPv6). Google Cloud immediately but
| # temporarily associates the forwarding rule IP address with that VM, and |
| # both new and in-flight packets are quickly delivered to that VM. |
| # |
| # |
| # |
| # Note the important properties of the Fast IP Move functionality: |
| # |
| # - The GARP/RA-initiated re-routing stays active for approximately 20 |
| # minutes. After triggering fast failover, you must also |
| # appropriately set the haPolicy.leader. |
| # - The new leader instance should continue to send GARP/RA packets |
| # periodically every 10 seconds until at least 10 minutes after updating |
| # the haPolicy.leader (but stop immediately if it is no longer the leader). |
| # - After triggering a fast failover, we recommend that you wait at least |
| # 3 seconds before sending another GARP/RA packet from a different VM |
| # instance to avoid race conditions. |
| # - Don't send GARP/RA packets from different VM |
| # instances at the same time. If multiple instances continue to send |
| # GARP/RA packets, traffic might be routed to different destinations in an |
| # alternating order. This condition ceases when a single instance |
| # issues a GARP/RA packet. |
| # - The GARP/RA request always takes priority over the leader API. |
| # Using the haPolicy.leader API to change the leader to a different |
| # instance will have no effect until the GARP/RA request becomes |
| # inactive. |
| # - The GARP/RA packets should follow the GARP/RA |
| # Packet Specifications.
| # - When multiple forwarding rules refer to a regional backend service, |
| # you need only send a GARP or RA packet for a single forwarding rule |
| # virtual IP. The virtual IPs for all forwarding rules targeting the same |
| # backend service will also be moved to the sender of the GARP or RA |
| # packet. |
| # |
| # |
| # |
| # The following are the Fast IP Move limitations (that is, when fastIPMove |
| # is not DISABLED): |
| # |
| # - Multiple forwarding rules cannot use the same IP address if one of |
| # them refers to a regional backend service with fastIPMove. |
| # - The regional backend service must set the network field, and all |
| # NEGs must belong to that network. However, individual |
| # NEGs can belong to different subnetworks of that network. |
| # - The maximum number of network endpoints across all backends of a |
| # backend service with fastIPMove is 32. |
| # - The maximum number of backend services with fastIPMove that can have |
| # the same network endpoint attached to one of its backends is 64. |
| # - The maximum number of backend services with fastIPMove in a VPC in a |
| # region is 64. |
| # - The network endpoints that are attached to a backend of a backend |
| # service with fastIPMove cannot resolve to Gen3+ machines for IPv6. |
| # - Traffic directed to the leader by a static route next hop will not be |
| # redirected to a new leader by fast failover. Such traffic will only be |
| # redirected once an haPolicy.leader update has taken effect. Only traffic |
| # to the forwarding rule's virtual IP will be redirected to a new leader by |
| # fast failover. |
| # |
| # |
| # haPolicy.fastIPMove can be set only at backend service creation time. |
| # Once set, it cannot be updated. |
| # |
| # By default, fastIPMove is set to DISABLED.
| "leader": { # Selects one of the network endpoints attached to the backend NEGs of |
| # this service as the active endpoint (the leader) that receives all |
| # traffic. |
| # |
| # When the leader changes, there is no connection draining to persist |
| # existing connections on the old leader. |
| # |
| # You are responsible for selecting a suitable endpoint as the |
| # leader. For example, preferring a healthy endpoint over unhealthy ones. |
| # Note that this service does not track backend endpoint health, and |
| # selects the configured leader unconditionally. |
| "backendGroup": "A String", # A fully-qualified URL (starting with https://www.googleapis.com/) |
| # of the zonal Network Endpoint Group (NEG) with `GCE_VM_IP` endpoints |
| # that the leader is attached to. |
| # |
| # The leader's backendGroup must already be specified as a backend of |
| # this backend service. Removing a backend that is designated as the |
| # leader's backendGroup is not permitted. |
| "networkEndpoint": { # The network endpoint within the leader.backendGroup that is |
| # designated as the leader. |
| # |
| # This network endpoint cannot be detached from the NEG specified in |
| # the haPolicy.leader.backendGroup until the leader is updated with |
| # another network endpoint, or the leader is removed from the haPolicy. |
| "instance": "A String", # The name of the VM instance of the leader network endpoint. The |
| # instance must already be attached to the NEG specified in the |
| # haPolicy.leader.backendGroup. |
| # |
| # The name must be 1-63 characters long, and comply with RFC1035. |
| # Authorization requires the following IAM permission on the |
| # specified resource instance: compute.instances.use |
| }, |
| }, |
| }, |
| "healthChecks": [ # The list of URLs to the healthChecks, httpHealthChecks (legacy), or |
| # httpsHealthChecks (legacy) resource for health checking this backend |
| # service. Not all backend services support legacy health checks. See |
| # Load balancer guide. Currently, at most one health check can be |
| # specified for each backend service. Backend services with |
| # instance group or zonal NEG backends must have a health check unless |
| # haPolicy is specified. Backend services with internet or serverless NEG |
| # backends must not have a health check. |
| # |
| # healthChecks[] cannot be specified with haPolicy. |
| "A String", |
| ], |
| "iap": { # Identity-Aware Proxy # The configurations for Identity-Aware Proxy on this resource. |
| # Not available for internal passthrough Network Load Balancers and external |
| # passthrough Network Load Balancers. |
| "enabled": True or False, # Whether the serving infrastructure will authenticate and authorize all |
| # incoming requests. |
| "oauth2ClientId": "A String", # OAuth2 client ID to use for the authentication flow. |
| "oauth2ClientInfo": { # [Input Only] OAuth client info required to generate client id to be used |
| # for IAP. |
| "applicationName": "A String", # Application name to be used in OAuth consent screen. |
| "clientName": "A String", # Name of the client to be generated. |
| # Optional - If not provided, the name will be autogenerated by the |
| # backend. |
| "developerEmailAddress": "A String", # Developer's information to be used in OAuth consent screen. |
| }, |
| "oauth2ClientSecret": "A String", # OAuth2 client secret to use for the authentication flow. |
| # For security reasons, this value cannot be retrieved via the API. |
| # Instead, the SHA-256 hash of the value is returned in the |
| # oauth2ClientSecretSha256 field. |
| # |
| # @InputOnly |
| "oauth2ClientSecretSha256": "A String", # [Output Only] SHA256 hash value for the field oauth2_client_secret above. |
| }, |
| "id": "A String", # [Output Only] The unique identifier for the resource. This identifier is |
| # defined by the server. |
| "ipAddressSelectionPolicy": "A String", # Specifies a preference for traffic sent from the proxy to the backend (or |
| # from the client to the backend for proxyless gRPC). |
| # The possible values are: |
| # |
| # - IPV4_ONLY: Only send IPv4 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv4 |
| # health checks are used to check the health of the backends. This is the |
| # default setting. |
| # - PREFER_IPV6: Prioritize the connection to the endpoint's |
| # IPv6 address over its IPv4 address (provided there is a healthy IPv6 |
| # address). |
| # - IPV6_ONLY: Only send IPv6 traffic to the backends of the |
| # backend service (Instance Group, Managed Instance Group, Network Endpoint |
| # Group), regardless of traffic from the client to the proxy. Only IPv6 |
| # health checks are used to check the health of the backends. |
| # |
| # |
| # |
| # This field is applicable to either: |
| # |
| # - Advanced global external Application Load Balancer (load balancing |
| # scheme EXTERNAL_MANAGED), |
| # - Regional external Application Load |
| # Balancer, |
| # - Internal proxy Network Load Balancer (load balancing |
| # scheme INTERNAL_MANAGED), |
| # - Regional internal Application Load |
| # Balancer (load balancing scheme INTERNAL_MANAGED), |
| # - Traffic |
| # Director with Envoy proxies and proxyless gRPC (load balancing scheme |
| # INTERNAL_SELF_MANAGED). |
| "kind": "compute#backendService", # [Output Only] Type of resource. Always compute#backendService |
| # for backend services. |
| "loadBalancingScheme": "A String", # Specifies the load balancer type. A backend service |
| # created for one type of load balancer cannot be used with another. |
| # For more information, refer to Choosing
| # a load balancer. |
| "localityLbPolicies": [ # A list of locality load-balancing policies to be used in order of |
| # preference. When you use localityLbPolicies, you must set at least one |
| # value for either the localityLbPolicies[].policy or the |
| # localityLbPolicies[].customPolicy field. localityLbPolicies overrides any |
| # value set in the localityLbPolicy field. |
| # |
| # For an example of how to use this field, see Define
| # a list of preferred policies. |
| # |
| # Caution: This field and its children are intended for use in a service mesh |
| # that includes gRPC clients only. Envoy proxies can't use backend services |
| # that have this configuration. |
| { # Container for either a built-in LB policy supported by gRPC or Envoy or |
| # a custom one implemented by the end user. |
| "customPolicy": { # The configuration for a custom policy implemented by the user and |
| # deployed with the client. |
| "data": "A String", # An optional, arbitrary JSON object with configuration data, understood |
| # by a locally installed custom policy implementation. |
| "name": "A String", # Identifies the custom policy. |
| # |
| # The value should match the name of a custom implementation registered |
| # on the gRPC clients. It should follow protocol buffer message naming |
| # conventions and include the full path (for example, |
| # myorg.CustomLbPolicy). The maximum length is 256 characters. |
| # |
| # Do not specify the same custom policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| # |
| # For an example of how to use this field, see Use
| # a custom policy. |
| }, |
| "policy": { # The configuration for a built-in load balancing policy. |
| "name": "A String", # The name of a locality load-balancing policy. Valid values include |
| # ROUND_ROBIN and, for Java clients, LEAST_REQUEST. For information |
| # about these values, see the description of localityLbPolicy. |
| # |
| # Do not specify the same policy more than once for a |
| # backend. If you do, the configuration is rejected. |
| }, |
| }, |
| ], |
| "localityLbPolicy": "A String", # The load balancing algorithm used within the scope of the locality. The |
| # possible values are: |
| # |
| # - ROUND_ROBIN: This is a simple policy in which each healthy |
| # backend is selected in round robin order. This is the default. |
| # - LEAST_REQUEST: An O(1) algorithm which |
| # selects two random healthy hosts and picks the host which has fewer active |
| # requests. |
| # - RING_HASH: The ring/modulo hash load balancer implements |
| # consistent hashing to backends. The algorithm has the property that the |
| # addition/removal of a host from a set of N hosts only affects 1/N of the |
| # requests. |
| # - RANDOM: The load balancer selects a random healthy |
| # host. |
| # - ORIGINAL_DESTINATION: Backend host is selected |
| # based on the client connection metadata, i.e., connections are opened to |
| # the same address as the destination address of the incoming connection |
| # before the connection was redirected to the load balancer. |
| # - MAGLEV: used as a drop in replacement for the ring hash |
| # load balancer. Maglev is not as stable as ring hash but has faster table |
| # lookup build times and host selection times. For more information about |
| # Maglev, see Maglev: |
| # A Fast and Reliable Software Network Load Balancer. |
| # - WEIGHTED_ROUND_ROBIN: Per-endpoint Weighted Round Robin |
| # Load Balancing using weights computed from Backend reported Custom Metrics. |
| # If set, the Backend Service responses are expected to contain non-standard |
| # HTTP response header field Endpoint-Load-Metrics. The reported |
| # metrics to use for computing the weights are specified via the customMetrics field.
| # |
| # This field is applicable to either: |
| # - A regional backend service with the service_protocol set to HTTP, |
| # HTTPS, HTTP2 or H2C, and load_balancing_scheme set to |
| # INTERNAL_MANAGED. |
| # - A global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED, INTERNAL_MANAGED, or |
| # EXTERNAL_MANAGED. |
| # |
| # |
| # If sessionAffinity is not configured—that is, if session |
| # affinity remains at the default value of NONE—then the |
| # default value for localityLbPolicy |
| # is ROUND_ROBIN. If session affinity is set to a value other |
| # than NONE, |
| # then the default value for localityLbPolicy is MAGLEV.
| # |
| # Only ROUND_ROBIN and RING_HASH are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # localityLbPolicy cannot be specified with haPolicy. |
| "logConfig": { # The available logging options for the load balancer traffic served by this
| # backend service.
| #
| # This field denotes the logging options for the load balancer traffic served
| # by this backend service. If logging is enabled, logs will be exported to
| # Stackdriver.
| "enable": True or False, # Denotes whether to enable logging for the load balancer |
| # traffic served by this backend service. The default value is false. |
| "optional": "A String", # Deprecated in favor of optionalMode. |
| # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "optionalFields": [ # This field can only be specified if logging is enabled for this backend |
| # service and "logConfig.optionalMode" was set to CUSTOM. Contains a list |
| # of optional fields you want to include in the logs. For example: |
| # serverInstance, serverGkeDetails.cluster, |
| # serverGkeDetails.pod.podNamespace |
| "A String", |
| ], |
| "optionalMode": "A String", # This field can only be specified if logging is enabled for this backend |
| # service. Configures whether all, none or a subset of optional fields |
| # should be added to the reported logs. One of [INCLUDE_ALL_OPTIONAL, |
| # EXCLUDE_ALL_OPTIONAL, CUSTOM]. Default is EXCLUDE_ALL_OPTIONAL. |
| "sampleRate": 3.14, # This field can only be specified if logging is enabled for this backend |
| # service. The value of the field must be in [0, 1]. This configures the |
| # sampling rate of requests to the load balancer where 1.0 means all logged |
| # requests are reported and 0.0 means no logged requests are reported. The |
| # default value is 1.0. |
| }, |
| "maxStreamDuration": { # A Duration represents a fixed-length span of time represented
| # as a count of seconds and fractions of seconds at nanosecond
| # resolution. It is independent of any calendar and concepts like "day"
| # or "month". Range is approximately 10,000 years.
| #
| # Specifies the default maximum duration (timeout) for streams to this
| # service. Duration is computed from the beginning of the stream until the
| # response has been completely processed, including all retries. A stream
| # that does not complete in this duration is closed.
| #
| # If not specified, there will be no timeout limit, i.e. the maximum
| # duration is infinite.
| #
| # This value can be overridden in the PathMatcher configuration of the
| # UrlMap that references this backend service.
| #
| # This field is only allowed when the loadBalancingScheme of
| # the backend service is INTERNAL_SELF_MANAGED.
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "metadatas": { # Deployment metadata associated with the resource to be set by a GKE hub |
| # controller and read by the backend RCTH |
| "a_key": "A String", |
| }, |
| "name": "A String", # Name of the resource. Provided by the client when the resource is created. |
| # The name must be 1-63 characters long, and comply with RFC1035.
| # Specifically, the name must be 1-63 characters long and match the regular |
| # expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first |
| # character must be a lowercase letter, and all following characters must |
| # be a dash, lowercase letter, or digit, except the last character, which |
| # cannot be a dash. |
| "network": "A String", # The URL of the network to which this backend service belongs. |
| # |
| # This field must be set for Internal Passthrough Network Load Balancers when
| # the haPolicy is enabled, and for External Passthrough Network Load
| # Balancers when the haPolicy fastIPMove is enabled.
| #
| # This field can only be specified when the load balancing scheme is set to INTERNAL, or when the load balancing scheme is set to EXTERNAL and haPolicy fastIPMove is enabled.
| "networkPassThroughLbTrafficPolicy": { # Configures traffic steering properties of internal passthrough Network |
| # Load Balancers. |
| # |
| # networkPassThroughLbTrafficPolicy cannot be specified with haPolicy. |
| "zonalAffinity": { # When configured, new connections are load balanced across healthy backend |
| # endpoints in the local zone. |
| "spillover": "A String", # This field indicates whether zonal affinity is enabled or not. The |
| # possible values are: |
| # |
| # - ZONAL_AFFINITY_DISABLED: Default Value. Zonal Affinity |
| # is disabled. The load balancer distributes new connections to all |
| # healthy backend endpoints across all zones. |
| # - ZONAL_AFFINITY_STAY_WITHIN_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there are no healthy |
| # backend endpoints in the local zone, the load balancer distributes |
| # new connections to all backend endpoints in the local zone. |
| # - ZONAL_AFFINITY_SPILL_CROSS_ZONE: Zonal Affinity is |
| # enabled. The load balancer distributes new connections to all healthy |
| # backend endpoints in the local zone only. If there aren't enough |
| # healthy backend endpoints in the local zone, the load balancer |
| # distributes new connections to all healthy backend endpoints across all |
| # zones. |
| "spilloverRatio": 3.14, # The value of the field must be in [0, 1]. When the ratio of the count |
| # of healthy backend endpoints in a zone to the count of backend |
| # endpoints in that same zone is equal to or above this threshold, the |
| # load balancer distributes new connections to all healthy endpoints in |
| # the local zone only. When the ratio of the count of healthy backend |
| # endpoints in a zone to the count of backend endpoints in that same |
| # zone is below this threshold, the load balancer distributes all new |
| # connections to all healthy endpoints across all zones. |
| }, |
| }, |
| "outlierDetection": { # Settings controlling the eviction of unhealthy hosts from the load balancing
| # pool for the backend service.
| #
| # Settings controlling the ejection of unhealthy backend endpoints from the
| # load balancing pool of each individual proxy instance that processes the
| # traffic for the given backend service. If not set, this feature is
| # considered disabled.
| #
| # Results of the outlier detection algorithm (ejection of endpoints from the
| # load balancing pool and returning them back to the pool) are executed
| # independently by each proxy instance of the load balancer. In most cases,
| # more than one proxy instance handles the traffic received by a backend
| # service. Thus, it is possible that an unhealthy endpoint is detected and
| # ejected by only some of the proxies, and while this happens, other proxies
| # may continue to send requests to the same unhealthy endpoint until they
| # detect and eject the unhealthy endpoint.
| #
| # Applicable backend endpoints can be:
| #
| # - VM instances in an Instance Group
| # - Endpoints in a Zonal NEG (GCE_VM_IP, GCE_VM_IP_PORT)
| # - Endpoints in a Hybrid Connectivity NEG (NON_GCP_PRIVATE_IP_PORT)
| # - Serverless NEGs, that resolve to Cloud Run, App Engine, or Cloud
| # Functions Services
| # - Private Service Connect NEGs, that resolve to
| # Google-managed regional API endpoints or managed services published using
| # Private Service Connect
| #
| # Applicable backend service types can be:
| #
| # - A global backend service with the loadBalancingScheme set to
| # INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED.
| # - A regional backend
| # service with the serviceProtocol set to HTTP, HTTPS, HTTP2 or H2C, and
| # loadBalancingScheme set to INTERNAL_MANAGED or EXTERNAL_MANAGED. Not
| # supported for Serverless NEGs.
| #
| # Not supported when the backend service is referenced by a URL map that is
| # bound to target gRPC proxy that has validateForProxyless field set to true.
| "baseEjectionTime": { # A Duration represents a fixed-length span of time represented
| # as a count of seconds and fractions of seconds at nanosecond
| # resolution. It is independent of any calendar and concepts like "day"
| # or "month". Range is approximately 10,000 years.
| #
| # The base time that a backend endpoint is ejected for. Defaults to 30000ms
| # or 30s.
| #
| # After a backend endpoint is returned back to the load balancing pool, it
| # can be ejected again in another ejection analysis. Thus, the total ejection
| # time is equal to the base ejection time multiplied by the number of times
| # the backend endpoint has been ejected.
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "consecutiveErrors": 42, # Number of consecutive errors before a backend endpoint is ejected from the |
| # load balancing pool. When the backend endpoint is accessed over HTTP, a 5xx |
| # return code qualifies as an error. Defaults to 5. |
| "consecutiveGatewayFailure": 42, # The number of consecutive gateway failures (502, 503, 504 status or |
| # connection errors that are mapped to one of those status codes) before a |
| # consecutive gateway failure ejection occurs. Defaults to 3. |
| "enforcingConsecutiveErrors": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive 5xx. This setting can be |
| # used to disable ejection or to ramp it up slowly. Defaults to 0. |
| "enforcingConsecutiveGatewayFailure": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through consecutive gateway failures. This |
| # setting can be used to disable ejection or to ramp it up slowly. Defaults |
| # to 100. |
| "enforcingSuccessRate": 42, # The percentage chance that a backend endpoint will be ejected when an |
| # outlier status is detected through success rate statistics. This setting |
| # can be used to disable ejection or to ramp it up slowly. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "interval": { # A Duration represents a fixed-length span of time represented
| # as a count of seconds and fractions of seconds at nanosecond
| # resolution. It is independent of any calendar and concepts like "day"
| # or "month". Range is approximately 10,000 years.
| #
| # Time interval between ejection analysis sweeps. This can result in both new
| # ejections and backend endpoints being returned to service. The interval is
| # equal to the number of seconds as defined in
| # outlierDetection.interval.seconds plus the number of nanoseconds as defined
| # in outlierDetection.interval.nanos. Defaults to 1 second.
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| "maxEjectionPercent": 42, # Maximum percentage of backend endpoints in the load balancing pool for the |
| # backend service that can be ejected if the ejection conditions are met. |
| # Defaults to 50%. |
| "successRateMinimumHosts": 42, # The number of backend endpoints in the load balancing pool that must have |
| # enough request volume to detect success rate outliers. If the number of |
| # backend endpoints is fewer than this setting, outlier detection via success |
| # rate statistics is not performed for any backend endpoint in the load |
| # balancing pool. Defaults to 5. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateRequestVolume": 42, # The minimum number of total requests that must be collected in one interval |
| # (as defined by the interval duration above) to include this backend |
| # endpoint in success rate based outlier detection. If the volume is lower |
| # than this setting, outlier detection via success rate statistics is not |
| # performed for that backend endpoint. Defaults to 100. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| "successRateStdevFactor": 42, # This factor is used to determine the ejection threshold for success rate |
| # outlier ejection. The ejection threshold is the difference between the mean |
| # success rate, and the product of this factor and the standard deviation of |
| # the mean success rate: mean - (stdev * successRateStdevFactor). This factor |
| # is divided by a thousand to get a double. That is, if the desired factor |
| # is 1.9, the runtime value should be 1900. Defaults to 1900. |
| # |
| # Not supported when the backend service uses Serverless NEG. |
| }, |
| "params": { # Additional Backend Service parameters. # [Input Only] Additional params passed with the request, but not persisted
| # as part of resource payload. |
| "resourceManagerTags": { # Tag keys/values directly bound to this resource. |
| # Tag keys and values have the same definition as resource |
| # manager tags. The field is allowed for INSERT |
| # only. The keys/values to set on the resource should be specified in |
| # either ID { : } or Namespaced format |
| # { : }. |
| # For example the following are valid inputs: |
| # * {"tagKeys/333" : "tagValues/444", "tagKeys/123" : "tagValues/456"} |
| # * {"123/environment" : "production", "345/abc" : "xyz"} |
| # Note: |
| # * Invalid combinations of ID & namespaced format are not supported. For
| # instance: {"123/environment" : "tagValues/444"} is invalid. |
| "a_key": "A String", |
| }, |
| }, |
| "port": 42, # Deprecated in favor of portName. The TCP port to connect on |
| # the backend. The default value is 80. |
| # For internal passthrough Network Load Balancers and external passthrough |
| # Network Load Balancers, omit port. |
| "portName": "A String", # A named port on a backend instance group representing the port for |
| # communication to the backend VMs in that group. The |
| # named port must be [defined on each backend instance |
| # group](https://cloud.google.com/load-balancing/docs/backend-service#named_ports). |
| # This parameter has no meaning if the backends are NEGs. For internal |
| # passthrough Network Load Balancers and external passthrough Network Load |
| # Balancers, omit port_name. |
| "protocol": "A String", # The protocol this BackendService uses to communicate |
| # with backends. |
| # |
| # Possible values are HTTP, HTTPS, HTTP2, H2C, TCP, SSL, UDP or GRPC,
| # depending on the chosen load balancer or Traffic Director configuration. |
| # Refer to the documentation for the load balancers or for Traffic Director |
| # for more information. |
| # |
| # Must be set to GRPC when the backend service is referenced by a URL map |
| # that is bound to target gRPC proxy. |
| "region": "A String", # [Output Only] URL of the region where the regional backend service |
| # resides. This field is not applicable to global backend services. |
| # You must specify this field as part of the HTTP request URL. It is |
| # not settable as a field in the request body. |
| "securityPolicy": "A String", # [Output Only] The resource URL for the security policy associated with this |
| # backend service. |
| "securitySettings": { # The authentication and authorization settings for a BackendService. # This field specifies the security settings that apply to this backend |
| # service. This field is applicable to a global backend service with the |
| # load_balancing_scheme set to INTERNAL_SELF_MANAGED. |
| "authentication": "A String", # [Deprecated] Use clientTlsPolicy instead. |
| "authenticationPolicy": { # [Deprecated] The authentication settings for the backend service. # [Deprecated] Authentication policy defines what authentication methods can
| # be accepted on backends, and if authenticated, which method/certificate
| # will set the request principal.
| "origins": [ # List of authentication methods that can be used for origin authentication. |
| # Similar to peers, these will be evaluated in order; the first valid one
| # will be used to set origin identity. If none of these methods pass, the |
| # request will be rejected with authentication failed error (401). Leave the |
| # list empty if origin authentication is not required. |
| { # [Deprecated] Configuration for the origin authentication method. |
| "jwt": { # [Deprecated] JWT configuration for origin authentication. |
| "audiences": [ # A JWT containing any of these audiences will be accepted. The service name |
| # will be accepted if audiences is empty. |
| # Examples: bookstore_android.apps.googleusercontent.com, |
| # bookstore_web.apps.googleusercontent.com |
| "A String", |
| ], |
| "issuer": "A String", # Identifies the issuer that issued the JWT, which is usually a URL or an |
| # email address. |
| # Examples: https://securetoken.google.com, |
| # [email protected] |
| "jwksPublicKeys": "A String", # The provider's public key set to validate the signature of the JWT. |
| "jwtHeaders": [ # jwt_headers and jwt_params define where to extract the JWT from an HTTP |
| # request. If no explicit location is specified, the following default |
| # locations are tried in order: |
| # |
| # 1. The Authorization header using the Bearer schema. See `here |
| # `_. Example: |
| # |
| # Authorization: Bearer . |
| # |
| # 2. `access_token` query parameter. See `this |
| # `_ |
| # |
| # Multiple JWTs can be verified for a request. Each JWT has to be extracted |
| # from the locations its issuer specified or from the default locations. |
| # |
| # This field is set if JWT is sent in a request header. This field specifies |
| # the header name. For example, if `header=x-goog-iap-jwt-assertion`, the |
| # header format will be x-goog-iap-jwt-assertion: . |
| { # [Deprecated] This message specifies a header location to extract JWT token. |
| # This message specifies a header location to extract JWT token. |
| "name": "A String", # The HTTP header name. |
| "valuePrefix": "A String", # The value prefix. The value format is "value_prefix" |
| # For example, for "Authorization: Bearer ", value_prefix="Bearer " |
| # with a space at the end. |
| }, |
| ], |
| "jwtParams": [ # This field is set if JWT is sent in a query parameter. This field specifies |
| # the query parameter name. For example, if jwt_params[0] is jwt_token, the |
| # JWT format in the query parameter is /path?jwt_token=. |
| "A String", |
| ], |
| }, |
| }, |
| ], |
| "peers": [ # List of authentication methods that can be used for peer authentication. |
| # They will be evaluated in order; the first valid one will be used to set |
| # peer identity. If none of these methods pass, the request will be rejected |
| # with authentication failed error (401). Leave the list empty if peer |
| # authentication is not required. |
| { # [Deprecated] Configuration for the peer authentication method. |
| # Configuration for the peer authentication method. |
| "mtls": { # [Deprecated] Configuration for the mutual Tls mode for peer authentication. # Set if mTLS is used for peer authentication. |
| # Configuration for the mutual Tls mode for peer authentication. |
| "mode": "A String", # Specifies if the server TLS is configured to be strict or permissive. This |
| # field can be set to one of the following: |
| # STRICT: Client certificate must be presented, connection is in TLS. |
| # PERMISSIVE: Client certificate can be omitted, connection can be either |
| # plaintext or TLS. |
| }, |
| }, |
| ], |
| "principalBinding": "A String", # Define whether peer or origin identity should be used for principal. |
| # Default value is USE_PEER. If peer (or origin) identity is not available, |
| # either because peer/origin authentication is not defined, or failed, |
| # principal will be left unset. In other words, binding rule does not affect |
| # the decision to accept or reject request. This field can be set to one of |
| # the following: |
| # USE_PEER: Principal will be set to the identity from peer authentication. |
| # USE_ORIGIN: Principal will be set to the identity from origin |
| # authentication. |
| "serverTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain server-side security certificates and |
| # identity information. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server # Defines the mechanism to obtain the client or server certificate. |
| # certificate. |
| # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| # certificate to validate the client/server certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| }, |
| "authorizationConfig": { # [Deprecated] Authorization configuration provides service-level and # [Deprecated] Authorization config defines the Role Based Access Control |
| # (RBAC) config. |
| # Authorization config defines the Role Based Access Control (RBAC) config. |
| # method-level access control for a service. |
| "policies": [ # List of RbacPolicies. |
| { |
| "name": "A String", # Name of the RbacPolicy. |
| "permissions": [ # The list of permissions. |
| { # [Deprecated] All fields defined in a permission are ANDed. |
| "constraints": [ # Extra custom constraints. The constraints are ANDed together. |
| { # Custom constraint that specifies a key and a list of allowed values for |
| # Istio attributes. |
| "key": "A String", # Key of the constraint. |
| "values": [ # A list of allowed values. |
| "A String", |
| ], |
| }, |
| ], |
| "hosts": [ # Used in Ingress or Egress Gateway cases to specify hosts that the policy |
| # applies to. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "methods": [ # HTTP method. |
| "A String", |
| ], |
| "notHosts": [ # Negate of hosts. Specifies exclusions. |
| "A String", |
| ], |
| "notMethods": [ # Negate of methods. Specifies exclusions. |
| "A String", |
| ], |
| "notPaths": [ # Negate of paths. Specifies exclusions. |
| "A String", |
| ], |
| "notPorts": [ # Negate of ports. Specifies exclusions. |
| "A String", |
| ], |
| "paths": [ # HTTP request paths or gRPC methods. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ports": [ # Port names or numbers. |
| "A String", |
| ], |
| }, |
| ], |
| "principals": [ # The list of principals. |
| { # [Deprecated] All fields defined in a principal are ANDed. |
| "condition": "A String", # An expression to specify custom condition. |
| "groups": [ # The groups the principal belongs to. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "ips": [ # IPv4 or IPv6 address or range (In CIDR format) |
| "A String", |
| ], |
| "namespaces": [ # The namespaces. Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| "notGroups": [ # Negate of groups. Specifies exclusions. |
| "A String", |
| ], |
| "notIps": [ # Negate of IPs. Specifies exclusions. |
| "A String", |
| ], |
| "notNamespaces": [ # Negate of namespaces. Specifies exclusions. |
| "A String", |
| ], |
| "notUsers": [ # Negate of users. Specifies exclusions. |
| "A String", |
| ], |
| "properties": { # A map of Istio attribute to expected values. Exact match, prefix match, and |
| # suffix match are supported for values. For example, |
| # `request.headers[version]: "v1"`. The properties are ANDed together. |
| "a_key": "A String", |
| }, |
| "users": [ # The user names/IDs or service accounts. |
| # Exact match, prefix match, and suffix match are supported. |
| "A String", |
| ], |
| }, |
| ], |
| }, |
| ], |
| }, |
| "awsV4Authentication": { # Contains the configurations necessary to generate a signature for access to # The configuration needed to generate a signature for access to private |
| # storage buckets that support AWS's Signature Version 4 for authentication. |
| # Allowed only for INTERNET_IP_PORT and INTERNET_FQDN_PORT NEG backends. |
| # private storage buckets that support Signature Version 4 for authentication. |
| # The service name for generating the authentication header will always default |
| # to 's3'. |
| "accessKey": "A String", # The access key used for s3 bucket authentication. Required for updating or |
| # creating a backend that uses AWS v4 signature authentication, but will not |
| # be returned as part of the configuration when queried with a REST API GET |
| # request. |
| # |
| # @InputOnly |
| "accessKeyId": "A String", # The identifier of an access key used for s3 bucket authentication. |
| "accessKeyVersion": "A String", # The optional version identifier for the access key. You can use this to |
| # keep track of different iterations of your access key. |
| "originRegion": "A String", # The name of the cloud region of your origin. This is a free-form field with |
| # the name of the region your cloud uses to host your origin. For example, |
| # "us-east-1" for AWS or "us-ashburn-1" for OCI. |
| }, |
| "clientTlsPolicy": "A String", # Optional. A URL referring to a networksecurity.ClientTlsPolicy resource |
| # that describes how clients should authenticate with this service's |
| # backends. |
| # |
| # clientTlsPolicy only applies to a globalBackendService with the loadBalancingScheme set |
| # to INTERNAL_SELF_MANAGED. |
| # |
| # If left blank, communications are not encrypted. |
| "clientTlsSettings": { # [Deprecated] The client side authentication settings for connection # [Deprecated] TLS Settings for the backend service. |
| # originating from the backend service. |
| "clientTlsContext": { # [Deprecated] The TLS settings for the client or server. # Configures the mechanism to obtain client-side security certificates and |
| # identity information. This field is only applicable when mode is set to |
| # MUTUAL. |
| # The TLS settings for the client or server. |
| "certificateContext": { # [Deprecated] Defines the mechanism to obtain the client or server # Defines the mechanism to obtain the client or server certificate. |
| # certificate. |
| # Defines the mechanism to obtain the client or server certificate. |
| "certificatePaths": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # Specifies the certificate and private key paths. This field is |
| # applicable only if tlsCertificateSource is set to USE_PATH. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "certificateSource": "A String", # Defines how TLS certificates are obtained. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| }, |
| "validationContext": { # [Deprecated] Defines the mechanism to obtain the Certificate Authority # Defines the mechanism to obtain the Certificate Authority certificate to |
| # validate the client/server certificate. If omitted, the proxy will not |
| # validate the server or client certificate. |
| # certificate to validate the client/server certificate. |
| "certificatePath": "A String", # The path to the file holding the CA certificate to validate the |
| # client or server certificate. |
| "sdsConfig": { # [Deprecated] The configuration to access the SDS server. # Specifies the config to retrieve certificates through SDS. This field |
| # is applicable only if tlsCertificateSource is set to USE_SDS. |
| # The configuration to access the SDS server. |
| "grpcServiceConfig": { # [Deprecated] gRPC config to access the SDS server. # The configuration to access the SDS server over GRPC. |
| # gRPC config to access the SDS server. |
| "callCredentials": { # [Deprecated] gRPC call credentials to access the SDS server. # The call credentials to access the SDS server. |
| # gRPC call credentials to access the SDS server. |
| "callCredentialType": "A String", # The type of call credentials to use for GRPC requests to the SDS server. |
| # This field can be set to one of the following: |
| # |
| # - GCE_VM: The local GCE VM service account credentials are used to access |
| # the SDS server. |
| # - FROM_PLUGIN: Custom authenticator credentials are used to access the |
| # SDS server. |
| "fromPlugin": { # [Deprecated] Custom authenticator credentials. # Custom authenticator credentials. Valid if callCredentialType is |
| # FROM_PLUGIN. |
| # Custom authenticator credentials. |
| "name": "A String", # Plugin name. |
| "structConfig": "A String", # A text proto that conforms to a Struct type definition interpreted by the |
| # plugin. |
| }, |
| }, |
| "channelCredentials": { # [Deprecated] gRPC channel credentials to access the SDS server. # The channel credentials to access the SDS server. |
| # gRPC channel credentials to access the SDS server. |
| "certificates": { # [Deprecated] The paths to the mounted TLS Certificates and private key. # The call credentials to access the SDS server. |
| # The paths to the mounted TLS Certificates and private key. |
| "certificatePath": "A String", # The path to the file holding the client or server TLS certificate to use. |
| "privateKeyPath": "A String", # The path to the file holding the client or server private key. |
| }, |
| "channelCredentialType": "A String", # The channel credentials to access the SDS server. This field can be set |
| # to one of the following: |
| # CERTIFICATES: Use TLS certificates to access the SDS server. |
| # GCE_VM: Use local GCE VM credentials to access the SDS server. |
| }, |
| "targetUri": "A String", # The target URI of the SDS server. |
| }, |
| }, |
| "validationSource": "A String", # Defines how TLS certificates are obtained. |
| }, |
| }, |
| "mode": "A String", # Indicates whether connections to this port should be secured using TLS. |
| # The value of this field determines how TLS is enforced. This can be set |
| # to one of the following values: DISABLE: Do not setup a TLS connection to |
| # the backends. |
| # SIMPLE: Originate a TLS connection to the backends. |
| # MUTUAL: Secure connections to the backends using mutual TLS by presenting |
| # client certificates for authentication. |
| "sni": "A String", # SNI string to present to the server during TLS handshake. This field is |
| # applicable only when mode is SIMPLE or MUTUAL. |
| "subjectAltNames": [ # A list of alternate names to verify the subject identity in the |
| # certificate. If specified, |
| # the proxy will verify that the server certificate's subject alt name |
| # matches one of the specified values. This field is applicable only when |
| # mode is SIMPLE or MUTUAL. |
| "A String", |
| ], |
| }, |
| "subjectAltNames": [ # Optional. A list of Subject Alternative Names (SANs) that the client |
| # verifies during a mutual TLS handshake with a server/endpoint for this BackendService. When the server presents its X.509 certificate |
| # to the client, the client inspects the certificate's subjectAltName field. If the field contains one of the |
| # specified values, the communication continues. Otherwise, it fails. This |
| # additional check enables the client to verify that the server is authorized |
| # to run the requested service. |
| # |
| # Note that the contents of the server |
| # certificate's subjectAltName field are configured by the |
| # Public Key Infrastructure which provisions server identities. |
| # |
| # Only applies to a global BackendService with loadBalancingScheme set to INTERNAL_SELF_MANAGED. |
| # Only applies when BackendService has an attached clientTlsPolicy with clientCertificate (mTLS |
| # mode). |
| "A String", |
| ], |
| }, |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "serviceBindings": [ # URLs of networkservices.ServiceBinding resources. |
| # |
| # Can only be set if load balancing scheme is INTERNAL_SELF_MANAGED. |
| # If set, lists of backends and health checks must be both empty. |
| "A String", |
| ], |
| "serviceLbPolicy": "A String", # URL to networkservices.ServiceLbPolicy resource. |
| # |
| # Can only be set if load balancing scheme is EXTERNAL_MANAGED, |
| # INTERNAL_MANAGED or INTERNAL_SELF_MANAGED and the scope is global. |
| "sessionAffinity": "A String", # Type of session affinity to use. The default is NONE. |
| # |
| # Only NONE and HEADER_FIELD are supported |
| # when the backend service is referenced by a URL map that is bound to |
| # target gRPC proxy that has validateForProxyless field set to true. |
| # |
| # For more details, see: |
| # [Session |
| # Affinity](https://cloud.google.com/load-balancing/docs/backend-service#session_affinity). |
| # |
| # sessionAffinity cannot be specified with haPolicy. |
| "strongSessionAffinityCookie": { # The HTTP cookie used for stateful session affinity. # Describes the HTTP cookie used for stateful session affinity. This field is |
| # applicable and required if the sessionAffinity is set to STRONG_COOKIE_AFFINITY. |
| "name": "A String", # Name of the cookie. |
| "path": "A String", # Path to set for the cookie. |
| "ttl": { # A Duration represents a fixed-length span of time represented # Lifetime of the cookie. |
| # as a count of seconds and fractions of seconds at nanosecond |
| # resolution. It is independent of any calendar and concepts like "day" |
| # or "month". Range is approximately 10,000 years. |
| "nanos": 42, # Span of time that's a fraction of a second at nanosecond resolution. |
| # Durations less than one second are represented with a 0 |
| # `seconds` field and a positive `nanos` field. Must be from 0 |
| # to 999,999,999 inclusive. |
| "seconds": "A String", # Span of time at a resolution of a second. Must be from 0 |
| # to 315,576,000,000 inclusive. Note: these bounds are computed from: |
| # 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| }, |
| }, |
| "subsetting": { # Subsetting configuration for this BackendService. # subsetting cannot be specified with haPolicy. |
| # Currently this is applicable only for Internal TCP/UDP load balancing, |
| # Internal HTTP(S) load balancing and Traffic Director. |
| "policy": "A String", |
| "subsetSize": 42, # The number of backends per backend group assigned to each proxy instance or |
| # each service mesh client. |
| # |
| # An input parameter to the `CONSISTENT_HASH_SUBSETTING` algorithm. |
| # Can only be set if `policy` is set to `CONSISTENT_HASH_SUBSETTING`. |
| # Can only be set if load balancing scheme is `INTERNAL_MANAGED` or |
| # `INTERNAL_SELF_MANAGED`. |
| # |
| # `subset_size` is optional for Internal HTTP(S) load balancing |
| # and required for Traffic Director. |
| # |
| # If you do not provide this value, Cloud Load Balancing will calculate it |
| # dynamically to optimize the number of proxies/clients visible to each |
| # backend and vice versa. |
| # |
| # Must be greater than 0. If `subset_size` is larger than the number of |
| # backends/endpoints, then subsetting is disabled. |
| }, |
| "timeoutSec": 42, # The backend service timeout has a different meaning depending on the |
| # type of load balancer. For more information, see |
| # Backend service settings. |
| # The default is 30 seconds. |
| # The full range of timeout values allowed goes from 1 |
| # through 2,147,483,647 seconds. |
| # |
| # This value can be overridden in the PathMatcher configuration of the |
| # UrlMap that references this backend service. |
| # |
| # Not supported when the backend service is referenced by a URL map that is |
| # bound to target gRPC proxy that has validateForProxyless field set to true. |
| # Instead, use maxStreamDuration. |
| "tlsSettings": { # Configuration for Backend Authenticated TLS and mTLS. May only be specified |
| # when the backend protocol is SSL, HTTPS or HTTP2. |
| "authenticationConfig": "A String", # Reference to the BackendAuthenticationConfig resource from the |
| # networksecurity.googleapis.com namespace. Can be used in authenticating |
| # TLS connections to the backend, as specified by the authenticationMode |
| # field. Can only be specified if authenticationMode is not NONE. |
| "identity": "A String", # Assigns the Managed Identity for the BackendService Workload. |
| # |
| # |
| # Use this property to configure the load balancer back-end to use |
| # certificates and roots of trust provisioned by the Managed Workload |
| # Identity system. |
| # |
| # The `identity` property is the |
| # fully-specified SPIFFE ID to use in the SVID presented by the Load |
| # Balancer Workload. |
| # |
| # The SPIFFE ID must be a resource starting with the |
| # `trustDomain` property value, followed by the path to the Managed |
| # Workload Identity. |
| # |
| # Supported SPIFFE ID format: |
| # |
| # - //<trust_domain>/ns/<namespace>/sa/<subject> |
| # |
| # |
| # The Trust Domain within the Managed Identity must refer to a valid |
| # Workload Identity Pool. The TrustConfig and CertificateIssuanceConfig |
| # will be inherited from the Workload Identity Pool. |
| # |
| # Restrictions: |
| # |
| # - If you set the `identity` property, you cannot manually set |
| # the following fields: |
| # - tlsSettings.sni |
| # - tlsSettings.subjectAltNames |
| # - tlsSettings.authenticationConfig |
| # |
| # |
| # When defining an `identity` for a RegionBackendServices, the |
| # corresponding Workload Identity Pool must have a ca_pool |
| # configured in the same region. |
| # |
| # The system will set up a read-only tlsSettings.authenticationConfig for the Managed Identity. |
| "sni": "A String", # Server Name Indication - see RFC3546 section 3.1. If set, the load |
| # balancer sends this string as the SNI hostname in the TLS connection to |
| # the backend, and requires that this string match a Subject Alternative |
| # Name (SAN) in the backend's server certificate. With a Regional Internet |
| # NEG backend, if the SNI is specified here, the load balancer uses it |
| # regardless of whether the Regional Internet NEG is specified with FQDN or |
| # IP address and port. When both sni and subjectAltNames[] are specified, |
| # the load balancer matches the backend certificate's SAN only to |
| # subjectAltNames[]. |
| "subjectAltNames": [ # A list of Subject Alternative Names (SANs) that the Load Balancer |
| # verifies during a TLS handshake with the backend. When the server |
| # presents its X.509 certificate to the Load Balancer, the Load Balancer |
| # inspects the certificate's SAN field, and requires that at least one SAN |
| # match one of the subjectAltNames in the list. This field is limited to 5 |
| # entries. When both sni and subjectAltNames[] are specified, the load |
| # balancer matches the backend certificate's SAN only to subjectAltNames[]. |
| { # A Subject Alternative Name that the load balancer matches against the SAN |
| # field in the TLS certificate provided by the backend, specified as either |
| # a DNS name or a URI, in accordance with RFC 5280 4.2.1.6 |
| "dnsName": "A String", # The SAN specified as a DNS Name. |
| "uniformResourceIdentifier": "A String", # The SAN specified as a URI. |
| }, |
| ], |
| }, |
| "usedBy": [ # [Output Only] List of resources referencing given backend service. |
| { |
| "reference": "A String", # [Output Only] Server-defined URL for resources referencing given |
| # BackendService like UrlMaps, TargetTcpProxies, TargetSslProxies |
| # and ForwardingRule. |
| }, |
| ], |
| "vpcNetworkScope": "A String", # The network scope of the backends that can be added to the backend |
| # service. This field can be either GLOBAL_VPC_NETWORK or REGIONAL_VPC_NETWORK. |
| # |
| # A backend service with the VPC scope set to GLOBAL_VPC_NETWORK |
| # is only allowed to have backends in global VPC networks. |
| # |
| # When the VPC scope is set to REGIONAL_VPC_NETWORK the backend |
| # service is only allowed to have backends in regional networks in the same |
| # scope as the backend service. |
| # Note: if not specified then GLOBAL_VPC_NETWORK will be used. |
| } |
| |
| requestId: string, An optional request ID to identify requests. Specify a unique request ID so |
| that if you must retry your request, the server will know to ignore the |
| request if it has already been completed. |
| |
| For example, consider a situation where you make an initial request and |
| the request times out. If you make the request again with the same |
| request ID, the server can check if the original operation with the same |
| request ID was received, and if so, will ignore the second request. This |
| prevents clients from accidentally creating duplicate commitments. |
| |
| The request ID must be |
| a valid UUID with the exception that zero UUID is not supported |
| (00000000-0000-0000-0000-000000000000). |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Represents an Operation resource. |
| # |
| # Google Compute Engine has three Operation resources: |
| # |
| # * [Global](/compute/docs/reference/rest/alpha/globalOperations) |
| # * [Regional](/compute/docs/reference/rest/alpha/regionOperations) |
| # * [Zonal](/compute/docs/reference/rest/alpha/zoneOperations) |
| # |
| # You can use an operation resource to manage asynchronous API requests. |
| # For more information, read Handling |
| # API responses. |
| # |
| # Operations can be global, regional or zonal. |
| # |
| # - For global operations, use the `globalOperations` |
| # resource. |
| # - For regional operations, use the |
| # `regionOperations` resource. |
| # - For zonal operations, use |
| # the `zoneOperations` resource. |
| # |
| # |
| # |
| # For more information, read |
| # Global, Regional, and Zonal Resources. |
| # |
| # Note that completed Operation resources have a limited |
| # retention period. |
| "clientOperationId": "A String", # [Output Only] The value of `requestId` if you provided it in the request. |
| # Not present otherwise. |
| "creationTimestamp": "A String", # [Deprecated] This field is deprecated. |
| "description": "A String", # [Output Only] A textual description of the operation, which is |
| # set when the operation is created. |
| "endTime": "A String", # [Output Only] The time that this operation was completed. This value is in RFC3339 |
| # text format. |
| "error": { # [Output Only] If errors are generated during processing of the operation, |
| # this field will be populated. |
| "errors": [ # [Output Only] The array of errors encountered while processing this |
| # operation. |
| { |
| "code": "A String", # [Output Only] The error type identifier for this error. |
| "errorDetails": [ # [Output Only] An optional list of messages that contain the error |
| # details. There is a set of defined message types to use for providing |
| # details. The syntax depends on the error code. For example, |
| # QuotaExceededInfo will have details when the error code is |
| # QUOTA_EXCEEDED. |
| { |
| "errorInfo": { # Describes the cause of the error with structured details. |
| # |
| # Example of an error when contacting the "pubsub.googleapis.com" API when it |
| # is not enabled: |
| # |
| # { "reason": "API_DISABLED", |
| # "domain": "googleapis.com", |
| # "metadata": { |
| # "resource": "projects/123", |
| # "service": "pubsub.googleapis.com" |
| # } |
| # } |
| # |
| # This response indicates that the pubsub.googleapis.com API is not enabled. |
| # |
| # Example of an error that is returned when attempting to create a Spanner |
| # instance in a region that is out of stock: |
| # |
| # { "reason": "STOCKOUT", |
| # "domain": "spanner.googleapis.com", |
| # "metadata": { |
| # "availableRegions": "us-central1,us-east2" |
| # } |
| # } |
| "domain": "A String", # The logical grouping to which the "reason" belongs. The error domain |
| # is typically the registered service name of the tool or product that |
| # generates the error. Example: "pubsub.googleapis.com". If the error is |
| # generated by some common infrastructure, the error domain must be a |
| # globally unique value that identifies the infrastructure. For Google API |
| # infrastructure, the error domain is "googleapis.com". |
| "metadatas": { # Additional structured details about this error. |
| # |
| # Keys must match a regular expression of `a-z+` but should |
| # ideally be lowerCamelCase. Also, they must be limited to 64 characters in |
| # length. When identifying the current value of an exceeded limit, the units |
| # should be contained in the key, not the value. For example, rather than |
| # `{"instanceLimit": "100/request"}`, should be returned as, |
| # `{"instanceLimitPerRequest": "100"}`, if the client exceeds the number of |
| # instances that can be created in a single (batch) request. |
| "a_key": "A String", |
| }, |
| "reason": "A String", # The reason of the error. This is a constant value that identifies the |
| # proximate cause of the error. Error reasons are unique within a particular |
| # domain of errors. This should be at most 63 characters and match a |
| # regular expression of `A-Z+[A-Z0-9]`, which represents |
| # UPPER_SNAKE_CASE. |
| }, |
| "help": { # Provides links to documentation or for performing an out of band action. |
| # |
| # For example, if a quota check failed with an error indicating the calling |
| # project hasn't enabled the accessed service, this can contain a URL pointing |
| # directly to the right place in the developer console to flip the bit. |
| "links": [ # URL(s) pointing to additional information on handling the current error. |
| { # Describes a URL link. |
| "description": "A String", # Describes what the link offers. |
| "url": "A String", # The URL of the link. |
| }, |
| ], |
| }, |
| "localizedMessage": { # Provides a localized error message that is safe to return to the user |
| # which can be attached to an RPC error. |
| "locale": "A String", # The locale used following the specification defined at |
| # https://www.rfc-editor.org/rfc/bcp/bcp47.txt. |
| # Examples are: "en-US", "fr-CH", "es-MX" |
| "message": "A String", # The localized error message in the above locale. |
| }, |
| "quotaInfo": { # Additional details for quota exceeded error for resource quota. |
| "dimensions": { # The map holding related quota dimensions. |
| "a_key": "A String", |
| }, |
| "futureLimit": 3.14, # Future quota limit being rolled out. The limit's unit depends on the quota |
| # type or metric. |
| "limit": 3.14, # Current effective quota limit. The limit's unit depends on the quota type |
| # or metric. |
| "limitName": "A String", # The name of the quota limit. |
| "metricName": "A String", # The Compute Engine quota metric name. |
| "rolloutStatus": "A String", # Rollout status of the future quota limit. |
| }, |
| }, |
| ], |
| "location": "A String", # [Output Only] Indicates the field in the request that caused the error. |
| # This property is optional. |
| "message": "A String", # [Output Only] An optional, human-readable error message. |
| }, |
| ], |
| }, |
| "httpErrorMessage": "A String", # [Output Only] If the operation fails, this field contains the HTTP error |
| # message that was returned, such as `NOT FOUND`. |
| "httpErrorStatusCode": 42, # [Output Only] If the operation fails, this field contains the HTTP error |
| # status code that was returned. For example, a `404` means the |
| # resource was not found. |
| "id": "A String", # [Output Only] The unique identifier for the operation. This identifier is |
| # defined by the server. |
| "insertTime": "A String", # [Output Only] The time that this operation was requested. |
| # This value is in RFC3339 |
| # text format. |
| "instancesBulkInsertOperationMetadata": { |
| "perLocationStatus": { # Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "createdVmCount": 42, # [Output Only] Count of VMs successfully created so far. |
| "deletedVmCount": 42, # [Output Only] Count of VMs that got deleted during rollback. |
| "failedToCreateVmCount": 42, # [Output Only] Count of VMs that started creating but encountered an |
| # error. |
| "status": "A String", # [Output Only] Creation status of BulkInsert operation - information |
| # if the flow is rolling forward or rolling back. |
| "targetVmCount": 42, # [Output Only] Count of VMs originally planned to be created. |
| }, |
| }, |
| }, |
| "kind": "compute#operation", # [Output Only] Type of the resource. Always `compute#operation` for |
| # Operation resources. |
| "name": "A String", # [Output Only] Name of the operation. |
| "operationGroupId": "A String", # [Output Only] An ID that represents a group of operations, such as when a |
| # group of operations results from a `bulkInsert` API request. |
| "operationType": "A String", # [Output Only] The type of operation, such as `insert`, |
| # `update`, or `delete`, and so on. |
| "progress": 42, # [Output Only] An optional progress indicator that ranges from 0 to 100. |
| # There is no requirement that this be linear or support any granularity of |
| # operations. This should not be used to guess when the operation will be |
| # complete. This number should monotonically increase as the operation |
| # progresses. |
| "region": "A String", # [Output Only] The URL of the region where the operation resides. Only |
| # applicable when performing regional operations. |
| "selfLink": "A String", # [Output Only] Server-defined URL for the resource. |
| "selfLinkWithId": "A String", # [Output Only] Server-defined URL for this resource with the resource id. |
| "setCommonInstanceMetadataOperationMetadata": { # [Output Only] If the operation is for projects.setCommonInstanceMetadata, |
| # this field will contain information on all underlying zonal actions and |
| # their state. |
| "clientOperationId": "A String", # [Output Only] The client operation id. |
| "perLocationOperations": { # [Output Only] Status information per location (location name is key). |
| # Example key: zones/us-central1-a |
| "a_key": { |
| "error": { # [Output Only] If state is `ABANDONED` or `FAILED`, this field is |
| # populated. |
| # |
| # The `Status` type defines a logical error model that is suitable for |
| # different programming environments, including REST APIs and RPC APIs. It is |
| # used by [gRPC](https://github.com/grpc). Each `Status` message contains |
| # three pieces of data: error code, error message, and error details. |
| # |
| # You can find out more about this error model and how to work with it in the |
| # [API Design Guide](https://cloud.google.com/apis/design/errors). |
| "code": 42, # The status code, which should be an enum value of google.rpc.Code. |
| "details": [ # A list of messages that carry the error details. There is a common set of |
| # message types for APIs to use. |
| { |
| "a_key": "", # Properties of the object. Contains field @type with type URL. |
| }, |
| ], |
| "message": "A String", # A developer-facing error message, which should be in English. Any |
| # user-facing error message should be localized and sent in the |
| # google.rpc.Status.details field, or localized by the client. |
| }, |
| "state": "A String", # [Output Only] Status of the action, which can be one of the following: |
| # `PROPAGATING`, `PROPAGATED`, `ABANDONED`, `FAILED`, or `DONE`. |
| }, |
| }, |
| }, |
| "startTime": "A String", # [Output Only] The time that this operation was started by the server. |
| # This value is in RFC3339 |
| # text format. |
| "status": "A String", # [Output Only] The status of the operation, which can be one of the |
| # following: |
| # `PENDING`, `RUNNING`, or `DONE`. |
| "statusMessage": "A String", # [Output Only] An optional textual description of the current status of the |
| # operation. |
| "targetId": "A String", # [Output Only] The unique target ID, which identifies a specific incarnation |
| # of the target resource. |
| "targetLink": "A String", # [Output Only] The URL of the resource that the operation modifies. For |
| # operations related to creating a snapshot, this points to the disk |
| # that the snapshot was created from. |
| "user": "A String", # [Output Only] User who requested the operation, for example: |
| # `[email protected]` or |
| # `alice_smith_identifier (global/workforcePools/example-com-us-employees)`. |
| "warnings": [ # [Output Only] If warning messages are generated during processing of the |
| # operation, this field will be populated. |
| { |
| "code": "A String", # [Output Only] A warning code, if applicable. For example, Compute |
| # Engine returns NO_RESULTS_ON_PAGE if there |
| # are no results in the response. |
| "data": [ # [Output Only] Metadata about this warning in key: value format. |
| # For example: |
| # |
| # "data": [ |
| # { |
| # "key": "scope", |
| # "value": "zones/us-east1-d" |
| # } |
| # ] |
| { |
| "key": "A String", # [Output Only] A key that provides more detail on the warning being |
| # returned. For example, for warnings where there are no results in a list |
| # request for a particular zone, this key might be scope and |
| # the key value might be the zone name. Other examples might be a key |
| # indicating a deprecated resource and a suggested replacement, or a |
| # warning about invalid network settings (for example, if an instance |
| # attempts to perform IP forwarding but is not enabled for IP forwarding). |
| "value": "A String", # [Output Only] A warning data value corresponding to the key. |
| }, |
| ], |
| "message": "A String", # [Output Only] A human-readable description of the warning code. |
| }, |
| ], |
| "zone": "A String", # [Output Only] The URL of the zone where the operation resides. Only |
| # applicable when performing per-zone operations. |
| }</pre> |
| </div> |
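The requestId and Operation fields documented above, worked through as an added example (not part of the generated reference or of the client library): it validates a requestId, reuses one ID across retries so a timed-out request is not applied twice, and summarizes the returned Operation. `FakeServer`, `call_with_retries`, `operation_outcome` and the sample body are constructed for illustration and assume the server deduplicates by requestId as the description states.

```python
import uuid

ZERO_UUID = "00000000-0000-0000-0000-000000000000"

def validate_request_id(request_id):
    """Return the canonical requestId, or raise ValueError if it is unusable."""
    try:
        canonical = str(uuid.UUID(request_id))
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError(f"requestId is not a valid UUID: {request_id!r}") from exc
    if canonical == ZERO_UUID:
        raise ValueError("the zero UUID is not supported as requestId")
    return canonical

def call_with_retries(send, body, attempts=3):
    """Call send(body, request_id), reusing ONE requestId across every retry."""
    request_id = validate_request_id(str(uuid.uuid4()))
    for attempt in range(1, attempts + 1):
        try:
            return request_id, send(body, request_id)
        except TimeoutError:
            if attempt == attempts:
                raise

def operation_outcome(op, sent_request_id):
    """Summarize an Operation dict using only the fields documented above."""
    errors = [(e.get("code"), e.get("location"), e.get("message"))
              for e in op.get("error", {}).get("errors", [])]
    done = op.get("status") == "DONE"
    return {
        "done": done,
        "request_id_echoed": op.get("clientOperationId") == sent_request_id,
        "errors": errors,
        "warnings": [w.get("code") for w in op.get("warnings", [])],
        "succeeded": done and not errors,  # DONE alone does not mean success
    }

class FakeServer:
    """Constructed stand-in for the API: applies a change once per requestId."""
    def __init__(self):
        self.applied = {}  # requestId -> Operation dict
        self.calls = 0

    def send(self, body, request_id):
        self.calls += 1
        op = self.applied.setdefault(request_id, {
            "kind": "compute#operation", "status": "DONE",
            "clientOperationId": request_id, "warnings": []})
        if self.calls == 1:  # the first response is lost in transit
            raise TimeoutError("constructed timeout")
        return op
```

An Operation with status `DONE` can still carry entries in `error.errors`, so treat the change as applied only when `succeeded` is true.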
| |
| </body></html> |