From 6cfc5530a5198d6b509d7045cb8f632e289cb547 Mon Sep 17 00:00:00 2001 From: Google APIs Date: Fri, 15 Mar 2024 11:10:38 -0700 Subject: [PATCH] feat: add new final state fields to Network Management API version v1 docs: update final state comments in Network Management API version v1 PiperOrigin-RevId: 616187354 --- google/cloud/networkmanagement/v1/BUILD.bazel | 1 + google/cloud/networkmanagement/v1/trace.proto | 320 +++++++++++++----- 2 files changed, 236 insertions(+), 85 deletions(-) diff --git a/google/cloud/networkmanagement/v1/BUILD.bazel b/google/cloud/networkmanagement/v1/BUILD.bazel index 5093ac2aa37e1..12e4cac64acde 100644 --- a/google/cloud/networkmanagement/v1/BUILD.bazel +++ b/google/cloud/networkmanagement/v1/BUILD.bazel @@ -32,6 +32,7 @@ proto_library( "//google/api:annotations_proto", "//google/api:client_proto", "//google/api:field_behavior_proto", + "//google/api:field_info_proto", "//google/api:resource_proto", "//google/longrunning:operations_proto", "//google/rpc:status_proto", diff --git a/google/cloud/networkmanagement/v1/trace.proto b/google/cloud/networkmanagement/v1/trace.proto index 1fcbd6daa9368..2204e1e5c2eb0 100644 --- a/google/cloud/networkmanagement/v1/trace.proto +++ b/google/cloud/networkmanagement/v1/trace.proto @@ -17,6 +17,7 @@ syntax = "proto3"; package google.cloud.networkmanagement.v1; import "google/api/field_behavior.proto"; +import "google/api/field_info.proto"; option csharp_namespace = "Google.Cloud.NetworkManagement.V1"; option go_package = "cloud.google.com/go/networkmanagement/apiv1/networkmanagementpb;networkmanagementpb"; 
@@ -801,6 +802,18 @@ message DeliverInfo { // Target is a Cloud Storage bucket. STORAGE_BUCKET = 10; + + // Target is a private network. Used only for return traces. + PRIVATE_NETWORK = 11; + + // Target is a Cloud Function. Used only for return traces. + CLOUD_FUNCTION = 12; + + // Target is a App Engine service version. Used only for return traces. + APP_ENGINE_VERSION = 13; + + // Target is a Cloud Run revision. Used only for return traces. + CLOUD_RUN_REVISION = 14; } // Target type where the packet is delivered to. @@ -808,6 +821,9 @@ message DeliverInfo { // URI of the resource that the packet is delivered to. string resource_uri = 2; + + // IP address of the target (if applicable). + string ip_address = 3 [(google.api.field_info).format = IPV4_OR_IPV6]; } // Details of the final state "forward" and associated resource. @@ -827,19 +843,22 @@ message ForwardInfo { INTERCONNECT = 3; // Forwarded to a Google Kubernetes Engine Container cluster master. - GKE_MASTER = 4; + GKE_MASTER = 4 [deprecated = true]; // Forwarded to the next hop of a custom route imported from a peering VPC. IMPORTED_CUSTOM_ROUTE_NEXT_HOP = 5; // Forwarded to a Cloud SQL instance. - CLOUD_SQL_INSTANCE = 6; + CLOUD_SQL_INSTANCE = 6 [deprecated = true]; // Forwarded to a VPC network in another project. ANOTHER_PROJECT = 7; // Forwarded to an NCC Hub. NCC_HUB = 8; + + // Forwarded to a router appliance. + ROUTER_APPLIANCE = 9; } // Target type where this packet is forwarded to. @@ -847,6 +866,9 @@ message ForwardInfo { // URI of the resource that the packet is forwarded to. string resource_uri = 2; + + // IP address of the target (if applicable). + string ip_address = 3 [(google.api.field_info).format = IPV4_OR_IPV6]; } // Details of the final state "abort" and associated resource. 
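Review bot: The comment on the new `APP_ENGINE_VERSION = 13` value has a grammar slip: `// Target is a App Engine service version. Used only for return traces.` should read `// Target is an App Engine service version. Used only for return traces.`. All four new values (11–14) are documented as "Used only for return traces", but nothing in DeliverInfo tells a reader what a return trace is or how to recognise one; a one-line pointer to wherever the trace direction is recorded (presumably on the enclosing Trace message, not visible here) would make the restriction usable. The new `ip_address = 3` carries `(google.api.field_info).format = IPV4_OR_IPV6`, which is the right way to declare the value's format for consumers that validate it. DeliverInfo's closing brace lies outside the hunk.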
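Review bot: `GKE_MASTER = 4` and `CLOUD_SQL_INSTANCE = 6` in ForwardInfo.Target are newly marked `[deprecated = true]` but their comments are untouched, so a client author cannot tell which final state now reports those targets or whether older traces can still contain them. Each deprecated value should name its replacement, e.g. `// Forwarded to a Google Kubernetes Engine Container cluster master. Deprecated: no longer reported as a forward final state; see <replacement>.` with the actual replacement filled in (a deliver target seems likely given the DeliverInfo additions in this patch, but that is not visible here). The new `ip_address = 3` with the `IPV4_OR_IPV6` format annotation matches the sibling field added to DeliverInfo, which is consistent. ForwardInfo's closing brace lies outside the hunk.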
@@ -856,63 +878,78 @@ message AbortInfo { // Cause is unspecified. CAUSE_UNSPECIFIED = 0; - // Aborted due to unknown network. - // The reachability analysis cannot proceed because the user does not have - // access to the host project's network configurations, including firewall - // rules and routes. This happens when the project is a service project and - // the endpoints being traced are in the host project's network. - UNKNOWN_NETWORK = 1; + // Aborted due to unknown network. Deprecated, not used in the new tests. + UNKNOWN_NETWORK = 1 [deprecated = true]; + + // Aborted because no project information can be derived from the test + // input. Deprecated, not used in the new tests. + UNKNOWN_PROJECT = 3 [deprecated = true]; + + // Aborted because traffic is sent from a public IP to an instance without + // an external IP. Deprecated, not used in the new tests. + NO_EXTERNAL_IP = 7 [deprecated = true]; + + // Aborted because none of the traces matches destination information + // specified in the input test request. Deprecated, not used in the new + // tests. + UNINTENDED_DESTINATION = 8 [deprecated = true]; + + // Aborted because the source endpoint could not be found. Deprecated, not + // used in the new tests. + SOURCE_ENDPOINT_NOT_FOUND = 11 [deprecated = true]; + + // Aborted because the source network does not match the source endpoint. + // Deprecated, not used in the new tests. + MISMATCHED_SOURCE_NETWORK = 12 [deprecated = true]; - // Aborted because the IP address(es) are unknown. + // Aborted because the destination endpoint could not be found. Deprecated, + // not used in the new tests. + DESTINATION_ENDPOINT_NOT_FOUND = 13 [deprecated = true]; + + // Aborted because the destination network does not match the destination + // endpoint. Deprecated, not used in the new tests. + MISMATCHED_DESTINATION_NETWORK = 14 [deprecated = true]; + + // Aborted because no endpoint with the packet's destination IP address is + // found. 
UNKNOWN_IP = 2; - // Aborted because no project information can be derived from the test - // input. - UNKNOWN_PROJECT = 3; + // Aborted because the source IP address doesn't belong to any of the + // subnets of the source VPC network. + SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK = 23; - // Aborted because the user lacks the permission to access all or part of - // the network configurations required to run the test. + // Aborted because user lacks permission to access all or part of the + // network configurations required to run the test. PERMISSION_DENIED = 4; - // Aborted because no valid source endpoint is derived from the input test - // request. - NO_SOURCE_LOCATION = 5; + // Aborted because user lacks permission to access Cloud NAT configs + // required to run the test. + PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS = 28; - // Aborted because the source and/or destination endpoint specified in - // the test are invalid. The possible reasons that an endpoint is - // invalid include: malformed IP address; nonexistent instance or - // network URI; IP address not in the range of specified network URI; and - // instance not owning the network interface in the specified network. - INVALID_ARGUMENT = 6; + // Aborted because user lacks permission to access Network endpoint group + // endpoint configs required to run the test. + PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS = 29; - // Aborted because traffic is sent from a public IP to an instance without - // an external IP. - NO_EXTERNAL_IP = 7; + // Aborted because no valid source or destination endpoint is derived from + // the input test request. + NO_SOURCE_LOCATION = 5; - // Aborted because none of the traces matches destination information - // specified in the input test request. - UNINTENDED_DESTINATION = 8; + // Aborted because the source or destination endpoint specified in + // the request is invalid. Some examples: + // - The request might contain malformed resource URI, project ID, or IP + // address. 
+ // - The request might contain inconsistent information (for example, the + // request might include both the instance and the network, but the instance + // might not have a NIC in that network). + INVALID_ARGUMENT = 6; - // Aborted because the number of steps in the trace exceeding a certain - // limit which may be caused by routing loop. + // Aborted because the number of steps in the trace exceeds a certain + // limit. It might be caused by a routing loop. TRACE_TOO_LONG = 9; // Aborted due to internal server error. INTERNAL_ERROR = 10; - // Aborted because the source endpoint could not be found. - SOURCE_ENDPOINT_NOT_FOUND = 11; - - // Aborted because the source network does not match the source endpoint. - MISMATCHED_SOURCE_NETWORK = 12; - - // Aborted because the destination endpoint could not be found. - DESTINATION_ENDPOINT_NOT_FOUND = 13; - - // Aborted because the destination network does not match the destination - // endpoint. - MISMATCHED_DESTINATION_NETWORK = 14; - // Aborted because the test scenario is not supported. UNSUPPORTED = 15; @@ -928,6 +965,18 @@ message AbortInfo { // Aborted because expected resource configuration was missing. RESOURCE_CONFIG_NOT_FOUND = 18; + // Aborted because expected VM instance configuration was missing. + VM_INSTANCE_CONFIG_NOT_FOUND = 24; + + // Aborted because expected network configuration was missing. + NETWORK_CONFIG_NOT_FOUND = 25; + + // Aborted because expected firewall configuration was missing. + FIREWALL_CONFIG_NOT_FOUND = 26; + + // Aborted because expected route configuration was missing. + ROUTE_CONFIG_NOT_FOUND = 27; + // Aborted because a PSC endpoint selection for the Google-managed service // is ambiguous (several PSC endpoints satisfy test input). GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT = 19; 
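Review bot: The rewritten comment on `NO_SOURCE_LOCATION = 5` now says `no valid source or destination endpoint`, which widens the documented meaning of an existing wire value whose name says only "source"; if the analyzer really reports this for a bad destination, say so unambiguously (`// Aborted because no valid source or destination endpoint is derived from the input test request. Despite the name, this is also reported for an unresolvable destination.`), otherwise a new value is the cleaner way to add the destination case. The eight values re-marked `[deprecated = true]` all carry the identical `Deprecated, not used in the new tests.` text, which drops the useful explanation the old `UNKNOWN_NETWORK` comment gave (a service-project caller without access to the host project's network configuration) without saying which cause a caller now receives for that situation; `PERMISSION_DENIED` seems the likely replacement, and each deprecated value should name its own. `SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK = 23` and the two `PERMISSION_DENIED_*` values (28, 29) are inserted between 2, 4 and 5 rather than in number order, which makes the "is this number already used?" check harder for the next change. The enum continues past the end of the hunk.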
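Review bot: The four new `*_CONFIG_NOT_FOUND` values (24–27) specialize the existing `RESOURCE_CONFIG_NOT_FOUND = 18`, but neither the new comments nor the generic one say which cause a caller now receives for a missing VM, network, firewall or route configuration, so clients switching on 18 may silently stop matching. If the specific causes replace the generic one for those resource types, say so on the generic value: `// Aborted because expected resource configuration was missing. For VM instance, network, firewall and route configurations the more specific *_CONFIG_NOT_FOUND causes are reported instead.` — and if 18 can still be reported for them, say that instead. The enclosing enum continues past the end of the hunk.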
@@ -939,6 +988,17 @@ message AbortInfo { // Aborted because tests with a forwarding rule as a source are not // supported. SOURCE_FORWARDING_RULE_UNSUPPORTED = 21; + + // Aborted because one of the endpoints is a non-routable IP address + // (loopback, link-local, etc). + NON_ROUTABLE_IP_ADDRESS = 22; + + // Aborted due to an unknown issue in the Google-managed project. + UNKNOWN_ISSUE_IN_GOOGLE_MANAGED_PROJECT = 30; + + // Aborted due to an unsupported configuration of the Google-managed + // project. + UNSUPPORTED_GOOGLE_MANAGED_PROJECT_CONFIG = 31; } // Causes that the analysis is aborted. @@ -947,9 +1007,11 @@ message AbortInfo { // URI of the resource that caused the abort. string resource_uri = 2; - // List of project IDs that the user has specified in the request but does - // not have permission to access network configs. Analysis is aborted in this - // case with the PERMISSION_DENIED cause. + // IP address that caused the abort. + string ip_address = 4 [(google.api.field_info).format = IPV4_OR_IPV6]; + + // List of project IDs the user specified in the request but lacks access to. + // In this case, analysis is aborted with the PERMISSION_DENIED cause. repeated string projects_missing_permission = 3; } @@ -973,7 +1035,7 @@ message DropInfo { // tracking. FIREWALL_RULE = 3; - // Dropped due to no routes. + // Dropped due to no matching routes. NO_ROUTE = 4; // Dropped due to invalid route. Route's next hop is a blackhole. 
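Review bot: The comment on `NON_ROUTABLE_IP_ADDRESS = 22` ends in `(loopback, link-local, etc)`, which leaves the rejected address set open-ended for a value whose whole purpose is to tell a user why an input was rejected. Enumerate the classes the analyzer actually rejects and drop "etc", e.g. `// Aborted because one of the endpoints is a non-routable IP address (loopback, link-local, and the other reserved ranges listed in the documentation).` — with the concrete list or a link to it. The two `*_GOOGLE_MANAGED_PROJECT*` values (30, 31) are also appended after 22 rather than after the highest existing number, which is fine on the wire but worth a glance when the next number is allocated.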
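Review bot: The rewritten comment on `projects_missing_permission = 3` still says the list is populated only `with the PERMISSION_DENIED cause`, while this same patch adds `PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS = 28` and `PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS = 29`; a caller cannot tell whether the list is also filled for those, and it is exactly the information needed to decide which project to request access to. State it one way or the other, e.g. `// In this case, analysis is aborted with the PERMISSION_DENIED cause (or one of the PERMISSION_DENIED_* causes).` if that is the behaviour, or `// Populated only for the PERMISSION_DENIED cause.` if not. The new `ip_address = 4` with the `IPV4_OR_IPV6` format annotation is consistent with the fields added to DeliverInfo and ForwardInfo; note it takes number 4 because 3 was already in use, which is correct.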
@@ -981,16 +1043,53 @@ message DropInfo { // Packet is sent to a wrong (unintended) network. Example: you trace a // packet from VM1:Network1 to VM2:Network2, however, the route configured - // in Network1 sends the packet destined for VM2's IP addresss to Network3. + // in Network1 sends the packet destined for VM2's IP address to Network3. ROUTE_WRONG_NETWORK = 6; + // Route's next hop IP address cannot be resolved to a GCP resource. + ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED = 42; + + // Route's next hop resource is not found. + ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND = 43; + + // Route's next hop instance doesn't hace a NIC in the route's network. + ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK = 49; + + // Route's next hop IP address is not a primary IP address of the next hop + // instance. + ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP = 50; + + // Route's next hop forwarding rule doesn't match next hop IP address. + ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH = 51; + + // Route's next hop VPN tunnel is down (does not have valid IKE SAs). + ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED = 52; + + // Route's next hop forwarding rule type is invalid (it's not a forwarding + // rule of the internal passthrough load balancer). + ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID = 53; + + // Packet is sent from the Internet to the private IPv6 address. + NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS = 44; + + // The packet does not match a policy-based VPN tunnel local selector. + VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH = 45; + + // The packet does not match a policy-based VPN tunnel remote selector. + VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH = 46; + // Packet with internal destination address sent to the internet gateway. PRIVATE_TRAFFIC_TO_INTERNET = 7; // Instance with only an internal IP address tries to access Google API and - // services, but private Google access is not enabled. + // services, but private Google access is not enabled in the subnet. 
PRIVATE_GOOGLE_ACCESS_DISALLOWED = 8; + // Source endpoint tries to access Google API and services through the VPN + // tunnel to another network, but Private Google Access needs to be enabled + // in the source endpoint network. + PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED = 47; + // Instance with only an internal IP address tries to access external hosts, // but Cloud NAT is not enabled in the subnet, unless special configurations // on a VM allow this connection. @@ -1005,10 +1104,6 @@ message DropInfo { // Forwarding rule's protocol and ports do not match the packet header. FORWARDING_RULE_MISMATCH = 11; - // Packet could be dropped because it was sent from a different region - // to a regional forwarding without global access. - FORWARDING_RULE_REGION_MISMATCH = 25; - // Forwarding rule does not have backends configured. FORWARDING_RULE_NO_INSTANCES = 12; 
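Review bot: The comment on `ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK = 49` contains a typo: `// Route's next hop instance doesn't hace a NIC in the route's network.` should be `// Route's next hop instance doesn't have a NIC in the route's network.`. The ten new route/VPN values are interleaved as 42, 43, 49, 50, 51, 52, 53, 44, 45, 46, so a reader scanning for a free number has to read the whole enum; grouping by topic is reasonable, but a short `// Numbers are not contiguous; check the whole enum before allocating.` at the top of the enum would save the next contributor a mistake. The `PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED = 47` comment reads as a recommendation ("needs to be enabled in the source endpoint network") rather than a drop reason; `// ..., but Private Google Access is only honoured when enabled in the source endpoint's own network.` states the cause. The Cause enum starts and ends outside this hunk.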
@@ -1104,10 +1199,46 @@ message DropInfo { // state. VPC_CONNECTOR_NOT_RUNNING = 24; + // Packet could be dropped because it was sent from a different region + // to a regional forwarding without global access. + FORWARDING_RULE_REGION_MISMATCH = 25; + // The Private Service Connect endpoint is in a project that is not approved // to connect to the service. PSC_CONNECTION_NOT_ACCEPTED = 26; + // The packet is sent to the Private Service Connect endpoint over the + // peering, but [it's not + // supported](https://cloud.google.com/vpc/docs/configure-private-service-connect-services#on-premises). + PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK = 41; + + // The packet is sent to the Private Service Connect backend (network + // endpoint group), but the producer PSC forwarding rule does not have + // global access enabled. + PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS = 48; + + // The packet is sent to the Private Service Connect backend (network + // endpoint group), but the producer PSC forwarding rule has multiple ports + // specified. + PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS = 54; + + // The packet is sent to the Private Service Connect backend (network + // endpoint group) targeting a Cloud SQL service attachment, but this + // configuration is not supported. + CLOUD_SQL_PSC_NEG_UNSUPPORTED = 58; + + // No NAT subnets are defined for the PSC service attachment. + NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT = 57; + + // The packet sent from the hybrid NEG proxy matches a non-dynamic route, + // but such a configuration is not supported. + HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED = 55; + + // The packet sent from the hybrid NEG proxy matches a dynamic route with a + // next hop in a different region, but such a configuration is not + // supported. + HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED = 56; + // Packet sent from a Cloud Run revision that is not ready. CLOUD_RUN_REVISION_NOT_READY = 29; 
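Review bot: The re-added `FORWARDING_RULE_REGION_MISMATCH = 25` keeps a comment with a missing noun: `// to a regional forwarding without global access.` should be `// to a regional forwarding rule without global access.`. Since this value was deleted from its old position in the previous hunk and re-inserted here, the wire value is unchanged and nothing else in this hunk touches it, so that is the only fix needed. The new PSC values are listed as 41, 48, 54, 58, 57, 55, 56 — `CLOUD_SQL_PSC_NEG_UNSUPPORTED = 58` before `NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT = 57` and the two hybrid-NEG values — which reads as accidental; ordering them by number within the PSC group costs nothing. The Cause enum continues past the end of the hunk.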
@@ -1117,6 +1248,12 @@ message DropInfo { // Packet sent to a load balancer, which requires a proxy-only subnet and // the subnet is not found. LOAD_BALANCER_HAS_NO_PROXY_SUBNET = 39; + + // Packet sent to Cloud Nat without active NAT IPs. + CLOUD_NAT_NO_ADDRESSES = 40; + + // Packet is stuck in a routing loop. + ROUTING_LOOP = 59; } // Cause that the packet is dropped. @@ -1124,6 +1261,15 @@ message DropInfo { // URI of the resource that caused the drop. string resource_uri = 2; + + // Source IP address of the dropped packet (if relevant). + string source_ip = 3; + + // Destination IP address of the dropped packet (if relevant). + string destination_ip = 4; + + // Region of the dropped packet (if relevant). + string region = 5; } // For display only. Metadata associated with a Google Kubernetes Engine (GKE) @@ -1227,12 +1373,16 @@ message NatInfo { enum Type { // Type is unspecified. TYPE_UNSPECIFIED = 0; + // From Compute Engine instance's internal address to external address. INTERNAL_TO_EXTERNAL = 1; + // From Compute Engine instance's external address to internal address. EXTERNAL_TO_INTERNAL = 2; + // Cloud NAT Gateway. CLOUD_NAT = 3; + // Private service connect NAT. PRIVATE_SERVICE_CONNECT = 4; } 
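Review bot: The comment on `CLOUD_NAT_NO_ADDRESSES = 40` spells the product `Cloud Nat` while every other comment in this file uses `Cloud NAT`; `// Packet sent to Cloud NAT without active NAT IPs.` keeps the docs consistent. `ROUTING_LOOP = 59` is a new drop cause, while AbortInfo.Cause already has `TRACE_TOO_LONG = 9` documented as possibly caused by a routing loop; a reader will want to know which one they get, so a cross-reference such as `// Packet is stuck in a routing loop. Reported instead of the TRACE_TOO_LONG abort when the loop is detected.` would help, provided that is the actual behaviour. The Cause enum starts outside this hunk.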
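Review bot: The new `source_ip = 3` and `destination_ip = 4` on DropInfo are plain strings, whereas the `ip_address` fields added to DeliverInfo, ForwardInfo and AbortInfo in this same patch all declare `(google.api.field_info).format = IPV4_OR_IPV6`; the omission is an inconsistency that loses the format contract exactly where consumers are most likely to parse the value. Annotate them the same way: `string source_ip = 3 [(google.api.field_info).format = IPV4_OR_IPV6];` and `string destination_ip = 4 [(google.api.field_info).format = IPV4_OR_IPV6];`. Naming is also inconsistent with the sibling messages (`ip_address` vs `source_ip`/`destination_ip`); the two-address case justifies different names, but `source_ip_address`/`destination_ip_address` would read as the same family. `region = 5` is documented as "Region of the dropped packet (if relevant)", and it is unclear whether that is a region name or a full resource URI — a format example in the comment would settle it.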
@@ -1320,6 +1470,32 @@ message ProxyConnectionInfo { // For display only. Metadata associated with the load balancer backend. message LoadBalancerBackendInfo { + // Health check firewalls configuration state enum. + enum HealthCheckFirewallsConfigState { + // Configuration state unspecified. It usually means that the backend has + // no health check attached, or there was an unexpected configuration error + // preventing Connectivity tests from verifying health check configuration. + HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED = 0; + + // Firewall rules (policies) allowing health check traffic from all required + // IP ranges to the backend are configured. + FIREWALLS_CONFIGURED = 1; + + // Firewall rules (policies) allow health check traffic only from a part of + // required IP ranges. + FIREWALLS_PARTIALLY_CONFIGURED = 2; + + // Firewall rules (policies) deny health check traffic from all required + // IP ranges to the backend. + FIREWALLS_NOT_CONFIGURED = 3; + + // The network contains firewall rules of unsupported types, so Connectivity + // tests were not able to verify health check configuration status. Please + // refer to the documentation for the list of unsupported configurations: + // https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs + FIREWALLS_UNSUPPORTED = 4; + } + // Display name of the backend. For example, it might be an instance name for // the instance group backends, or an IP address and port for zonal network // endpoint group backends. 
@@ -1351,37 +1527,11 @@ message LoadBalancerBackendInfo { // URI of the health check attached to this backend (if applicable). string health_check_uri = 6; - // Health check firewalls configuration state enum. - enum HealthCheckFirewallsConfigState { - // Configuration state unspecified. It usually means that the backend has - // no health check attached, or there was an unexpected configuration error - // preventing Connectivity tests from verifying health check configuration. - HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED = 0; - - // Firewall rules (policies) allowing health check traffic from all required - // IP ranges to the backend are configured. - FIREWALLS_CONFIGURED = 1; - - // Firewall rules (policies) allow health check traffic only from a part of - // required IP ranges. - FIREWALLS_PARTIALLY_CONFIGURED = 2; - - // Firewall rules (policies) deny health check traffic from all required - // IP ranges to the backend. - FIREWALLS_NOT_CONFIGURED = 3; - - // The network contains firewall rules of unsupported types, so Connectivity - // tests were not able to verify health check configuration status. Please - // refer to the documentation for the list of unsupported configurations: - // https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs - FIREWALLS_UNSUPPORTED = 4; - } - - // Health check firewalls configuration state for the backend. This is a - // result of the static firewall analysis (verifying that health check traffic - // from required IP ranges to the backend is allowed or not). The backend - // might still be unhealthy even if these firewalls are configured. Please - // refer to the documentation for more information: + // Output only. Health check firewalls configuration state for the backend. + // This is a result of the static firewall analysis (verifying that health + // check traffic from required IP ranges to the backend is allowed or not). 
+ // The backend might still be unhealthy even if these firewalls are + // configured. Please refer to the documentation for more information: // https://cloud.google.com/load-balancing/docs/firewall-rules HealthCheckFirewallsConfigState health_check_firewalls_config_state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];