Proxyless gRPC limitations

This document describes limitations that apply to Cloud Service Mesh withproxyless gRPC applications. For information aboutlimits, seeQuotas and limits.

Limitations on forwarding rules, URL maps, and target proxies apply only toCloud Service Mesh with the Google Cloud load balancing APIs.

General limitations

The limitations of Cloud Service Mesh with proxyless gRPC applicationsinclude the following:

• You cannot configure backend services and routing rule maps with the gRPCprotocol in the Google Cloud console. For these resources, theGoogle Cloud console is read-only.

• Proxyless gRPC supports endpoint discovery, routing, load balancing, loadreporting, and many advanced traffic management features.

  • For the minimum gRPC version required to support someadvanced traffic managementfeatures, seeSupported gRPC versions and languages.

  • For your gRPC applications that need unsupported advanced trafficmanagement features, use the DNS name resolver instead of the xDS resolverand deploy with sidecar proxies that are supported with Cloud Service Mesh.In your target gRPC proxy, set thevalidateForProxyless field toFALSEso that you can configure features that are not yet supported by gRPC butthat are available in Cloud Service Mesh with the use of sidecar proxies.

• Proxyless gRPC supports only round-robin and ring hash load balancingpolicies. Otherload-balancing policiesare not supported.

  • Cloud Service Mesh provides a prioritized weighted list oflocalities—one instance group or one network endpoint group(NEG)—to the gRPC client. Cloud Service Mesh calculates this list basedon the closest available zone, its capacity, and thebalancing mode of the backend service.
  • For a particular request, the gRPCclient picks one or more localities based on the priority and weight anddoes round-robin or ring hash-based load balancing to the backends withinthose localities.

• The failover from one zone (locality) to another starts whenthe current zone capacity falls under 50%. You can't configure this threshold.

• In some cases, the configuration commands related to a target gRPC proxy anda forwarding rule that references a target gRPC proxy might take up to aminute.

• Hybrid connectivity NEGs (NON_GCP_PRIVATE_IP_PORT NEGs)are not supported with proxyless gRPC clients.

URL map limitations

The followingURL map trafficmanagement features are supported with proxyless gRPC services.

Features supported in thepathMatcher ofhostRules:

pathMatchernamedescriptiondefaultServicedefaultRouteActionweightedBackendServicesbackendServiceweightretryPolicyretryConditionsnumRetriesfaultInjectionPolicymaxStreamDurationpathRulesservicerouteActionweightedBackendServicesbackendServiceweightretryPolicyretryConditionsnumRetriesfaultInjectionPolicymaxStreamDurationpathsrouteRulesprioritydescriptionmatchRulesprefixMatchfullPathMatchheaderMatchesmetadataFiltersservicerouteActionweightedBackendServicesbackendServiceweightretryPolicyretryConditionsnumRetriesfaultInjectionPolicymaxStreamDuration

The following URL map limitations apply when you use proxyless gRPC services:

• Wildcard characters in the host rules and default rules of a URL map,including the implicitly created* host rule of a URL map, are not supported.Such entries are skipped when host matching is done.

• The following features are not supported:

  • queryParameterMatches inrouteRules
  • headerAction,urlRewrite,requestMirrorPolicy,corsPolicy, andurlRedirect route actions
  • timeout route action; usemaxStreamDuration instead oftimeout
  • perTryTimeout inretryPolicy
  • retryConditions inretryPolicy except one or more conditions ofcancelled,deadline-exceeded,internal,resource-exhausted,andunavailable
  • ThedefaultService,defaultRouteAction,defaultUrlRedirect, andheaderAction of the URL map are not used by proxyless gRPC services. If amatching host rule is not found when a proxyless gRPC client looks up aservice name, Cloud Service Mesh returns a name lookup error instead ofusing the default service or action of the URL map.
  • headerAction inweightedBackendServices

• In URL map header match rules, only non-binary user-specifiedcustom metadata and thecontent-type header are supported. The following transport-levelheaders cannot be used in header matching rules::authority,:method,:path,:scheme,user-agent,accept-encoding,content-encoding,grpc-accept-encoding,grpc-encoding,grpc-previous-rpc-attempts,grpc-tags-bin,grpc-timeout, andgrpc-trace-bin.

• When you update a URL map host rule to change from one backend service toanother, traffic might be dropped momentarily while the new configurationis pushed to the clients. To avoid this limitation, configuretraffic splitting with weighted backend services.After configuring traffic splitting, slowly shift traffic from the old backendservice to the new backend service.

Target gRPC proxy limitations

When a target gRPC proxy references a URL map, you cannot configure thefollowing URL map features. This is true whether you are using a sidecarproxy or a proxyless gRPC service because these HTTP protocol-specificfeatures don't apply to the gRPC protocol:

• queryParameterMatches match rule
• urlRewrite route action
• urlRedirect route action
• corsPolicy action

Backend service limitations

The following backend service features are not supported with proxylessgRPC services with a sidecar proxy:

• localityLbPolicy exceptLEAST_REQUEST (with Java clients only),ROUND_ROBIN, andRING_HASH
• sessionAffinity exceptHEADER_FIELD andNONE
• consistentHash except thehttpHeaderName andminimumRingSize fields
• affinityCookieTtlSec
• timeoutSec; usemaxStreamDuration instead
• circuitBreakers except themaxRequests field

Note that a gRPC client will NACK the configuration from Cloud Service Meshwhen unsupported values are configured. This will cause configuration for allbackend services to be rejected by the client because the xDS protocol requiresrejecting all resources in a given response, rather than being able to rejectonly an individual resource from the response. This will cause the clientchannel to go into a transient error state until the configuration is fixed. Dueto this limitation, you must ensure that all clients support the required valuebefore configuring a feature for a service. For example, if you change theROUND_ROBIN policy toRING_HASH, you must ensure that all the clients areupgraded to a version that supportsRING_HASH.

Advanced traffic management limitations

You can't configure some advanced traffic management features for proxylessgRPC services with Cloud Service Mesh. For supported features, see thefollowing:

• Supported gRPC versions and languages
• Cloud Service Mesh features, includingload balancing

Limitations with Service Directory

• Service Directory and Cloud Service Mesh don'tguarantee network reachability for clients.

• A backend service can only reference one of the following:

  • Managed instance group or unmanaged instance group
  • Network endpoint group
  • Service bindings

• Service Directory services can only be used with globalbackend services withload-balancing-scheme=INTERNAL_SELF_MANAGED.

• A Service Directory service that is referenced by a servicebinding can be deleted. If the underlying Service Directoryservice to which the backend service is attached is deleted, applicationsthat use Cloud Service Mesh cannot send traffic to this service, therefore,requests fail. SeeObservability and debugging for best practices.

• When you bind a Service Directory service to a backendservice, you cannot configure a health check on that backend service.

What's next

• To learn about limitations that apply to Cloud Service Mesh, including advancedtraffic management limitations, seeCloud Service Mesh limitations.
• To find uses cases and architecture patterns for proxyless gRPC services, seetheProxyless gRPC services overview.