Target proxies for Cloud Service Mesh
Note: This guide only supports Cloud Service Mesh with Google Cloud APIs and does not support Istio APIs. For more information, see Cloud Service Mesh overview.
This document applies only to Cloud Service Mesh with the load balancing APIs. We strongly recommend that you use the service routing APIs to deploy Cloud Service Mesh.
When you configure Cloud Service Mesh, one of the resources that you configure is the target proxy. In the context of Cloud Service Mesh, target proxies serve two primary purposes:
- Defining the protocol that Cloud Service Mesh clients use when they open a connection to the backends or endpoints associated with a service.
- Working with forwarding rules and URL maps to create a routing rule map. The routing rule map provides additional capabilities, such as routing rules, depending on the type of target proxy. Invalid selections are either hidden in the user interface or rejected by the API.
Target proxy types and request protocols
Cloud Service Mesh generates different configurations for its clients based on the type of target proxy that you configure. When you configure a target proxy type, the Cloud Service Mesh client uses a specific request protocol.
| Target proxy | Request protocol |
|---|---|
| HTTPS | Clients initiate HTTPS connections |
| HTTP | Clients initiate HTTP connections |
| gRPC | Clients initiate gRPC connections |
| TCP | Clients initiate TCP connections |
You aren't restricted to choosing only one type. For example, your application might want to use HTTP when addressing some services but use TCP when addressing other services. For such a use case, you need to create both a target HTTP proxy and a target TCP proxy.
Valid resource combinations in a routing rule map
To avoid misconfigurations, Cloud Service Mesh only lets you create routing rule maps that look like the following:
- Forwarding rule > global target HTTPS proxy > URL map > one or more backend services
- Forwarding rule > global target HTTP proxy > URL map > one or more backend services
- Forwarding rule > global target gRPC proxy > URL map > one or more backend services
- Forwarding rule > global target TCP proxy > one backend service
If you're using the Google Cloud console to set up a target HTTP proxy, the target proxy is set up implicitly as part of your routing rule map configuration. TCP proxy setup is not yet supported in the Google Cloud console.
If you're using the Google Cloud CLI or the APIs, you need to configure the target proxy explicitly.
Note: Target proxies are also used for certain Google Cloud load balancers. This page only discusses target proxies in the context of Cloud Service Mesh.
Traffic handling
The following sections describe ways to handle traffic depending on the type of target proxy that you use.
Using a target HTTP or HTTPS proxy
When you configure HTTP- or HTTPS-based services, each service instance generally has an Envoy proxy deployed alongside it. Cloud Service Mesh configures this Envoy proxy. It is part of your service mesh data plane and handles traffic as follows.
The Envoy proxy receives the outbound request. It then compares the request's destination IP address and port to the IP address and port configured in each forwarding rule that references a target HTTP or HTTPS proxy. If a match is found, the Envoy proxy evaluates the request according to the target proxy's corresponding URL map.
Using a target TCP proxy
When you configure TCP-based services, each service instance generally has an Envoy proxy deployed alongside it. Cloud Service Mesh configures this Envoy proxy. It is part of your service mesh data plane and handles traffic as follows.
The Envoy proxy receives the outbound request. It then compares the request's destination IP address and port to the IP address and port configured in each forwarding rule that references a target TCP proxy. Each forwarding rule routes TCP traffic to a target proxy that points to a default backend service. The backend service specifies a health check and determines the appropriate backend.
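The valid routing rule map shapes and the Envoy-side destination match described above, modeled as an added example (not Google's code). The RoutingRuleMap record, the validate and resolve function names, and the sample addresses are assumptions made for illustration and are not the Compute Engine API schema.

```python
from dataclasses import dataclass, field
from typing import Optional

URL_MAP_PROXIES = {"HTTPS", "HTTP", "gRPC"}  # proxy types that route through a URL map

@dataclass
class RoutingRuleMap:  # hypothetical, simplified record of one forwarding rule chain
    name: str
    ip: str
    port: int
    proxy_type: str  # "HTTPS", "HTTP", "gRPC" or "TCP"
    url_map: Optional[str] = None
    backend_services: list = field(default_factory=list)

def validate(rrm):
    """Return the problems with one chain; an empty list means the shape is valid."""
    problems = []
    if rrm.proxy_type in URL_MAP_PROXIES:
        if rrm.url_map is None:
            problems.append(f"target {rrm.proxy_type} proxy requires a URL map")
        if not rrm.backend_services:
            problems.append("URL map must reference one or more backend services")
    elif rrm.proxy_type == "TCP":
        if rrm.url_map is not None:
            problems.append("target TCP proxy cannot reference a URL map")
        if len(rrm.backend_services) != 1:
            problems.append("target TCP proxy requires exactly one backend service")
    else:
        problems.append(f"unknown target proxy type {rrm.proxy_type!r}")
    return problems

def resolve(dest_ip, dest_port, rule_maps):
    """Model the Envoy match: destination IP and port against each forwarding rule."""
    for rrm in rule_maps:
        if rrm.proxy_type == "gRPC" or validate(rrm):
            continue  # gRPC matching happens in the gRPC library; skip invalid chains
        if (rrm.ip, rrm.port) == (dest_ip, dest_port):
            if rrm.proxy_type == "TCP":
                return ("backend-service", rrm.backend_services[0])
            return ("url-map", rrm.url_map)  # HTTP/HTTPS: evaluated by the URL map
    return None  # no forwarding rule in this inventory matched

# Constructed sample inventory (names and addresses are made up).
SAMPLE = [
    RoutingRuleMap("fr-web", "10.0.0.10", 80, "HTTP", "web-map", ["web-bs", "api-bs"]),
    RoutingRuleMap("fr-db", "10.0.0.20", 5432, "TCP", None, ["db-bs"]),
    RoutingRuleMap("fr-bad", "10.0.0.30", 6379, "TCP", "cache-map", ["a-bs", "b-bs"]),
]
```

Running validate over an exported inventory before applying changes surfaces the same shape errors that the API would reject, such as the constructed fr-bad chain above.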
Using a target gRPC proxy
When you configure gRPC-based services, your service instances generally don't have Envoy proxies deployed alongside them. Instead, Cloud Service Mesh configures the gRPC library. The library is part of your service mesh data plane and handles traffic as follows.
The gRPC library compares the hostname[:port] specified in the URI to the host rules in all URL maps that a target gRPC proxy references. If a match is found, the gRPC library evaluates the request according to the path rules associated with the matching host rule.
Target proxy resources
To add, delete, list, and get information about target proxies, you can use the REST API or the gcloud CLI.
In addition, to get information about a target proxy, you can use the following gcloud commands:
gcloud compute [target-http-proxies | target-tcp-proxies | target-grpc-proxies] list
gcloud compute [target-http-proxies | target-tcp-proxies | target-grpc-proxies] describe TARGET_PROXY_NAME
APIs
For descriptions of the properties and methods available to you when working with target proxies through the REST API, see the following resources that Cloud Service Mesh supports:
gcloud CLI
For the Google Cloud CLI, see the following resources:
What's next
- To learn more about Cloud Service Mesh, see the Cloud Service Mesh overview.
- To deploy Cloud Service Mesh, see the Guide to Cloud Service Mesh deployment documentation.
Last updated 2026-02-19 UTC.