You are viewing archived v1.24 Service Mesh documentation.
Available versions
Cloud Service Mesh latest
Cloud Service Mesh 1.26 archive
Cloud Service Mesh 1.24 archive
Cloud Service Mesh 1.24 archive
Cloud Service Mesh 1.23 archive
Cloud Service Mesh 1.22 archive
Cloud Service Mesh 1.21 archive
Cloud Service Mesh 1.20 archive
Anthos Service Mesh 1.19 archive
In-cluster control plane supported features
This page describes features that are supported in Cloud Service Mesh1.24.6 with an in-cluster control plane. To see the supportedfeatures for Cloud Service Mesh 1.24.6 with a managed controlplane instead, seeManaged control plane.
Supported versions
Support for Cloud Service Mesh follows theGKE Enterprise Version Support Policy.
Formanaged Cloud Service Mesh with aTRAFFIC_DIRECTOR control plane implementation, Google always supports this control plane.
Formanaged Cloud Service Mesh with anISTIOD control plane implementation, Google supports the current Cloud Service Meshversions available in eachrelease channel.
Forself-installed in-cluster Cloud Service Mesh, Google supports the current andprevious two (n-2) minor versions of Cloud Service Mesh.
The following table shows the supported versions ofself-installed in-clusterCloud Service Mesh and the earliest end-of-life (EOL) date for a version.
| Release version | Release date | Earliest end of life date |
|---|---|---|
| 1.26 | July 16, 2025 | April 16, 2026 |
| 1.25 | April 4, 2025 | January 4, 2026 |
| 1.24 | January 16, 2025 | October 15, 2025 |
If you are on an unsupported version of Cloud Service Mesh, then you must upgrade toCloud Service Mesh 1.22 or later. For information on how toupgrade, seeUpgrade Cloud Service Mesh.
The following table shows the unsupported versions of Cloud Service Mesh and theirend-of-life (EOL) date.
| Release version | Release date | End-of-life date |
|---|---|---|
| 1.23 | September 19, 2024 | June 19, 2025 |
| 1.22 | July 25, 2024 | April 25, 2025 |
| 1.21 | June 4, 2024 | March 31, 2025 |
| 1.20 | February 8, 2024 | Unsupported (November 12, 2024) |
| 1.19 | October 31, 2023 | Unsupported (July 31, 2024) |
| 1.18 | August 3, 2023 | Unsupported (June 4, 2024) |
| 1.17 | April 4, 2023 | Unsupported (February 8, 2024) |
| 1.16 | February 21, 2023 | Unsupported (December 11, 2023) |
| 1.15 | October 25, 2022 | Unsupported (August 4, 2023) |
| 1.14 | July 20, 2022 | Unsupported (April 20, 2023) |
| 1.13 | March 30, 2022 | Unsupported (February 8, 2023) |
| 1.12 | December 9, 2021 | Unsupported (October 25, 2022) |
| 1.11 | October 6, 2021 | Unsupported (July 20, 2022) |
| 1.10 | June 24, 2021 | Unsupported (March 30, 2022) |
| 1.9 | March 4, 2021 | Unsupported (December 14, 2021) |
| 1.8 | December 15, 2020 | Unsupported (December 14, 2021) |
| 1.7 | November 3, 2020 | Unsupported (December 14, 2021) |
| 1.6 | June 30, 2020 | Unsupported (March 30, 2021) |
| 1.5 | May 20, 2020 | Unsupported (February 17, 2021) |
| 1.4 | December 20, 2019 | Unsupported (September 18, 2020) |
For more information about our support policies, refer toGetting support.
Platform differences
There are differences in supported features betweensupported platforms.
TheOther GKE Enterprise clusters columns refer to clustersthat are outside of Google Cloud, for example:
Google Distributed Cloud:
- Google Distributed Cloud (software only) for VMware
- Google Distributed Cloud (software only) for bare metal
This page uses Google Distributed Cloud where the same support is available onboth Google Distributed Cloud (software only) for VMware andGoogle Distributed Cloud (software only) for bare metal, and the specificplatform where there are differences between the platforms.
GKE Enterprise on other public clouds:
GKE attached clusters - Third-party Kubernetes clusters that havebeen registered to a fleet. Cloud Service Mesh is supported on the followingcluster types:
- Amazon EKS clusters
- Microsoft AKS clusters
In the following tables:
- – indicates the feature is enabled bydefault.
- * – indicates the feature is supported forthe platform and can be enabled, as described inEnabling optional featuresor the feature guide linked in the feature table.
- Compatible – indicates the feature or third-party tool will integrate orwork with Cloud Service Mesh, but is not fully supported by Google Cloud Supportand a feature guide is not available.
- – indicates either the feature isn'tavailable or it isn't supported in Cloud Service Mesh 1.24.6.
The default and optional features are fully supported by Google CloudSupport. Features not explicitly listed in the tables receive best-effortsupport.
Base Images
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Distroless proxy image |
Security
Certificate distribution/rotation mechanisms
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Workload certificate management | ||
| External certificate management on ingress andegress gateways. |
Certificate authority (CA) support
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | Other GKE Enterprise clusters |
|---|---|---|---|
| Cloud Service Mesh certificate authority | |||
| Certificate Authority Service | * | * | |
| Istio CA (previously known as Citadel) | * | * | |
| Plug in your own CA certificates | Supported by CA service and Istio CA | Supported by CA service and Istio CA | Supported by Istio CA |
Cloud Service Mesh security features
In addition to supporting Istio security features, Cloud Service Mesh provides evenmore capabilities to help you secure your applications.
| Feature | GKE clusters on Google Cloud | Distributed Cloud | GKE Multi-Cloud | Other GKE Enterprise clusters |
|---|---|---|---|---|
| IAP integration | ||||
| End-user authentication | ||||
| Audit policies (preview) | * | |||
| Dry-run mode | ||||
| Denial logging |
Authorization policy
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Authorization v1beta1 policy | ||
| Path templating |
Authentication policy
Peer authentication
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Auto-mTLS | ||
| mTLS PERMISSIVE mode |
For information on enabling mTLS STRICT mode, seeConfiguring transport security.
Request authentication
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| JWT authentication(Note 1) |
Notes:
- Third-party JWT is enabled by default.
Telemetry
Metrics
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | Other GKE Enterprise clusters |
|---|---|---|---|
| Cloud Monitoring (HTTP in-proxy metrics) | |||
| Cloud Monitoring (TCP in-proxy metrics) | |||
| Istio Telemetry API | |||
| Custom adapters/backends, in or out of process | |||
| Arbitrary telemetry and logging backends | |||
| Prometheus metrics export to customer-installed Prometheus, Grafana, and Kiali dashboards | Compatible | Compatible | Compatible |
| Google Cloud Managed Service for Prometheus, not including the Cloud Service Mesh dashboard | |||
| The topology graph in the Google Cloud console no longer uses the Mesh telemetry service as its data source. Although the data source for the topology graph has changed, the UI remains the same. | |||
Proxy request logging
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | Other GKE Enterprise clusters |
|---|---|---|---|
| Traffic logs | |||
| Access logs | * | * | * |
Tracing
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | Other GKE Enterprise clusters |
|---|---|---|---|
| Cloud Trace | * | * | |
| Jaeger tracing (allows use of customer-managed Jaeger) | Compatible | Compatible | Compatible |
| Zipkin tracing (allows use of customer-managed Zipkin) | Compatible | Compatible | Compatible |
Networking
Destination rule
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| credentialName |
Traffic interception/redirection mechanism
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
Traditional use ofiptables usinginit containers withCAP_NET_ADMIN | ||
| Container Network Interface (CNI) | * | * |
Protocol support
Services that are configured with Layer 7 capabilities forthe following protocols are not supported: WebSocket, MongoDB, Redis, Kafka,Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol workby using TCP byte stream support. If TCP byte stream cannot support the protocol(for example, Kafka sends a redirect address in a protocol-specific reply andthis redirect is incompatible with Cloud Service Mesh's routing logic), then theprotocol isn't supported.
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| IPv4 | ||
| HTTP/1.1 | ||
| HTTP/2 | ||
| TCP byte streams(Note 1) | ||
| gRPC | ||
| IPv6 | ||
| Istio DualStack |
Notes:
- Although TCP is a supported protocol for networking, TCPmetrics aren't collected or reported. Metrics are displayed only for HTTPservices in the Google Cloud console.
Envoy deployments
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Sidecars | ||
| Ingress gateway | ||
| Egress directly out from sidecars | ||
| Egress using egress gateways | * | * |
CRD support
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Istio API support (exceptions below) | ||
| custom Envoy filters |
Load balancer for the Istio ingress gateway
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Third-party external load balancer | ||
| Google Cloud Internal load balancer | * | Not supported. See the links below. |
For information on configuring load balancers, see the following:
- Setting up your load balancer for Google Distributed Cloud (software only) for VMware
- GKE on AWS:Creating a load balancer
- Expose an ingress gateway using an external load balancer
Kubernetes Gateway API (preview)
In Cloud Service Mesh v1.20 the Kubernetes Gateway API is available as a publicpreview.
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Ingress | ||
Gateway withclass: istio | ||
HttpRoute usingparentRef | ||
| Mesh traffic | ||
Configuring Istio CRDs using thetargetRef fieldincluding AuthorizationPolicy, RequestAuthentication, Telemetry and WasmPlugin |
If you are using Microsoft AKS attached clusters orGKE on Azure clusters, you must set the following annotationfor the gateway resource to configure health checks over TCP:
service.beta.kubernetes.io/port_80_health-probe_protocol:tcpOtherwise, HTTP traffic won't be accepted.
Kubernetes Gateway API preview requirements
The Kubernetes Gateway API preview has the following requirements:
Use the default automated deployments behavior for Gateways.
Use the
HttpRouteCRD for routing configurations. TheHttpRoutemust haveaparentRefpointing to a Gateway.Don't useIstio GatewayCRs andKubernetes Gateway API CRson the same cluster.
Load balancing policies
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Round robin | ||
| Least connections | ||
| Random | ||
| Passthrough | ||
| Consistent hash | ||
| Locality |
For more information on load balancing policies, seeDestination Rules.
Data plane
| Feature | GKE clusters on Google Cloud | Other GKE Enterprise clusters |
|---|---|---|
| Sidecar | ||
| Ambient |
Multi-cluster support
For multi-primary deployments of GKE clusters in differentprojects, all the clusters must be in ashared Virtual Private Cloud (VPC).
Network
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | GKE on AWS | GKE on Azure | Attached clusters |
|---|---|---|---|---|---|
| Single network | |||||
| Multi-network |
Notes:
- For attached clusters, only multi-cluster meshes spanning a single platform(Microsoft AKS, Amazon EKS) are supported at this time.
Deployment model
| Feature | GKE clusters on Google Cloud | GKE Enterprise clusters on-premises | GKE Enterprise on other public clouds | Attached clusters |
|---|---|---|---|---|
| Multi-primary | ||||
| Primary-remote |
Notes on terminology:
A primary cluster is a cluster with a control plane. A single mesh can havemore than one primary cluster for high availability or to reduce latency.In the Istio 1.7 documentation, a multi-primary deployment is referred toas a replicated control plane.
A remote cluster is a cluster that connects to a control plane residingoutside of the cluster. A remote cluster can connect to a control planerunning in a primary cluster or to an external control plane.
Cloud Service Mesh uses a simplified definition of network based on generalconnectivity. Workload instances are on the same network if they are able tocommunicate directly, without a gateway.
User interface
| Feature | GKE clusters on Google Cloud | Google Distributed Cloud | Other GKE Enterprise clusters |
|---|---|---|---|
| Cloud Service Mesh dashboards in the Google Cloud console | * | * | |
| Cloud Monitoring | * | ||
| Cloud Logging | * | ||
| Cloud Trace | * |
Note: On-premises clusters require GKE Enterprise version 1.11 or later.For more information on upgrading seeUpgrading Google Distributed Cloud (software only) for VMwareorUpgrading Google Distributed Cloud (software only) for bare metal.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.