You are viewing archived v1.24 Service Mesh documentation.
Understand Cloud Service Mesh API Resources
Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.
When you use Gateway API and Istio API to configure your service mesh on GKE, the KRM-based API resources you manage on GKE are automatically translated to a set of Google Cloud API resources:
- They don't incur any additional billing to you.
- They are managed exclusively by the managed Cloud Service Mesh infrastructure (based on the API resources you create in your GKE clusters). You won't be able to modify or delete these Google Cloud API resources. Changes to the KRM API trigger an update or removal of the corresponding Google Cloud API resources, and the Google Cloud API resources are automatically removed when you deprovision your Cloud Service Mesh service mesh.
- They are functionally equivalent to the API resources you manage on GKE. The Cloud Service Mesh infrastructure programs the dataplane in your GKE clusters based on these Google Cloud API resources.
- They are subject to the standard Google Cloud API quota control. You can view the current quota usage in your Google Cloud project. Config propagation to the dataplane stalls when a Google Cloud resource quota is exceeded. Note that Google Cloud enforces resource quota at the project level, and these Google Cloud API resources share quota with Google Cloud API resources of the same type that you manage yourself.
The following is a high-level overview of how API resources on GKE are mapped to Google Cloud API resources. In most cases, understanding the API mapping is not a requirement to use your service mesh on GKE, as you will be managing your service mesh on GKE using Gateway API or Istio API. On the other hand, having a high-level understanding of the API mapping helps you plan and manage your Google Cloud API quota more efficiently as your service mesh scales.
Understand API resources
The API resources you manage on GKE are mapped to a set of Google Cloud API resources that control different aspects of traffic behavior in the dataplane. We recommend that you set up quota alerts for these resources.
Istio API with Managed Cloud Service Mesh
| Item | Istio API Resources | Google Cloud API Resources | Scope | Quotas and Limits | Upper Bound |
|---|---|---|---|---|---|
| Traffic routing | VirtualService | HTTPRoute TCPRoute TLSRoute | Global | HTTPRoute Quota TCPRoute Quota TLSRoute Quota | 1 per service port, and for each of Istio VirtualService HTTPRoute, TCPRoute, and TLSRoute. |
| Service representation (for route / policy attachment) | Service ServiceEntry | BackendService | Global | BackendService Quota | 1 per service port (including Istio ServiceEntry). |
| Workload properties (such as IP:port, locality) | Service ServiceEntry | NetworkEndpointGroup | Zonal | NetworkEndpointGroup Quota | 1 per (service port, zone). In a regional GKE cluster, a NetworkEndpointGroup is created, for a given service port, in every zone where the cluster has at least one node. |
| Workload health monitoring | Service | HealthCheck | Global | HealthCheck Quota | 1 per GKE cluster. |
| Workload policy attachment point | PeerAuthentication AuthorizationPolicy RequestAuthentication EnvoyFilter | EndpointPolicy | Global | EndpointPolicy Quota | 1 per service port and for each of the workload policies. |
| Authentication | PeerAuthentication | ClientTlsPolicy ServerTlsPolicy | Global | ClientTlsPolicy Quota ServerTlsPolicy Quota | 1 ClientTlsPolicy per service port. 1 ServerTlsPolicy for every TLS Gateway. |
| Authorization | AuthorizationPolicy | HttpFilter | Global | HttpFilter Quota | 1 per Istio AuthorizationPolicy |
| Gateway | Gateway | Gateway | Global | Gateway Quota | 1 per Istio Gateway server port |
| Traffic distribution policy | GCPTrafficDistributionPolicy¹ | ServiceLbPolicy | Global | ServiceLbPolicy Quota | 1 per GCPTrafficDistributionPolicy |
If your service mesh spans multiple clusters in different projects, all Google Cloud resources will be created in the fleet project.
¹ GCPTrafficDistributionPolicy is not an Istio API. It enhances the Istio API to provide advanced traffic management.
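A quota-planning sketch for the Istio API table above, added here as an example and not part of the Google Cloud documentation. It covers only the rows whose upper bound is a plain "1 per X"; the inventory shape, sample counts, quota limits and the 80% alert threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class MeshInventory:
    """Constructed inventory shape (an assumption, not a Google Cloud API)."""
    service_ports: int        # ports across Service and ServiceEntry objects
    zones_with_nodes: int     # zones where the regional cluster has a node
    clusters: int
    authorization_policies: int
    gateway_server_ports: int
    tls_gateways: int
    traffic_distribution_policies: int

def upper_bounds(inv):
    """Upper bound per Google Cloud resource type, per the Istio API table."""
    return {
        "BackendService": inv.service_ports,                # 1 per service port
        "NetworkEndpointGroup": inv.service_ports * inv.zones_with_nodes,
        "HealthCheck": inv.clusters,                        # 1 per GKE cluster
        "ClientTlsPolicy": inv.service_ports,               # 1 per service port
        "ServerTlsPolicy": inv.tls_gateways,                # 1 per TLS Gateway
        "HttpFilter": inv.authorization_policies,           # 1 per AuthorizationPolicy
        "Gateway": inv.gateway_server_ports,                # 1 per server port
        "ServiceLbPolicy": inv.traffic_distribution_policies,
    }

def quota_report(inv, self_managed, limits, alert_ratio=0.8):
    """Map type -> (projected, limit, status); self-managed resources share the quota."""
    report = {}
    for res, mesh_count in upper_bounds(inv).items():
        projected = mesh_count + self_managed.get(res, 0)
        limit = limits[res]
        if projected > limit:
            status = "EXCEEDED"   # config propagation to the dataplane stalls
        elif projected >= alert_ratio * limit:
            status = "ALERT"      # worth a quota alert before rollout
        else:
            status = "OK"
        report[res] = (projected, limit, status)
    return report

# Constructed sample data: one regional cluster, hypothetical quota limits.
INVENTORY = MeshInventory(120, 3, 1, 40, 4, 2, 5)
SELF_MANAGED = {"BackendService": 30, "NetworkEndpointGroup": 50}
LIMITS = {"BackendService": 175, "NetworkEndpointGroup": 300, "HealthCheck": 75,
          "ClientTlsPolicy": 500, "ServerTlsPolicy": 500, "HttpFilter": 100,
          "Gateway": 100, "ServiceLbPolicy": 100}
if __name__ == "__main__":
    for res, row in quota_report(INVENTORY, SELF_MANAGED, LIMITS).items():
        print(f"{res:22} {row}")
```

Replace the limits with the values shown on your fleet project's quota page; the route and EndpointPolicy rows are left out because their bounds depend on how many routes and workload policies attach to each port.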
Kubernetes Gateway API with Managed Cloud Service Mesh
| Item | Kubernetes Gateway API Resources | Google Cloud API Resources | Scope | Quotas and Limits | Upper Bound |
|---|---|---|---|---|---|
| Traffic routing | HTTPRoute GRPCRoute | HTTPRoute GRPCRoute | Global | HTTPRoute Quota GRPCRoute Quota | 1 per service port, and for each of HTTPRoute and GRPCRoute. |
| Service representation (for route / policy attachment) | Service | BackendService | Global | BackendService Quota | 1 per service port attached by HTTPRoute and GRPCRoute. |
| Workload properties (such as IP:port, locality) | Service | NetworkEndpointGroup | Zonal | NetworkEndpointGroup Quota | 1 per (service port, zone). In a regional GKE cluster, a NetworkEndpointGroup is created, for a given service port, in every zone where the cluster has at least one node. |
| Workload health monitoring | Service | HealthCheck | Global | HealthCheck Quota | 1 per service port attached by HTTPRoute and GRPCRoute. |
Last updated 2026-02-19 UTC.