From 21671675f4e0d4640d8d8bca63ca251ad66adea6 Mon Sep 17 00:00:00 2001 From: "copybara-service[bot]" <56741989+copybara-service[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 10:00:13 -0400 Subject: [PATCH] feat: new Network Management event types added (#539) PiperOrigin-RevId: 539981762 Co-authored-by: Copybara Bot --- json/audit/service_catalog.json | 1 + .../cloud/networkmanagement/v1/data.proto | 1379 +++++++++++++++++ .../cloud/networkmanagement/v1/events.proto | 59 + 3 files changed, 1439 insertions(+) create mode 100644 proto/google/events/cloud/networkmanagement/v1/data.proto create mode 100644 proto/google/events/cloud/networkmanagement/v1/events.proto diff --git a/json/audit/service_catalog.json b/json/audit/service_catalog.json index e82bcaa9..134da9a2 100644 --- a/json/audit/service_catalog.json +++ b/json/audit/service_catalog.json @@ -5275,6 +5275,7 @@ }, { "serviceName": "batch.googleapis.com", + "displayName": "Batch", "methods": [ { "methodName": "google.cloud.batch.v1.BatchService.CreateJob" diff --git a/proto/google/events/cloud/networkmanagement/v1/data.proto b/proto/google/events/cloud/networkmanagement/v1/data.proto new file mode 100644 index 00000000..0d77711c --- /dev/null +++ b/proto/google/events/cloud/networkmanagement/v1/data.proto @@ -0,0 +1,1379 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.events.cloud.networkmanagement.v1; + +import "google/protobuf/timestamp.proto"; +import "google/rpc/status.proto"; + +option csharp_namespace = "Google.Events.Protobuf.Cloud.NetworkManagement.V1"; +option php_namespace = "Google\\Events\\Cloud\\NetworkManagement\\V1"; +option ruby_package = "Google::Events::Cloud::NetworkManagement::V1"; + +// Trace represents one simulated packet forwarding path. +// +// * Each trace contains multiple ordered steps. +// * Each step is in a particular state with associated configuration. +// * State is categorized as final or non-final states. +// * Each final state has a reason associated. +// * Each trace must end with a final state (the last step). +// ``` +// |---------------------Trace----------------------| +// Step1(State) Step2(State) --- StepN(State(final)) +// ``` +message Trace { + // Derived from the source and destination endpoints definition specified by + // user request, and validated by the data plane model. + // If there are multiple traces starting from different source locations, then + // the endpoint_info may be different between traces. + EndpointInfo endpoint_info = 1; + + // A trace of a test contains multiple steps from the initial state to the + // final state (delivered, dropped, forwarded, or aborted). + // + // The steps are ordered by the processing sequence within the simulated + // network state machine. It is critical to preserve the order of the steps + // and avoid reordering or sorting them. + repeated Step steps = 2; +} + +// A simulated forwarding path is composed of multiple steps. +// Each step has a well-defined state and an associated configuration. +message Step { + // Type of states that are defined in the network state machine. + // Each step in the packet trace is in a specific state. + enum State { + // Unspecified state. + STATE_UNSPECIFIED = 0; + + // Initial state: packet originating from a Compute Engine instance. + // An InstanceInfo is populated with starting instance information. + START_FROM_INSTANCE = 1; + + // Initial state: packet originating from the internet. + // The endpoint information is populated. + START_FROM_INTERNET = 2; + + // Initial state: packet originating from a Google service. Some Google + // services, such as health check probers or Identity Aware Proxy use + // special routes, outside VPC routing configuration to reach Compute Engine + // Instances. + START_FROM_GOOGLE_SERVICE = 27; + + // Initial state: packet originating from a VPC or on-premises network + // with internal source IP. + // If the source is a VPC network visible to the user, a NetworkInfo + // is populated with details of the network. + START_FROM_PRIVATE_NETWORK = 3; + + // Initial state: packet originating from a Google Kubernetes Engine cluster + // master. A GKEMasterInfo is populated with starting instance information. + START_FROM_GKE_MASTER = 21; + + // Initial state: packet originating from a Cloud SQL instance. + // A CloudSQLInstanceInfo is populated with starting instance information. + START_FROM_CLOUD_SQL_INSTANCE = 22; + + // Initial state: packet originating from a Cloud Function. + // A CloudFunctionInfo is populated with starting function information. + START_FROM_CLOUD_FUNCTION = 23; + + // Initial state: packet originating from an App Engine service version. + // An AppEngineVersionInfo is populated with starting version information. + START_FROM_APP_ENGINE_VERSION = 25; + + // Initial state: packet originating from a Cloud Run revision. + // A CloudRunRevisionInfo is populated with starting revision information. + START_FROM_CLOUD_RUN_REVISION = 26; + + // Config checking state: verify ingress firewall rule. + APPLY_INGRESS_FIREWALL_RULE = 4; + + // Config checking state: verify egress firewall rule. + APPLY_EGRESS_FIREWALL_RULE = 5; + + // Config checking state: verify route. + APPLY_ROUTE = 6; + + // Config checking state: match forwarding rule. + APPLY_FORWARDING_RULE = 7; + + // Config checking state: packet sent or received under foreign IP + // address and allowed. + SPOOFING_APPROVED = 8; + + // Forwarding state: arriving at a Compute Engine instance. + ARRIVE_AT_INSTANCE = 9; + + // Forwarding state: arriving at a Compute Engine internal load balancer. + ARRIVE_AT_INTERNAL_LOAD_BALANCER = 10; + + // Forwarding state: arriving at a Compute Engine external load balancer. + ARRIVE_AT_EXTERNAL_LOAD_BALANCER = 11; + + // Forwarding state: arriving at a Cloud VPN gateway. + ARRIVE_AT_VPN_GATEWAY = 12; + + // Forwarding state: arriving at a Cloud VPN tunnel. + ARRIVE_AT_VPN_TUNNEL = 13; + + // Forwarding state: arriving at a VPC connector. + ARRIVE_AT_VPC_CONNECTOR = 24; + + // Transition state: packet header translated. + NAT = 14; + + // Transition state: original connection is terminated and a new proxied + // connection is initiated. + PROXY_CONNECTION = 15; + + // Final state: packet could be delivered. + DELIVER = 16; + + // Final state: packet could be dropped. + DROP = 17; + + // Final state: packet could be forwarded to a network with an unknown + // configuration. + FORWARD = 18; + + // Final state: analysis is aborted. + ABORT = 19; + + // Special state: viewer of the test result does not have permission to + // see the configuration in this step. + VIEWER_PERMISSION_MISSING = 20; + } + + // A description of the step. Usually this is a summary of the state. + string description = 1; + + // Each step is in one of the pre-defined states. + State state = 2; + + // This is a step that leads to the final state Drop. + bool causes_drop = 3; + + // Project ID that contains the configuration this step is validating. + string project_id = 4; + + // Configuration or metadata associated with each step. + // The configuration is filtered based on viewer's permission. If a viewer + // has no permission to view the configuration in this step, for non-final + // states a special state is populated (VIEWER_PERMISSION_MISSING), and for + // final state the configuration is cleared. + oneof step_info { + // Display information of a Compute Engine instance. + InstanceInfo instance = 5; + + // Display information of a Compute Engine firewall rule. + FirewallInfo firewall = 6; + + // Display information of a Compute Engine route. + RouteInfo route = 7; + + // Display information of the source and destination under analysis. + // The endpoint information in an intermediate state may differ with the + // initial input, as it might be modified by state like NAT, + // or Connection Proxy. + EndpointInfo endpoint = 8; + + // Display information of a Google service + GoogleServiceInfo google_service = 24; + + // Display information of a Compute Engine forwarding rule. + ForwardingRuleInfo forwarding_rule = 9; + + // Display information of a Compute Engine VPN gateway. + VpnGatewayInfo vpn_gateway = 10; + + // Display information of a Compute Engine VPN tunnel. + VpnTunnelInfo vpn_tunnel = 11; + + // Display information of a VPC connector. + VpcConnectorInfo vpc_connector = 21; + + // Display information of the final state "deliver" and reason. + DeliverInfo deliver = 12; + + // Display information of the final state "forward" and reason. + ForwardInfo forward = 13; + + // Display information of the final state "abort" and reason. + AbortInfo abort = 14; + + // Display information of the final state "drop" and reason. + DropInfo drop = 15; + + // Display information of the load balancers. + LoadBalancerInfo load_balancer = 16; + + // Display information of a Google Cloud network. + NetworkInfo network = 17; + + // Display information of a Google Kubernetes Engine cluster master. + GKEMasterInfo gke_master = 18; + + // Display information of a Cloud SQL instance. + CloudSQLInstanceInfo cloud_sql_instance = 19; + + // Display information of a Cloud Function. + CloudFunctionInfo cloud_function = 20; + + // Display information of an App Engine service version. + AppEngineVersionInfo app_engine_version = 22; + + // Display information of a Cloud Run revision. + CloudRunRevisionInfo cloud_run_revision = 23; + } +} + +// For display only. Metadata associated with a Compute Engine instance. +message InstanceInfo { + // Name of a Compute Engine instance. + string display_name = 1; + + // URI of a Compute Engine instance. + string uri = 2; + + // Name of the network interface of a Compute Engine instance. + string interface = 3; + + // URI of a Compute Engine network. + string network_uri = 4; + + // Internal IP address of the network interface. + string internal_ip = 5; + + // External IP address of the network interface. + string external_ip = 6; + + // Network tags configured on the instance. + repeated string network_tags = 7; + + // Service account authorized for the instance. + string service_account = 8; +} + +// For display only. Metadata associated with a Compute Engine network. +message NetworkInfo { + // Name of a Compute Engine network. + string display_name = 1; + + // URI of a Compute Engine network. + string uri = 2; + + // The IP range that matches the test. + string matched_ip_range = 4; +} + +// For display only. Metadata associated with a VPC firewall rule, an implied +// VPC firewall rule, or a hierarchical firewall policy rule. +message FirewallInfo { + // The firewall rule's type. + enum FirewallRuleType { + // Unspecified type. + FIREWALL_RULE_TYPE_UNSPECIFIED = 0; + + // Hierarchical firewall policy rule. For details, see + // [Hierarchical firewall policies + // overview](https://cloud.google.com/vpc/docs/firewall-policies). + HIERARCHICAL_FIREWALL_POLICY_RULE = 1; + + // VPC firewall rule. For details, see + // [VPC firewall rules + // overview](https://cloud.google.com/vpc/docs/firewalls). + VPC_FIREWALL_RULE = 2; + + // Implied VPC firewall rule. For details, see + // [Implied + // rules](https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules). + IMPLIED_VPC_FIREWALL_RULE = 3; + + // Implicit firewall rules that are managed by serverless VPC access to + // allow ingress access. They are not visible in the Google Cloud console. + // For details, see [VPC connector's implicit + // rules](https://cloud.google.com/functions/docs/networking/connecting-vpc#restrict-access). + SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE = 4; + + // Global network firewall policy rule. + // For details, see [Network firewall + // policies](https://cloud.google.com/vpc/docs/network-firewall-policies). + NETWORK_FIREWALL_POLICY_RULE = 5; + } + + // The display name of the VPC firewall rule. This field is not applicable + // to hierarchical firewall policy rules. + string display_name = 1; + + // The URI of the VPC firewall rule. This field is not applicable to + // implied firewall rules or hierarchical firewall policy rules. + string uri = 2; + + // Possible values: INGRESS, EGRESS + string direction = 3; + + // Possible values: ALLOW, DENY + string action = 4; + + // The priority of the firewall rule. + int32 priority = 5; + + // The URI of the VPC network that the firewall rule is associated with. + // This field is not applicable to hierarchical firewall policy rules. + string network_uri = 6; + + // The target tags defined by the VPC firewall rule. This field is not + // applicable to hierarchical firewall policy rules. + repeated string target_tags = 7; + + // The target service accounts specified by the firewall rule. + repeated string target_service_accounts = 8; + + // The hierarchical firewall policy that this rule is associated with. + // This field is not applicable to VPC firewall rules. + string policy = 9; + + // The firewall rule's type. + FirewallRuleType firewall_rule_type = 10; +} + +// For display only. Metadata associated with a Compute Engine route. +message RouteInfo { + // Type of route: + enum RouteType { + // Unspecified type. Default value. + ROUTE_TYPE_UNSPECIFIED = 0; + + // Route is a subnet route automatically created by the system. + SUBNET = 1; + + // Static route created by the user, including the default route to the + // internet. + STATIC = 2; + + // Dynamic route exchanged between BGP peers. + DYNAMIC = 3; + + // A subnet route received from peering network. + PEERING_SUBNET = 4; + + // A static route received from peering network. + PEERING_STATIC = 5; + + // A dynamic route received from peering network. + PEERING_DYNAMIC = 6; + + // Policy based route. + POLICY_BASED = 7; + } + + // Type of next hop: + enum NextHopType { + // Unspecified type. Default value. + NEXT_HOP_TYPE_UNSPECIFIED = 0; + + // Next hop is an IP address. + NEXT_HOP_IP = 1; + + // Next hop is a Compute Engine instance. + NEXT_HOP_INSTANCE = 2; + + // Next hop is a VPC network gateway. + NEXT_HOP_NETWORK = 3; + + // Next hop is a peering VPC. + NEXT_HOP_PEERING = 4; + + // Next hop is an interconnect. + NEXT_HOP_INTERCONNECT = 5; + + // Next hop is a VPN tunnel. + NEXT_HOP_VPN_TUNNEL = 6; + + // Next hop is a VPN gateway. This scenario only happens when tracing + // connectivity from an on-premises network to Google Cloud through a VPN. + // The analysis simulates a packet departing from the on-premises network + // through a VPN tunnel and arriving at a Cloud VPN gateway. + NEXT_HOP_VPN_GATEWAY = 7; + + // Next hop is an internet gateway. + NEXT_HOP_INTERNET_GATEWAY = 8; + + // Next hop is blackhole; that is, the next hop either does not exist or is + // not running. + NEXT_HOP_BLACKHOLE = 9; + + // Next hop is the forwarding rule of an Internal Load Balancer. + NEXT_HOP_ILB = 10; + + // Next hop is a + // [router appliance + // instance](https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/ra-overview). + NEXT_HOP_ROUTER_APPLIANCE = 11; + } + + // Type of route. + RouteType route_type = 8; + + // Type of next hop. + NextHopType next_hop_type = 9; + + // Name of a Compute Engine route. + string display_name = 1; + + // URI of a Compute Engine route. + // Dynamic route from cloud router does not have a URI. + // Advertised route from Google Cloud VPC to on-premises network also does + // not have a URI. + string uri = 2; + + // Destination IP range of the route. + string dest_ip_range = 3; + + // Next hop of the route. + string next_hop = 4; + + // URI of a Compute Engine network. + string network_uri = 5; + + // Priority of the route. + int32 priority = 6; + + // Instance tags of the route. + repeated string instance_tags = 7; + + // Source IP address range of the route. Policy based routes only. + string src_ip_range = 10; + + // Destination port ranges of the route. Policy based routes only. + repeated string dest_port_ranges = 11; + + // Source port ranges of the route. Policy based routes only. + repeated string src_port_ranges = 12; + + // Protocols of the route. Policy based routes only. + repeated string protocols = 13; +} + +// For display only. Details of a Google Service sending packets to a +// VPC network. Although the source IP might be a publicly routable address, +// some Google Services use special routes within Google production +// infrastructure to reach Compute Engine Instances. +// https://cloud.google.com/vpc/docs/routes#special_return_paths +message GoogleServiceInfo { + // Recognized type of a Google Service. + enum GoogleServiceType { + // Unspecified Google Service. Includes most of Google APIs and services. + GOOGLE_SERVICE_TYPE_UNSPECIFIED = 0; + + // Identity aware proxy. + // https://cloud.google.com/iap/docs/using-tcp-forwarding + IAP = 1; + + // One of two services sharing IP ranges: + // * Load Balancer proxy + // * Centralized Health Check prober + // https://cloud.google.com/load-balancing/docs/firewall-rules + GFE_PROXY_OR_HEALTH_CHECK_PROBER = 2; + + // Connectivity from Cloud DNS to forwarding targets or alternate name + // servers that use private routing. + // https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules + // https://cloud.google.com/dns/docs/policies#firewall-rules + CLOUD_DNS = 3; + } + + // Source IP address. + string source_ip = 1; + + // Recognized type of a Google Service. + GoogleServiceType google_service_type = 2; +} + +// For display only. Metadata associated with a Compute Engine forwarding rule. +message ForwardingRuleInfo { + // Name of a Compute Engine forwarding rule. + string display_name = 1; + + // URI of a Compute Engine forwarding rule. + string uri = 2; + + // Protocol defined in the forwarding rule that matches the test. + string matched_protocol = 3; + + // Port range defined in the forwarding rule that matches the test. + string matched_port_range = 6; + + // VIP of the forwarding rule. + string vip = 4; + + // Target type of the forwarding rule. + string target = 5; + + // Network URI. Only valid for Internal Load Balancer. + string network_uri = 7; +} + +// For display only. Metadata associated with a load balancer. +message LoadBalancerInfo { + // The type definition for a load balancer: + enum LoadBalancerType { + // Type is unspecified. + LOAD_BALANCER_TYPE_UNSPECIFIED = 0; + + // Internal TCP/UDP load balancer. + INTERNAL_TCP_UDP = 1; + + // Network TCP/UDP load balancer. + NETWORK_TCP_UDP = 2; + + // HTTP(S) proxy load balancer. + HTTP_PROXY = 3; + + // TCP proxy load balancer. + TCP_PROXY = 4; + + // SSL proxy load balancer. + SSL_PROXY = 5; + } + + // The type definition for a load balancer backend configuration: + enum BackendType { + // Type is unspecified. + BACKEND_TYPE_UNSPECIFIED = 0; + + // Backend Service as the load balancer's backend. + BACKEND_SERVICE = 1; + + // Target Pool as the load balancer's backend. + TARGET_POOL = 2; + + // Target Instance as the load balancer's backend. + TARGET_INSTANCE = 3; + } + + // Type of the load balancer. + LoadBalancerType load_balancer_type = 1; + + // URI of the health check for the load balancer. + string health_check_uri = 2; + + // Information for the loadbalancer backends. + repeated LoadBalancerBackend backends = 3; + + // Type of load balancer's backend configuration. + BackendType backend_type = 4; + + // Backend configuration URI. + string backend_uri = 5; +} + +// For display only. Metadata associated with a specific load balancer backend. +message LoadBalancerBackend { + // State of a health check firewall configuration: + enum HealthCheckFirewallState { + // State is unspecified. Default state if not populated. + HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED = 0; + + // There are configured firewall rules to allow health check probes to the + // backend. + CONFIGURED = 1; + + // There are firewall rules configured to allow partial health check ranges + // or block all health check ranges. + // If a health check probe is sent from denied IP ranges, + // the health check to the backend will fail. Then, the backend will be + // marked unhealthy and will not receive traffic sent to the load balancer. + MISCONFIGURED = 2; + } + + // Name of a Compute Engine instance or network endpoint. + string display_name = 1; + + // URI of a Compute Engine instance or network endpoint. + string uri = 2; + + // State of the health check firewall configuration. + HealthCheckFirewallState health_check_firewall_state = 3; + + // A list of firewall rule URIs allowing probes from health check IP ranges. + repeated string health_check_allowing_firewall_rules = 4; + + // A list of firewall rule URIs blocking probes from health check IP ranges. + repeated string health_check_blocking_firewall_rules = 5; +} + +// For display only. Metadata associated with a Compute Engine VPN gateway. +message VpnGatewayInfo { + // Name of a VPN gateway. + string display_name = 1; + + // URI of a VPN gateway. + string uri = 2; + + // URI of a Compute Engine network where the VPN gateway is configured. + string network_uri = 3; + + // IP address of the VPN gateway. + string ip_address = 4; + + // A VPN tunnel that is associated with this VPN gateway. + // There may be multiple VPN tunnels configured on a VPN gateway, and only + // the one relevant to the test is displayed. + string vpn_tunnel_uri = 5; + + // Name of a Google Cloud region where this VPN gateway is configured. + string region = 6; +} + +// For display only. Metadata associated with a Compute Engine VPN tunnel. +message VpnTunnelInfo { + // Types of VPN routing policy. For details, refer to [Networks and Tunnel + // routing](https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing/). + enum RoutingType { + // Unspecified type. Default value. + ROUTING_TYPE_UNSPECIFIED = 0; + + // Route based VPN. + ROUTE_BASED = 1; + + // Policy based routing. + POLICY_BASED = 2; + + // Dynamic (BGP) routing. + DYNAMIC = 3; + } + + // Name of a VPN tunnel. + string display_name = 1; + + // URI of a VPN tunnel. + string uri = 2; + + // URI of the VPN gateway at local end of the tunnel. + string source_gateway = 3; + + // URI of a VPN gateway at remote end of the tunnel. + string remote_gateway = 4; + + // Remote VPN gateway's IP address. + string remote_gateway_ip = 5; + + // Local VPN gateway's IP address. + string source_gateway_ip = 6; + + // URI of a Compute Engine network where the VPN tunnel is configured. + string network_uri = 7; + + // Name of a Google Cloud region where this VPN tunnel is configured. + string region = 8; + + // Type of the routing policy. + RoutingType routing_type = 9; +} + +// For display only. The specification of the endpoints for the test. +// EndpointInfo is derived from source and destination Endpoint and validated +// by the backend data plane model. +message EndpointInfo { + // Source IP address. + string source_ip = 1; + + // Destination IP address. + string destination_ip = 2; + + // IP protocol in string format, for example: "TCP", "UDP", "ICMP". + string protocol = 3; + + // Source port. Only valid when protocol is TCP or UDP. + int32 source_port = 4; + + // Destination port. Only valid when protocol is TCP or UDP. + int32 destination_port = 5; + + // URI of the network where this packet originates from. + string source_network_uri = 6; + + // URI of the network where this packet is sent to. + string destination_network_uri = 7; +} + +// Details of the final state "deliver" and associated resource. +message DeliverInfo { + // Deliver target types: + enum Target { + // Target not specified. + TARGET_UNSPECIFIED = 0; + + // Target is a Compute Engine instance. + INSTANCE = 1; + + // Target is the internet. + INTERNET = 2; + + // Target is a Google API. + GOOGLE_API = 3; + + // Target is a Google Kubernetes Engine cluster master. + GKE_MASTER = 4; + + // Target is a Cloud SQL instance. + CLOUD_SQL_INSTANCE = 5; + + // Target is a published service that uses [Private Service + // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-services). + PSC_PUBLISHED_SERVICE = 6; + + // Target is all Google APIs that use [Private Service + // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis). + PSC_GOOGLE_API = 7; + + // Target is a VPC-SC that uses [Private Service + // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis). + PSC_VPC_SC = 8; + } + + // Target type where the packet is delivered to. + Target target = 1; + + // URI of the resource that the packet is delivered to. + string resource_uri = 2; +} + +// Details of the final state "forward" and associated resource. +message ForwardInfo { + // Forward target types. + enum Target { + // Target not specified. + TARGET_UNSPECIFIED = 0; + + // Forwarded to a VPC peering network. + PEERING_VPC = 1; + + // Forwarded to a Cloud VPN gateway. + VPN_GATEWAY = 2; + + // Forwarded to a Cloud Interconnect connection. + INTERCONNECT = 3; + + // Forwarded to a Google Kubernetes Engine Container cluster master. + GKE_MASTER = 4; + + // Forwarded to the next hop of a custom route imported from a peering VPC. + IMPORTED_CUSTOM_ROUTE_NEXT_HOP = 5; + + // Forwarded to a Cloud SQL instance. + CLOUD_SQL_INSTANCE = 6; + + // Forwarded to a VPC network in another project. + ANOTHER_PROJECT = 7; + } + + // Target type where this packet is forwarded to. + Target target = 1; + + // URI of the resource that the packet is forwarded to. + string resource_uri = 2; +} + +// Details of the final state "abort" and associated resource. +message AbortInfo { + // Abort cause types: + enum Cause { + // Cause is unspecified. + CAUSE_UNSPECIFIED = 0; + + // Aborted due to unknown network. + // The reachability analysis cannot proceed because the user does not have + // access to the host project's network configurations, including firewall + // rules and routes. This happens when the project is a service project and + // the endpoints being traced are in the host project's network. + UNKNOWN_NETWORK = 1; + + // Aborted because the IP address(es) are unknown. + UNKNOWN_IP = 2; + + // Aborted because no project information can be derived from the test + // input. + UNKNOWN_PROJECT = 3; + + // Aborted because the user lacks the permission to access all or part of + // the network configurations required to run the test. + PERMISSION_DENIED = 4; + + // Aborted because no valid source endpoint is derived from the input test + // request. + NO_SOURCE_LOCATION = 5; + + // Aborted because the source and/or destination endpoint specified in + // the test are invalid. The possible reasons that an endpoint is + // invalid include: malformed IP address; nonexistent instance or + // network URI; IP address not in the range of specified network URI; and + // instance not owning the network interface in the specified network. + INVALID_ARGUMENT = 6; + + // Aborted because traffic is sent from a public IP to an instance without + // an external IP. + NO_EXTERNAL_IP = 7; + + // Aborted because none of the traces matches destination information + // specified in the input test request. + UNINTENDED_DESTINATION = 8; + + // Aborted because the number of steps in the trace exceeding a certain + // limit which may be caused by routing loop. + TRACE_TOO_LONG = 9; + + // Aborted due to internal server error. + INTERNAL_ERROR = 10; + + // Aborted because the source endpoint could not be found. + SOURCE_ENDPOINT_NOT_FOUND = 11; + + // Aborted because the source network does not match the source endpoint. + MISMATCHED_SOURCE_NETWORK = 12; + + // Aborted because the destination endpoint could not be found. + DESTINATION_ENDPOINT_NOT_FOUND = 13; + + // Aborted because the destination network does not match the destination + // endpoint. + MISMATCHED_DESTINATION_NETWORK = 14; + + // Aborted because the test scenario is not supported. + UNSUPPORTED = 15; + + // Aborted because the source and destination resources have no common IP + // version. + MISMATCHED_IP_VERSION = 16; + + // Aborted because the connection between the control plane and the node of + // the source cluster is initiated by the node and managed by the + // Konnectivity proxy. + GKE_KONNECTIVITY_PROXY_UNSUPPORTED = 17; + + // Aborted because expected resource configuration was missing. + RESOURCE_CONFIG_NOT_FOUND = 18; + } + + // Causes that the analysis is aborted. + Cause cause = 1; + + // URI of the resource that caused the abort. + string resource_uri = 2; + + // List of project IDs that the user has specified in the request but does + // not have permission to access network configs. Analysis is aborted in this + // case with the PERMISSION_DENIED cause. + repeated string projects_missing_permission = 3; +} + +// Details of the final state "drop" and associated resource. +message DropInfo { + // Drop cause types: + enum Cause { + // Cause is unspecified. + CAUSE_UNSPECIFIED = 0; + + // Destination external address cannot be resolved to a known target. If + // the address is used in a Google Cloud project, provide the project ID + // as test input. + UNKNOWN_EXTERNAL_ADDRESS = 1; + + // A Compute Engine instance can only send or receive a packet with a + // foreign IP address if ip_forward is enabled. + FOREIGN_IP_DISALLOWED = 2; + + // Dropped due to a firewall rule, unless allowed due to connection + // tracking. + FIREWALL_RULE = 3; + + // Dropped due to no routes. + NO_ROUTE = 4; + + // Dropped due to invalid route. Route's next hop is a blackhole. + ROUTE_BLACKHOLE = 5; + + // Packet is sent to a wrong (unintended) network. Example: you trace a + // packet from VM1:Network1 to VM2:Network2, however, the route configured + // in Network1 sends the packet destined for VM2's IP addresss to Network3. + ROUTE_WRONG_NETWORK = 6; + + // Packet with internal destination address sent to the internet gateway. + PRIVATE_TRAFFIC_TO_INTERNET = 7; + + // Instance with only an internal IP address tries to access Google API and + // services, but private Google access is not enabled. + PRIVATE_GOOGLE_ACCESS_DISALLOWED = 8; + + // Instance with only an internal IP address tries to access external hosts, + // but Cloud NAT is not enabled in the subnet, unless special configurations + // on a VM allow this connection. + NO_EXTERNAL_ADDRESS = 9; + + // Destination internal address cannot be resolved to a known target. If + // this is a shared VPC scenario, verify if the service project ID is + // provided as test input. Otherwise, verify if the IP address is being + // used in the project. + UNKNOWN_INTERNAL_ADDRESS = 10; + + // Forwarding rule's protocol and ports do not match the packet header. + FORWARDING_RULE_MISMATCH = 11; + + // Packet could be dropped because it was sent from a different region + // to a regional forwarding without global access. + FORWARDING_RULE_REGION_MISMATCH = 25; + + // Forwarding rule does not have backends configured. + FORWARDING_RULE_NO_INSTANCES = 12; + + // Firewalls block the health check probes to the backends and cause + // the backends to be unavailable for traffic from the load balancer. + // For more details, see [Health check firewall + // rules](https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules). + FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK = 13; + + // Packet is sent from or to a Compute Engine instance that is not in a + // running state. + INSTANCE_NOT_RUNNING = 14; + + // Packet sent from or to a GKE cluster that is not in running state. + GKE_CLUSTER_NOT_RUNNING = 27; + + // Packet sent from or to a Cloud SQL instance that is not in running state. + CLOUD_SQL_INSTANCE_NOT_RUNNING = 28; + + // The type of traffic is blocked and the user cannot configure a firewall + // rule to enable it. See [Always blocked + // traffic](https://cloud.google.com/vpc/docs/firewalls#blockedtraffic) for + // more details. + TRAFFIC_TYPE_BLOCKED = 15; + + // Access to Google Kubernetes Engine cluster master's endpoint is not + // authorized. See [Access to the cluster + // endpoints](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints) + // for more details. + GKE_MASTER_UNAUTHORIZED_ACCESS = 16; + + // Access to the Cloud SQL instance endpoint is not authorized. + // See [Authorizing with authorized + // networks](https://cloud.google.com/sql/docs/mysql/authorize-networks) for + // more details. + CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS = 17; + + // Packet was dropped inside Google Kubernetes Engine Service. + DROPPED_INSIDE_GKE_SERVICE = 18; + + // Packet was dropped inside Cloud SQL Service. + DROPPED_INSIDE_CLOUD_SQL_SERVICE = 19; + + // Packet was dropped because there is no peering between the originating + // network and the Google Managed Services Network. + GOOGLE_MANAGED_SERVICE_NO_PEERING = 20; + + // Packet was dropped because the Google-managed service uses Private + // Service Connect (PSC), but the PSC endpoint is not found in the project. + GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT = 38; + + // Packet was dropped because the GKE cluster uses Private Service Connect + // (PSC), but the PSC endpoint is not found in the project. + GKE_PSC_ENDPOINT_MISSING = 36; + + // Packet was dropped because the Cloud SQL instance has neither a private + // nor a public IP address. + CLOUD_SQL_INSTANCE_NO_IP_ADDRESS = 21; + + // Packet was dropped because a GKE cluster private endpoint is + // unreachable from a region different from the cluster's region. + GKE_CONTROL_PLANE_REGION_MISMATCH = 30; + + // Packet sent from a public GKE cluster control plane to a private + // IP address. + PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION = 31; + + // Packet was dropped because there is no route from a GKE cluster + // control plane to a destination network. + GKE_CONTROL_PLANE_NO_ROUTE = 32; + + // Packet sent from a Cloud SQL instance to an external IP address is not + // allowed. The Cloud SQL instance is not configured to send packets to + // external IP addresses. + CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC = 33; + + // Packet sent from a Cloud SQL instance with only a public IP address to a + // private IP address. + PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION = 34; + + // Packet was dropped because there is no route from a Cloud SQL + // instance to a destination network. + CLOUD_SQL_INSTANCE_NO_ROUTE = 35; + + // Packet could be dropped because the Cloud Function is not in an active + // status. + CLOUD_FUNCTION_NOT_ACTIVE = 22; + + // Packet could be dropped because no VPC connector is set. + VPC_CONNECTOR_NOT_SET = 23; + + // Packet could be dropped because the VPC connector is not in a running + // state. + VPC_CONNECTOR_NOT_RUNNING = 24; + + // The Private Service Connect endpoint is in a project that is not approved + // to connect to the service. + PSC_CONNECTION_NOT_ACCEPTED = 26; + + // Packet sent from a Cloud Run revision that is not ready. + CLOUD_RUN_REVISION_NOT_READY = 29; + + // Packet was dropped inside Private Service Connect service producer. + DROPPED_INSIDE_PSC_SERVICE_PRODUCER = 37; + + // Packet sent to a load balancer, which requires a proxy-only subnet and + // the subnet is not found. + LOAD_BALANCER_HAS_NO_PROXY_SUBNET = 39; + } + + // Cause that the packet is dropped. + Cause cause = 1; + + // URI of the resource that caused the drop. + string resource_uri = 2; +} + +// For display only. Metadata associated with a Google Kubernetes Engine (GKE) +// cluster master. +message GKEMasterInfo { + // URI of a GKE cluster. + string cluster_uri = 2; + + // URI of a GKE cluster network. + string cluster_network_uri = 4; + + // Internal IP address of a GKE cluster master. + string internal_ip = 5; + + // External IP address of a GKE cluster master. + string external_ip = 6; +} + +// For display only. Metadata associated with a Cloud SQL instance. +message CloudSQLInstanceInfo { + // Name of a Cloud SQL instance. + string display_name = 1; + + // URI of a Cloud SQL instance. + string uri = 2; + + // URI of a Cloud SQL instance network or empty string if the instance does + // not have one. + string network_uri = 4; + + // Internal IP address of a Cloud SQL instance. + string internal_ip = 5; + + // External IP address of a Cloud SQL instance. + string external_ip = 6; + + // Region in which the Cloud SQL instance is running. + string region = 7; +} + +// For display only. Metadata associated with a Cloud Function. +message CloudFunctionInfo { + // Name of a Cloud Function. + string display_name = 1; + + // URI of a Cloud Function. + string uri = 2; + + // Location in which the Cloud Function is deployed. + string location = 3; + + // Latest successfully deployed version id of the Cloud Function. + int64 version_id = 4; +} + +// For display only. Metadata associated with a Cloud Run revision. +message CloudRunRevisionInfo { + // Name of a Cloud Run revision. + string display_name = 1; + + // URI of a Cloud Run revision. + string uri = 2; + + // Location in which this revision is deployed. + string location = 4; + + // URI of Cloud Run service this revision belongs to. + string service_uri = 5; +} + +// For display only. Metadata associated with an App Engine version. +message AppEngineVersionInfo { + // Name of an App Engine version. + string display_name = 1; + + // URI of an App Engine version. + string uri = 2; + + // Runtime of the App Engine version. + string runtime = 3; + + // App Engine execution environment for a version. + string environment = 4; +} + +// For display only. Metadata associated with a VPC connector. +message VpcConnectorInfo { + // Name of a VPC connector. + string display_name = 1; + + // URI of a VPC connector. + string uri = 2; + + // Location in which the VPC connector is deployed. + string location = 3; +} + +// A Connectivity Test for a network reachability analysis. +message ConnectivityTest { + // Required. Unique name of the resource using the form: + // `projects/{project_id}/locations/global/connectivityTests/{test_id}` + string name = 1; + + // The user-supplied description of the Connectivity Test. + // Maximum of 512 characters. + string description = 2; + + // Required. Source specification of the Connectivity Test. + // + // You can use a combination of source IP address, virtual machine + // (VM) instance, or Compute Engine network to uniquely identify + // the source location. + // + // Examples: + // If the source IP address is an internal IP address within a Google Cloud + // Virtual Private Cloud (VPC) network, then you must also specify the VPC + // network. Otherwise, specify the VM instance, which already contains its + // internal IP address and VPC network information. + // + // If the source of the test is within an on-premises network, then you must + // provide the destination VPC network. + // + // If the source endpoint is a Compute Engine VM instance with multiple + // network interfaces, the instance itself is not sufficient to identify the + // endpoint. So, you must also specify the source IP address or VPC network. + // + // A reachability analysis proceeds even if the source location is + // ambiguous. However, the test result may include endpoints that you don't + // intend to test. + Endpoint source = 3; + + // Required. Destination specification of the Connectivity Test. + // + // You can use a combination of destination IP address, Compute Engine + // VM instance, or VPC network to uniquely identify the destination + // location. + // + // Even if the destination IP address is not unique, the source IP + // location is unique. Usually, the analysis can infer the destination + // endpoint from route information. + // + // If the destination you specify is a VM instance and the instance has + // multiple network interfaces, then you must also specify either + // a destination IP address or VPC network to identify the destination + // interface. + // + // A reachability analysis proceeds even if the destination location is + // ambiguous. However, the result can include endpoints that you don't + // intend to test. + Endpoint destination = 4; + + // IP Protocol of the test. When not provided, "TCP" is assumed. + string protocol = 5; + + // Other projects that may be relevant for reachability analysis. + // This is applicable to scenarios where a test can cross project boundaries. + repeated string related_projects = 6; + + // Output only. The display name of a Connectivity Test. + string display_name = 7; + + // Resource labels to represent user-provided metadata. + map labels = 8; + + // Output only. The time the test was created. + google.protobuf.Timestamp create_time = 10; + + // Output only. The time the test's configuration was updated. + google.protobuf.Timestamp update_time = 11; + + // Output only. The reachability details of this test from the latest run. + // The details are updated when creating a new test, updating an + // existing test, or triggering a one-time rerun of an existing test. + ReachabilityDetails reachability_details = 12; +} + +// Source or destination of the Connectivity Test. +message Endpoint { + // Wrapper for Cloud Function attributes. + message CloudFunctionEndpoint { + // A [Cloud Function](https://cloud.google.com/functions) name. + string uri = 1; + } + + // Wrapper for the App Engine service version attributes. + message AppEngineVersionEndpoint { + // An [App Engine](https://cloud.google.com/appengine) [service + // version](https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions) + // name. + string uri = 1; + } + + // Wrapper for Cloud Run revision attributes. + message CloudRunRevisionEndpoint { + // A [Cloud Run](https://cloud.google.com/run) + // [revision](https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions/get) + // URI. The format is: + // projects/{project}/locations/{location}/revisions/{revision} + string uri = 1; + } + + // The type definition of an endpoint's network. Use one of the + // following choices: + enum NetworkType { + // Default type if unspecified. + NETWORK_TYPE_UNSPECIFIED = 0; + + // A network hosted within Google Cloud. + // To receive more detailed output, specify the URI for the source or + // destination network. + GCP_NETWORK = 1; + + // A network hosted outside of Google Cloud. + // This can be an on-premises network, or a network hosted by another cloud + // provider. + NON_GCP_NETWORK = 2; + } + + // The IP address of the endpoint, which can be an external or internal IP. + // An IPv6 address is only allowed when the test's destination is a + // [global load balancer VIP](/load-balancing/docs/load-balancing-overview). + string ip_address = 1; + + // The IP protocol port of the endpoint. + // Only applicable when protocol is TCP or UDP. + int32 port = 2; + + // A Compute Engine instance URI. + string instance = 3; + + // A cluster URI for [Google Kubernetes Engine + // master](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture). + string gke_master_cluster = 7; + + // A [Cloud SQL](https://cloud.google.com/sql) instance URI. + string cloud_sql_instance = 8; + + // A [Cloud Function](https://cloud.google.com/functions). + CloudFunctionEndpoint cloud_function = 10; + + // An [App Engine](https://cloud.google.com/appengine) [service + // version](https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services.versions). + AppEngineVersionEndpoint app_engine_version = 11; + + // A [Cloud Run](https://cloud.google.com/run) + // [revision](https://cloud.google.com/run/docs/reference/rest/v1/namespaces.revisions/get) + CloudRunRevisionEndpoint cloud_run_revision = 12; + + // A Compute Engine network URI. + string network = 4; + + // Type of the network where the endpoint is located. + // Applicable only to source endpoint, as destination network type can be + // inferred from the source. + NetworkType network_type = 5; + + // Project ID where the endpoint is located. + // The Project ID can be derived from the URI if you provide a VM instance or + // network URI. + // The following are two cases where you must provide the project ID: + // 1. Only the IP address is specified, and the IP address is within a Google + // Cloud project. + // 2. When you are using Shared VPC and the IP address that you provide is + // from the service project. In this case, the network that the IP address + // resides in is defined in the host project. + string project_id = 6; +} + +// Results of the configuration analysis from the last run of the test. +message ReachabilityDetails { + // The overall result of the test's configuration analysis. + enum Result { + // No result was specified. + RESULT_UNSPECIFIED = 0; + + // Possible scenarios are: + // + // * The configuration analysis determined that a packet originating from + // the source is expected to reach the destination. + // * The analysis didn't complete because the user lacks permission for + // some of the resources in the trace. However, at the time the user's + // permission became insufficient, the trace had been successful so far. + REACHABLE = 1; + + // A packet originating from the source is expected to be dropped before + // reaching the destination. + UNREACHABLE = 2; + + // The source and destination endpoints do not uniquely identify + // the test location in the network, and the reachability result contains + // multiple traces. For some traces, a packet could be delivered, and for + // others, it would not be. + AMBIGUOUS = 4; + + // The configuration analysis did not complete. Possible reasons are: + // + // * A permissions error occurred--for example, the user might not have + // read permission for all of the resources named in the test. + // * An internal error occurred. + // * The analyzer received an invalid or unsupported argument or was unable + // to identify a known endpoint. + UNDETERMINED = 5; + } + + // The overall result of the test's configuration analysis. + Result result = 1; + + // The time of the configuration analysis. + google.protobuf.Timestamp verify_time = 2; + + // The details of a failure or a cancellation of reachability analysis. + google.rpc.Status error = 3; + + // Result may contain a list of traces if a test has multiple possible + // paths in the network, such as when destination endpoint is a load balancer + // with multiple backends. + repeated Trace traces = 5; +} + +// The data within all ConnectivityTest events. +message ConnectivityTestEventData { + // Optional. The ConnectivityTest event payload. Unset for deletion events. + optional ConnectivityTest payload = 1; +} diff --git a/proto/google/events/cloud/networkmanagement/v1/events.proto b/proto/google/events/cloud/networkmanagement/v1/events.proto new file mode 100644 index 00000000..4711238a --- /dev/null +++ b/proto/google/events/cloud/networkmanagement/v1/events.proto @@ -0,0 +1,59 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.events.cloud.networkmanagement.v1; + +import "google/events/cloud/networkmanagement/v1/data.proto"; +import "google/events/cloudevent.proto"; + +option csharp_namespace = "Google.Events.Protobuf.Cloud.NetworkManagement.V1"; +option php_namespace = "Google\\Events\\Cloud\\NetworkManagement\\V1"; +option ruby_package = "Google::Events::Cloud::NetworkManagement::V1"; +option (google.events.cloud_event_product) = "Network Management"; +option (google.events.cloud_event_extension_attribute) = { + name: "test" + description: "The resource ID of the Test triggering the event." +}; + +// The CloudEvent raised when a ConnectivityTest is created. +message ConnectivityTestCreatedEvent { + option (google.events.cloud_event_type) = + "google.cloud.networkmanagement.connectivityTest.v1.created"; + option (google.events.cloud_event_extension_name) = "test"; + + // The data associated with the event. + ConnectivityTestEventData data = 1; +} + +// The CloudEvent raised when a ConnectivityTest is updated. +message ConnectivityTestUpdatedEvent { + option (google.events.cloud_event_type) = + "google.cloud.networkmanagement.connectivityTest.v1.updated"; + option (google.events.cloud_event_extension_name) = "test"; + + // The data associated with the event. + ConnectivityTestEventData data = 1; +} + +// The CloudEvent raised when a ConnectivityTest is deleted. +message ConnectivityTestDeletedEvent { + option (google.events.cloud_event_type) = + "google.cloud.networkmanagement.connectivityTest.v1.deleted"; + option (google.events.cloud_event_extension_name) = "test"; + + // The data associated with the event. + ConnectivityTestEventData data = 1; +}