xref: /aosp_15_r20/external/googleapis/google/cloud/networkmanagement/v1/trace.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9)

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.networkmanagement.v1;

import "google/api/field_behavior.proto";
import "google/api/field_info.proto";

option csharp_namespace = "Google.Cloud.NetworkManagement.V1";
option go_package = "cloud.google.com/go/networkmanagement/apiv1/networkmanagementpb;networkmanagementpb";
option java_multiple_files = true;
option java_outer_classname = "TraceProto";
option java_package = "com.google.cloud.networkmanagement.v1";
option php_namespace = "Google\\Cloud\\NetworkManagement\\V1";
option ruby_package = "Google::Cloud::NetworkManagement::V1";

// Trace represents one simulated packet forwarding path.
//
//   * Each trace contains multiple ordered steps.
//   * Each step is in a particular state with associated configuration.
//   * State is categorized as final or non-final states.
//   * Each final state has a reason associated.
//   * Each trace must end with a final state (the last step).
// ```
//   |---------------------Trace----------------------|
//   Step1(State) Step2(State) ---  StepN(State(final))
// ```
message Trace {
  // Derived from the source and destination endpoints definition specified by
  // user request, and validated by the data plane model.
  // If there are multiple traces starting from different source locations, then
  // the endpoint_info may be different between traces.
  EndpointInfo endpoint_info = 1;

  // A trace of a test contains multiple steps from the initial state to the
  // final state (delivered, dropped, forwarded, or aborted).
  //
  // The steps are ordered by the processing sequence within the simulated
  // network state machine. It is critical to preserve the order of the steps
  // and avoid reordering or sorting them.
  repeated Step steps = 2;

  // ID of trace. For forward traces, this ID is unique for each trace. For
  // return traces, it matches ID of associated forward trace. A single forward
  // trace can be associated with none, one or more than one return trace.
  int32 forward_trace_id = 4;
}

// A simulated forwarding path is composed of multiple steps.
// Each step has a well-defined state and an associated configuration.
message Step {
  // Type of states that are defined in the network state machine.
  // Each step in the packet trace is in a specific state.
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // Initial state: packet originating from a Compute Engine instance.
    // An InstanceInfo is populated with starting instance information.
    START_FROM_INSTANCE = 1;

    // Initial state: packet originating from the internet.
    // The endpoint information is populated.
    START_FROM_INTERNET = 2;

    // Initial state: packet originating from a Google service.
    // The google_service information is populated.
    START_FROM_GOOGLE_SERVICE = 27;

    // Initial state: packet originating from a VPC or on-premises network
    // with internal source IP.
    // If the source is a VPC network visible to the user, a NetworkInfo
    // is populated with details of the network.
    START_FROM_PRIVATE_NETWORK = 3;

    // Initial state: packet originating from a Google Kubernetes Engine cluster
    // master. A GKEMasterInfo is populated with starting instance information.
    START_FROM_GKE_MASTER = 21;

    // Initial state: packet originating from a Cloud SQL instance.
    // A CloudSQLInstanceInfo is populated with starting instance information.
    START_FROM_CLOUD_SQL_INSTANCE = 22;

    // Initial state: packet originating from a Cloud Function.
    // A CloudFunctionInfo is populated with starting function information.
    START_FROM_CLOUD_FUNCTION = 23;

    // Initial state: packet originating from an App Engine service version.
    // An AppEngineVersionInfo is populated with starting version information.
    START_FROM_APP_ENGINE_VERSION = 25;

    // Initial state: packet originating from a Cloud Run revision.
    // A CloudRunRevisionInfo is populated with starting revision information.
    START_FROM_CLOUD_RUN_REVISION = 26;

    // Initial state: packet originating from a Storage Bucket. Used only for
    // return traces.
    // The storage_bucket information is populated.
    START_FROM_STORAGE_BUCKET = 29;

    // Initial state: packet originating from a published service that uses
    // Private Service Connect. Used only for return traces.
    START_FROM_PSC_PUBLISHED_SERVICE = 30;

    // Config checking state: verify ingress firewall rule.
    APPLY_INGRESS_FIREWALL_RULE = 4;

    // Config checking state: verify egress firewall rule.
    APPLY_EGRESS_FIREWALL_RULE = 5;

    // Config checking state: verify route.
    APPLY_ROUTE = 6;

    // Config checking state: match forwarding rule.
    APPLY_FORWARDING_RULE = 7;

    // Config checking state: verify load balancer backend configuration.
    ANALYZE_LOAD_BALANCER_BACKEND = 28;

    // Config checking state: packet sent or received under foreign IP
    // address and allowed.
    SPOOFING_APPROVED = 8;

    // Forwarding state: arriving at a Compute Engine instance.
    ARRIVE_AT_INSTANCE = 9;

    // Forwarding state: arriving at a Compute Engine internal load balancer.
    ARRIVE_AT_INTERNAL_LOAD_BALANCER = 10 [deprecated = true];

    // Forwarding state: arriving at a Compute Engine external load balancer.
    ARRIVE_AT_EXTERNAL_LOAD_BALANCER = 11 [deprecated = true];

    // Forwarding state: arriving at a Cloud VPN gateway.
    ARRIVE_AT_VPN_GATEWAY = 12;

    // Forwarding state: arriving at a Cloud VPN tunnel.
    ARRIVE_AT_VPN_TUNNEL = 13;

    // Forwarding state: arriving at a VPC connector.
    ARRIVE_AT_VPC_CONNECTOR = 24;

    // Transition state: packet header translated.
    NAT = 14;

    // Transition state: original connection is terminated and a new proxied
    // connection is initiated.
    PROXY_CONNECTION = 15;

    // Final state: packet could be delivered.
    DELIVER = 16;

    // Final state: packet could be dropped.
    DROP = 17;

    // Final state: packet could be forwarded to a network with an unknown
    // configuration.
    FORWARD = 18;

    // Final state: analysis is aborted.
    ABORT = 19;

    // Special state: viewer of the test result does not have permission to
    // see the configuration in this step.
    VIEWER_PERMISSION_MISSING = 20;
  }

  // A description of the step. Usually this is a summary of the state.
  string description = 1;

  // Each step is in one of the pre-defined states.
  State state = 2;

  // This is a step that leads to the final state Drop.
  bool causes_drop = 3;

  // Project ID that contains the configuration this step is validating.
  string project_id = 4;

  // Configuration or metadata associated with each step.
  // The configuration is filtered based on viewer's permission. If a viewer
  // has no permission to view the configuration in this step, for non-final
  // states a special state is populated (VIEWER_PERMISSION_MISSING), and for
  // final state the configuration is cleared.
  oneof step_info {
    // Display information of a Compute Engine instance.
    InstanceInfo instance = 5;

    // Display information of a Compute Engine firewall rule.
    FirewallInfo firewall = 6;

    // Display information of a Compute Engine route.
    RouteInfo route = 7;

    // Display information of the source and destination under analysis.
    // The endpoint information in an intermediate state may differ with the
    // initial input, as it might be modified by state like NAT,
    // or Connection Proxy.
    EndpointInfo endpoint = 8;

    // Display information of a Google service
    GoogleServiceInfo google_service = 24;

    // Display information of a Compute Engine forwarding rule.
    ForwardingRuleInfo forwarding_rule = 9;

    // Display information of a Compute Engine VPN gateway.
    VpnGatewayInfo vpn_gateway = 10;

    // Display information of a Compute Engine VPN tunnel.
    VpnTunnelInfo vpn_tunnel = 11;

    // Display information of a VPC connector.
    VpcConnectorInfo vpc_connector = 21;

    // Display information of the final state "deliver" and reason.
    DeliverInfo deliver = 12;

    // Display information of the final state "forward" and reason.
    ForwardInfo forward = 13;

    // Display information of the final state "abort" and reason.
    AbortInfo abort = 14;

    // Display information of the final state "drop" and reason.
    DropInfo drop = 15;

    // Display information of the load balancers. Deprecated in favor of the
    // `load_balancer_backend_info` field, not used in new tests.
    LoadBalancerInfo load_balancer = 16 [deprecated = true];

    // Display information of a Google Cloud network.
    NetworkInfo network = 17;

    // Display information of a Google Kubernetes Engine cluster master.
    GKEMasterInfo gke_master = 18;

    // Display information of a Cloud SQL instance.
    CloudSQLInstanceInfo cloud_sql_instance = 19;

    // Display information of a Cloud Function.
    CloudFunctionInfo cloud_function = 20;

    // Display information of an App Engine service version.
    AppEngineVersionInfo app_engine_version = 22;

    // Display information of a Cloud Run revision.
    CloudRunRevisionInfo cloud_run_revision = 23;

    // Display information of a NAT.
    NatInfo nat = 25;

    // Display information of a ProxyConnection.
    ProxyConnectionInfo proxy_connection = 26;

    // Display information of a specific load balancer backend.
    LoadBalancerBackendInfo load_balancer_backend_info = 27;

    // Display information of a Storage Bucket. Used only for return traces.
    StorageBucketInfo storage_bucket = 28;
  }
}

// For display only. Metadata associated with a Compute Engine instance.
message InstanceInfo {
  // Name of a Compute Engine instance.
  string display_name = 1;

  // URI of a Compute Engine instance.
  string uri = 2;

  // Name of the network interface of a Compute Engine instance.
  string interface = 3;

  // URI of a Compute Engine network.
  string network_uri = 4;

  // Internal IP address of the network interface.
  string internal_ip = 5;

  // External IP address of the network interface.
  string external_ip = 6;

  // Network tags configured on the instance.
  repeated string network_tags = 7;

  // Service account authorized for the instance.
  string service_account = 8 [deprecated = true];
}

// For display only. Metadata associated with a Compute Engine network.
message NetworkInfo {
  // Name of a Compute Engine network.
  string display_name = 1;

  // URI of a Compute Engine network.
  string uri = 2;

  // The IP range that matches the test.
  string matched_ip_range = 4;
}

// For display only. Metadata associated with a VPC firewall rule, an implied
// VPC firewall rule, or a hierarchical firewall policy rule.
message FirewallInfo {
  // The firewall rule's type.
  enum FirewallRuleType {
    // Unspecified type.
    FIREWALL_RULE_TYPE_UNSPECIFIED = 0;

    // Hierarchical firewall policy rule. For details, see
    // [Hierarchical firewall policies
    // overview](https://cloud.google.com/vpc/docs/firewall-policies).
    HIERARCHICAL_FIREWALL_POLICY_RULE = 1;

    // VPC firewall rule. For details, see
    // [VPC firewall rules
    // overview](https://cloud.google.com/vpc/docs/firewalls).
    VPC_FIREWALL_RULE = 2;

    // Implied VPC firewall rule. For details, see
    // [Implied
    // rules](https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules).
    IMPLIED_VPC_FIREWALL_RULE = 3;

    // Implicit firewall rules that are managed by serverless VPC access to
    // allow ingress access. They are not visible in the Google Cloud console.
    // For details, see [VPC connector's implicit
    // rules](https://cloud.google.com/functions/docs/networking/connecting-vpc#restrict-access).
    SERVERLESS_VPC_ACCESS_MANAGED_FIREWALL_RULE = 4;

    // Global network firewall policy rule.
    // For details, see [Network firewall
    // policies](https://cloud.google.com/vpc/docs/network-firewall-policies).
    NETWORK_FIREWALL_POLICY_RULE = 5;

    // Regional network firewall policy rule.
    // For details, see [Regional network firewall
    // policies](https://cloud.google.com/firewall/docs/regional-firewall-policies).
    NETWORK_REGIONAL_FIREWALL_POLICY_RULE = 6;

    // Firewall policy rule containing attributes not yet supported in
    // Connectivity tests. Firewall analysis is skipped if such a rule can
    // potentially be matched. Please see the [list of unsupported
    // configurations](https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs).
    UNSUPPORTED_FIREWALL_POLICY_RULE = 100;

    // Tracking state for response traffic created when request traffic goes
    // through allow firewall rule.
    // For details, see [firewall rules
    // specifications](https://cloud.google.com/firewall/docs/firewalls#specifications)
    TRACKING_STATE = 101;
  }

  // The display name of the VPC firewall rule. This field is not applicable
  // to hierarchical firewall policy rules.
  string display_name = 1;

  // The URI of the VPC firewall rule. This field is not applicable to
  // implied firewall rules or hierarchical firewall policy rules.
  string uri = 2;

  // Possible values: INGRESS, EGRESS
  string direction = 3;

  // Possible values: ALLOW, DENY, APPLY_SECURITY_PROFILE_GROUP
  string action = 4;

  // The priority of the firewall rule.
  int32 priority = 5;

  // The URI of the VPC network that the firewall rule is associated with.
  // This field is not applicable to hierarchical firewall policy rules.
  string network_uri = 6;

  // The target tags defined by the VPC firewall rule. This field is not
  // applicable to hierarchical firewall policy rules.
  repeated string target_tags = 7;

  // The target service accounts specified by the firewall rule.
  repeated string target_service_accounts = 8;

  // The hierarchical firewall policy that this rule is associated with.
  // This field is not applicable to VPC firewall rules.
  string policy = 9;

  // The firewall rule's type.
  FirewallRuleType firewall_rule_type = 10;
}

// For display only. Metadata associated with a Compute Engine route.
message RouteInfo {
  // Type of route:
  enum RouteType {
    // Unspecified type. Default value.
    ROUTE_TYPE_UNSPECIFIED = 0;

    // Route is a subnet route automatically created by the system.
    SUBNET = 1;

    // Static route created by the user, including the default route to the
    // internet.
    STATIC = 2;

    // Dynamic route exchanged between BGP peers.
    DYNAMIC = 3;

    // A subnet route received from peering network.
    PEERING_SUBNET = 4;

    // A static route received from peering network.
    PEERING_STATIC = 5;

    // A dynamic route received from peering network.
    PEERING_DYNAMIC = 6;

    // Policy based route.
    POLICY_BASED = 7;
  }

  // Type of next hop:
  enum NextHopType {
    // Unspecified type. Default value.
    NEXT_HOP_TYPE_UNSPECIFIED = 0;

    // Next hop is an IP address.
    NEXT_HOP_IP = 1;

    // Next hop is a Compute Engine instance.
    NEXT_HOP_INSTANCE = 2;

    // Next hop is a VPC network gateway.
    NEXT_HOP_NETWORK = 3;

    // Next hop is a peering VPC.
    NEXT_HOP_PEERING = 4;

    // Next hop is an interconnect.
    NEXT_HOP_INTERCONNECT = 5;

    // Next hop is a VPN tunnel.
    NEXT_HOP_VPN_TUNNEL = 6;

    // Next hop is a VPN gateway. This scenario only happens when tracing
    // connectivity from an on-premises network to Google Cloud through a VPN.
    // The analysis simulates a packet departing from the on-premises network
    // through a VPN tunnel and arriving at a Cloud VPN gateway.
    NEXT_HOP_VPN_GATEWAY = 7;

    // Next hop is an internet gateway.
    NEXT_HOP_INTERNET_GATEWAY = 8;

    // Next hop is blackhole; that is, the next hop either does not exist or is
    // not running.
    NEXT_HOP_BLACKHOLE = 9;

    // Next hop is the forwarding rule of an Internal Load Balancer.
    NEXT_HOP_ILB = 10;

    // Next hop is a
    // [router appliance
    // instance](https://cloud.google.com/network-connectivity/docs/network-connectivity-center/concepts/ra-overview).
    NEXT_HOP_ROUTER_APPLIANCE = 11;

    // Next hop is an NCC hub.
    NEXT_HOP_NCC_HUB = 12;
  }

  // Indicates where routes are applicable.
  enum RouteScope {
    // Unspecified scope. Default value.
    ROUTE_SCOPE_UNSPECIFIED = 0;

    // Route is applicable to packets in Network.
    NETWORK = 1;

    // Route is applicable to packets using NCC Hub's routing table.
    NCC_HUB = 2;
  }

  // Type of route.
  RouteType route_type = 8;

  // Type of next hop.
  NextHopType next_hop_type = 9;

  // Indicates where route is applicable.
  RouteScope route_scope = 14;

  // Name of a route.
  string display_name = 1;

  // URI of a route.
  // Dynamic, peering static and peering dynamic routes do not have an URI.
  // Advertised route from Google Cloud VPC to on-premises network also does
  // not have an URI.
  string uri = 2;

  // Destination IP range of the route.
  string dest_ip_range = 3;

  // Next hop of the route.
  string next_hop = 4;

  // URI of a Compute Engine network. NETWORK routes only.
  string network_uri = 5;

  // Priority of the route.
  int32 priority = 6;

  // Instance tags of the route.
  repeated string instance_tags = 7;

  // Source IP address range of the route. Policy based routes only.
  string src_ip_range = 10;

  // Destination port ranges of the route. Policy based routes only.
  repeated string dest_port_ranges = 11;

  // Source port ranges of the route. Policy based routes only.
  repeated string src_port_ranges = 12;

  // Protocols of the route. Policy based routes only.
  repeated string protocols = 13;

  // URI of a NCC Hub. NCC_HUB routes only.
  optional string ncc_hub_uri = 15;

  // URI of a NCC Spoke. NCC_HUB routes only.
  optional string ncc_spoke_uri = 16;
}

// For display only. Details of a Google Service sending packets to a
// VPC network. Although the source IP might be a publicly routable address,
// some Google Services use special routes within Google production
// infrastructure to reach Compute Engine Instances.
// https://cloud.google.com/vpc/docs/routes#special_return_paths
message GoogleServiceInfo {
  // Recognized type of a Google Service.
  enum GoogleServiceType {
    // Unspecified Google Service.
    GOOGLE_SERVICE_TYPE_UNSPECIFIED = 0;

    // Identity aware proxy.
    // https://cloud.google.com/iap/docs/using-tcp-forwarding
    IAP = 1;

    // One of two services sharing IP ranges:
    // * Load Balancer proxy
    // * Centralized Health Check prober
    // https://cloud.google.com/load-balancing/docs/firewall-rules
    GFE_PROXY_OR_HEALTH_CHECK_PROBER = 2;

    // Connectivity from Cloud DNS to forwarding targets or alternate name
    // servers that use private routing.
    // https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules
    // https://cloud.google.com/dns/docs/policies#firewall-rules
    CLOUD_DNS = 3;

    // private.googleapis.com and restricted.googleapis.com
    GOOGLE_API = 4;

    // Google API via Private Service Connect.
    // https://cloud.google.com/vpc/docs/configure-private-service-connect-apis
    GOOGLE_API_PSC = 5;

    // Google API via VPC Service Controls.
    // https://cloud.google.com/vpc/docs/configure-private-service-connect-apis
    GOOGLE_API_VPC_SC = 6;
  }

  // Source IP address.
  string source_ip = 1;

  // Recognized type of a Google Service.
  GoogleServiceType google_service_type = 2;
}

// For display only. Metadata associated with a Compute Engine forwarding rule.
message ForwardingRuleInfo {
  // Name of a Compute Engine forwarding rule.
  string display_name = 1;

  // URI of a Compute Engine forwarding rule.
  string uri = 2;

  // Protocol defined in the forwarding rule that matches the test.
  string matched_protocol = 3;

  // Port range defined in the forwarding rule that matches the test.
  string matched_port_range = 6;

  // VIP of the forwarding rule.
  string vip = 4;

  // Target type of the forwarding rule.
  string target = 5;

  // Network URI. Only valid for Internal Load Balancer.
  string network_uri = 7;
}

// For display only. Metadata associated with a load balancer.
message LoadBalancerInfo {
  // The type definition for a load balancer:
  enum LoadBalancerType {
    // Type is unspecified.
    LOAD_BALANCER_TYPE_UNSPECIFIED = 0;

    // Internal TCP/UDP load balancer.
    INTERNAL_TCP_UDP = 1;

    // Network TCP/UDP load balancer.
    NETWORK_TCP_UDP = 2;

    // HTTP(S) proxy load balancer.
    HTTP_PROXY = 3;

    // TCP proxy load balancer.
    TCP_PROXY = 4;

    // SSL proxy load balancer.
    SSL_PROXY = 5;
  }

  // The type definition for a load balancer backend configuration:
  enum BackendType {
    // Type is unspecified.
    BACKEND_TYPE_UNSPECIFIED = 0;

    // Backend Service as the load balancer's backend.
    BACKEND_SERVICE = 1;

    // Target Pool as the load balancer's backend.
    TARGET_POOL = 2;

    // Target Instance as the load balancer's backend.
    TARGET_INSTANCE = 3;
  }

  // Type of the load balancer.
  LoadBalancerType load_balancer_type = 1;

  // URI of the health check for the load balancer. Deprecated and no longer
  // populated as different load balancer backends might have different health
  // checks.
  string health_check_uri = 2 [deprecated = true];

  // Information for the loadbalancer backends.
  repeated LoadBalancerBackend backends = 3;

  // Type of load balancer's backend configuration.
  BackendType backend_type = 4;

  // Backend configuration URI.
  string backend_uri = 5;
}

// For display only. Metadata associated with a specific load balancer backend.
message LoadBalancerBackend {
  // State of a health check firewall configuration:
  enum HealthCheckFirewallState {
    // State is unspecified. Default state if not populated.
    HEALTH_CHECK_FIREWALL_STATE_UNSPECIFIED = 0;

    // There are configured firewall rules to allow health check probes to the
    // backend.
    CONFIGURED = 1;

    // There are firewall rules configured to allow partial health check ranges
    // or block all health check ranges.
    // If a health check probe is sent from denied IP ranges,
    // the health check to the backend will fail. Then, the backend will be
    // marked unhealthy and will not receive traffic sent to the load balancer.
    MISCONFIGURED = 2;
  }

  // Name of a Compute Engine instance or network endpoint.
  string display_name = 1;

  // URI of a Compute Engine instance or network endpoint.
  string uri = 2;

  // State of the health check firewall configuration.
  HealthCheckFirewallState health_check_firewall_state = 3;

  // A list of firewall rule URIs allowing probes from health check IP ranges.
  repeated string health_check_allowing_firewall_rules = 4;

  // A list of firewall rule URIs blocking probes from health check IP ranges.
  repeated string health_check_blocking_firewall_rules = 5;
}

// For display only. Metadata associated with a Compute Engine VPN gateway.
message VpnGatewayInfo {
  // Name of a VPN gateway.
  string display_name = 1;

  // URI of a VPN gateway.
  string uri = 2;

  // URI of a Compute Engine network where the VPN gateway is configured.
  string network_uri = 3;

  // IP address of the VPN gateway.
  string ip_address = 4;

  // A VPN tunnel that is associated with this VPN gateway.
  // There may be multiple VPN tunnels configured on a VPN gateway, and only
  // the one relevant to the test is displayed.
  string vpn_tunnel_uri = 5;

  // Name of a Google Cloud region where this VPN gateway is configured.
  string region = 6;
}

// For display only. Metadata associated with a Compute Engine VPN tunnel.
message VpnTunnelInfo {
  // Types of VPN routing policy. For details, refer to [Networks and Tunnel
  // routing](https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing/).
  enum RoutingType {
    // Unspecified type. Default value.
    ROUTING_TYPE_UNSPECIFIED = 0;

    // Route based VPN.
    ROUTE_BASED = 1;

    // Policy based routing.
    POLICY_BASED = 2;

    // Dynamic (BGP) routing.
    DYNAMIC = 3;
  }

  // Name of a VPN tunnel.
  string display_name = 1;

  // URI of a VPN tunnel.
  string uri = 2;

  // URI of the VPN gateway at local end of the tunnel.
  string source_gateway = 3;

  // URI of a VPN gateway at remote end of the tunnel.
  string remote_gateway = 4;

  // Remote VPN gateway's IP address.
  string remote_gateway_ip = 5;

  // Local VPN gateway's IP address.
  string source_gateway_ip = 6;

  // URI of a Compute Engine network where the VPN tunnel is configured.
  string network_uri = 7;

  // Name of a Google Cloud region where this VPN tunnel is configured.
  string region = 8;

  // Type of the routing policy.
  RoutingType routing_type = 9;
}

// For display only. The specification of the endpoints for the test.
// EndpointInfo is derived from source and destination Endpoint and validated
// by the backend data plane model.
message EndpointInfo {
  // Source IP address.
  string source_ip = 1;

  // Destination IP address.
  string destination_ip = 2;

  // IP protocol in string format, for example: "TCP", "UDP", "ICMP".
  string protocol = 3;

  // Source port. Only valid when protocol is TCP or UDP.
  int32 source_port = 4;

  // Destination port. Only valid when protocol is TCP or UDP.
  int32 destination_port = 5;

  // URI of the network where this packet originates from.
  string source_network_uri = 6;

  // URI of the network where this packet is sent to.
  string destination_network_uri = 7;

  // URI of the source telemetry agent this packet originates from.
  string source_agent_uri = 8;
}

// Details of the final state "deliver" and associated resource.
message DeliverInfo {
  // Deliver target types:
  enum Target {
    // Target not specified.
    TARGET_UNSPECIFIED = 0;

    // Target is a Compute Engine instance.
    INSTANCE = 1;

    // Target is the internet.
    INTERNET = 2;

    // Target is a Google API.
    GOOGLE_API = 3;

    // Target is a Google Kubernetes Engine cluster master.
    GKE_MASTER = 4;

    // Target is a Cloud SQL instance.
    CLOUD_SQL_INSTANCE = 5;

    // Target is a published service that uses [Private Service
    // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-services).
    PSC_PUBLISHED_SERVICE = 6;

    // Target is all Google APIs that use [Private Service
    // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis).
    PSC_GOOGLE_API = 7;

    // Target is a VPC-SC that uses [Private Service
    // Connect](https://cloud.google.com/vpc/docs/configure-private-service-connect-apis).
    PSC_VPC_SC = 8;

    // Target is a serverless network endpoint group.
    SERVERLESS_NEG = 9;

    // Target is a Cloud Storage bucket.
    STORAGE_BUCKET = 10;

    // Target is a private network. Used only for return traces.
    PRIVATE_NETWORK = 11;

    // Target is a Cloud Function. Used only for return traces.
    CLOUD_FUNCTION = 12;

    // Target is a App Engine service version. Used only for return traces.
    APP_ENGINE_VERSION = 13;

    // Target is a Cloud Run revision. Used only for return traces.
    CLOUD_RUN_REVISION = 14;
  }

  // Target type where the packet is delivered to.
  Target target = 1;

  // URI of the resource that the packet is delivered to.
  string resource_uri = 2;

  // IP address of the target (if applicable).
  string ip_address = 3 [(google.api.field_info).format = IPV4_OR_IPV6];
}

// Details of the final state "forward" and associated resource.
message ForwardInfo {
  // Forward target types.
  enum Target {
    // Target not specified.
    TARGET_UNSPECIFIED = 0;

    // Forwarded to a VPC peering network.
    PEERING_VPC = 1;

    // Forwarded to a Cloud VPN gateway.
    VPN_GATEWAY = 2;

    // Forwarded to a Cloud Interconnect connection.
    INTERCONNECT = 3;

    // Forwarded to a Google Kubernetes Engine Container cluster master.
    GKE_MASTER = 4 [deprecated = true];

    // Forwarded to the next hop of a custom route imported from a peering VPC.
    IMPORTED_CUSTOM_ROUTE_NEXT_HOP = 5;

    // Forwarded to a Cloud SQL instance.
    CLOUD_SQL_INSTANCE = 6 [deprecated = true];

    // Forwarded to a VPC network in another project.
    ANOTHER_PROJECT = 7;

    // Forwarded to an NCC Hub.
    NCC_HUB = 8;

    // Forwarded to a router appliance.
    ROUTER_APPLIANCE = 9;
  }

  // Target type where this packet is forwarded to.
  Target target = 1;

  // URI of the resource that the packet is forwarded to.
  string resource_uri = 2;

  // IP address of the target (if applicable).
  string ip_address = 3 [(google.api.field_info).format = IPV4_OR_IPV6];
}

// Details of the final state "abort" and associated resource.
message AbortInfo {
  // Abort cause types:
  enum Cause {
    // Cause is unspecified.
    CAUSE_UNSPECIFIED = 0;

    // Aborted due to unknown network. Deprecated, not used in the new tests.
    UNKNOWN_NETWORK = 1 [deprecated = true];

    // Aborted because no project information can be derived from the test
    // input. Deprecated, not used in the new tests.
    UNKNOWN_PROJECT = 3 [deprecated = true];

    // Aborted because traffic is sent from a public IP to an instance without
    // an external IP. Deprecated, not used in the new tests.
    NO_EXTERNAL_IP = 7 [deprecated = true];

    // Aborted because none of the traces matches destination information
    // specified in the input test request. Deprecated, not used in the new
    // tests.
    UNINTENDED_DESTINATION = 8 [deprecated = true];

    // Aborted because the source endpoint could not be found. Deprecated, not
    // used in the new tests.
    SOURCE_ENDPOINT_NOT_FOUND = 11 [deprecated = true];

    // Aborted because the source network does not match the source endpoint.
    // Deprecated, not used in the new tests.
    MISMATCHED_SOURCE_NETWORK = 12 [deprecated = true];

    // Aborted because the destination endpoint could not be found. Deprecated,
    // not used in the new tests.
    DESTINATION_ENDPOINT_NOT_FOUND = 13 [deprecated = true];

    // Aborted because the destination network does not match the destination
    // endpoint. Deprecated, not used in the new tests.
    MISMATCHED_DESTINATION_NETWORK = 14 [deprecated = true];

    // Aborted because no endpoint with the packet's destination IP address is
    // found.
    UNKNOWN_IP = 2;

    // Aborted because the source IP address doesn't belong to any of the
    // subnets of the source VPC network.
    SOURCE_IP_ADDRESS_NOT_IN_SOURCE_NETWORK = 23;

    // Aborted because user lacks permission to access all or part of the
    // network configurations required to run the test.
    PERMISSION_DENIED = 4;

    // Aborted because user lacks permission to access Cloud NAT configs
    // required to run the test.
    PERMISSION_DENIED_NO_CLOUD_NAT_CONFIGS = 28;

    // Aborted because user lacks permission to access Network endpoint group
    // endpoint configs required to run the test.
    PERMISSION_DENIED_NO_NEG_ENDPOINT_CONFIGS = 29;

    // Aborted because no valid source or destination endpoint is derived from
    // the input test request.
    NO_SOURCE_LOCATION = 5;

    // Aborted because the source or destination endpoint specified in
    // the request is invalid. Some examples:
    // - The request might contain malformed resource URI, project ID, or IP
    // address.
    // - The request might contain inconsistent information (for example, the
    // request might include both the instance and the network, but the instance
    // might not have a NIC in that network).
    INVALID_ARGUMENT = 6;

    // Aborted because the number of steps in the trace exceeds a certain
    // limit. It might be caused by a routing loop.
    TRACE_TOO_LONG = 9;

    // Aborted due to internal server error.
    INTERNAL_ERROR = 10;

    // Aborted because the test scenario is not supported.
    UNSUPPORTED = 15;

    // Aborted because the source and destination resources have no common IP
    // version.
    MISMATCHED_IP_VERSION = 16;

    // Aborted because the connection between the control plane and the node of
    // the source cluster is initiated by the node and managed by the
    // Konnectivity proxy.
    GKE_KONNECTIVITY_PROXY_UNSUPPORTED = 17;

    // Aborted because expected resource configuration was missing.
    RESOURCE_CONFIG_NOT_FOUND = 18;

    // Aborted because expected VM instance configuration was missing.
    VM_INSTANCE_CONFIG_NOT_FOUND = 24;

    // Aborted because expected network configuration was missing.
    NETWORK_CONFIG_NOT_FOUND = 25;

    // Aborted because expected firewall configuration was missing.
    FIREWALL_CONFIG_NOT_FOUND = 26;

    // Aborted because expected route configuration was missing.
    ROUTE_CONFIG_NOT_FOUND = 27;

    // Aborted because a PSC endpoint selection for the Google-managed service
    // is ambiguous (several PSC endpoints satisfy test input).
    GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT = 19;

    // Aborted because tests with a PSC-based Cloud SQL instance as a source are
    // not supported.
    SOURCE_PSC_CLOUD_SQL_UNSUPPORTED = 20;

    // Aborted because tests with a forwarding rule as a source are not
    // supported.
    SOURCE_FORWARDING_RULE_UNSUPPORTED = 21;

    // Aborted because one of the endpoints is a non-routable IP address
    // (loopback, link-local, etc).
    NON_ROUTABLE_IP_ADDRESS = 22;

    // Aborted due to an unknown issue in the Google-managed project.
    UNKNOWN_ISSUE_IN_GOOGLE_MANAGED_PROJECT = 30;

    // Aborted due to an unsupported configuration of the Google-managed
    // project.
    UNSUPPORTED_GOOGLE_MANAGED_PROJECT_CONFIG = 31;
  }

  // Causes that the analysis is aborted.
  Cause cause = 1;

  // URI of the resource that caused the abort.
  string resource_uri = 2;

  // IP address that caused the abort.
  string ip_address = 4 [(google.api.field_info).format = IPV4_OR_IPV6];

  // List of project IDs the user specified in the request but lacks access to.
  // In this case, analysis is aborted with the PERMISSION_DENIED cause.
  repeated string projects_missing_permission = 3;
}

// Details of the final state "drop" and associated resource.
message DropInfo {
  // Drop cause types:
  enum Cause {
    // Cause is unspecified.
    CAUSE_UNSPECIFIED = 0;

    // Destination external address cannot be resolved to a known target. If
    // the address is used in a Google Cloud project, provide the project ID
    // as test input.
    UNKNOWN_EXTERNAL_ADDRESS = 1;

    // A Compute Engine instance can only send or receive a packet with a
    // foreign IP address if ip_forward is enabled.
    FOREIGN_IP_DISALLOWED = 2;

    // Dropped due to a firewall rule, unless allowed due to connection
    // tracking.
    FIREWALL_RULE = 3;

    // Dropped due to no matching routes.
    NO_ROUTE = 4;

    // Dropped due to invalid route. Route's next hop is a blackhole.
    ROUTE_BLACKHOLE = 5;

    // Packet is sent to a wrong (unintended) network. Example: you trace a
    // packet from VM1:Network1 to VM2:Network2, however, the route configured
    // in Network1 sends the packet destined for VM2's IP address to Network3.
    ROUTE_WRONG_NETWORK = 6;

    // Route's next hop IP address cannot be resolved to a GCP resource.
    ROUTE_NEXT_HOP_IP_ADDRESS_NOT_RESOLVED = 42;

    // Route's next hop resource is not found.
    ROUTE_NEXT_HOP_RESOURCE_NOT_FOUND = 43;

    // Route's next hop instance doesn't have a NIC in the route's network.
    ROUTE_NEXT_HOP_INSTANCE_WRONG_NETWORK = 49;

    // Route's next hop IP address is not a primary IP address of the next hop
    // instance.
    ROUTE_NEXT_HOP_INSTANCE_NON_PRIMARY_IP = 50;

    // Route's next hop forwarding rule doesn't match next hop IP address.
    ROUTE_NEXT_HOP_FORWARDING_RULE_IP_MISMATCH = 51;

    // Route's next hop VPN tunnel is down (does not have valid IKE SAs).
    ROUTE_NEXT_HOP_VPN_TUNNEL_NOT_ESTABLISHED = 52;

    // Route's next hop forwarding rule type is invalid (it's not a forwarding
    // rule of the internal passthrough load balancer).
    ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID = 53;

    // Packet is sent from the Internet to the private IPv6 address.
    NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS = 44;

    // The packet does not match a policy-based VPN tunnel local selector.
    VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH = 45;

    // The packet does not match a policy-based VPN tunnel remote selector.
    VPN_TUNNEL_REMOTE_SELECTOR_MISMATCH = 46;

    // Packet with internal destination address sent to the internet gateway.
    PRIVATE_TRAFFIC_TO_INTERNET = 7;

    // Instance with only an internal IP address tries to access Google API and
    // services, but private Google access is not enabled in the subnet.
    PRIVATE_GOOGLE_ACCESS_DISALLOWED = 8;

    // Source endpoint tries to access Google API and services through the VPN
    // tunnel to another network, but Private Google Access needs to be enabled
    // in the source endpoint network.
    PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED = 47;

    // Instance with only an internal IP address tries to access external hosts,
    // but Cloud NAT is not enabled in the subnet, unless special configurations
    // on a VM allow this connection.
    NO_EXTERNAL_ADDRESS = 9;

    // Destination internal address cannot be resolved to a known target. If
    // this is a shared VPC scenario, verify if the service project ID is
    // provided as test input. Otherwise, verify if the IP address is being
    // used in the project.
    UNKNOWN_INTERNAL_ADDRESS = 10;

    // Forwarding rule's protocol and ports do not match the packet header.
    FORWARDING_RULE_MISMATCH = 11;

    // Forwarding rule does not have backends configured.
    FORWARDING_RULE_NO_INSTANCES = 12;

    // Firewalls block the health check probes to the backends and cause
    // the backends to be unavailable for traffic from the load balancer.
    // For more details, see [Health check firewall
    // rules](https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules).
    FIREWALL_BLOCKING_LOAD_BALANCER_BACKEND_HEALTH_CHECK = 13;

    // Packet is sent from or to a Compute Engine instance that is not in a
    // running state.
    INSTANCE_NOT_RUNNING = 14;

    // Packet sent from or to a GKE cluster that is not in running state.
    GKE_CLUSTER_NOT_RUNNING = 27;

    // Packet sent from or to a Cloud SQL instance that is not in running state.
    CLOUD_SQL_INSTANCE_NOT_RUNNING = 28;

    // The type of traffic is blocked and the user cannot configure a firewall
    // rule to enable it. See [Always blocked
    // traffic](https://cloud.google.com/vpc/docs/firewalls#blockedtraffic) for
    // more details.
    TRAFFIC_TYPE_BLOCKED = 15;

    // Access to Google Kubernetes Engine cluster master's endpoint is not
    // authorized. See [Access to the cluster
    // endpoints](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints)
    // for more details.
    GKE_MASTER_UNAUTHORIZED_ACCESS = 16;

    // Access to the Cloud SQL instance endpoint is not authorized.
    // See [Authorizing with authorized
    // networks](https://cloud.google.com/sql/docs/mysql/authorize-networks) for
    // more details.
    CLOUD_SQL_INSTANCE_UNAUTHORIZED_ACCESS = 17;

    // Packet was dropped inside Google Kubernetes Engine Service.
    DROPPED_INSIDE_GKE_SERVICE = 18;

    // Packet was dropped inside Cloud SQL Service.
    DROPPED_INSIDE_CLOUD_SQL_SERVICE = 19;

    // Packet was dropped because there is no peering between the originating
    // network and the Google Managed Services Network.
    GOOGLE_MANAGED_SERVICE_NO_PEERING = 20;

    // Packet was dropped because the Google-managed service uses Private
    // Service Connect (PSC), but the PSC endpoint is not found in the project.
    GOOGLE_MANAGED_SERVICE_NO_PSC_ENDPOINT = 38;

    // Packet was dropped because the GKE cluster uses Private Service Connect
    // (PSC), but the PSC endpoint is not found in the project.
    GKE_PSC_ENDPOINT_MISSING = 36;

    // Packet was dropped because the Cloud SQL instance has neither a private
    // nor a public IP address.
    CLOUD_SQL_INSTANCE_NO_IP_ADDRESS = 21;

    // Packet was dropped because a GKE cluster private endpoint is
    // unreachable from a region different from the cluster's region.
    GKE_CONTROL_PLANE_REGION_MISMATCH = 30;

    // Packet sent from a public GKE cluster control plane to a private
    // IP address.
    PUBLIC_GKE_CONTROL_PLANE_TO_PRIVATE_DESTINATION = 31;

    // Packet was dropped because there is no route from a GKE cluster
    // control plane to a destination network.
    GKE_CONTROL_PLANE_NO_ROUTE = 32;

    // Packet sent from a Cloud SQL instance to an external IP address is not
    // allowed. The Cloud SQL instance is not configured to send packets to
    // external IP addresses.
    CLOUD_SQL_INSTANCE_NOT_CONFIGURED_FOR_EXTERNAL_TRAFFIC = 33;

    // Packet sent from a Cloud SQL instance with only a public IP address to a
    // private IP address.
    PUBLIC_CLOUD_SQL_INSTANCE_TO_PRIVATE_DESTINATION = 34;

    // Packet was dropped because there is no route from a Cloud SQL
    // instance to a destination network.
    CLOUD_SQL_INSTANCE_NO_ROUTE = 35;

    // Packet could be dropped because the Cloud Function is not in an active
    // status.
    CLOUD_FUNCTION_NOT_ACTIVE = 22;

    // Packet could be dropped because no VPC connector is set.
    VPC_CONNECTOR_NOT_SET = 23;

    // Packet could be dropped because the VPC connector is not in a running
    // state.
    VPC_CONNECTOR_NOT_RUNNING = 24;

    // Packet could be dropped because it was sent from a different region
    // to a regional forwarding without global access.
    FORWARDING_RULE_REGION_MISMATCH = 25;

    // The Private Service Connect endpoint is in a project that is not approved
    // to connect to the service.
    PSC_CONNECTION_NOT_ACCEPTED = 26;

    // The packet is sent to the Private Service Connect endpoint over the
    // peering, but [it's not
    // supported](https://cloud.google.com/vpc/docs/configure-private-service-connect-services#on-premises).
    PSC_ENDPOINT_ACCESSED_FROM_PEERED_NETWORK = 41;

    // The packet is sent to the Private Service Connect backend (network
    // endpoint group), but the producer PSC forwarding rule does not have
    // global access enabled.
    PSC_NEG_PRODUCER_ENDPOINT_NO_GLOBAL_ACCESS = 48;

    // The packet is sent to the Private Service Connect backend (network
    // endpoint group), but the producer PSC forwarding rule has multiple ports
    // specified.
    PSC_NEG_PRODUCER_FORWARDING_RULE_MULTIPLE_PORTS = 54;

    // The packet is sent to the Private Service Connect backend (network
    // endpoint group) targeting a Cloud SQL service attachment, but this
    // configuration is not supported.
    CLOUD_SQL_PSC_NEG_UNSUPPORTED = 58;

    // No NAT subnets are defined for the PSC service attachment.
    NO_NAT_SUBNETS_FOR_PSC_SERVICE_ATTACHMENT = 57;

    // The packet sent from the hybrid NEG proxy matches a non-dynamic route,
    // but such a configuration is not supported.
    HYBRID_NEG_NON_DYNAMIC_ROUTE_MATCHED = 55;

    // The packet sent from the hybrid NEG proxy matches a dynamic route with a
    // next hop in a different region, but such a configuration is not
    // supported.
    HYBRID_NEG_NON_LOCAL_DYNAMIC_ROUTE_MATCHED = 56;

    // Packet sent from a Cloud Run revision that is not ready.
    CLOUD_RUN_REVISION_NOT_READY = 29;

    // Packet was dropped inside Private Service Connect service producer.
    DROPPED_INSIDE_PSC_SERVICE_PRODUCER = 37;

    // Packet sent to a load balancer, which requires a proxy-only subnet and
    // the subnet is not found.
    LOAD_BALANCER_HAS_NO_PROXY_SUBNET = 39;

    // Packet sent to Cloud Nat without active NAT IPs.
    CLOUD_NAT_NO_ADDRESSES = 40;

    // Packet is stuck in a routing loop.
    ROUTING_LOOP = 59;
  }

  // Cause that the packet is dropped.
  Cause cause = 1;

  // URI of the resource that caused the drop.
  string resource_uri = 2;

  // Source IP address of the dropped packet (if relevant).
  string source_ip = 3;

  // Destination IP address of the dropped packet (if relevant).
  string destination_ip = 4;

  // Region of the dropped packet (if relevant).
  string region = 5;
}

// For display only. Metadata associated with a Google Kubernetes Engine (GKE)
// cluster master.
message GKEMasterInfo {
  // URI of a GKE cluster.
  string cluster_uri = 2;

  // URI of a GKE cluster network.
  string cluster_network_uri = 4;

  // Internal IP address of a GKE cluster master.
  string internal_ip = 5;

  // External IP address of a GKE cluster master.
  string external_ip = 6;
}

// For display only. Metadata associated with a Cloud SQL instance.
message CloudSQLInstanceInfo {
  // Name of a Cloud SQL instance.
  string display_name = 1;

  // URI of a Cloud SQL instance.
  string uri = 2;

  // URI of a Cloud SQL instance network or empty string if the instance does
  // not have one.
  string network_uri = 4;

  // Internal IP address of a Cloud SQL instance.
  string internal_ip = 5;

  // External IP address of a Cloud SQL instance.
  string external_ip = 6;

  // Region in which the Cloud SQL instance is running.
  string region = 7;
}

// For display only. Metadata associated with a Cloud Function.
message CloudFunctionInfo {
  // Name of a Cloud Function.
  string display_name = 1;

  // URI of a Cloud Function.
  string uri = 2;

  // Location in which the Cloud Function is deployed.
  string location = 3;

  // Latest successfully deployed version id of the Cloud Function.
  int64 version_id = 4;
}

// For display only. Metadata associated with a Cloud Run revision.
message CloudRunRevisionInfo {
  // Name of a Cloud Run revision.
  string display_name = 1;

  // URI of a Cloud Run revision.
  string uri = 2;

  // Location in which this revision is deployed.
  string location = 4;

  // URI of Cloud Run service this revision belongs to.
  string service_uri = 5;
}

// For display only. Metadata associated with an App Engine version.
message AppEngineVersionInfo {
  // Name of an App Engine version.
  string display_name = 1;

  // URI of an App Engine version.
  string uri = 2;

  // Runtime of the App Engine version.
  string runtime = 3;

  // App Engine execution environment for a version.
  string environment = 4;
}

// For display only. Metadata associated with a VPC connector.
message VpcConnectorInfo {
  // Name of a VPC connector.
  string display_name = 1;

  // URI of a VPC connector.
  string uri = 2;

  // Location in which the VPC connector is deployed.
  string location = 3;
}

// For display only. Metadata associated with NAT.
message NatInfo {
  // Types of NAT.
  enum Type {
    // Type is unspecified.
    TYPE_UNSPECIFIED = 0;

    // From Compute Engine instance's internal address to external address.
    INTERNAL_TO_EXTERNAL = 1;

    // From Compute Engine instance's external address to internal address.
    EXTERNAL_TO_INTERNAL = 2;

    // Cloud NAT Gateway.
    CLOUD_NAT = 3;

    // Private service connect NAT.
    PRIVATE_SERVICE_CONNECT = 4;
  }

  // Type of NAT.
  Type type = 1;

  // IP protocol in string format, for example: "TCP", "UDP", "ICMP".
  string protocol = 2;

  // URI of the network where NAT translation takes place.
  string network_uri = 3;

  // Source IP address before NAT translation.
  string old_source_ip = 4;

  // Source IP address after NAT translation.
  string new_source_ip = 5;

  // Destination IP address before NAT translation.
  string old_destination_ip = 6;

  // Destination IP address after NAT translation.
  string new_destination_ip = 7;

  // Source port before NAT translation. Only valid when protocol is TCP or UDP.
  int32 old_source_port = 8;

  // Source port after NAT translation. Only valid when protocol is TCP or UDP.
  int32 new_source_port = 9;

  // Destination port before NAT translation. Only valid when protocol is TCP or
  // UDP.
  int32 old_destination_port = 10;

  // Destination port after NAT translation. Only valid when protocol is TCP or
  // UDP.
  int32 new_destination_port = 11;

  // Uri of the Cloud Router. Only valid when type is CLOUD_NAT.
  string router_uri = 12;

  // The name of Cloud NAT Gateway. Only valid when type is CLOUD_NAT.
  string nat_gateway_name = 13;
}

// For display only. Metadata associated with ProxyConnection.
message ProxyConnectionInfo {
  // IP protocol in string format, for example: "TCP", "UDP", "ICMP".
  string protocol = 1;

  // Source IP address of an original connection.
  string old_source_ip = 2;

  // Source IP address of a new connection.
  string new_source_ip = 3;

  // Destination IP address of an original connection
  string old_destination_ip = 4;

  // Destination IP address of a new connection.
  string new_destination_ip = 5;

  // Source port of an original connection. Only valid when protocol is TCP or
  // UDP.
  int32 old_source_port = 6;

  // Source port of a new connection. Only valid when protocol is TCP or UDP.
  int32 new_source_port = 7;

  // Destination port of an original connection. Only valid when protocol is TCP
  // or UDP.
  int32 old_destination_port = 8;

  // Destination port of a new connection. Only valid when protocol is TCP or
  // UDP.
  int32 new_destination_port = 9;

  // Uri of proxy subnet.
  string subnet_uri = 10;

  // URI of the network where connection is proxied.
  string network_uri = 11;
}

// For display only. Metadata associated with the load balancer backend.
message LoadBalancerBackendInfo {
  // Health check firewalls configuration state enum.
  enum HealthCheckFirewallsConfigState {
    // Configuration state unspecified. It usually means that the backend has
    // no health check attached, or there was an unexpected configuration error
    // preventing Connectivity tests from verifying health check configuration.
    HEALTH_CHECK_FIREWALLS_CONFIG_STATE_UNSPECIFIED = 0;

    // Firewall rules (policies) allowing health check traffic from all required
    // IP ranges to the backend are configured.
    FIREWALLS_CONFIGURED = 1;

    // Firewall rules (policies) allow health check traffic only from a part of
    // required IP ranges.
    FIREWALLS_PARTIALLY_CONFIGURED = 2;

    // Firewall rules (policies) deny health check traffic from all required
    // IP ranges to the backend.
    FIREWALLS_NOT_CONFIGURED = 3;

    // The network contains firewall rules of unsupported types, so Connectivity
    // tests were not able to verify health check configuration status. Please
    // refer to the documentation for the list of unsupported configurations:
    // https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview#unsupported-configs
    FIREWALLS_UNSUPPORTED = 4;
  }

  // Display name of the backend. For example, it might be an instance name for
  // the instance group backends, or an IP address and port for zonal network
  // endpoint group backends.
  string name = 1;

  // URI of the backend instance (if applicable). Populated for instance group
  // backends, and zonal NEG backends.
  string instance_uri = 2;

  // URI of the backend service this backend belongs to (if applicable).
  string backend_service_uri = 3;

  // URI of the instance group this backend belongs to (if applicable).
  string instance_group_uri = 4;

  // URI of the network endpoint group this backend belongs to (if applicable).
  string network_endpoint_group_uri = 5;

  // URI of the backend bucket this backend targets (if applicable).
  string backend_bucket_uri = 8;

  // URI of the PSC service attachment this PSC NEG backend targets (if
  // applicable).
  string psc_service_attachment_uri = 9;

  // PSC Google API target this PSC NEG backend targets (if applicable).
  string psc_google_api_target = 10;

  // URI of the health check attached to this backend (if applicable).
  string health_check_uri = 6;

  // Output only. Health check firewalls configuration state for the backend.
  // This is a result of the static firewall analysis (verifying that health
  // check traffic from required IP ranges to the backend is allowed or not).
  // The backend might still be unhealthy even if these firewalls are
  // configured. Please refer to the documentation for more information:
  // https://cloud.google.com/load-balancing/docs/firewall-rules
  HealthCheckFirewallsConfigState health_check_firewalls_config_state = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Type of a load balancer. For more information, see [Summary of Google Cloud
// load
// balancers](https://cloud.google.com/load-balancing/docs/load-balancing-overview#summary-of-google-cloud-load-balancers).
enum LoadBalancerType {
  // Forwarding rule points to a different target than a load balancer or a
  // load balancer type is unknown.
  LOAD_BALANCER_TYPE_UNSPECIFIED = 0;

  // Global external HTTP(S) load balancer.
  HTTPS_ADVANCED_LOAD_BALANCER = 1;

  // Global external HTTP(S) load balancer (classic)
  HTTPS_LOAD_BALANCER = 2;

  // Regional external HTTP(S) load balancer.
  REGIONAL_HTTPS_LOAD_BALANCER = 3;

  // Internal HTTP(S) load balancer.
  INTERNAL_HTTPS_LOAD_BALANCER = 4;

  // External SSL proxy load balancer.
  SSL_PROXY_LOAD_BALANCER = 5;

  // External TCP proxy load balancer.
  TCP_PROXY_LOAD_BALANCER = 6;

  // Internal regional TCP proxy load balancer.
  INTERNAL_TCP_PROXY_LOAD_BALANCER = 7;

  // External TCP/UDP Network load balancer.
  NETWORK_LOAD_BALANCER = 8;

  // Target-pool based external TCP/UDP Network load balancer.
  LEGACY_NETWORK_LOAD_BALANCER = 9;

  // Internal TCP/UDP load balancer.
  TCP_UDP_INTERNAL_LOAD_BALANCER = 10;
}

// For display only. Metadata associated with Storage Bucket.
message StorageBucketInfo {
  // Cloud Storage Bucket name.
  string bucket = 1;
}