Upstream reverse connection socket interface (proto)
This extension has the qualified name envoy.bootstrap.reverse_tunnel.upstream_socket_interface
Note
This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.
This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension category:
This extension must be configured with one of the following type URLs:
extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3.UpstreamReverseConnectionSocketInterface
Configuration for the upstream reverse connection socket interface.
{
"stat_prefix": ...,
"ping_failure_threshold": {...},
"enable_detailed_stats": ...,
"reporter_config": {...},
"enable_tenant_isolation": {...},
"access_log": []
}
- stat_prefix
(string) Stat prefix for upstream reverse connection socket interface stats.
- ping_failure_threshold
(UInt32Value) Number of consecutive ping failures before an idle reverse connection socket is marked dead. Defaults to 3 if unset. Must be at least 1.
- enable_detailed_stats
(bool) Enable detailed per-node and per-cluster statistics. When enabled, emits hidden statistics for individual nodes and clusters. Defaults to false.
- reporter_config
(config.core.v3.TypedExtensionConfig) Optional configuration for a tunnel reporting extension. When provided, the socket interface instantiates a reporter via the configured factory. If unset, no reporting is done.
- enable_tenant_isolation
(BoolValue) Enables tenant-aware isolation for reverse connections. When set to true, the socket interface requires tenant identifiers in addition to node and cluster identifiers and derives composite tenant:node and tenant:cluster keys for socket tracking. Identifiers containing the : delimiter are rejected to avoid ambiguity. Defaults to false for backwards compatibility.
- access_log
(repeated config.accesslog.v3.AccessLog) Access logs emitted for reverse tunnel lifecycle events. Entries are generated for tunnel setup, socket handoff, tunnel close, and post-handoff HTTP/2 keepalive timeout observations.
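The key scheme described under enable_tenant_isolation, modelled as an added example (not Envoy's implementation) to show why identifiers containing the : delimiter have to be rejected. The function names, the empty-identifier check and the bare keys used when isolation is off are assumptions made for illustration; the identifiers are constructed.

```python
# Added illustration: a model of the documented key scheme, not Envoy source code.
DELIMITER = ":"


class IdentifierError(ValueError):
    """Raised when an identifier is missing or contains the delimiter."""


def naive_key(tenant: str, ident: str) -> str:
    """Join without validation, to show the ambiguity the rejection rule prevents."""
    return f"{tenant}{DELIMITER}{ident}"


def _check(name: str, value: str) -> str:
    # Assumption: "requires tenant identifiers" is read as "empty is rejected".
    if not value:
        raise IdentifierError(f"{name} identifier is required")
    if DELIMITER in value:
        raise IdentifierError(f"{name} identifier {value!r} contains {DELIMITER!r}")
    return value


def tracking_keys(node: str, cluster: str, tenant: str = "",
                  tenant_isolation: bool = False) -> tuple[str, str]:
    """Return the (node_key, cluster_key) pair used for socket tracking."""
    if not tenant_isolation:
        # Assumption: with isolation off, sockets are keyed by the bare identifiers.
        return node, cluster
    tenant = _check("tenant", tenant)
    node = _check("node", node)
    cluster = _check("cluster", cluster)
    return naive_key(tenant, node), naive_key(tenant, cluster)


def collides(a: tuple[str, str], b: tuple[str, str]) -> bool:
    """True when two distinct (tenant, id) pairs map to the same naive key."""
    return a != b and naive_key(*a) == naive_key(*b)


if __name__ == "__main__":
    # Constructed identifiers: two different tenants whose naive keys are identical.
    print(collides(("acme", "edge:node-1"), ("acme:edge", "node-1")))
    print(tracking_keys("node-1", "cluster-a", "acme", tenant_isolation=True))
    try:
        tracking_keys("node-1", "cluster-a", "acme:edge", tenant_isolation=True)
    except IdentifierError as err:
        print("rejected:", err)
```

Without the delimiter check, tenant acme:edge with node node-1 and tenant acme with node edge:node-1 would share one tracking key, so one tenant's sockets could be looked up under another tenant's name.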