Source File:


Upstreams represent destination for routing HTTP requests. Upstreams can be compared to clusters in Envoy terminology. Each upstream in Gloo has a type. Supported types include static, kubernetes, aws, consul, and more. Each upstream type is handled by a corresponding Gloo plugin. (plugins currently need to be compiled into Gloo)

"healthChecks": []
"useHttp2": .google.protobuf.BoolValue
"initialStreamWindowSize": .google.protobuf.UInt32Value
"initialConnectionWindowSize": .google.protobuf.UInt32Value
"maxConcurrentStreams": .google.protobuf.UInt32Value
"overrideStreamErrorOnInvalidHttpMessage": .google.protobuf.BoolValue
"httpProxyHostname": .google.protobuf.StringValue
"httpConnectHeaders": []
"ignoreHealthOnHostRemoval": .google.protobuf.BoolValue
"respectDnsTtl": .google.protobuf.BoolValue
"dnsRefreshRate": .google.protobuf.Duration
"proxyProtocolVersion": .google.protobuf.StringValue

Field Type Description
namespacedStatuses NamespacedStatuses indicates the validation status of this resource. NamespacedStatuses is read-only by clients, and set by gloo during validation.
metadata Metadata contains the object metadata for this resource.
discoveryMetadata Upstreams and their configuration can be automatically by Gloo Discovery if this upstream is created or modified by Discovery, metadata about the operation will be placed here.
sslConfig SslConfig contains the options necessary to configure envoy to originate TLS to an upstream.
circuitBreakers Circuit breakers for this upstream. if not set, the defaults ones from the Gloo settings will be used. if those are not set, envoy’s defaults will be used.
loadBalancerConfig Settings for the load balancer that sends requests to the Upstream. The load balancing method is set to round robin by default.
healthChecks []
kube Only one of kube, static, pipe, aws, azure, consul, or awsEc2 can be set.
static Only one of static, kube, pipe, aws, azure, consul, or awsEc2 can be set.
pipe Only one of pipe, kube, static, aws, azure, consul, or awsEc2 can be set.
aws Only one of aws, kube, static, pipe, azure, consul, or awsEc2 can be set.
azure Only one of azure, kube, static, pipe, aws, consul, or awsEc2 can be set.
consul Only one of consul, kube, static, pipe, aws, azure, or awsEc2 can be set.
awsEc2 Only one of awsEc2, kube, static, pipe, aws, azure, or consul can be set.
failover Failover endpoints for this upstream. If omitted (the default) no failovers will be applied.
connectionConfig HTTP/1 connection configurations.
protocolSelection Determines how Envoy selects the protocol used to speak to upstream hosts.
useHttp2 .google.protobuf.BoolValue Use http2 when communicating with this upstream this field is evaluated true for upstreams with a grpc service spec. otherwise defaults to false.
initialStreamWindowSize .google.protobuf.UInt32Value (UInt32Value) Initial stream-level flow-control window size. Valid values range from 65535 (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456 (256 * 1024 * 1024). NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default window size now, so it’s also the minimum. This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to stop the flow of data to the codec buffers. Requires UseHttp2 to be true to be acknowledged.
initialConnectionWindowSize .google.protobuf.UInt32Value (UInt32Value) Similar to initial_stream_window_size, but for connection-level flow-control window. Currently, this has the same minimum/maximum/default as initial_stream_window_size. Requires UseHttp2 to be true to be acknowledged.
maxConcurrentStreams .google.protobuf.UInt32Value (UInt32Value) Maximum concurrent streams allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) and defaults to 2147483647. Requires UseHttp2 to be true to be acknowledged.
overrideStreamErrorOnInvalidHttpMessage .google.protobuf.BoolValue Allows invalid HTTP messaging and headers. When this option is disabled (default), then the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, when this option is enabled, only the offending stream is terminated. This overrides any HCM :ref:stream_error_on_invalid_http_messaging <> See RFC7540, sec. 8.1 <>_ for details.
httpProxyHostname .google.protobuf.StringValue Tells envoy that the upstream is an HTTP proxy (e.g., another proxy in a DMZ) that supports HTTP Connect. This configuration sets the hostname used as part of the HTTP Connect request. For example, setting to: and making a request routed to the upstream such as curl <envoy>:<port>/v1 would result in the following request: CONNECT HTTP/1.1 host: GET /v1 HTTP/1.1 host: : user-agent: curl/7.64.1 accept: / Note: if setting this field to a hostname rather than IP:PORT, you may want to also set host_rewrite on the route.
httpConnectSslConfig HttpConnectSslConfig contains the options necessary to configure envoy to originate TLS to an HTTP Connect proxy. If you also want to ensure the bytes proxied by the HTTP Connect proxy are encrypted, you should also specify ssl_config.
httpConnectHeaders [] HttpConnectHeaders specifies the headers sent with the initial HTTP Connect request.
ignoreHealthOnHostRemoval .google.protobuf.BoolValue (bool) If set to true, Envoy will ignore the health value of a host when processing its removal from service discovery. This means that if active health checking is used, Envoy will not wait for the endpoint to go unhealthy before removing it.
respectDnsTtl .google.protobuf.BoolValue If set to true, Service Discovery update period will be triggered once the TTL is expired. If minimum TTL of all records is 0 then dns_refresh_rate will be used.
dnsRefreshRate .google.protobuf.Duration Service Discovery DNS Refresh Rate. Minimum value is 1 ms. Values below the minimum are considered invalid. Only valid for STRICT_DNS and LOGICAL_DNS cluster types. All other cluster types are considered invalid.
proxyProtocolVersion .google.protobuf.StringValue Proxy Protocol Version to add when communicating with the upstream. If unset will not wrap the transport socket. These are of the format “V1” or “V2”.


Name Description
USE_CONFIGURED_PROTOCOL Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2). If :ref:http2_protocol_options <envoy_v3_api_field_config.cluster.v3.Cluster.http2_protocol_options> are present, HTTP2 will be used, otherwise HTTP1.1 will be used.
USE_DOWNSTREAM_PROTOCOL Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection.


created by discovery services

"labels": map<string, string>

Field Type Description
labels map<string, string> Labels inherited from the original upstream (e.g. Kubernetes labels).


Header name/value pair.

"key": string
"value": string

Field Type Description
key string Header name.
value string Header value.