Build Cloud Run service mesh traffic configurations with weighted routing, canary deployments, and retry policies.
Last verified: May 2026
Required Fields: serviceMesh.name, services, trafficConfig.httpRoutes
The builder constructs Cloud Service Mesh configurations for Cloud Run: HTTPRoute resources (traffic routing with match conditions on headers, paths and methods, plus weighted backend service references), DestinationRule resources (circuit breaker configuration, retry policies, mTLS settings), and ServiceImport bindings that make Cloud Run services reachable inside the mesh. Output is generated as gcloud commands and as Terraform google_network_services_http_route and google_network_services_endpoint_policy resources.
Cloud Run now integrates with Cloud Service Mesh (formerly Anthos Service Mesh / Traffic Director) to bring service mesh capabilities — traffic management, mutual TLS, observability, and policy enforcement — to serverless containers. This lets you apply consistent networking policies across GKE and Cloud Run services. This builder helps you configure service mesh settings for Cloud Run services, including traffic routing, retry policies, circuit breakers, and mTLS enforcement.
Your team has 12 microservices on Cloud Run that call each other via HTTPS. Currently there is no mTLS, so service-to-service traffic could be intercepted by anyone with VPC access. The builder generates Cloud Service Mesh config: HTTPRoutes for each service, DestinationRules enabling automatic mTLS via workload identity, and circuit breakers (max 100 concurrent connections per service; the circuit opens and stops sending traffic once the error rate reaches 50%). After deploy, all inter-service traffic is mTLS-encrypted, and the circuit breakers stop downstream incidents from cascading. Compliance audit closed; the PCI-DSS encryption-in-transit requirement is met without any application code changes.
Cloud Run's built-in traffic splitting (percentage between revisions) covers ~80% of canary deploy use cases. Only add Service Mesh when you need header-based routing, mirroring, fault injection, or unified policy with GKE services. The mesh adds operational complexity that's not worth it for simple traffic splits.
Mutual TLS between services is the killer security feature. Without code changes, you eliminate plaintext service-to-service traffic. Combined with workload identity, you get end-to-end identity-bound encryption. For compliance (PCI-DSS, HIPAA), this is genuinely required and Service Mesh handles it transparently.
Circuit breaker patterns are more impactful than retry policies for resilience. Retries can amplify cascading failures: if every request retries 3x, the downstream sees 4x its normal load during an incident. Circuit breakers FAIL FAST when downstream is unhealthy, giving the downstream time to recover. Configure breakers BEFORE adding aggressive retries.
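To make the retry-amplification point concrete, here is an added simulation (example code written for this page, not the builder's output and not a Google API): a client with 3 retries calls a failing downstream with and without an error-rate circuit breaker. The breaker's 50% error threshold follows the scenario above; the minimum sample count of 10 and the lack of half-open recovery are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class CircuitBreaker:
    """Minimal error-rate breaker: trips (opens) once the error rate over at
    least min_samples attempts reaches the threshold. Time-based half-open
    recovery is omitted to keep the example short (assumption)."""
    error_rate_threshold: float = 0.5  # 50% error rate, as in the page's scenario
    min_samples: int = 10              # assumption: judge only after a few samples
    errors: int = 0
    total: int = 0
    is_open: bool = False

    def allow(self) -> bool:
        return not self.is_open

    def record(self, ok: bool) -> None:
        self.total += 1
        self.errors += 0 if ok else 1
        if (self.total >= self.min_samples
                and self.errors / self.total >= self.error_rate_threshold):
            self.is_open = True  # fail fast from now on


def simulate(requests: int, num_retries: int, downstream: Callable[[int], bool],
             breaker: Optional[CircuitBreaker] = None) -> Tuple[int, int, int]:
    """Return (downstream_calls, successes, rejected_fast).
    downstream(call_no) is a constructed stand-in for the real service: it
    returns True when that particular downstream call would succeed."""
    calls = successes = rejected_fast = 0
    for _ in range(requests):
        if breaker is not None and not breaker.allow():
            rejected_fast += 1  # breaker open: reject without touching downstream
            continue
        for _attempt in range(1 + num_retries):  # initial try plus retries
            if breaker is not None and not breaker.allow():
                break  # breaker tripped mid-request: stop retrying
            calls += 1
            ok = downstream(calls)
            if breaker is not None:
                breaker.record(ok)
            if ok:
                successes += 1
                break
    return calls, successes, rejected_fast


if __name__ == "__main__":
    down = lambda n: False  # incident: downstream fails every call
    print("retries only     :", simulate(100, 3, down))                  # 400 calls
    print("retries + breaker:", simulate(100, 3, down, CircuitBreaker()))  # 10 calls
```

With the downstream fully down, 100 client requests become 400 downstream calls with retries alone, but only 10 once the breaker trips and the remaining 97 requests are rejected fast.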
Service mesh adds several capabilities beyond Cloud Run's built-in traffic splitting: mutual TLS encryption between services without code changes, fine-grained traffic routing based on headers, paths, and query parameters, circuit breaker patterns for resilience, distributed tracing and metrics collection, and policy enforcement across both GKE and Cloud Run services. It is most valuable in microservice architectures where Cloud Run services communicate with each other or with GKE services.
No, not for basic canary deployments. Cloud Run provides built-in traffic splitting between revisions using percentage-based routing, which is sufficient for basic canary deployments and gradual rollouts. Cloud Service Mesh adds advanced routing capabilities like header-based routing, mirroring, fault injection, and circuit breakers. Use the built-in traffic splitting for simple use cases and service mesh when you need more sophisticated traffic management.