docs: Various documentation and comment improvements, Enable organization-level support for VPC Flow Logs

Google APIs · copybara-github · commit eae19435eb84 · 2025-07-03T01:58:44.000-07:00
feat: Enable organization-level support for VPC Flow Logs
feat: add field `service_uri` to message `Endpoint.CloudRunRevisionEndpoint`
feat: add message `Endpoint.SingleEdgeResponse`
feat: add http additional_bindings
feat: add enum `Status` to message `InstanceInfo`
feat: add field `running` to message `InstanceInfo`
feat: add field `policy_priority` to message `NetworkInfo`
feat: add enum value `RouteInfo.NextHopType.SECURE_WEB_PROXY_GATEWAY`
feat: add enum `DeliverInfo.GoogleServiceType`
feat: add field `google_service_type` to message `DeliverInfo`
feat: add enum value `AbortInfo.Cause.GOOGLE_MANAGED_SERVICE_AMBIGUOUS_ENDPOINT`
feat: add enum values `NO_ROUTE_FROM_EXTERNAL_IPV6_SOURCE_TO_PRIVATE_IPV6_ADDRESS`, `TRAFFIC_FROM_HYBRID_ENDPOINT_TO_INTERNET_DISALLOWED`, `NO_MATCHING_NAT64_GATEWAY`, `LOAD_BALANCER_BACKEND_IP_VERSION_MISMATCH`, and `NO_KNOWN_ROUTE_FROM_NCC_NETWORK_TO_DESTINATION` to `DropInfo.Cause`
feat: add rpc `VpcFlowLogsService.QueryOrgVpcFlowLogsConfigs`
feat: add service `OrganizationVpcFlowLogsService`
feat: add enum `VpcFlowLogsConfig.CrossProjectMetadata`
feat: add enum `VpcFlowLogsConfig.TargetResourceState`
feat: add fields `cross_project_metadata`, `target_resource_state`, `network`, and `subnet` to message `VpcFlowLogsConfig`

PiperOrigin-RevId: 778807926
diff --git a/google/cloud/networkmanagement/v1beta1/BUILD.bazel b/google/cloud/networkmanagement/v1beta1/BUILD.bazel
@@ -102,6 +102,10 @@ java_gapic_library(
 java_gapic_test(
     name = "networkmanagement_java_gapic_test_suite",
     test_classes = [
+        # This test is temporarily disabled due to the issue:
+        # https://github.com/googleapis/sdk-platform-java/issues/1839
+        # "com.google.cloud.networkmanagement.v1beta1.OrganizationVpcFlowLogsServiceClientHttpJsonTest",
+        "com.google.cloud.networkmanagement.v1beta1.OrganizationVpcFlowLogsServiceClientTest",
         # This test is temporarily disabled due to the issue:
         # https://github.com/googleapis/sdk-platform-java/issues/1839
         # "com.google.cloud.networkmanagement.v1beta1.ReachabilityServiceClientHttpJsonTest",
@@ -360,7 +364,6 @@ load(
 
 csharp_proto_library(
     name = "networkmanagement_csharp_proto",
-    extra_opts = [],
     deps = [":networkmanagement_proto"],
 )
 
diff --git a/google/cloud/networkmanagement/v1beta1/connectivity_test.proto b/google/cloud/networkmanagement/v1beta1/connectivity_test.proto
@@ -173,6 +173,11 @@ message Endpoint {
     // URI. The format is:
     // projects/{project}/locations/{location}/revisions/{revision}
     string uri = 1;
+
+    // Output only. The URI of the Cloud Run service that the revision belongs
+    // to. The format is:
+    // projects/{project}/locations/{location}/services/{service}
+    string service_uri = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
   }
 
   // The IP address of the endpoint, which can be an external or internal IP.
@@ -376,6 +381,34 @@ message ProbingDetails {
     string metropolitan_area = 1;
   }
 
+  // Probing results for a single edge device.
+  message SingleEdgeResponse {
+    // The overall result of active probing for this egress device.
+    ProbingResult result = 1;
+
+    // Number of probes sent.
+    int32 sent_probe_count = 2;
+
+    // Number of probes that reached the destination.
+    int32 successful_probe_count = 3;
+
+    // Latency as measured by active probing in one direction: from the source
+    // to the destination endpoint.
+    LatencyDistribution probing_latency = 4;
+
+    // The EdgeLocation from which a packet, destined to the internet, will
+    // egress the Google network.
+    // This will only be populated for a connectivity test which has an internet
+    // destination address.
+    // The absence of this field *must not* be used as an indication that the
+    // destination is part of the Google network.
+    EdgeLocation destination_egress_location = 5;
+
+    // Router name in the format '{router}.{metroshard}'. For example:
+    // pf01.aaa01, pr02.aaa01.
+    string destination_router = 6;
+  }
+
   // The overall result of active probing.
   ProbingResult result = 1;
 
@@ -402,11 +435,17 @@ message ProbingDetails {
   // from the source to the destination endpoint.
   LatencyDistribution probing_latency = 8;
 
-  // The EdgeLocation from which a packet destined for/originating from the
-  // internet will egress/ingress the Google network.
+  // The EdgeLocation from which a packet, destined to the internet, will egress
+  // the Google network.
   // This will only be populated for a connectivity test which has an internet
-  // destination/source address.
+  // destination address.
   // The absence of this field *must not* be used as an indication that the
-  // destination/source is part of the Google network.
+  // destination is part of the Google network.
   EdgeLocation destination_egress_location = 9;
+
+  // Probing results for all edge devices.
+  repeated SingleEdgeResponse edge_responses = 10;
+
+  // Whether all relevant edge devices were probed.
+  bool probed_all_devices = 11;
 }
diff --git a/google/cloud/networkmanagement/v1beta1/networkmanagement_v1beta1.yaml b/google/cloud/networkmanagement/v1beta1/networkmanagement_v1beta1.yaml
@@ -5,6 +5,7 @@ title: Network Management API
 
 apis:
 - name: google.cloud.location.Locations
+- name: google.cloud.networkmanagement.v1beta1.OrganizationVpcFlowLogsService
 - name: google.cloud.networkmanagement.v1beta1.ReachabilityService
 - name: google.cloud.networkmanagement.v1beta1.VpcFlowLogsService
 - name: google.iam.v1.IAMPolicy
@@ -51,8 +52,12 @@ http:
   rules:
   - selector: google.cloud.location.Locations.GetLocation
     get: '/v1beta1/{name=projects/*/locations/*}'
+    additional_bindings:
+    - get: '/v1beta1/{name=organizations/*/locations/*}'
   - selector: google.cloud.location.Locations.ListLocations
     get: '/v1beta1/{name=projects/*}/locations'
+    additional_bindings:
+    - get: '/v1beta1/{name=organizations/*}/locations'
   - selector: google.iam.v1.IAMPolicy.GetIamPolicy
     get: '/v1beta1/{resource=projects/*/locations/global/connectivityTests/*}:getIamPolicy'
   - selector: google.iam.v1.IAMPolicy.SetIamPolicy
@@ -64,12 +69,21 @@ http:
   - selector: google.longrunning.Operations.CancelOperation
     post: '/v1beta1/{name=projects/*/locations/global/operations/*}:cancel'
     body: '*'
+    additional_bindings:
+    - post: '/v1beta1/{name=organizations/*/locations/global/operations/*}:cancel'
+      body: '*'
   - selector: google.longrunning.Operations.DeleteOperation
     delete: '/v1beta1/{name=projects/*/locations/global/operations/*}'
+    additional_bindings:
+    - delete: '/v1beta1/{name=organizations/*/locations/global/operations/*}'
   - selector: google.longrunning.Operations.GetOperation
     get: '/v1beta1/{name=projects/*/locations/global/operations/*}'
+    additional_bindings:
+    - get: '/v1beta1/{name=organizations/*/locations/global/operations/*}'
   - selector: google.longrunning.Operations.ListOperations
     get: '/v1beta1/{name=projects/*/locations/global}/operations'
+    additional_bindings:
+    - get: '/v1beta1/{name=organizations/*/locations/global}/operations'
 
 authentication:
   rules:
@@ -81,6 +95,10 @@ authentication:
     oauth:
       canonical_scopes: |-
         https://www.googleapis.com/auth/cloud-platform
+  - selector: 'google.cloud.networkmanagement.v1beta1.OrganizationVpcFlowLogsService.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
   - selector: 'google.cloud.networkmanagement.v1beta1.ReachabilityService.*'
     oauth:
       canonical_scopes: |-
diff --git a/google/cloud/networkmanagement/v1beta1/trace.proto b/google/cloud/networkmanagement/v1beta1/trace.proto
@@ -316,6 +316,19 @@ message Step {
 
 // For display only. Metadata associated with a Compute Engine instance.
 message InstanceInfo {
+  // The status of the instance. We treat all states other than "RUNNING" as
+  // not running.
+  enum Status {
+    // Default unspecified value.
+    STATUS_UNSPECIFIED = 0;
+
+    // The instance is running.
+    RUNNING = 1;
+
+    // The instance has any status other than "RUNNING".
+    NOT_RUNNING = 2;
+  }
+
   // Name of a Compute Engine instance.
   string display_name = 1;
 
@@ -342,10 +355,16 @@ message InstanceInfo {
 
   // URI of the PSC network attachment the NIC is attached to (if relevant).
   string psc_network_attachment_uri = 9;
+
+  // Indicates whether the Compute Engine instance is running.
+  // Deprecated: use the `status` field instead.
+  bool running = 10 [deprecated = true];
+
+  // The status of the instance.
+  Status status = 11;
 }
 
 // For display only. Metadata associated with a Compute Engine network.
-// Next ID: 7
 message NetworkInfo {
   // Name of a Compute Engine network.
   string display_name = 1;
@@ -459,6 +478,11 @@ message FirewallInfo {
 
   // The firewall rule's type.
   FirewallRuleType firewall_rule_type = 10;
+
+  // The priority of the firewall policy that this rule is associated with.
+  // This field is not applicable to VPC firewall rules and implied VPC firewall
+  // rules.
+  int32 policy_priority = 12;
 }
 
 // For display only. Metadata associated with a Compute Engine route.
@@ -544,6 +568,9 @@ message RouteInfo {
     // Next hop is an NCC hub. This scenario only happens when the user doesn't
     // have permissions to the project where the next hop resource is located.
     NEXT_HOP_NCC_HUB = 12;
+
+    // Next hop is Secure Web Proxy Gateway.
+    SECURE_WEB_PROXY_GATEWAY = 13;
   }
 
   // Indicates where routes are applicable.
@@ -986,6 +1013,35 @@ message DeliverInfo {
     REDIS_CLUSTER = 17;
   }
 
+  // Recognized type of a Google Service.
+  enum GoogleServiceType {
+    // Unspecified Google Service.
+    GOOGLE_SERVICE_TYPE_UNSPECIFIED = 0;
+
+    // Identity aware proxy.
+    // https://cloud.google.com/iap/docs/using-tcp-forwarding
+    IAP = 1;
+
+    // One of two services sharing IP ranges:
+    // * Load Balancer proxy
+    // * Centralized Health Check prober
+    // https://cloud.google.com/load-balancing/docs/firewall-rules
+    GFE_PROXY_OR_HEALTH_CHECK_PROBER = 2;
+
+    // Connectivity from Cloud DNS to forwarding targets or alternate name
+    // servers that use private routing.
+    // https://cloud.google.com/dns/docs/zones/forwarding-zones#firewall-rules
+    // https://cloud.google.com/dns/docs/policies#firewall-rules
+    CLOUD_DNS = 3;
+
+    // private.googleapis.com and restricted.googleapis.com
+    PRIVATE_GOOGLE_ACCESS = 4;
+
+    // Google API via Serverless VPC Access.
+    // https://cloud.google.com/vpc/docs/serverless-vpc-access
+    SERVERLESS_VPC_ACCESS = 5;
+  }
+
   // Target type where the packet is delivered to.
   Target target = 1;
 
@@ -1001,6 +1057,10 @@ message DeliverInfo {
 
   // PSC Google API target the packet is delivered to (if applicable).
   string psc_google_api_target = 5;
+
+  // Recognized type of a Google Service the packet is delivered to (if
+  // applicable).
+  GoogleServiceType google_service_type = 6;
 }
 
 // Details of the final state "forward" and associated resource.
@@ -1036,6 +1096,9 @@ message ForwardInfo {
 
     // Forwarded to a router appliance.
     ROUTER_APPLIANCE = 9;
+
+    // Forwarded to a Secure Web Proxy Gateway.
+    SECURE_WEB_PROXY_GATEWAY = 10;
   }
 
   // Target type where this packet is forwarded to.
@@ -1162,10 +1225,14 @@ message AbortInfo {
     // Aborted because expected route configuration was missing.
     ROUTE_CONFIG_NOT_FOUND = 27;
 
-    // Aborted because a PSC endpoint selection for the Google-managed service
+    // Aborted because PSC endpoint selection for the Google-managed service
     // is ambiguous (several PSC endpoints satisfy test input).
     GOOGLE_MANAGED_SERVICE_AMBIGUOUS_PSC_ENDPOINT = 19;
 
+    // Aborted because endpoint selection for the Google-managed service is
+    // ambiguous (several endpoints satisfy test input).
+    GOOGLE_MANAGED_SERVICE_AMBIGUOUS_ENDPOINT = 39;
+
     // Aborted because tests with a PSC-based Cloud SQL instance as a source are
     // not supported.
     SOURCE_PSC_CLOUD_SQL_UNSUPPORTED = 20;
@@ -1265,9 +1332,14 @@ message DropInfo {
     // rule of the internal passthrough load balancer).
     ROUTE_NEXT_HOP_FORWARDING_RULE_TYPE_INVALID = 53;
 
-    // Packet is sent from the Internet to the private IPv6 address.
+    // Packet is sent from the Internet or Google service to the private IPv6
+    // address.
     NO_ROUTE_FROM_INTERNET_TO_PRIVATE_IPV6_ADDRESS = 44;
 
+    // Packet is sent from the external IPv6 source address of an instance to
+    // the private IPv6 address of an instance.
+    NO_ROUTE_FROM_EXTERNAL_IPV6_SOURCE_TO_PRIVATE_IPV6_ADDRESS = 98;
+
     // The packet does not match a policy-based VPN tunnel local selector.
     VPN_TUNNEL_LOCAL_SELECTOR_MISMATCH = 45;
 
@@ -1277,18 +1349,18 @@ message DropInfo {
     // Packet with internal destination address sent to the internet gateway.
     PRIVATE_TRAFFIC_TO_INTERNET = 7;
 
-    // Instance with only an internal IP address tries to access Google API and
-    // services, but private Google access is not enabled in the subnet.
+    // Endpoint with only an internal IP address tries to access Google API and
+    // services, but Private Google Access is not enabled in the subnet or is
+    // not applicable.
     PRIVATE_GOOGLE_ACCESS_DISALLOWED = 8;
 
     // Source endpoint tries to access Google API and services through the VPN
     // tunnel to another network, but Private Google Access needs to be enabled
     // in the source endpoint network.
     PRIVATE_GOOGLE_ACCESS_VIA_VPN_TUNNEL_UNSUPPORTED = 47;
 
-    // Instance with only an internal IP address tries to access external hosts,
-    // but Cloud NAT is not enabled in the subnet, unless special configurations
-    // on a VM allow this connection.
+    // Endpoint with only an internal IP address tries to access external hosts,
+    // but there is no matching Cloud NAT gateway in the subnet.
     NO_EXTERNAL_ADDRESS = 9;
 
     // Destination internal address cannot be resolved to a known target. If
@@ -1563,6 +1635,22 @@ message DropInfo {
     // Packet with destination IP address within the reserved NAT64 range is
     // dropped due to matching a route of an unsupported type.
     UNSUPPORTED_ROUTE_MATCHED_FOR_NAT64_DESTINATION = 88;
+
+    // Packet could be dropped because hybrid endpoint like a VPN gateway or
+    // Interconnect is not allowed to send traffic to the Internet.
+    TRAFFIC_FROM_HYBRID_ENDPOINT_TO_INTERNET_DISALLOWED = 89;
+
+    // Packet with destination IP address within the reserved NAT64 range is
+    // dropped due to no matching NAT gateway in the subnet.
+    NO_MATCHING_NAT64_GATEWAY = 90;
+
+    // Packet is dropped due to being sent to a backend of a passthrough load
+    // balancer that doesn't use the same IP version as the frontend.
+    LOAD_BALANCER_BACKEND_IP_VERSION_MISMATCH = 96;
+
+    // Packet from the unknown NCC network is dropped due to no known route
+    // from the source network to the destination IP address.
+    NO_KNOWN_ROUTE_FROM_NCC_NETWORK_TO_DESTINATION = 97;
   }
 
   // Cause that the packet is dropped.
diff --git a/google/cloud/networkmanagement/v1beta1/vpc_flow_logs.proto b/google/cloud/networkmanagement/v1beta1/vpc_flow_logs.proto
diff --git a/google/cloud/networkmanagement/v1beta1/vpc_flow_logs_config.proto b/google/cloud/networkmanagement/v1beta1/vpc_flow_logs_config.proto
