API resource reference for Backend, an Envoy Gateway extension resource. To create or change one, see Changing resources; to inspect, see Reading resources.
This resource is part of the v1alpha1 Envoy Gateway extension API and is subject to change. Fields and behavior may change in future releases.

Identity

Group: gateway.envoyproxy.io
Version: v1alpha1
Kind: Backend
Scope: Project

Overview

A Backend defines a set of network endpoints that traffic can be routed to, along with the behavior of the connection from the Datum Cloud gateway data plane to those endpoints. It is an Envoy Gateway extension to the Gateway API, defined by the Envoy Gateway API: instead of routing to a Service, a route can reference a Backend to reach fully qualified domain names, raw IP addresses, or Unix domain sockets — with optional TLS origination and fallback behavior. Use a Backend when you need to send traffic to a destination that is described by an explicit address (for example, an external API reachable by FQDN) rather than a Service in your Project, or when you need per-backend TLS or failover controls.

Spec fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| spec.type | string | No | Backend type. One of Endpoints (default) or DynamicResolver. |
| spec.endpoints[] | Object | No | The endpoints to connect to. Each entry is exactly one of fqdn, ip, or unix. |
| spec.endpoints[].fqdn | Object | No | A fully qualified domain name endpoint. |
| spec.endpoints[].fqdn.hostname | string | Yes* | The FQDN hostname of the endpoint (*required when fqdn is set). |
| spec.endpoints[].fqdn.port | integer | Yes* | The port of the endpoint (*required when fqdn is set). |
| spec.endpoints[].ip | Object | No | An IP endpoint. Supports IPv4 and IPv6. |
| spec.endpoints[].ip.address | string | Yes* | The IP address of the endpoint (*required when ip is set). |
| spec.endpoints[].ip.port | integer | Yes* | The port of the endpoint (*required when ip is set). |
| spec.endpoints[].unix | Object | No | A Unix domain socket endpoint. |
| spec.endpoints[].hostname | string | No | Optional hostname for the endpoint. |
| spec.endpoints[].zone | string | No | The service zone of the endpoint. |
| spec.appProtocols[] | string | No | Application protocols supported when connecting to the backend. |
| spec.fallback | boolean | No | Marks the backend as a fallback. Fallback backends only receive traffic when the health of the active backends drops (they begin serving once active health falls below roughly 72%). Configure active or passive health checks so failover is detected and reversed automatically. |
| spec.tls | Object | No | TLS settings for connecting to the backend. When both this and a BackendTLSPolicy apply, the settings are merged and the policy’s values win on overlap. |
| spec.tls.caCertificateRefs[] | Object | No | One or more references to objects containing the CA certificates used as trust anchors to validate the backend’s certificate (a single reference with the CA in a ca.crt key is currently supported). Either this or wellKnownCACertificates must be set, but not both. |
| spec.tls.wellKnownCACertificates | string | No | Use system-provided CA certificates for the handshake. Only value is System. Either this or caCertificateRefs must be set, but not both. |
| spec.tls.insecureSkipVerify | boolean | No | Skip verification of the backend’s certificate. Defaults to false. |

Status fields (read-only)

| Field | Type | Description |
| --- | --- | --- |
| status.conditions[] | Object | Describes the current conditions of the Backend. |

Usage

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: example-api
spec:
  type: Endpoints
  endpoints:
    - fqdn:
        hostname: api.example.com
        port: 443
```

```shell
datumctl apply -f backend.yaml --project my-project
datumctl get backends --project my-project
datumctl describe backend example-api --project my-project
```
Run datumctl explain backends --recursive to see the full, live field tree for this resource.
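
A pre-apply check for the constraints listed under Spec fields (each endpoint is exactly one of fqdn, ip, or unix; a single TLS trust anchor; certificate verification left on), as an added example that is not part of the original page, Envoy Gateway, or datumctl. The function name audit_backend, the finding strings, and the sample manifests are assumptions constructed here; manifests are passed in as already-parsed dicts.

```python
import ipaddress

def audit_backend(manifest):
    """Return findings for one Backend manifest already parsed into a dict."""
    findings = []
    spec = manifest.get("spec") or {}
    for i, ep in enumerate(spec.get("endpoints") or []):
        kinds = [k for k in ("fqdn", "ip", "unix") if k in ep]
        if len(kinds) != 1:  # each entry is exactly one of fqdn, ip, or unix
            findings.append(f"endpoints[{i}]: set exactly one of fqdn, ip, unix")
            continue
        body = ep[kinds[0]] or {}
        required = {"fqdn": ("hostname", "port"), "ip": ("address", "port")}
        for field in required.get(kinds[0], ()):
            if field not in body:
                findings.append(f"endpoints[{i}].{kinds[0]}.{field}: required")
        if kinds[0] == "ip" and "address" in body:
            try:
                ipaddress.ip_address(str(body["address"]))  # IPv4 or IPv6
            except ValueError:
                findings.append(f"endpoints[{i}].ip.address: not an IP address")
    tls = spec.get("tls")
    if tls is not None:
        refs = bool(tls.get("caCertificateRefs"))
        well_known = tls.get("wellKnownCACertificates")
        skip = tls.get("insecureSkipVerify") is True
        if skip:  # verification off: any certificate is accepted
            findings.append("tls.insecureSkipVerify: backend certificate is not verified")
        if refs and well_known:
            findings.append("tls: caCertificateRefs and wellKnownCACertificates are both set")
        elif not refs and not well_known and not skip:
            findings.append("tls: no trust anchor (caCertificateRefs or wellKnownCACertificates)")
        if well_known and well_known != "System":
            findings.append("tls.wellKnownCACertificates: only System is valid")
    return findings

# Constructed sample manifests (not from the page).
GOOD = {"kind": "Backend", "spec": {
    "endpoints": [{"fqdn": {"hostname": "api.example.com", "port": 443}}],
    "tls": {"wellKnownCACertificates": "System"}}}
BAD = {"kind": "Backend", "spec": {
    "endpoints": [{"fqdn": {"hostname": "api.example.com"},
                   "ip": {"address": "192.0.2.10", "port": 443}},
                  {"ip": {"address": "192.0.2.300", "port": 443}}],
    "tls": {"insecureSkipVerify": True}}}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_backend(m))
```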
Last modified on July 2, 2026