# Backend

> Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend.

<Note>
  API resource reference for **Backend**, an [Envoy Gateway](/api/networking/envoy/overview) extension resource. To create or change one, see [Changing resources](/datumctl/resources/changing); to inspect, see [Reading resources](/datumctl/resources/reading).
</Note>

<Warning>
  This resource is part of the `v1alpha1` Envoy Gateway extension API and is subject to change. Fields and behavior may change in future releases.
</Warning>

## Identity

|         |                         |
| ------- | ----------------------- |
| Group   | `gateway.envoyproxy.io` |
| Version | `v1alpha1`              |
| Kind    | `Backend`               |
| Scope   | Project                 |

## Overview

A `Backend` defines a set of network endpoints that traffic can be routed to, along with the behavior of the connection from the Datum Cloud gateway data plane to those endpoints. It is an Envoy Gateway extension to the Gateway API, defined by the [Envoy Gateway API](https://gateway.envoyproxy.io/docs/api/extension_types/): instead of routing to a Service, a route can reference a `Backend` to reach fully qualified domain names, raw IP addresses, or Unix domain sockets — with optional TLS origination and fallback behavior.

Use a `Backend` when you need to send traffic to a destination that is described by an explicit address (for example, an external API reachable by FQDN) rather than a Service in your Project, or when you need per-backend TLS or failover controls.

## Spec fields

| Field                              | Type      | Required | Description                                                                                                                                                                                                                                                                         |
| ---------------------------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `spec.type`                        | string    | No       | Backend type. One of `Endpoints` (default) or `DynamicResolver`.                                                                                                                                                                                                                    |
| `spec.endpoints`                   | \[]Object | No       | The endpoints to connect to. Each entry is exactly one of `fqdn`, `ip`, or `unix`.                                                                                                                                                                                                  |
| `spec.endpoints[].fqdn`            | Object    | No       | A fully qualified domain name endpoint.                                                                                                                                                                                                                                             |
| `spec.endpoints[].fqdn.hostname`   | string    | Yes\*    | The FQDN hostname of the endpoint (\*required when `fqdn` is set).                                                                                                                                                                                                                  |
| `spec.endpoints[].fqdn.port`       | integer   | Yes\*    | The port of the endpoint (\*required when `fqdn` is set).                                                                                                                                                                                                                           |
| `spec.endpoints[].ip`              | Object    | No       | An IP endpoint. Supports IPv4 and IPv6.                                                                                                                                                                                                                                             |
| `spec.endpoints[].ip.address`      | string    | Yes\*    | The IP address of the endpoint (\*required when `ip` is set).                                                                                                                                                                                                                       |
| `spec.endpoints[].ip.port`         | integer   | Yes\*    | The port of the endpoint (\*required when `ip` is set).                                                                                                                                                                                                                             |
| `spec.endpoints[].unix`            | Object    | No       | A Unix domain socket endpoint.                                                                                                                                                                                                                                                      |
| `spec.endpoints[].hostname`        | string    | No       | Optional hostname for the endpoint.                                                                                                                                                                                                                                                 |
| `spec.endpoints[].zone`            | string    | No       | The service zone of the endpoint.                                                                                                                                                                                                                                                   |
| `spec.appProtocols`                | \[]string | No       | Application protocols supported when connecting to the backend.                                                                                                                                                                                                                     |
| `spec.fallback`                    | boolean   | No       | Marks the backend as a fallback. Fallback backends only receive traffic when the health of the active backends drops (they begin serving once active health falls below roughly 72%). Configure active or passive health checks so failover is detected and reversed automatically. |
| `spec.tls`                         | Object    | No       | TLS settings for connecting to the backend. When both this and a `BackendTLSPolicy` apply, the settings are merged and the policy's values win on overlap.                                                                                                                          |
| `spec.tls.caCertificateRefs`       | \[]Object | No       | One or more references to objects containing the CA certificates used as trust anchors to validate the backend's certificate (a single reference with the CA in a `ca.crt` key is currently supported). Either this or `wellKnownCACertificates` must be set, but not both.         |
| `spec.tls.wellKnownCACertificates` | string    | No       | Use system-provided CA certificates for the handshake. The only valid value is `System`. Either this or `caCertificateRefs` must be set, but not both.                                                                                                                              |
| `spec.tls.insecureSkipVerify`      | boolean   | No       | Skip verification of the backend's certificate. Defaults to `false`.                                                                                                                                                                                                                |

## Status fields (read-only)

| Field               | Type      | Description                                      |
| ------------------- | --------- | ------------------------------------------------ |
| `status.conditions` | \[]Object | Describes the current conditions of the Backend. |

## Usage

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: example-api
spec:
  type: Endpoints
  endpoints:
    - fqdn:
        hostname: api.example.com
        port: 443
```

```bash
datumctl apply -f backend.yaml --project my-project
datumctl get backends --project my-project
datumctl describe backend example-api --project my-project
```

<Tip>
  Run `datumctl explain backends --recursive` to see the full, live field tree for this resource.
</Tip>
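
A pre-apply check for the constraints stated in the Spec fields table, as an added example that is not Datum or Envoy Gateway code. `lint_backend` is a hypothetical helper that takes an already-parsed manifest, the sample manifests are constructed, and it also flags `insecureSkipVerify: true` because that setting leaves the backend connection encrypted but unauthenticated.

```python
# Added example (not Datum or Envoy Gateway code); lint_backend is hypothetical.
REQUIRED = {"fqdn": ("hostname", "port"), "ip": ("address", "port"), "unix": ()}


def lint_backend(manifest):
    """Return findings for a parsed Backend manifest; an empty list means clean."""
    findings = []
    spec = manifest.get("spec") or {}
    for i, ep in enumerate(spec.get("endpoints") or []):
        kinds = [k for k in REQUIRED if k in ep]
        if len(kinds) != 1:
            findings.append(f"endpoints[{i}]: set exactly one of fqdn, ip, unix")
            continue
        kind = kinds[0]
        for field in REQUIRED[kind]:
            if field not in (ep[kind] or {}):
                findings.append(f"endpoints[{i}].{kind}.{field}: required")
    tls = spec.get("tls")
    if tls is None:
        return findings
    has_refs = bool(tls.get("caCertificateRefs"))
    has_known = "wellKnownCACertificates" in tls
    skip = tls.get("insecureSkipVerify") is True
    if has_refs and has_known:
        findings.append("tls: caCertificateRefs and wellKnownCACertificates both set")
    if has_known and tls["wellKnownCACertificates"] != "System":
        findings.append("tls.wellKnownCACertificates: only System is valid")
    # Assumption: a missing CA source is reported only when verification is on.
    if not (has_refs or has_known or skip):
        findings.append("tls: set caCertificateRefs or wellKnownCACertificates")
    if skip:
        findings.append("tls.insecureSkipVerify: backend certificate not verified")
    return findings


# Constructed sample manifests.
GOOD = {"kind": "Backend", "spec": {
    "endpoints": [{"fqdn": {"hostname": "api.example.com", "port": 443}}],
    "tls": {"wellKnownCACertificates": "System"}}}
BAD = {"kind": "Backend", "spec": {
    "endpoints": [
        {"fqdn": {"hostname": "api.example.com", "port": 443},
         "ip": {"address": "192.0.2.10", "port": 443}},
        {"ip": {"address": "192.0.2.11"}}],
    "tls": {"caCertificateRefs": [{"name": "example-ca"}],
            "wellKnownCACertificates": "System", "insecureSkipVerify": True}}}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_backend(m))
```

Running it in CI against the parsed YAML before `datumctl apply` catches these cases before the resource reaches the gateway.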
