Skip to main content
API resource reference for BackendTrafficPolicy, an Envoy Gateway extension resource. To create or change one, see Changing resources; to inspect, see Reading resources.
This resource is part of the v1alpha1 API and is subject to change. Fields and behavior may change in future releases.

Identity

Groupgateway.envoyproxy.io
Versionv1alpha1
KindBackendTrafficPolicy
ScopeProject

Overview

A BackendTrafficPolicy tunes how the gateway sends traffic from a listener to the backend services behind it. It is an Envoy Gateway extension to the Gateway API standard, defined by the Envoy Gateway API: you attach it to a Gateway or route resource and use it to shape connection behavior — load balancing, retries, timeouts, circuit breaking, rate limiting, active health checks, fault injection, and more. Use it when you need finer control over backend traffic than the route itself provides, for example to cap concurrent connections to a backend, retry failed upstream requests, apply rate limits, or gradually ramp traffic to newly added endpoints. The policy attaches to a target resource through targetRefs and takes effect within the same Project.

Spec fields

FieldTypeRequiredDescription
spec.targetRefs[]ObjectNoTarget resources (typically Gateways) this policy attaches to.
spec.targetRefs[].groupstringYesGroup of the target resource.
spec.targetRefs[].kindstringYesKind of the target resource.
spec.targetRefs[].namestringYesName of the target resource.
spec.targetRefs[].sectionNamestringNoA section within the target (Gateway listener name, route rule name, or Service port name). Targets the whole resource when unset.
spec.targetSelectors[]ObjectNoSelects target resources for this policy by label.
spec.targetRefObjectNoSingle target resource this policy attaches to. Deprecated: use targetRefs/targetSelectors instead.
spec.mergeTypestringNoHow this configuration merges into a parent policy (one targeting a Gateway or Listener). Cannot be set when targeting a parent resource.
spec.loadBalancerObjectNoLoad balancer policy for routing to backend endpoints. Defaults to LeastRequest.
spec.loadBalancer.typestringYes*Load balancer type: ConsistentHash, LeastRequest, Random, or RoundRobin. Required when loadBalancer is set.
spec.loadBalancer.consistentHashObjectNoConfiguration used when type is ConsistentHash.
spec.loadBalancer.slowStartObjectNoGradually increases traffic to newly added hosts (RoundRobin/LeastRequest only).
spec.loadBalancer.zoneAwareObjectNoDistributes requests across locality zones.
spec.retryObjectNoRetry behavior. Disabled when unset.
spec.retry.numRetriesintegerNoNumber of retries to attempt. Defaults to 2.
spec.retry.perRetryObjectNoRetry policy applied per retry attempt (e.g. per-try timeout, backoff).
spec.retry.retryOnObjectNoConditions that trigger a retry (e.g. connect failure, retriable status codes).
spec.timeoutObjectNoTimeout settings for backend connections.
spec.timeout.httpObjectNoHTTP timeout settings.
spec.timeout.tcpObjectNoTCP timeout settings.
spec.circuitBreakerObjectNoCircuit breaker thresholds for upstream connections and requests. Enabled with defaults when unset.
spec.circuitBreaker.maxConnectionsintegerNoMaximum connections Envoy establishes to the backend.
spec.circuitBreaker.maxParallelRequestsintegerNoMaximum parallel requests to the backend.
spec.circuitBreaker.maxPendingRequestsintegerNoMaximum pending requests queued to the backend.
spec.circuitBreaker.maxParallelRetriesintegerNoMaximum parallel retries to the backend.
spec.circuitBreaker.maxRequestsPerConnectionintegerNoMaximum requests over a single connection. Default: unlimited.
spec.healthCheckObjectNoActive/passive health checking of backends.
spec.healthCheck.activeObjectNoActive health check configuration.
spec.healthCheck.passiveObjectNoPassive (outlier detection) health check configuration.
spec.healthCheck.panicThresholdintegerNoUnhealthy-endpoint threshold at which Envoy balances across all endpoints. Defaults to 50%; 0 disables panic mode.
spec.rateLimitObjectNoLimits incoming requests based on attributes of the traffic flow.
spec.rateLimit.typestringYes*Rate limit scope: Global or Local. Required when rateLimit is set.
spec.rateLimit.localObjectNoLocal rate limit configuration.
spec.rateLimit.globalObjectNoGlobal rate limit configuration.
spec.faultInjectionObjectNoInjects delays and aborts to mimic failure scenarios such as service failures and overloads.
spec.connectionObjectNoBackend connection settings.
spec.tcpKeepaliveObjectNoTCP keepalive settings for the upstream connection. Disabled by default.
spec.proxyProtocolObjectNoEnables the Proxy Protocol when communicating with the backend.
spec.compression[]ObjectNoCompression configuration for HTTP streams.
spec.http2ObjectNoHTTP/2 configuration for backend connections.
spec.httpUpgrade[]ObjectNoHTTP protocol upgrade configuration. Defaults to websocket.
spec.dnsObjectNoDNS resolution settings.
spec.requestBufferObjectNoBuffers and fully receives each request before forwarding upstream, shielding backends from slow clients and enforcing a maximum request size. May impact performance.
spec.responseOverride[]ObjectNoOverrides specific responses with a custom one. First matching configuration wins.
spec.telemetryObjectNoTelemetry settings for the policy target, overriding the EnvoyProxy telemetry settings.
spec.useClientProtocolbooleanNoPrefer sending backend requests using the same HTTP protocol as the incoming request. Defaults to false.
Fields marked Yes* are required only when their parent object is provided.

Status fields (read-only)

FieldTypeDescription
status.ancestors[]ObjectAncestor resources (usually Gateways) this policy applies to, with the policy’s status for each. A maximum of 16 ancestors are represented; an empty list means the policy is not relevant to any ancestor.

Usage

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: backend-traffic-example
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  loadBalancer:
    type: LeastRequest
  retry:
    numRetries: 3
  timeout:
    http:
      requestTimeout: 10s
datumctl apply -f backendtrafficpolicy.yaml --project my-project
datumctl get backendtrafficpolicies --project my-project
datumctl describe backendtrafficpolicy backend-traffic-example --project my-project
Run datumctl explain backendtrafficpolicies --recursive to see the full, live field tree for this resource.
Last modified on July 2, 2026