The gcp:networkservices/mesh:Mesh resource, part of the Pulumi GCP provider, defines a logical configuration grouping for workload-to-workload communication within a service mesh. This guide focuses on two capabilities: creating meshes with sidecar proxy interception and creating meshes without traffic interception.
Meshes are referenced by route resources that define how requests flow within the mesh boundary. The examples are intentionally small. Combine them with your own route configurations and workload deployments.
Create a mesh with traffic interception
Service mesh deployments with sidecar proxies configure an interception port to redirect traffic through the proxy layer.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.networkservices.Mesh("default", {
    name: "my-mesh",
    labels: {
        foo: "bar",
    },
    description: "my description",
    interceptionPort: 443,
});
```

```python
import pulumi
import pulumi_gcp as gcp

default = gcp.networkservices.Mesh("default",
    name="my-mesh",
    labels={
        "foo": "bar",
    },
    description="my description",
    interception_port=443)
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networkservices"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkservices.NewMesh(ctx, "default", &networkservices.MeshArgs{
			Name: pulumi.String("my-mesh"),
			Labels: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
			Description:      pulumi.String("my description"),
			InterceptionPort: pulumi.Int(443),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var @default = new Gcp.NetworkServices.Mesh("default", new()
    {
        Name = "my-mesh",
        Labels =
        {
            { "foo", "bar" },
        },
        Description = "my description",
        InterceptionPort = 443,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networkservices.Mesh;
import com.pulumi.gcp.networkservices.MeshArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new Mesh("default", MeshArgs.builder()
            .name("my-mesh")
            .labels(Map.of("foo", "bar"))
            .description("my description")
            .interceptionPort(443)
            .build());
    }
}
```

```yaml
resources:
  default:
    type: gcp:networkservices:Mesh
    properties:
      name: my-mesh
      labels:
        foo: bar
      description: my description
      interceptionPort: 443
```
The interceptionPort property instructs sidecar proxies to listen on the specified port of localhost (127.0.0.1). All traffic is redirected to this port regardless of its actual destination. The name property provides a short identifier, while labels and description add organizational metadata.
Create a mesh without traffic interception
When workloads communicate directly or use alternative proxy patterns, you can omit the interception port.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.networkservices.Mesh("default", {
    name: "my-mesh-noport",
    labels: {
        foo: "bar",
    },
    description: "my description",
});
```

```python
import pulumi
import pulumi_gcp as gcp

default = gcp.networkservices.Mesh("default",
    name="my-mesh-noport",
    labels={
        "foo": "bar",
    },
    description="my description")
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networkservices"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkservices.NewMesh(ctx, "default", &networkservices.MeshArgs{
			Name: pulumi.String("my-mesh-noport"),
			Labels: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
			Description: pulumi.String("my description"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var @default = new Gcp.NetworkServices.Mesh("default", new()
    {
        Name = "my-mesh-noport",
        Labels =
        {
            { "foo", "bar" },
        },
        Description = "my description",
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networkservices.Mesh;
import com.pulumi.gcp.networkservices.MeshArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new Mesh("default", MeshArgs.builder()
            .name("my-mesh-noport")
            .labels(Map.of("foo", "bar"))
            .description("my description")
            .build());
    }
}
```

```yaml
resources:
  default:
    type: gcp:networkservices:Mesh
    properties:
      name: my-mesh-noport
      labels:
        foo: bar
      description: my description
```
Without interceptionPort, the mesh defines a logical boundary but doesn’t configure sidecar proxy behavior. If you later enable interception, it defaults to port 15001. This configuration suits deployments where workloads handle routing directly or use non-sidecar proxy patterns.
Beyond these examples
These snippets focus on specific mesh-level features: mesh naming and metadata, and sidecar proxy interception configuration. They’re intentionally minimal rather than full service mesh deployments.
The examples assume pre-existing infrastructure such as a GCP project with Network Services API enabled. They focus on configuring the mesh rather than provisioning routes or workloads.
To keep things focused, common mesh patterns are omitted, including:
- Route configuration (routes reference meshes but are separate resources)
- Workload registration and service discovery
- Multi-region mesh federation
- Integration with GKE or Compute Engine workloads
These omissions are intentional: the goal is to illustrate how mesh configuration is wired, not provide drop-in service mesh modules. See the Network Services Mesh resource reference for all available configuration options.
Frequently Asked Questions
Labels & Metadata
The labels field is non-authoritative and only manages labels present in your Pulumi configuration. Labels added outside Pulumi (via console, gcloud, or other tools) won’t be removed. Use the effectiveLabels output to view all labels on the resource.
Configuration & Limits
The location property defaults to ‘global’ if omitted.
Set interceptionPort to any valid TCP port (1-65535) for sidecar proxy deployments. If unset, it defaults to port 15001.
The description field has a maximum length of 1024 characters.
Immutability & Lifecycle
The project and location properties cannot be changed after the mesh is created. Modifying these requires destroying and recreating the resource.
interceptionPort is optional. If unset, it defaults to port 15001 for sidecar proxy deployments.
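The limits and lifecycle rules in this FAQ can be checked before a deployment. The following is an added example, not code from Pulumi or the GCP provider: a pure TypeScript review of a planned mesh change that reports limit violations, changes to immutable fields, and labels that exist on the resource but are not declared in the program. `MeshSpec`, `Review` and `reviewMeshChange` are hypothetical names, and the sample values are constructed.

```typescript
// Added example: plain TypeScript, no Pulumi SDK calls. Field names mirror the Mesh
// properties on this page; MeshSpec, Review and reviewMeshChange are hypothetical.
interface MeshSpec {
  name: string;
  project?: string;
  location?: string;          // page: defaults to 'global' if omitted
  description?: string;       // page: maximum length of 1024 characters
  interceptionPort?: number;  // page: any valid TCP port (1-65535)
  labels?: Record<string, string>;
}
interface Review {
  errors: string[];           // values outside the limits stated on the page
  replaces: string[];         // immutable fields that changed: destroy and recreate
  unmanagedLabels: string[];  // present on the resource, absent from the program
}
function reviewMeshChange(
  planned: MeshSpec,
  deployed?: MeshSpec,
  effectiveLabels: Record<string, string> = {},
): Review {
  const errors: string[] = [];
  const p = planned.interceptionPort;
  if (p !== undefined && (p % 1 !== 0 || p < 1 || p > 65535)) {
    errors.push(`interceptionPort ${p} is not a TCP port in 1-65535`);
  }
  if ((planned.description ?? "").length > 1024) {
    errors.push("description exceeds 1024 characters");
  }
  const replaces: string[] = [];
  const loc = (s: MeshSpec) => s.location ?? "global";
  if (deployed) {
    if (loc(planned) !== loc(deployed)) replaces.push("location");
    if (planned.project && deployed.project && planned.project !== deployed.project) {
      replaces.push("project");
    }
  }
  // Assumption: no provider-level default labels; those would also count as declared.
  const declared = planned.labels ?? {};
  const unmanagedLabels = Object.keys(effectiveLabels).filter((k) => !(k in declared)).sort();
  return { errors, replaces, unmanagedLabels };
}

// Constructed sample: the page's "my-mesh", a planned edit, and one out-of-band label.
const deployedMesh: MeshSpec = { name: "my-mesh", labels: { foo: "bar" }, interceptionPort: 443 };
const plannedMesh: MeshSpec = { ...deployedMesh, location: "us-central1", interceptionPort: 70000 };
const review = reviewMeshChange(plannedMesh, deployedMesh, { foo: "bar", owner: "console-user" });
console.log(review);
```

In a real program the third argument would come from the mesh's effectiveLabels output; a non-empty `unmanagedLabels` list means something other than this Pulumi program is labelling the resource.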