StatusPulse StatusPulse
← All features

Probe type · Pro+

gRPC Health probe

Speaks the gRPC Health Checking Protocol natively — the same RPC kubelet uses — so per-service health and mTLS auth come out of the box.

Why you need it

A gRPC Health probe calls the canonical grpc.health.v1.Health service every modern gRPC server exposes — the same protocol kubelet readiness probes, Envoy health filters, and Linkerd liveness checks use. A non-gRPC probe of a gRPC server can't reach this surface — HTTP probes see reflection rejection, TCP probes only confirm the port is open.

Three depth levels:

  • Level 1 — Server-overall Check. Empty service field. Asserts the server as a whole is healthy. SERVING → Up. NOT_SERVING / UNKNOWN → Down. Mirrors what kubelet asks during rolling deploys.
  • Level 2 — Per-service Check. Supply a fully-qualified protobuf service name (myapp.users.v1.UserService). Useful when one server hosts multiple services and you want to alert on a specific critical service.
  • Level 3 — Streaming Watch. Issue a Watch RPC, read the first frame, cancel the stream. Useful for servers that only implement Watch and return UNIMPLEMENTED on unary Check.

Full mTLS support — client certificate + private key (PEM format, concatenated) are AES-GCM encrypted at rest with Azure Key Vault as master key; CA bundle in PEM stays plaintext. Optional bearer-style authorization metadata is encrypted. Transport defaults to HTTP/2 (gRPC standard); HTTP/3 (QUIC) is one toggle away. Supports an :authority pseudo-header override for proxied setups.

Where it pays off

The right probe for any gRPC service that needs to be checked from outside the cluster:

  • Public gRPC APIs — Stripe-style API products that expose gRPC alongside REST. Level 1 catches outages; Level 2 catches partial outages.
  • Internal microservices behind an Envoy edge — probe through the edge with the right :authority override so you catch routing misconfigurations.
  • mTLS-only services — finance / regtech / healthcare environments where every caller authenticates with a client cert.
  • Servers that only implement Watch — some legacy codepaths skip the unary Check; Level 3 handles them.
  • HTTP/3 / QUIC rollouts — early adopters running gRPC over QUIC end-to-end.

Not the right choice when: your server doesn't implement grpc.health.v1.Health — use the HTTP probe against your own health endpoint instead. Also not the right tool for plain HTTP/2 APIs that aren't gRPC.

Configuration parameters

Field Type Required Default Description
Name string Required Human-readable label for the probe.
Target URL string (https:// or http://) Required Full URL including scheme and port. Internal hostnames rejected at save time.
Mode Check | Watch Optional Check Which RPC to invoke. Check = unary; Watch = streaming first-frame.
Service string (FQ protobuf name) Optional Fully-qualified service name. Empty = ask about the whole server (Level 1).
Use TLS boolean Optional true When off, the probe uses plaintext HTTP/2 (rare in production).
Client certificate + key (PEM) string (encrypted at rest) Optional Client certificate and private key concatenated as a single PEM blob. AES-GCM encrypted.
CA bundle (PEM) string Optional Custom CA bundle in PEM. Plaintext — CAs are public information.
Authority override string Optional Override for the :authority pseudo-header. Useful when probing through a proxy.
Auth header string (encrypted at rest) Optional Bearer-style token sent verbatim as the authorization gRPC metadata entry. AES-GCM encrypted.
Custom metadata JSON object Optional Map of additional gRPC metadata entries. The authorization key is reserved for the Auth header field.
HTTP version Http2 | Http3 Optional Http2 Transport version. HTTP/3 (QUIC) opt-in; falls back gracefully when server doesn't advertise QUIC.
Ignore server cert validation boolean Optional false Accept self-signed or untrusted server certs.
Handshake Degraded (ms) integer Optional 1000 Connect + TLS + HTTP/2 init budget.
RTT Degraded (ms) integer Optional 200 Post-handshake RPC RTT budget.
Timeout (ms) integer Optional 5000 Hard ceiling on the whole RPC call.

Available on Pro+. Already on StatusPulse? See the full config in Help →

Related

Try gRPC Health probe in StatusPulse

5 probes, 1 status page, forever. No credit card. US or EU host — you choose.

Start free See pricing