config: breadcrumb annotations to infer earlier API message versions. (#9166)

This PR avoids having to include an API type database in the Envoy build by introducing a message annotation option that allows Envoy to determine earlier corresponding message types via descriptor inspection. The ApiTypeDb is now ApiTypeOracle and utilizes these annotations. Risk level: Low Testing: Existing API and verison upgrade tests pass. Signed-off-by: Harvey Tuch <htuch@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 297f7a73b3f93bccf8af73c0a555ae52bce6cecb
5 years ago · e961a470d0
parent 492d1f4675
commit e961a470d0
165 changed files with 1593 additions and 33 deletions
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@ -15,8 +15,8 @@ PROMETHEUS_SHA = "783bdaf8ee0464b35ec0c8704871e1e72afa0005c3f3587f65d9d6694bf391

 KAFKA_SOURCE_SHA = "ae7a1696c0a0302b43c5b21e515c37e6ecd365941f68a510a7e442eebddf39a1"  # 2.2.0-rc2

-UDPA_GIT_SHA = "015fc86d90f4045a56f831bcdfa560bc455450e2"  # Oct 4, 2019
-UDPA_SHA256 = "2f2b4bdb718250531f3ed9c2010272f04bbca92af70348714fd3687e86acc1f7"
+UDPA_GIT_SHA = "a45f154471612140bc7f4a4d5abbc8a315848d7f"  # Dec 12, 2019
+UDPA_SHA256 = "03e794f7bae192930213622105bf9c6891e7de20c22deae12d8e92f54baca8c5"

 ZIPKINAPI_RELEASE = "0.2.2"  # Aug 23, 2019
 ZIPKINAPI_SHA256 = "688c4fe170821dd589f36ec45aaadc03a618a40283bc1f97da8fa11686fc816b"
--- a/envoy/admin/v3alpha/BUILD
+++ b/envoy/admin/v3alpha/BUILD
@ -12,5 +12,6 @@ api_proto_package(
        "//envoy/config/bootstrap/v3alpha:pkg",
        "//envoy/service/tap/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/admin/v3alpha/certs.proto
+++ b/envoy/admin/v3alpha/certs.proto
@ -8,17 +8,25 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";

 import "google/protobuf/timestamp.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Certificates]

 // Proto representation of certificate details. Admin endpoint uses this wrapper for `/certs` to
 // display certificate information. See :ref:`/certs <operations_admin_interface_certs>` for more
 // information.
 message Certificates {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.Certificates";
+
  // List of certificates known to an Envoy.
  repeated Certificate certificates = 1;
 }

 message Certificate {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.Certificate";
+
  // Details of CA certificate.
  repeated CertificateDetails ca_cert = 1;

@ -28,6 +36,9 @@ message Certificate {

 // [#next-free-field: 7]
 message CertificateDetails {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.CertificateDetails";
+
  // Path of the certificate.
  string path = 1;

@ -48,6 +59,9 @@ message CertificateDetails {
 }

 message SubjectAlternateName {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.SubjectAlternateName";
+
  // Subject Alternate Name.
  oneof name {
    string dns = 1;
--- a/envoy/admin/v3alpha/clusters.proto
+++ b/envoy/admin/v3alpha/clusters.proto
@ -11,11 +11,15 @@ import "envoy/api/v3alpha/core/address.proto";
 import "envoy/api/v3alpha/core/health_check.proto";
 import "envoy/type/v3alpha/percent.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Clusters]

 // Admin endpoint uses this wrapper for `/clusters` to display cluster status information.
 // See :ref:`/clusters <operations_admin_interface_clusters>` for more information.
 message Clusters {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Clusters";
+
  // Mapping from cluster name to each cluster's status.
  repeated ClusterStatus cluster_statuses = 1;
 }
@ -23,6 +27,9 @@ message Clusters {
 // Details an individual cluster's current status.
 // [#next-free-field: 6]
 message ClusterStatus {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.ClusterStatus";
+
  // Name of the cluster.
  string name = 1;

@ -72,6 +79,8 @@ message ClusterStatus {
 // Current state of a particular host.
 // [#next-free-field: 9]
 message HostStatus {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.HostStatus";
+
  // Address of this host.
  api.v3alpha.core.Address address = 1;

@ -123,6 +132,9 @@ message HostStatus {
 // Health status for a host.
 // [#next-free-field: 7]
 message HostHealthStatus {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.HostHealthStatus";
+
  // The host is currently failing active health checks.
  bool failed_active_health_check = 1;

--- a/envoy/admin/v3alpha/config_dump.proto
+++ b/envoy/admin/v3alpha/config_dump.proto
@ -16,11 +16,15 @@ import "envoy/config/bootstrap/v3alpha/bootstrap.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/timestamp.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: ConfigDump]

 // The :ref:`/config_dump <operations_admin_interface_config_dump>` admin endpoint uses this wrapper
 // message to maintain and serve arbitrary configuration information from any component in Envoy.
 message ConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.ConfigDump";
+
  // This list is serialized and dumped in its entirety at the
  // :ref:`/config_dump <operations_admin_interface_config_dump>` endpoint.
  //
@ -35,6 +39,9 @@ message ConfigDump {
 }

 message UpdateFailureState {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.UpdateFailureState";
+
  // What the component configuration would have been if the update had succeeded.
  google.protobuf.Any failed_configuration = 1;

@ -50,6 +57,9 @@ message UpdateFailureState {
 // the static portions of an Envoy configuration by reusing the output as the bootstrap
 // configuration for another Envoy.
 message BootstrapConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.BootstrapConfigDump";
+
  config.bootstrap.v3alpha.Bootstrap bootstrap = 1;

  // The timestamp when the BootstrapConfig was last updated.
@ -60,8 +70,14 @@ message BootstrapConfigDump {
 // configuration information can be used to recreate an Envoy configuration by populating all
 // listeners as static listeners or by returning them in a LDS response.
 message ListenersConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.ListenersConfigDump";
+
  // Describes a statically loaded listener.
  message StaticListener {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ListenersConfigDump.StaticListener";
+
    // The listener config.
    api.v3alpha.Listener listener = 1;

@ -70,6 +86,9 @@ message ListenersConfigDump {
  }

  message DynamicListenerState {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ListenersConfigDump.DynamicListenerState";
+
    // This is the per-resource version information. This version is currently taken from the
    // :ref:`version_info <envoy_api_field_api.v3alpha.DiscoveryResponse.version_info>` field at the
    // time that the listener was loaded. In the future, discrete per-listener versions may be
@ -86,6 +105,9 @@ message ListenersConfigDump {
  // Describes a dynamically loaded listener via the LDS API.
  // [#next-free-field: 6]
  message DynamicListener {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ListenersConfigDump.DynamicListener";
+
    // The name or unique id of this listener, pulled from the DynamicListenerState config.
    string name = 1;

@ -125,8 +147,14 @@ message ListenersConfigDump {
 // configuration information can be used to recreate an Envoy configuration by populating all
 // clusters as static clusters or by returning them in a CDS response.
 message ClustersConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.ClustersConfigDump";
+
  // Describes a statically loaded cluster.
  message StaticCluster {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ClustersConfigDump.StaticCluster";
+
    // The cluster config.
    api.v3alpha.Cluster cluster = 1;

@ -136,6 +164,9 @@ message ClustersConfigDump {

  // Describes a dynamically loaded cluster via the CDS API.
  message DynamicCluster {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ClustersConfigDump.DynamicCluster";
+
    // This is the per-resource version information. This version is currently taken from the
    // :ref:`version_info <envoy_api_field_api.v3alpha.DiscoveryResponse.version_info>` field at the
    // time that the cluster was loaded. In the future, discrete per-cluster versions may be
@ -174,7 +205,13 @@ message ClustersConfigDump {
 // to recreate an Envoy configuration by populating all routes as static routes or by returning them
 // in RDS responses.
 message RoutesConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.RoutesConfigDump";
+
  message StaticRouteConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.RoutesConfigDump.StaticRouteConfig";
+
    // The route config.
    api.v3alpha.RouteConfiguration route_config = 1;

@ -183,6 +220,9 @@ message RoutesConfigDump {
  }

  message DynamicRouteConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.RoutesConfigDump.DynamicRouteConfig";
+
    // This is the per-resource version information. This version is currently taken from the
    // :ref:`version_info <envoy_api_field_api.v3alpha.DiscoveryResponse.version_info>` field at the
    // time that the route configuration was loaded.
@ -207,7 +247,13 @@ message RoutesConfigDump {
 // the scopes defined inline with the higher order object (i.e., the HttpConnectionManager) and the
 // dynamically obtained scopes via the SRDS API.
 message ScopedRoutesConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.ScopedRoutesConfigDump";
+
  message InlineScopedRouteConfigs {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ScopedRoutesConfigDump.InlineScopedRouteConfigs";
+
    // The name assigned to the scoped route configurations.
    string name = 1;

@ -219,6 +265,9 @@ message ScopedRoutesConfigDump {
  }

  message DynamicScopedRouteConfigs {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.ScopedRoutesConfigDump.DynamicScopedRouteConfigs";
+
    // The name assigned to the scoped route configurations.
    string name = 1;

@ -243,8 +292,14 @@ message ScopedRoutesConfigDump {

 // Envoys SDS implementation fills this message with all secrets fetched dynamically via SDS.
 message SecretsConfigDump {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.SecretsConfigDump";
+
  // DynamicSecret contains secret information fetched via SDS.
  message DynamicSecret {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.SecretsConfigDump.DynamicSecret";
+
    // The name assigned to the secret.
    string name = 1;

@ -262,6 +317,9 @@ message SecretsConfigDump {

  // StaticSecret specifies statically loaded secret in bootstrap.
  message StaticSecret {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.admin.v2alpha.SecretsConfigDump.StaticSecret";
+
    // The name assigned to the secret.
    string name = 1;

--- a/envoy/admin/v3alpha/listeners.proto
+++ b/envoy/admin/v3alpha/listeners.proto
@ -8,17 +8,24 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";

 import "envoy/api/v3alpha/core/address.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Listeners]

 // Admin endpoint uses this wrapper for `/listeners` to display listener status information.
 // See :ref:`/listeners <operations_admin_interface_listeners>` for more information.
 message Listeners {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Listeners";
+
  // List of listener statuses.
  repeated ListenerStatus listener_statuses = 1;
 }

 // Details an individual listener's current status.
 message ListenerStatus {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.ListenerStatus";
+
  // Name of the listener
  string name = 1;

--- a/envoy/admin/v3alpha/memory.proto
+++ b/envoy/admin/v3alpha/memory.proto
@ -6,6 +6,8 @@ option java_outer_classname = "MemoryProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.admin.v3alpha";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Memory]

 // Proto representation of the internal memory consumption of an Envoy instance. These represent
@ -13,6 +15,8 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";
 // docs entitled ["Generic Tcmalloc Status"](https://gperftools.github.io/gperftools/tcmalloc.html).
 // [#next-free-field: 6]
 message Memory {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.Memory";
+
  // The number of bytes allocated by the heap for Envoy. This is an alias for
  // `generic.current_allocated_bytes`.
  uint64 allocated = 1;
--- a/envoy/admin/v3alpha/metrics.proto
+++ b/envoy/admin/v3alpha/metrics.proto
@ -6,10 +6,15 @@ option java_outer_classname = "MetricsProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.admin.v3alpha";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Metrics]

 // Proto representation of an Envoy Counter or Gauge value.
 message SimpleMetric {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.SimpleMetric";
+
  enum Type {
    COUNTER = 0;
    GAUGE = 1;
--- a/envoy/admin/v3alpha/mutex_stats.proto
+++ b/envoy/admin/v3alpha/mutex_stats.proto
@ -6,6 +6,8 @@ option java_outer_classname = "MutexStatsProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.admin.v3alpha";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: MutexStats]

 // Proto representation of the statistics collected upon absl::Mutex contention, if Envoy is run
@ -16,6 +18,8 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";
 // correspond to core clock frequency. For more information, see the `CycleClock`
 // [docs](https://github.com/abseil/abseil-cpp/blob/master/absl/base/internal/cycleclock.h).
 message MutexStats {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.MutexStats";
+
  // The number of individual mutex contentions which have occurred since startup.
  uint64 num_contentions = 1;

--- a/envoy/admin/v3alpha/server_info.proto
+++ b/envoy/admin/v3alpha/server_info.proto
@ -8,12 +8,16 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Server State]

 // Proto representation of the value returned by /server_info, containing
 // server version/server status information.
 // [#next-free-field: 7]
 message ServerInfo {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.ServerInfo";
+
  enum State {
    // Server is live and serving traffic.
    LIVE = 0;
@ -49,6 +53,9 @@ message ServerInfo {

 // [#next-free-field: 28]
 message CommandLineOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.admin.v2alpha.CommandLineOptions";
+
  enum IpVersion {
    v4 = 0;
    v6 = 1;
--- a/envoy/admin/v3alpha/tap.proto
+++ b/envoy/admin/v3alpha/tap.proto
@ -8,10 +8,14 @@ option java_package = "io.envoyproxy.envoy.admin.v3alpha";

 import "envoy/service/tap/v3alpha/common.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // The /tap admin request body that is used to configure an active tap session.
 message TapRequest {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.TapRequest";
+
  // The opaque configuration ID used to match the configuration to a loaded extension.
  // A tap extension configures a similar opaque ID that is used to match.
  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
--- a/envoy/api/v3alpha/BUILD
+++ b/envoy/api/v3alpha/BUILD
@ -14,5 +14,6 @@ api_proto_package(
        "//envoy/api/v3alpha/route:pkg",
        "//envoy/config/listener/v2:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/api/v3alpha/auth/BUILD
+++ b/envoy/api/v3alpha/auth/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/api/v3alpha/auth/cert.proto
+++ b/envoy/api/v3alpha/auth/cert.proto
@ -13,11 +13,16 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common TLS configuration]

 message TlsParameters {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.TlsParameters";
+
  enum TlsProtocol {
    // Envoy will choose the optimal TLS version.
    TLS_AUTO = 0;
@ -105,6 +110,9 @@ message TlsParameters {
 // (potentially asynchronous) signing and decryption operations. Some use cases for private key
 // methods would be TPM support and TLS acceleration.
 message PrivateKeyProvider {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.PrivateKeyProvider";
+
  reserved 2;

  reserved "config";
@ -121,6 +129,9 @@ message PrivateKeyProvider {

 // [#next-free-field: 7]
 message TlsCertificate {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.TlsCertificate";
+
  // The TLS certificate chain.
  core.DataSource certificate_chain = 1;

@ -148,6 +159,9 @@ message TlsCertificate {
 }

 message TlsSessionTicketKeys {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.TlsSessionTicketKeys";
+
  // Keys for encrypting and decrypting TLS session tickets. The
  // first key in the array contains the key to encrypt all new sessions created by this context.
  // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
@ -177,6 +191,9 @@ message TlsSessionTicketKeys {

 // [#next-free-field: 9]
 message CertificateValidationContext {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.CertificateValidationContext";
+
  // TLS certificate data containing certificate authority certificates to use in verifying
  // a presented peer certificate (e.g. server certificate for clusters or client certificate
  // for listeners). If not specified and a peer certificate is presented it will not be
@ -292,7 +309,13 @@ message CertificateValidationContext {
 // TLS context shared by both client and server TLS contexts.
 // [#next-free-field: 9]
 message CommonTlsContext {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.CommonTlsContext";
+
  message CombinedCertificateValidationContext {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
+
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];
@ -350,6 +373,9 @@ message CommonTlsContext {
 }

 message UpstreamTlsContext {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.UpstreamTlsContext";
+
  // Common TLS context settings.
  //
  // .. attention::
@ -378,6 +404,9 @@ message UpstreamTlsContext {

 // [#next-free-field: 6]
 message DownstreamTlsContext {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.DownstreamTlsContext";
+
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;

@ -399,6 +428,9 @@ message DownstreamTlsContext {
 }

 message SdsSecretConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.auth.SdsSecretConfig";
+
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
  // When only name is specified, then secret will be loaded from static
@ -409,6 +441,8 @@ message SdsSecretConfig {
 }

 message Secret {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";
+
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;

--- a/envoy/api/v3alpha/cds.proto
+++ b/envoy/api/v3alpha/cds.proto
@ -25,6 +25,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Clusters]
@ -48,6 +50,8 @@ service ClusterDiscoveryService {
 // Configuration for a single upstream cluster.
 // [#next-free-field: 45]
 message Cluster {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
+
  // Refer to :ref:`service discovery type <arch_overview_service_discovery_types>`
  // for an explanation on each type.
  enum DiscoveryType {
@ -149,6 +153,9 @@ message Cluster {
  // TransportSocketMatch specifies what transport socket config will be used
  // when the match conditions are satisfied.
  message TransportSocketMatch {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.TransportSocketMatch";
+
    // The name of the match, used in stats generation.
    string name = 1 [(validate.rules).string = {min_len: 1}];

@ -165,6 +172,9 @@ message Cluster {

  // Extended cluster type.
  message CustomClusterType {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.CustomClusterType";
+
    // The type of the cluster to instantiate. The name must match a supported cluster type.
    string name = 1 [(validate.rules).string = {min_bytes: 1}];

@ -175,6 +185,9 @@ message Cluster {

  // Only valid when discovery type is EDS.
  message EdsClusterConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.EdsClusterConfig";
+
    // Configuration for the source of EDS updates for this Cluster.
    core.ConfigSource eds_config = 1;

@ -188,6 +201,9 @@ message Cluster {
  // endpoint metadata and selected by route and weighted cluster metadata.
  // [#next-free-field: 8]
  message LbSubsetConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.LbSubsetConfig";
+
    // If NO_FALLBACK is selected, a result
    // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected,
    // any cluster endpoint may be returned (subject to policy, health checks,
@ -201,6 +217,9 @@ message Cluster {

    // Specifications for subsets.
    message LbSubsetSelector {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.Cluster.LbSubsetConfig.LbSubsetSelector";
+
      // Allows to override top level fallback policy per selector.
      enum LbSubsetSelectorFallbackPolicy {
        // If NOT_DEFINED top level config fallback policy is used instead.
@ -311,6 +330,9 @@ message Cluster {

  // Specific configuration for the LeastRequest load balancing policy.
  message LeastRequestLbConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.LeastRequestLbConfig";
+
    // The number of random healthy hosts from which the host with the fewest active requests will
    // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
    google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
@ -319,6 +341,9 @@ message Cluster {
  // Specific configuration for the :ref:`RingHash<arch_overview_load_balancing_types_ring_hash>`
  // load balancing policy.
  message RingHashLbConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.RingHashLbConfig";
+
    // The hash function used to hash hosts onto the ketama ring.
    enum HashFunction {
      // Use `xxHash <https://github.com/Cyan4973/xxHash>`_, this is the default hash function.
@ -352,6 +377,9 @@ message Cluster {
  // :ref:`Original Destination <arch_overview_load_balancing_types_original_destination>`
  // load balancing policy.
  message OriginalDstLbConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.OriginalDstLbConfig";
+
    // When true, :ref:`x-envoy-original-dst-host
    // <config_http_conn_man_headers_x-envoy-original-dst-host>` can be used to override destination
    // address.
@ -367,9 +395,15 @@ message Cluster {
  // Common configuration for all load balancer implementations.
  // [#next-free-field: 7]
  message CommonLbConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.CommonLbConfig";
+
    // Configuration for :ref:`zone aware routing
    // <arch_overview_load_balancing_zone_aware_routing>`.
    message ZoneAwareLbConfig {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.Cluster.CommonLbConfig.ZoneAwareLbConfig";
+
      // Configures percentage of requests that will be considered for zone aware routing
      // if zone aware routing is configured. If not specified, the default is 100%.
      // * :ref:`runtime values <config_cluster_manager_cluster_runtime_zone_routing>`.
@ -393,6 +427,8 @@ message Cluster {
    // Configuration for :ref:`locality weighted load balancing
    // <arch_overview_load_balancing_locality_weighted_lb>`
    message LocalityWeightedLbConfig {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig";
    }

    // Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.
@ -452,6 +488,9 @@ message Cluster {
  }

  message RefreshRate {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Cluster.RefreshRate";
+
    // Specifies the base interval between refreshes. This parameter is required and must be greater
    // than zero and less than
    // :ref:`max_interval <envoy_api_field_api.v3alpha.Cluster.RefreshRate.max_interval>`.
@ -806,7 +845,13 @@ message Cluster {
 // To facilitate this, the config message for the top-level LB policy may include a field of
 // type LoadBalancingPolicy that specifies the child policy.
 message LoadBalancingPolicy {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.LoadBalancingPolicy";
+
  message Policy {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.LoadBalancingPolicy.Policy";
+
    reserved 2;

    reserved "config";
@ -826,11 +871,17 @@ message LoadBalancingPolicy {
 // An extensible structure containing the address Envoy should bind to when
 // establishing upstream connections.
 message UpstreamBindConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.UpstreamBindConfig";
+
  // The address Envoy should bind to when establishing upstream connections.
  core.Address source_address = 1;
 }

 message UpstreamConnectionOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.UpstreamConnectionOptions";
+
  // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
  core.TcpKeepalive tcp_keepalive = 1;
 }
--- a/envoy/api/v3alpha/cluster/BUILD
+++ b/envoy/api/v3alpha/cluster/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/api/v3alpha/cluster/circuit_breaker.proto
+++ b/envoy/api/v3alpha/cluster/circuit_breaker.proto
@ -10,6 +10,8 @@ import "envoy/api/v3alpha/core/base.proto";

 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Circuit breakers]
@ -17,10 +19,16 @@ import "validate/validate.proto";
 // :ref:`Circuit breaking<arch_overview_circuit_break>` settings can be
 // specified individually for each defined priority.
 message CircuitBreakers {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.cluster.CircuitBreakers";
+
  // A Thresholds defines CircuitBreaker settings for a
  // :ref:`RoutingPriority<envoy_api_enum_api.v3alpha.core.RoutingPriority>`.
  // [#next-free-field: 8]
  message Thresholds {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.cluster.CircuitBreakers.Thresholds";
+
    // The :ref:`RoutingPriority<envoy_api_enum_api.v3alpha.core.RoutingPriority>`
    // the specified CircuitBreaker settings apply to.
    core.RoutingPriority priority = 1 [(validate.rules).enum = {defined_only: true}];
--- a/envoy/api/v3alpha/cluster/filter.proto
+++ b/envoy/api/v3alpha/cluster/filter.proto
@ -8,12 +8,16 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.cluster";

 import "google/protobuf/any.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Upstream filters]
 //
 // Upstream filters apply to the connections to the upstream cluster hosts.
 message Filter {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.cluster.Filter";
+
  // The name of the filter to instantiate. The name must match a
  // :ref:`supported filter <config_network_filters>`.
  string name = 1 [(validate.rules).string = {min_bytes: 1}];
--- a/envoy/api/v3alpha/cluster/outlier_detection.proto
+++ b/envoy/api/v3alpha/cluster/outlier_detection.proto
@ -9,6 +9,8 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.cluster";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Outlier detection]
@ -17,6 +19,9 @@ import "validate/validate.proto";
 // more information on outlier detection.
 // [#next-free-field: 21]
 message OutlierDetection {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.cluster.OutlierDetection";
+
  // The number of consecutive 5xx responses or local origin errors that are mapped
  // to 5xx error codes before a consecutive 5xx ejection
  // occurs. Defaults to 5.
--- a/envoy/api/v3alpha/core/BUILD
+++ b/envoy/api/v3alpha/core/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/type/v3alpha:pkg"],
+    deps = [
+        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/api/v3alpha/core/address.proto
+++ b/envoy/api/v3alpha/core/address.proto
@ -10,11 +10,15 @@ import "envoy/api/v3alpha/core/base.proto";

 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Network addresses]

 message Pipe {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe";
+
  // Unix Domain Socket path. On Linux, paths starting with '@' will use the
  // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
  // Paths starting with '@' will result in an error in environments other than
@ -24,6 +28,9 @@ message Pipe {

 // [#next-free-field: 7]
 message SocketAddress {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.SocketAddress";
+
  enum Protocol {
    TCP = 0;
    UDP = 1;
@ -70,6 +77,8 @@ message SocketAddress {
 }

 message TcpKeepalive {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive";
+
  // Maximum number of keepalive probes to send without response before deciding
  // the connection is dead. Default is to use the OS level configuration (unless
  // overridden, Linux defaults to 9.)
@ -86,6 +95,8 @@ message TcpKeepalive {
 }

 message BindConfig {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig";
+
  // The address to bind to when creating a socket.
  SocketAddress source_address = 1 [(validate.rules).message = {required: true}];

@ -107,6 +118,8 @@ message BindConfig {
 // used to tell Envoy where to bind/listen, connect to upstream and find
 // management servers.
 message Address {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address";
+
  oneof address {
    option (validate.required) = true;

@ -119,6 +132,8 @@ message Address {
 // CidrRange specifies an IP Address and a prefix length to construct
 // the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.
 message CidrRange {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange";
+
  // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
  string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/api/v3alpha/core/base.proto
+++ b/envoy/api/v3alpha/core/base.proto
@ -13,6 +13,8 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common types]
@ -57,6 +59,8 @@ enum TrafficDirection {

 // Identifies location of where either Envoy runs or where upstream hosts run.
 message Locality {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.Locality";
+
  // Region this :ref:`zone <envoy_api_field_api.v3alpha.core.Locality.zone>` belongs to.
  string region = 1;

@ -82,6 +86,8 @@ message Locality {
 // configuration for serving.
 // [#next-free-field: 6]
 message Node {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.Node";
+
  // An opaque node identifier for the Envoy node. This also provides the local
  // service node name. It should be set if any of the following features are
  // used: :ref:`statsd <arch_overview_statistics>`, :ref:`CDS
@ -138,6 +144,8 @@ message Node {
 //   endpoint and is also used during header processing
 //   (x-envoy-upstream-canary) and for stats purposes.
 message Metadata {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.Metadata";
+
  // Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
  // namespace is reserved for Envoy's built-in filters.
  map<string, google.protobuf.Struct> filter_metadata = 1;
@ -145,6 +153,9 @@ message Metadata {

 // Runtime derived uint32 with a default when not specified.
 message RuntimeUInt32 {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RuntimeUInt32";
+
  // Default value if runtime value is not available.
  uint32 default_value = 2;

@ -154,6 +165,9 @@ message RuntimeUInt32 {

 // Runtime derived bool with a default when not specified.
 message RuntimeFeatureFlag {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RuntimeFeatureFlag";
+
  // Default value if runtime value is not available.
  google.protobuf.BoolValue default_value = 1 [(validate.rules).message = {required: true}];

@ -165,6 +179,8 @@ message RuntimeFeatureFlag {

 // Header name/value pair.
 message HeaderValue {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue";
+
  // Header name.
  string key = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 16384}];

@ -178,6 +194,9 @@ message HeaderValue {

 // Header name/value pair plus option to control append behavior.
 message HeaderValueOption {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.HeaderValueOption";
+
  // Header name/value pair that this option applies to.
  HeaderValue header = 1 [(validate.rules).message = {required: true}];

@ -188,11 +207,15 @@ message HeaderValueOption {

 // Wrapper for a set of headers.
 message HeaderMap {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap";
+
  repeated HeaderValue headers = 1;
 }

 // Data source consisting of either a file or an inline value.
 message DataSource {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource";
+
  oneof specifier {
    option (validate.required) = true;

@ -209,6 +232,9 @@ message DataSource {

 // The message specifies how to fetch data from remote and how to verify it.
 message RemoteDataSource {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RemoteDataSource";
+
  // The HTTP URI to fetch the remote data.
  HttpUri http_uri = 1 [(validate.rules).message = {required: true}];

@ -218,6 +244,9 @@ message RemoteDataSource {

 // Async data source which support async data fetch.
 message AsyncDataSource {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.AsyncDataSource";
+
  oneof specifier {
    option (validate.required) = true;

@ -234,6 +263,9 @@ message AsyncDataSource {
 // empty, a default transport socket implementation and configuration will be
 // chosen based on the platform and existence of tls_context.
 message TransportSocket {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.TransportSocket";
+
  reserved 2;

  reserved "config";
@ -253,6 +285,8 @@ message TransportSocket {
 // might not exist in upstream kernels or precompiled Envoy binaries.
 // [#next-free-field: 7]
 message SocketOption {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketOption";
+
  enum SocketState {
    // Socket options are applied after socket creation but before binding the socket to a port
    STATE_PREBIND = 0;
@ -300,6 +334,9 @@ message SocketOption {
 //   integral percentage out of 100. For instance, a runtime key lookup returning the value "42"
 //   would parse as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
 message RuntimeFractionalPercent {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RuntimeFractionalPercent";
+
  // Default value if the runtime value's for the numerator/denominator keys are not available.
  type.v3alpha.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}];

@ -309,6 +346,8 @@ message RuntimeFractionalPercent {

 // Identifies a specific ControlPlane instance that Envoy is connected to.
 message ControlPlane {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.ControlPlane";
+
  // An opaque control plane identifier that uniquely identifies an instance
  // of control plane. This can be used to identify which control plane instance,
  // the Envoy is connected to.
--- a/envoy/api/v3alpha/core/config_source.proto
+++ b/envoy/api/v3alpha/core/config_source.proto
@ -11,6 +11,8 @@ import "envoy/api/v3alpha/core/grpc_service.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Configuration sources]
@ -19,6 +21,9 @@ import "validate/validate.proto";
 // will use to fetch an xDS API.
 // [#next-free-field: 8]
 message ApiConfigSource {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.ApiConfigSource";
+
  // APIs may be fetched via either REST or gRPC.
  enum ApiType {
    // Ideally this would be 'reserved 0' but one can't reserve the default
@ -76,6 +81,8 @@ message ApiConfigSource {
 // set in :ref:`ConfigSource <envoy_api_msg_api.v3alpha.core.ConfigSource>` can be used to
 // specify that ADS is to be used.
 message AggregatedConfigSource {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.AggregatedConfigSource";
 }

 // [#not-implemented-hide:]
@ -83,10 +90,15 @@ message AggregatedConfigSource {
 // set in :ref:`ConfigSource <envoy_api_msg_api.v3alpha.core.ConfigSource>` can be used to
 // specify that other data can be obtained from the same server.
 message SelfConfigSource {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.SelfConfigSource";
 }

 // Rate Limit settings to be applied for discovery requests made by Envoy.
 message RateLimitSettings {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RateLimitSettings";
+
  // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a
  // default value of 100 will be used.
  google.protobuf.UInt32Value max_tokens = 1;
@ -104,6 +116,8 @@ message RateLimitSettings {
 // inotify for updates.
 // [#next-free-field: 6]
 message ConfigSource {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource";
+
  oneof config_source_specifier {
    option (validate.required) = true;

--- a/envoy/api/v3alpha/core/grpc_service.proto
+++ b/envoy/api/v3alpha/core/grpc_service.proto
@ -13,6 +13,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: gRPC services]
@ -21,7 +23,12 @@ import "validate/validate.proto";
 // <envoy_api_msg_api.v3alpha.core.ApiConfigSource>` and filter configurations.
 // [#next-free-field: 6]
 message GrpcService {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";
+
  message EnvoyGrpc {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.GrpcService.EnvoyGrpc";
+
    // The name of the upstream gRPC cluster. SSL credentials will be supplied
    // in the :ref:`Cluster <envoy_api_msg_api.v3alpha.Cluster>` :ref:`transport_socket
    // <envoy_api_field_api.v3alpha.Cluster.transport_socket>`.
@ -30,8 +37,14 @@ message GrpcService {

  // [#next-free-field: 7]
  message GoogleGrpc {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.GrpcService.GoogleGrpc";
+
    // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
    message SslCredentials {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials";
+
      // PEM encoded server root certificates.
      DataSource root_certs = 1;

@ -45,11 +58,16 @@ message GrpcService {
    // Local channel credentials. Only UDS is supported for now.
    // See https://github.com/grpc/grpc/pull/15909.
    message GoogleLocalCredentials {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials";
    }

    // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call
    // credential types.
    message ChannelCredentials {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials";
+
      oneof credential_specifier {
        option (validate.required) = true;

@ -64,19 +82,33 @@ message GrpcService {

    // [#next-free-field: 7]
    message CallCredentials {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials";
+
      message ServiceAccountJWTAccessCredentials {
+        option (udpa.api.annotations.versioning).previous_message_type =
+            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
+            "ServiceAccountJWTAccessCredentials";
+
        string json_key = 1;

        uint64 token_lifetime_seconds = 2;
      }

      message GoogleIAMCredentials {
+        option (udpa.api.annotations.versioning).previous_message_type =
+            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials";
+
        string authorization_token = 1;

        string authority_selector = 2;
      }

      message MetadataCredentialsFromPlugin {
+        option (udpa.api.annotations.versioning).previous_message_type =
+            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
+            "MetadataCredentialsFromPlugin";
+
        reserved 2;

        reserved "config";
--- a/envoy/api/v3alpha/core/health_check.proto
+++ b/envoy/api/v3alpha/core/health_check.proto
@ -15,6 +15,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Health check]
@ -50,8 +52,13 @@ enum HealthStatus {

 // [#next-free-field: 21]
 message HealthCheck {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
+
  // Describes the encoding of the payload bytes in the payload.
  message Payload {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.Payload";
+
    oneof payload {
      option (validate.required) = true;

@ -65,6 +72,9 @@ message HealthCheck {

  // [#next-free-field: 11]
  message HttpHealthCheck {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.HttpHealthCheck";
+
    reserved 7;

    reserved "use_http2";
@ -114,6 +124,9 @@ message HealthCheck {
  }

  message TcpHealthCheck {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.TcpHealthCheck";
+
    // Empty payloads imply a connect-only health check.
    Payload send = 1;

@ -124,6 +137,9 @@ message HealthCheck {
  }

  message RedisHealthCheck {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.RedisHealthCheck";
+
    // If set, optionally perform ``EXISTS <key>`` instead of ``PING``. A return value
    // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other
    // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance
@ -136,6 +152,9 @@ message HealthCheck {
  // healthcheck. See `gRPC doc <https://github.com/grpc/grpc/blob/master/doc/health-checking.md>`_
  // for details.
  message GrpcHealthCheck {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.GrpcHealthCheck";
+
    // An optional service name parameter which will be sent to gRPC service in
    // `grpc.health.v1.HealthCheckRequest
    // <https://github.com/grpc/grpc/blob/master/src/proto/grpc/health/v1/health.proto#L20>`_.
@ -151,6 +170,9 @@ message HealthCheck {

  // Custom health check.
  message CustomHealthCheck {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.HealthCheck.CustomHealthCheck";
+
    reserved 2;

    reserved "config";
--- a/envoy/api/v3alpha/core/http_uri.proto
+++ b/envoy/api/v3alpha/core/http_uri.proto
@ -8,12 +8,16 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.core";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: HTTP Service URI ]

 // Envoy external URI descriptor
 message HttpUri {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpUri";
+
  // The HTTP server URI. It should be a full FQDN with protocol, host and path.
  //
  // Example:
--- a/envoy/api/v3alpha/core/protocol.proto
+++ b/envoy/api/v3alpha/core/protocol.proto
@ -9,15 +9,22 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.core";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Protocol options]

 // [#not-implemented-hide:]
 message TcpProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.TcpProtocolOptions";
 }

 message HttpProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.HttpProtocolOptions";
+
  // The idle timeout for connections. The idle timeout is defined as the
  // period in which there are no active requests. If not set, there is no idle timeout. When the
  // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
@ -47,8 +54,16 @@ message HttpProtocolOptions {
 }

 message Http1ProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.Http1ProtocolOptions";
+
  message HeaderKeyFormat {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat";
+
    message ProperCaseWords {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords";
    }

    oneof header_format {
@ -87,6 +102,9 @@ message Http1ProtocolOptions {

 // [#next-free-field: 13]
 message Http2ProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.Http2ProtocolOptions";
+
  // `Maximum table size <https://httpwg.org/specs/rfc7541.html#rfc.section.4.2>`_
  // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values
  // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header
@ -189,5 +207,8 @@ message Http2ProtocolOptions {

 // [#not-implemented-hide:]
 message GrpcProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.GrpcProtocolOptions";
+
  Http2ProtocolOptions http2_protocol_options = 1;
 }
--- a/envoy/api/v3alpha/discovery.proto
+++ b/envoy/api/v3alpha/discovery.proto
@ -11,12 +11,16 @@ import "envoy/api/v3alpha/core/base.proto";
 import "google/protobuf/any.proto";
 import "google/rpc/status.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: Common discovery API components]

 // A DiscoveryRequest requests a set of versioned resources of the same type for
 // a given Envoy node on some API.
 // [#next-free-field: 7]
 message DiscoveryRequest {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.DiscoveryRequest";
+
  // The version_info provided in the request messages will be the version_info
  // received with the most recent successfully processed response or empty on
  // the first request. It is expected that no new request is sent after a
@ -60,6 +64,8 @@ message DiscoveryRequest {

 // [#next-free-field: 7]
 message DiscoveryResponse {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.DiscoveryResponse";
+
  // The version of the response data.
  string version_info = 1;

@ -135,6 +141,9 @@ message DiscoveryResponse {
 // initial_resource_versions.
 // [#next-free-field: 8]
 message DeltaDiscoveryRequest {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.DeltaDiscoveryRequest";
+
  // The node making the request.
  core.Node node = 1;

@ -192,6 +201,9 @@ message DeltaDiscoveryRequest {

 // [#next-free-field: 7]
 message DeltaDiscoveryResponse {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.DeltaDiscoveryResponse";
+
  // The version of the response data (used for debugging).
  string system_version_info = 1;

@ -215,6 +227,8 @@ message DeltaDiscoveryResponse {
 }

 message Resource {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Resource";
+
  // The resource's name, to distinguish it from others of the same type of resource.
  string name = 3;

--- a/envoy/api/v3alpha/eds.proto
+++ b/envoy/api/v3alpha/eds.proto
@ -15,6 +15,8 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: EDS]
@ -48,10 +50,19 @@ service EndpointDiscoveryService {
 // then an endpoint within that locality will be chose based on its weight.
 // [#next-free-field: 6]
 message ClusterLoadAssignment {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.ClusterLoadAssignment";
+
  // Load balancing policy settings.
  // [#next-free-field: 6]
  message Policy {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.ClusterLoadAssignment.Policy";
+
    message DropOverload {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload";
+
      // Identifier for the policy specifying the drop.
      string category = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/api/v3alpha/endpoint/BUILD
+++ b/envoy/api/v3alpha/endpoint/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/api/v3alpha/endpoint/endpoint.proto
+++ b/envoy/api/v3alpha/endpoint/endpoint.proto
@ -12,14 +12,21 @@ import "envoy/api/v3alpha/core/health_check.proto";

 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Endpoints]

 // Upstream host identifier.
 message Endpoint {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.endpoint.Endpoint";
+
  // The optional health check configuration.
  message HealthCheckConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.endpoint.Endpoint.HealthCheckConfig";
+
    // Optional alternative health check port value.
    //
    // By default the health check address port of an upstream host is the same
@ -53,6 +60,9 @@ message Endpoint {
 // An Endpoint that Envoy can route traffic to.
 // [#next-free-field: 6]
 message LbEndpoint {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.LbEndpoint";
+
  // Upstream host identifier or a named reference.
  oneof host_identifier {
    Endpoint endpoint = 1;
@ -90,6 +100,9 @@ message LbEndpoint {
 // balancing weights or different priorities.
 // [#next-free-field: 7]
 message LocalityLbEndpoints {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.LocalityLbEndpoints";
+
  // Identifies location of where the upstream hosts run.
  core.Locality locality = 1;

--- a/envoy/api/v3alpha/endpoint/load_report.proto
+++ b/envoy/api/v3alpha/endpoint/load_report.proto
@ -12,6 +12,8 @@ import "envoy/api/v3alpha/core/base.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // These are stats Envoy reports to GLB every so often. Report frequency is
@ -21,6 +23,9 @@ import "validate/validate.proto";
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 // [#next-free-field: 9]
 message UpstreamLocalityStats {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.UpstreamLocalityStats";
+
  // Name of zone, region and optionally endpoint group these metrics were
  // collected from. Zone and region names could be empty if unknown.
  core.Locality locality = 1;
@ -57,6 +62,9 @@ message UpstreamLocalityStats {
 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 // [#next-free-field: 8]
 message UpstreamEndpointStats {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.UpstreamEndpointStats";
+
  // Upstream host address.
  core.Address address = 1;

@ -96,6 +104,9 @@ message UpstreamEndpointStats {

 // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
 message EndpointLoadMetricStats {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.EndpointLoadMetricStats";
+
  // Name of the metric; may be empty.
  string metric_name = 1;

@ -113,7 +124,13 @@ message EndpointLoadMetricStats {
 // Next ID: 7
 // [#next-free-field: 7]
 message ClusterStats {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.endpoint.ClusterStats";
+
  message DroppedRequests {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.endpoint.ClusterStats.DroppedRequests";
+
    // Identifier for the policy specifying the drop.
    string category = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/api/v3alpha/lds.proto
+++ b/envoy/api/v3alpha/lds.proto
@ -18,6 +18,8 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Listener]
@ -44,6 +46,8 @@ service ListenerDiscoveryService {

 // [#next-free-field: 21]
 message Listener {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
+
  enum DrainType {
    // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
    // filter), listener removal/modification, and hot restart.
@ -57,6 +61,9 @@ message Listener {

  // [#not-implemented-hide:]
  message DeprecatedV1 {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Listener.DeprecatedV1";
+
    // Whether the listener should bind to the port. A listener that doesn't
    // bind can only receive connections redirected from other listeners that
    // set use_original_dst parameter to true. Default is true.
@ -72,6 +79,9 @@ message Listener {

  // Configuration for listener connection balancing.
  message ConnectionBalanceConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.Listener.ConnectionBalanceConfig";
+
    // A connection balancer implementation that does exact balancing. This means that a lock is
    // held during balancing so that connection counts are nearly exactly balanced between worker
    // threads. This is "nearly" exact in the sense that a connection might close in parallel thus
@ -79,6 +89,8 @@ message Listener {
    // sacrifices accept throughput for accuracy and should be used when there are a small number of
    // connections that rarely cycle (e.g., service mesh gRPC egress).
    message ExactBalance {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.Listener.ConnectionBalanceConfig.ExactBalance";
    }

    oneof balance_type {
--- a/envoy/api/v3alpha/listener/BUILD
+++ b/envoy/api/v3alpha/listener/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/api/v3alpha/listener/listener.proto
+++ b/envoy/api/v3alpha/listener/listener.proto
@ -13,12 +13,16 @@ import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Listener components]
 // Listener :ref:`configuration overview <config_listeners>`

 message Filter {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter";
+
  reserved 3, 2;

  reserved "config";
@ -64,6 +68,9 @@ message Filter {
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
 // [#next-free-field: 13]
 message FilterChainMatch {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.listener.FilterChainMatch";
+
  enum ConnectionSourceType {
    // Any connection source matches.
    ANY = 0;
@ -160,6 +167,9 @@ message FilterChainMatch {
 // various other parameters.
 // [#next-free-field: 8]
 message FilterChain {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.listener.FilterChain";
+
  reserved 2;

  reserved "tls_context";
@ -198,6 +208,9 @@ message FilterChain {
 }

 message ListenerFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.listener.ListenerFilter";
+
  reserved 2;

  reserved "config";
--- a/envoy/api/v3alpha/listener/quic_config.proto
+++ b/envoy/api/v3alpha/listener/quic_config.proto
@ -9,11 +9,16 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.listener";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: QUIC listener Config]

 // Configuration specific to the QUIC protocol.
 // Next id: 4
 message QuicProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.listener.QuicProtocolOptions";
+
  // Maximum number of streams that the client can negotiate per connection. 100
  // if not specified.
  google.protobuf.UInt32Value max_concurrent_streams = 1;
--- a/envoy/api/v3alpha/listener/udp_listener_config.proto
+++ b/envoy/api/v3alpha/listener/udp_listener_config.proto
@ -9,10 +9,15 @@ option java_package = "io.envoyproxy.envoy.api.v3alpha.listener";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";

+import "udpa/api/annotations/versioning.proto";
+
 // [#protodoc-title: UDP Listener Config]
 // Listener :ref:`configuration overview <config_listeners>`

 message UdpListenerConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.listener.UdpListenerConfig";
+
  reserved 2;

  reserved "config";
--- a/envoy/api/v3alpha/ratelimit/BUILD
+++ b/envoy/api/v3alpha/ratelimit/BUILD
@ -4,4 +4,6 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")

 licenses(["notice"])  # Apache 2

-api_proto_package()
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/api/annotations:pkg"],
+)
--- a/envoy/api/v3alpha/ratelimit/ratelimit.proto
+++ b/envoy/api/v3alpha/ratelimit/ratelimit.proto
@ -6,6 +6,8 @@ option java_outer_classname = "RatelimitProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.api.v3alpha.ratelimit";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common rate limit components]
@ -52,7 +54,13 @@ import "validate/validate.proto";
 // The idea behind the API is that (1)/(2)/(3) and (4)/(5) can be sent in 1 request if desired.
 // This enables building complex application scenarios with a generic backend.
 message RateLimitDescriptor {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.ratelimit.RateLimitDescriptor";
+
  message Entry {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.ratelimit.RateLimitDescriptor.Entry";
+
    // Descriptor key.
    string key = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/api/v3alpha/rds.proto
+++ b/envoy/api/v3alpha/rds.proto
@ -15,6 +15,8 @@ import "envoy/api/v3alpha/route/route.proto";
 import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: HTTP route configuration]
@ -59,6 +61,9 @@ service VirtualHostDiscoveryService {

 // [#next-free-field: 11]
 message RouteConfiguration {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.RouteConfiguration";
+
  // The name of the route configuration. For example, it might match
  // :ref:`route_config_name
  // <envoy_api_field_config.filter.network.http_connection_manager.v3alpha.Rds.route_config_name>`
@ -139,6 +144,8 @@ message RouteConfiguration {

 // [#not-implemented-hide:]
 message Vhds {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Vhds";
+
  // Configuration source specifier for VHDS.
  core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
 }
--- a/envoy/api/v3alpha/route/BUILD
+++ b/envoy/api/v3alpha/route/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/type/matcher/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/api/v3alpha/route/route.proto
+++ b/envoy/api/v3alpha/route/route.proto
@ -17,6 +17,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: HTTP route]
@ -30,6 +32,8 @@ import "validate/validate.proto";
 // upstream cluster to route to or whether to perform a redirect.
 // [#next-free-field: 19]
 message VirtualHost {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost";
+
  enum TlsRequirementType {
    // No TLS requirement for the virtual host.
    NONE = 0;
@ -149,6 +153,9 @@ message VirtualHost {

 // A filter-defined action type.
 message FilterAction {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.FilterAction";
+
  google.protobuf.Any action = 1;
 }

@ -161,6 +168,8 @@ message FilterAction {
 //   <envoy_api_msg_api.v3alpha.route.HeaderMatcher>`.
 // [#next-free-field: 18]
 message Route {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route";
+
  reserved 6, 8;

  reserved "per_filter_config";
@ -249,8 +258,14 @@ message Route {
 // traffic to be forwarded to each cluster. The router selects an upstream cluster based on the
 // weights.
 message WeightedCluster {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.WeightedCluster";
+
  // [#next-free-field: 11]
  message ClusterWeight {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.WeightedCluster.ClusterWeight";
+
    reserved 7, 8;

    reserved "per_filter_config";
@ -330,10 +345,17 @@ message WeightedCluster {

 // [#next-free-field: 12]
 message RouteMatch {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch";
+
  message GrpcRouteMatchOptions {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions";
  }

  message TlsContextMatchOptions {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions";
+
    // If specified, the route will match against whether or not a certificate is presented.
    google.protobuf.BoolValue presented = 1;
  }
@ -418,6 +440,8 @@ message RouteMatch {

 // [#next-free-field: 12]
 message CorsPolicy {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy";
+
  reserved 1, 8, 7;

  reserved "allow_origin", "allow_origin_regex", "enabled";
@ -466,6 +490,8 @@ message CorsPolicy {

 // [#next-free-field: 30]
 message RouteAction {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction";
+
  enum ClusterNotFoundResponseCode {
    // HTTP status code - 503 Service Unavailable.
    SERVICE_UNAVAILABLE = 0;
@ -488,6 +514,9 @@ message RouteAction {
  // During shadowing, the host/authority header is altered such that *-shadow* is appended. This is
  // useful for logging. For example, *cluster1* becomes *cluster1-shadow*.
  message RequestMirrorPolicy {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RouteAction.RequestMirrorPolicy";
+
    reserved 2;

    reserved "runtime_key";
@ -512,7 +541,13 @@ message RouteAction {
  // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer
  // <arch_overview_load_balancing_types>`.
  message HashPolicy {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RouteAction.HashPolicy";
+
    message Header {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RouteAction.HashPolicy.Header";
+
      // The name of the request header that will be used to obtain the hash
      // key. If the request header is not present, no hash will be produced.
      string header_name = 1 [(validate.rules).string = {min_bytes: 1}];
@ -533,6 +568,9 @@ message RouteAction {
    //    streams on the same connection will independently receive the same
    //    cookie, even if they arrive at the Envoy simultaneously.
    message Cookie {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RouteAction.HashPolicy.Cookie";
+
      // The name of the cookie that will be used to obtain the hash key. If the
      // cookie is not present and ttl below is not set, no hash will be
      // produced.
@ -549,6 +587,9 @@ message RouteAction {
    }

    message ConnectionProperties {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties";
+
      // Hash on source IP address.
      bool source_ip = 1;
    }
@ -595,6 +636,9 @@ message RouteAction {
  // <envoy_api_field_config.filter.network.http_connection_manager.v3alpha.HttpConnectionManager.upgrade_configs>`
  // but does not affect any custom filter chain specified there.
  message UpgradeConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RouteAction.UpgradeConfig";
+
    // The case-insensitive name of this upgrade, e.g. "websocket".
    // For each upgrade type present in upgrade_configs, requests with
    // Upgrade: [upgrade_type] will be proxied upstream.
@ -806,7 +850,12 @@ message RouteAction {
 // HTTP retry :ref:`architecture overview <arch_overview_http_routing_retry>`.
 // [#next-free-field: 11]
 message RetryPolicy {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy";
+
  message RetryPriority {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RetryPolicy.RetryPriority";
+
    reserved 2;

    reserved "config";
@ -819,6 +868,9 @@ message RetryPolicy {
  }

  message RetryHostPredicate {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RetryPolicy.RetryHostPredicate";
+
    reserved 2;

    reserved "config";
@ -831,6 +883,9 @@ message RetryPolicy {
  }

  message RetryBackOff {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RetryPolicy.RetryBackOff";
+
    // Specifies the base interval between retries. This parameter is required and must be greater
    // than zero. Values less than 1 ms are rounded up to 1 ms.
    // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's
@ -907,6 +962,8 @@ message RetryPolicy {

 // HTTP request hedging :ref:`architecture overview <arch_overview_http_routing_hedging>`.
 message HedgePolicy {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy";
+
  // Specifies the number of initial requests that should be sent upstream.
  // Must be at least 1.
  // Defaults to 1.
@ -932,6 +989,9 @@ message HedgePolicy {

 // [#next-free-field: 9]
 message RedirectAction {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.RedirectAction";
+
  enum RedirectResponseCode {
    // Moved Permanently HTTP Status Code - 301.
    MOVED_PERMANENTLY = 0;
@ -994,6 +1054,9 @@ message RedirectAction {
 }

 message DirectResponseAction {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.DirectResponseAction";
+
  // Specifies the HTTP response status to be returned.
  uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 100}];

@ -1009,6 +1072,8 @@ message DirectResponseAction {
 }

 message Decorator {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator";
+
  // The operation name associated with the request matched to this route. If tracing is
  // enabled, this information will be used as the span name reported for this request.
  //
@ -1021,6 +1086,8 @@ message Decorator {
 }

 message Tracing {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing";
+
  // Target percentage of requests managed by this HTTP connection manager that will be force
  // traced if the :ref:`x-client-trace-id <config_http_conn_man_headers_x-client-trace-id>`
  // header is set. This field is a direct analog for the runtime variable
@ -1065,6 +1132,9 @@ message Tracing {
 //    every application endpoint. This is both not easily maintainable and as well the matching and
 //    statistics output are not free.
 message VirtualCluster {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.VirtualCluster";
+
  reserved 1, 3;

  reserved "pattern", "method";
@ -1082,8 +1152,13 @@ message VirtualCluster {

 // Global rate limiting :ref:`architecture overview <arch_overview_rate_limit>`.
 message RateLimit {
+  option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";
+
  // [#next-free-field: 7]
  message Action {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.route.RateLimit.Action";
+
    // The following descriptor entry is appended to the descriptor:
    //
    // .. code-block:: cpp
@ -1092,6 +1167,8 @@ message RateLimit {
    //
    // <local service cluster> is derived from the :option:`--service-cluster` option.
    message SourceCluster {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.SourceCluster";
    }

    // The following descriptor entry is appended to the descriptor:
@ -1113,6 +1190,8 @@ message RateLimit {
    // indicates which
    //   header in the request contains the target cluster.
    message DestinationCluster {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.DestinationCluster";
    }

    // The following descriptor entry is appended when a header contains a key that matches the
@ -1122,6 +1201,9 @@ message RateLimit {
    //
    //   ("<descriptor_key>", "<header_value_queried_from_header>")
    message RequestHeaders {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.RequestHeaders";
+
      // The header name to be queried from the request headers. The header’s
      // value is used to populate the value of the descriptor entry for the
      // descriptor_key.
@ -1138,6 +1220,8 @@ message RateLimit {
    //
    //   ("remote_address", "<trusted address from x-forwarded-for>")
    message RemoteAddress {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.RemoteAddress";
    }

    // The following descriptor entry is appended to the descriptor:
@ -1146,6 +1230,9 @@ message RateLimit {
    //
    //   ("generic_key", "<descriptor_value>")
    message GenericKey {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.GenericKey";
+
      // The value to use in the descriptor entry.
      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];
    }
@ -1156,6 +1243,9 @@ message RateLimit {
    //
    //   ("header_match", "<descriptor_value>")
    message HeaderValueMatch {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch";
+
      // The value to use in the descriptor entry.
      string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}];

@ -1243,6 +1333,9 @@ message RateLimit {
 //  [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.]
 // [#next-free-field: 12]
 message HeaderMatcher {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.HeaderMatcher";
+
  reserved 2, 3, 5;

  reserved "regex_match";
@ -1307,6 +1400,9 @@ message HeaderMatcher {
 // as an ampersand-separated list of keys and/or key=value elements.
 // [#next-free-field: 7]
 message QueryParameterMatcher {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.route.QueryParameterMatcher";
+
  reserved 3, 4;

  reserved "value", "regex";
--- a/envoy/api/v3alpha/srds.proto
+++ b/envoy/api/v3alpha/srds.proto
@ -11,6 +11,8 @@ import "envoy/api/v3alpha/discovery.proto";

 import "google/api/annotations.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: HTTP scoped routing configuration]
@ -98,13 +100,22 @@ service ScopedRoutesDiscoveryService {
 // RouteConfiguration being assigned to the HTTP request/stream.
 //
 message ScopedRouteConfiguration {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.api.v2.ScopedRouteConfiguration";
+
  // Specifies a key which is matched against the output of the
  // :ref:`scope_key_builder<envoy_api_field_config.filter.network.http_connection_manager.v3alpha.ScopedRoutes.scope_key_builder>`
  // specified in the HttpConnectionManager. The matching is done per HTTP
  // request and is dependent on the order of the fragments contained in the
  // Key.
  message Key {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.api.v2.ScopedRouteConfiguration.Key";
+
    message Fragment {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.api.v2.ScopedRouteConfiguration.Key.Fragment";
+
      oneof type {
        option (validate.required) = true;

--- a/envoy/config/accesslog/v3alpha/BUILD
+++ b/envoy/config/accesslog/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/accesslog/v3alpha/als.proto
+++ b/envoy/config/accesslog/v3alpha/als.proto
@ -11,6 +11,8 @@ import "envoy/api/v3alpha/core/grpc_service.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: gRPC Access Log Service (ALS)]
@ -21,6 +23,9 @@ import "validate/validate.proto";
 // <envoy_api_field_service.accesslog.v3alpha.StreamAccessLogsMessage.http_logs>`.
 // [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.accesslog.v2.HttpGrpcAccessLogConfig";
+
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];

  // Additional request headers to log in :ref:`HTTPRequestProperties.request_headers
@ -40,12 +45,18 @@ message HttpGrpcAccessLogConfig {
 // populate *StreamAccessLogsMessage.tcp_logs*.
 // [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.accesslog.v2.TcpGrpcAccessLogConfig";
+
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

 // Common configuration for gRPC access logs.
 // [#next-free-field: 6]
 message CommonGrpcAccessLogConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.accesslog.v2.CommonGrpcAccessLogConfig";
+
  // The friendly name of the access log to be returned in :ref:`StreamAccessLogsMessage.Identifier
  // <envoy_api_msg_service.accesslog.v3alpha.StreamAccessLogsMessage.Identifier>`. This allows the
  // access log server to differentiate between different access logs coming from the same Envoy.
--- a/envoy/config/accesslog/v3alpha/file.proto
+++ b/envoy/config/accesslog/v3alpha/file.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.accesslog.v3alpha";

 import "google/protobuf/struct.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: File access log]
@ -17,6 +19,9 @@ import "validate/validate.proto";
 // <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>` that writes log entries directly to a
 // file. Configures the built-in *envoy.file_access_log* AccessLog.
 message FileAccessLog {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.accesslog.v2.FileAccessLog";
+
  // A path to a local file to which to write the access log entries.
  string path = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/config/bootstrap/v3alpha/BUILD
+++ b/envoy/config/bootstrap/v3alpha/BUILD
@ -12,5 +12,6 @@ api_proto_package(
        "//envoy/config/metrics/v3alpha:pkg",
        "//envoy/config/overload/v3alpha:pkg",
        "//envoy/config/trace/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/bootstrap/v3alpha/bootstrap.proto
+++ b/envoy/config/bootstrap/v3alpha/bootstrap.proto
@ -20,6 +20,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Bootstrap]
@ -30,7 +32,13 @@ import "validate/validate.proto";
 // Bootstrap :ref:`configuration overview <config_overview_v2_bootstrap>`.
 // [#next-free-field: 20]
 message Bootstrap {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.Bootstrap";
+
  message StaticResources {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.Bootstrap.StaticResources";
+
    // Static :ref:`Listeners <envoy_api_msg_api.v3alpha.Listener>`. These listeners are
    // available regardless of LDS configuration.
    repeated api.v3alpha.Listener listeners = 1;
@ -48,6 +56,9 @@ message Bootstrap {
  }

  message DynamicResources {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.Bootstrap.DynamicResources";
+
    reserved 4;

    // All :ref:`Listeners <envoy_api_msg_api.v3alpha.Listener>` are provided by a single
@ -156,6 +167,9 @@ message Bootstrap {
 // Administration interface :ref:`operations documentation
 // <operations_admin_interface>`.
 message Admin {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.Admin";
+
  // The path to write the access log for the administration server. If no
  // access log is desired specify ‘/dev/null’. This is only required if
  // :ref:`address <envoy_api_field_config.bootstrap.v3alpha.Admin.address>` is set.
@ -176,7 +190,13 @@ message Admin {

 // Cluster manager :ref:`architecture overview <arch_overview_cluster_manager>`.
 message ClusterManager {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.ClusterManager";
+
  message OutlierDetection {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.ClusterManager.OutlierDetection";
+
    // Specifies the path to the outlier event log.
    string event_log_path = 1;
  }
@ -210,6 +230,9 @@ message ClusterManager {
 // nonresponsive threads and kills the process after the configured thresholds.
 // See the :ref:`watchdog documentation <operations_performance_watchdog>` for more information.
 message Watchdog {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.Watchdog";
+
  // The duration after which Envoy counts a nonresponsive thread in the
  // *watchdog_miss* statistic. If not specified the default is 200ms.
  google.protobuf.Duration miss_timeout = 1;
@ -232,6 +255,9 @@ message Watchdog {

 // Runtime :ref:`configuration overview <config_runtime>` (deprecated).
 message Runtime {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.Runtime";
+
  // The implementation assumes that the file system tree is accessed via a
  // symbolic link. An atomic link swap is used when a new tree should be
  // switched to. This parameter specifies the path to the symbolic link. Envoy
@ -262,8 +288,14 @@ message Runtime {

 // [#next-free-field: 6]
 message RuntimeLayer {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.RuntimeLayer";
+
  // :ref:`Disk runtime <config_runtime_local_disk>` layer.
  message DiskLayer {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.RuntimeLayer.DiskLayer";
+
    // The implementation assumes that the file system tree is accessed via a
    // symbolic link. An atomic link swap is used when a new tree should be
    // switched to. This parameter specifies the path to the symbolic link.
@ -285,10 +317,15 @@ message RuntimeLayer {

  // :ref:`Admin console runtime <config_runtime_admin>` layer.
  message AdminLayer {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.RuntimeLayer.AdminLayer";
  }

  // :ref:`Runtime Discovery Service (RTDS) <config_runtime_rtds>` layer.
  message RtdsLayer {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.bootstrap.v2.RuntimeLayer.RtdsLayer";
+
    // Resource to subscribe to at *rtds_config* for the RTDS layer.
    string name = 1;

@ -319,6 +356,9 @@ message RuntimeLayer {

 // Runtime :ref:`configuration overview <config_runtime>`.
 message LayeredRuntime {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.bootstrap.v2.LayeredRuntime";
+
  // The :ref:`layers <config_runtime_layering>` of the runtime. This is ordered
  // such that later layers in the list overlay earlier entries.
  repeated RuntimeLayer layers = 1;
--- a/envoy/config/cluster/dynamic_forward_proxy/v3alpha/BUILD
+++ b/envoy/config/cluster/dynamic_forward_proxy/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/common/dynamic_forward_proxy/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/common/dynamic_forward_proxy/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto
+++ b/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.cluster.dynamic_forward_proxy.

 import "envoy/config/common/dynamic_forward_proxy/v3alpha/dns_cache.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Dynamic forward proxy cluster configuration]
@ -16,6 +18,9 @@ import "validate/validate.proto";
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
 // [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig";
+
  // The DNS cache configuration that the cluster will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
  // <envoy_api_field_config.filter.http.dynamic_forward_proxy.v3alpha.FilterConfig.dns_cache_config>`.
--- a/envoy/config/common/dynamic_forward_proxy/v3alpha/BUILD
+++ b/envoy/config/common/dynamic_forward_proxy/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha:pkg"],
+    deps = [
+        "//envoy/api/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/common/dynamic_forward_proxy/v3alpha/dns_cache.proto
+++ b/envoy/config/common/dynamic_forward_proxy/v3alpha/dns_cache.proto
@ -11,6 +11,8 @@ import "envoy/api/v3alpha/cds.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Dynamic forward proxy common configuration]
@ -19,6 +21,9 @@ import "validate/validate.proto";
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
 // [#next-free-field: 6]
 message DnsCacheConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig";
+
  // The name of the cache. Multiple named caches allow independent dynamic forward proxy
  // configurations to operate within a single Envoy process using different configurations. All
  // configurations with the same name *must* otherwise have the same settings when referenced
--- a/envoy/config/common/tap/v3alpha/BUILD
+++ b/envoy/config/common/tap/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/service/tap/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/common/tap/v3alpha/common.proto
+++ b/envoy/config/common/tap/v3alpha/common.proto
@ -9,14 +9,22 @@ option java_package = "io.envoyproxy.envoy.config.common.tap.v3alpha";
 import "envoy/api/v3alpha/core/config_source.proto";
 import "envoy/service/tap/v3alpha/common.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common tap extension configuration]

 // Common configuration for all tap extensions.
 message CommonExtensionConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.common.tap.v2alpha.CommonExtensionConfig";
+
  // [#not-implemented-hide:]
  message TapDSConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.common.tap.v2alpha.CommonExtensionConfig.TapDSConfig";
+
    // Configuration for the source of TapDS updates for this Cluster.
    api.v3alpha.core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];

@ -42,6 +50,9 @@ message CommonExtensionConfig {
 // Configuration for the admin handler. See :ref:`here <config_http_filters_tap_admin_handler>` for
 // more information.
 message AdminConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.common.tap.v2alpha.AdminConfig";
+
  // Opaque configuration ID. When requests are made to the admin handler, the passed opaque ID is
  // matched to the configured filter opaque ID to determine which filter to configure.
  string config_id = 1 [(validate.rules).string = {min_bytes: 1}];
--- a/envoy/config/filter/accesslog/v3alpha/BUILD
+++ b/envoy/config/filter/accesslog/v3alpha/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/api/v3alpha/route:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/accesslog/v3alpha/accesslog.proto
+++ b/envoy/config/filter/accesslog/v3alpha/accesslog.proto
@ -13,11 +13,16 @@ import "envoy/type/v3alpha/percent.proto";
 import "google/protobuf/any.proto";
 import "google/protobuf/struct.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common access log types]

 message AccessLog {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.AccessLog";
+
  reserved 3;

  reserved "config";
@ -49,6 +54,9 @@ message AccessLog {

 // [#next-free-field: 12]
 message AccessLogFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.AccessLogFilter";
+
  oneof filter_specifier {
    option (validate.required) = true;

@ -89,6 +97,9 @@ message AccessLogFilter {

 // Filter on an integer comparison.
 message ComparisonFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.ComparisonFilter";
+
  enum Op {
    // =
    EQ = 0;
@ -109,12 +120,18 @@ message ComparisonFilter {

 // Filters on HTTP response/status code.
 message StatusCodeFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.StatusCodeFilter";
+
  // Comparison.
  ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
 }

 // Filters on total request duration in milliseconds.
 message DurationFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.DurationFilter";
+
  // Comparison.
  ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
 }
@ -122,15 +139,22 @@ message DurationFilter {
 // Filters for requests that are not health check requests. A health check
 // request is marked by the health check filter.
 message NotHealthCheckFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.NotHealthCheckFilter";
 }

 // Filters for requests that are traceable. See the tracing overview for more
 // information on how a request becomes traceable.
 message TraceableFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.TraceableFilter";
 }

 // Filters for random sampling of requests.
 message RuntimeFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.RuntimeFilter";
+
  // Runtime key to get an optional overridden numerator for use in the *percent_sampled* field.
  // If found in runtime, this value will replace the default numerator.
  string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}];
@ -157,6 +181,9 @@ message RuntimeFilter {
 // Filters are evaluated sequentially and if one of them returns false, the
 // filter returns false immediately.
 message AndFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.AndFilter";
+
  repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}];
 }

@ -164,11 +191,17 @@ message AndFilter {
 // Filters are evaluated sequentially and if one of them returns true, the
 // filter returns true immediately.
 message OrFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.OrFilter";
+
  repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}];
 }

 // Filters requests based on the presence or value of a request header.
 message HeaderFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.HeaderFilter";
+
  // Only requests with a header which matches the specified HeaderMatcher will pass the filter
  // check.
  api.v3alpha.route.HeaderMatcher header = 1 [(validate.rules).message = {required: true}];
@ -178,6 +211,9 @@ message HeaderFilter {
 // A list of the response flags can be found
 // in the access log formatter :ref:`documentation<config_access_log_format_response_flags>`.
 message ResponseFlagFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.ResponseFlagFilter";
+
  // Only responses with the any of the flags listed in this field will be logged.
  // This field is optional. If it is not specified, then any response flag will pass
  // the filter check.
@ -211,6 +247,9 @@ message ResponseFlagFilter {
 // Filters gRPC requests based on their response status. If a gRPC status is not provided, the
 // filter will infer the status from the HTTP status code.
 message GrpcStatusFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.GrpcStatusFilter";
+
  enum Status {
    OK = 0;
    CANCELED = 1;
@ -241,6 +280,9 @@ message GrpcStatusFilter {

 // Extension filter is statically registered at runtime.
 message ExtensionFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.accesslog.v2.ExtensionFilter";
+
  reserved 2;

  reserved "config";
--- a/envoy/config/filter/fault/v3alpha/BUILD
+++ b/envoy/config/filter/fault/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/type/v3alpha:pkg"],
+    deps = [
+        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/fault/v3alpha/fault.proto
+++ b/envoy/config/filter/fault/v3alpha/fault.proto
@ -10,6 +10,8 @@ import "envoy/type/v3alpha/percent.proto";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Common fault injection types]
@ -18,6 +20,9 @@ import "validate/validate.proto";
 // HTTP/gRPC/Mongo/Redis operation or delay proxying of TCP connections.
 // [#next-free-field: 6]
 message FaultDelay {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.fault.v2.FaultDelay";
+
  enum FaultDelayType {
    // Unused and deprecated.
    FIXED = 0;
@ -27,6 +32,8 @@ message FaultDelay {
  // :ref:`http fault filter <config_http_filters_fault_injection_http_header>` documentation for
  // more information.
  message HeaderDelay {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.fault.v2.FaultDelay.HeaderDelay";
  }

  reserved 2, 1;
@ -54,8 +61,14 @@ message FaultDelay {

 // Describes a rate limit to be applied.
 message FaultRateLimit {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.fault.v2.FaultRateLimit";
+
  // Describes a fixed/constant rate limit.
  message FixedLimit {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.fault.v2.FaultRateLimit.FixedLimit";
+
    // The limit supplied in KiB/s.
    uint64 limit_kbps = 1 [(validate.rules).uint64 = {gte: 1}];
  }
@ -64,6 +77,8 @@ message FaultRateLimit {
  // :ref:`http fault filter <config_http_filters_fault_injection_http_header>` documentation for
  // more information.
  message HeaderLimit {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.fault.v2.FaultRateLimit.HeaderLimit";
  }

  oneof limit_type {
--- a/envoy/config/filter/http/adaptive_concurrency/v3alpha/BUILD
+++ b/envoy/config/filter/http/adaptive_concurrency/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto
+++ b/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto
@ -13,6 +13,8 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Adaptive Concurrency]
@ -22,9 +24,16 @@ import "validate/validate.proto";

 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.adaptive_concurrency.v2alpha.GradientControllerConfig";
+
  // Parameters controlling the periodic recalculation of the concurrency limit from sampled request
  // latencies.
  message ConcurrencyLimitCalculationParams {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.http.adaptive_concurrency.v2alpha.GradientControllerConfig."
+        "ConcurrencyLimitCalculationParams";
+
    // The allowed upper-bound on the calculated concurrency limit. Defaults to 1000.
    google.protobuf.UInt32Value max_concurrency_limit = 2 [(validate.rules).uint32 = {gt: 0}];

@ -38,6 +47,10 @@ message GradientControllerConfig {
  // Parameters controlling the periodic minRTT recalculation.
  // [#next-free-field: 6]
  message MinimumRTTCalculationParams {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.http.adaptive_concurrency.v2alpha.GradientControllerConfig."
+        "MinimumRTTCalculationParams";
+
    // The time interval between recalculating the minimum request round-trip time.
    google.protobuf.Duration interval = 1 [(validate.rules).duration = {
      required: true
@ -76,6 +89,9 @@ message GradientControllerConfig {
 }

 message AdaptiveConcurrency {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.adaptive_concurrency.v2alpha.AdaptiveConcurrency";
+
  oneof concurrency_controller_config {
    option (validate.required) = true;

--- a/envoy/config/filter/http/csrf/v3alpha/BUILD
+++ b/envoy/config/filter/http/csrf/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/type/matcher/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/csrf/v3alpha/csrf.proto
+++ b/envoy/config/filter/http/csrf/v3alpha/csrf.proto
@ -9,6 +9,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.csrf.v3alpha";
 import "envoy/api/v3alpha/core/base.proto";
 import "envoy/type/matcher/v3alpha/string.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: CSRF]
@ -17,6 +19,9 @@ import "validate/validate.proto";

 // CSRF filter config.
 message CsrfPolicy {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.csrf.v2.CsrfPolicy";
+
  // Specifies the % of requests for which the CSRF filter is enabled.
  //
  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
--- a/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/BUILD
+++ b/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/common/dynamic_forward_proxy/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/common/dynamic_forward_proxy/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto
+++ b/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.dynamic_forward_pr

 import "envoy/config/common/dynamic_forward_proxy/v3alpha/dns_cache.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Dynamic forward proxy]
@ -16,6 +18,9 @@ import "validate/validate.proto";
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
 // [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.dynamic_forward_proxy.v2alpha.FilterConfig";
+
  // The DNS cache configuration that the filter will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy cluster configuration
  // <envoy_api_field_config.cluster.dynamic_forward_proxy.v3alpha.ClusterConfig.dns_cache_config>`.
@ -25,6 +30,9 @@ message FilterConfig {

 // Per route Configuration for the dynamic forward proxy HTTP filter.
 message PerRouteConfig {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.dynamic_forward_proxy.v2alpha.PerRouteConfig";
+
  oneof host_rewrite_specifier {
    // Indicates that before DNS lookup, the host header will be swapped with
    // this value. If not set or empty, the original host header value
--- a/envoy/config/filter/http/ext_authz/v3alpha/BUILD
+++ b/envoy/config/filter/http/ext_authz/v3alpha/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/type/matcher/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
@ -12,6 +12,8 @@ import "envoy/api/v3alpha/core/http_uri.proto";
 import "envoy/type/matcher/v3alpha/string.proto";
 import "envoy/type/v3alpha/http_status.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: External Authorization]
@ -20,6 +22,9 @@ import "validate/validate.proto";

 // [#next-free-field: 11]
 message ExtAuthz {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
+
  reserved 4;

  reserved "use_alpha";
@ -99,6 +104,9 @@ message ExtAuthz {

 // Configuration for buffering the request data.
 message BufferSettings {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.BufferSettings";
+
  // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
  // *HTTP 413* and will *not* initiate the authorization process when buffer reaches the number
  // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow
@ -137,6 +145,9 @@ message BufferSettings {
 // for details.
 // [#next-free-field: 9]
 message HttpService {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.HttpService";
+
  reserved 3, 4, 5, 6;

  // Sets the HTTP server URI which the authorization requests must be sent to.
@ -153,6 +164,9 @@ message HttpService {
 }

 message AuthorizationRequest {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.AuthorizationRequest";
+
  // Authorization request will include the client request headers that have a correspondent match
  // in the :ref:`list <envoy_api_msg_type.matcher.v3alpha.ListStringMatcher>`. Note that in
  // addition to the user's supplied matchers:
@ -170,6 +184,9 @@ message AuthorizationRequest {
 }

 message AuthorizationResponse {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.AuthorizationResponse";
+
  // When this :ref:`list <envoy_api_msg_type.matcher.v3alpha.ListStringMatcher>` is set,
  // authorization response headers that have a correspondent match will be added to the original
  // client request. Note that coexistent headers will be overridden.
@ -186,6 +203,9 @@ message AuthorizationResponse {

 // Extra settings on a per virtualhost/route/weighted-cluster level.
 message ExtAuthzPerRoute {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute";
+
  oneof override {
    option (validate.required) = true;

@ -204,6 +224,9 @@ message ExtAuthzPerRoute {
 // host is used without needing to parse the host header. If CheckSettings is specified in multiple
 // per-filter-configs, they will be merged in order, and the result will be used.
 message CheckSettings {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ext_authz.v2.CheckSettings";
+
  // Context extensions to set on the CheckRequest's
  // :ref:`AttributeContext.context_extensions<envoy_api_field_service.auth.v3alpha.AttributeContext.context_extensions>`
  //
--- a/envoy/config/filter/http/fault/v3alpha/BUILD
+++ b/envoy/config/filter/http/fault/v3alpha/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/route:pkg",
        "//envoy/config/filter/fault/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/fault/v3alpha/fault.proto
+++ b/envoy/config/filter/http/fault/v3alpha/fault.proto
@ -12,6 +12,8 @@ import "envoy/type/v3alpha/percent.proto";

 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Fault Injection]
@ -19,6 +21,9 @@ import "validate/validate.proto";
 // [#extension: envoy.filters.http.fault]

 message FaultAbort {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.fault.v2.FaultAbort";
+
  reserved 1;

  oneof error_type {
@ -35,6 +40,9 @@ message FaultAbort {

 // [#next-free-field: 14]
 message HTTPFault {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.fault.v2.HTTPFault";
+
  // If specified, the filter will inject delays based on the values in the
  // object.
  filter.fault.v3alpha.FaultDelay delay = 1;
--- a/envoy/config/filter/http/health_check/v3alpha/BUILD
+++ b/envoy/config/filter/http/health_check/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/route:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/health_check/v3alpha/health_check.proto
+++ b/envoy/config/filter/http/health_check/v3alpha/health_check.proto
@ -12,6 +12,8 @@ import "envoy/type/v3alpha/percent.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Health check]
@ -20,6 +22,9 @@ import "validate/validate.proto";

 // [#next-free-field: 6]
 message HealthCheck {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.health_check.v2.HealthCheck";
+
  reserved 2;

  // Specifies whether the filter operates in pass through mode or not.
--- a/envoy/config/filter/http/ip_tagging/v3alpha/BUILD
+++ b/envoy/config/filter/http/ip_tagging/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto
+++ b/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.ip_tagging.v3alpha

 import "envoy/api/v3alpha/core/address.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: IP tagging]
@ -15,6 +17,9 @@ import "validate/validate.proto";
 // [#extension: envoy.filters.http.ip_tagging]

 message IPTagging {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.ip_tagging.v2.IPTagging";
+
  // The type of requests the filter should apply to. The supported types
  // are internal, external or both. The
  // :ref:`x-forwarded-for<config_http_conn_man_headers_x-forwarded-for_internal_origin>` header is
@ -34,6 +39,9 @@ message IPTagging {

  // Supplies the IP tag name and the IP address subnets.
  message IPTag {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.http.ip_tagging.v2.IPTagging.IPTag";
+
    // Specifies the IP tag name to apply.
    string ip_tag_name = 1;

--- a/envoy/config/filter/http/jwt_authn/v3alpha/BUILD
+++ b/envoy/config/filter/http/jwt_authn/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/api/v3alpha/route:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/http/jwt_authn/v3alpha/config.proto
+++ b/envoy/config/filter/http/jwt_authn/v3alpha/config.proto
@ -13,6 +13,8 @@ import "envoy/api/v3alpha/route/route.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: JWT Authentication]
@ -50,6 +52,9 @@ import "validate/validate.proto";
 //
 // [#next-free-field: 10]
 message JwtProvider {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
+
  // Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
  // the JWT, usually a URL or an email address.
  //
@ -188,6 +193,9 @@ message JwtProvider {

 // This message specifies how to fetch JWKS from remote and how to cache it.
 message RemoteJwks {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks";
+
  // The HTTP URI to fetch the JWKS. For example:
  //
  // .. code-block:: yaml
@ -205,6 +213,9 @@ message RemoteJwks {

 // This message specifies a header location to extract JWT token.
 message JwtHeader {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader";
+
  // The HTTP header name.
  string name = 1 [(validate.rules).string = {min_bytes: 1}];

@ -216,6 +227,9 @@ message JwtHeader {

 // Specify a required provider with audiences.
 message ProviderWithAudiences {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.ProviderWithAudiences";
+
  // Specify a required provider name.
  string provider_name = 1;

@ -265,6 +279,9 @@ message ProviderWithAudiences {
 //
 // [#next-free-field: 6]
 message JwtRequirement {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirement";
+
  oneof requires_type {
    // Specify a required provider name.
    string provider_name = 1;
@ -291,6 +308,9 @@ message JwtRequirement {
 // This message specifies a list of RequiredProvider.
 // Their results are OR-ed; if any one of them passes, the result is passed
 message JwtRequirementOrList {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirementOrList";
+
  // Specify a list of JwtRequirement.
  repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}];
 }
@ -298,6 +318,9 @@ message JwtRequirementOrList {
 // This message specifies a list of RequiredProvider.
 // Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.
 message JwtRequirementAndList {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirementAndList";
+
  // Specify a list of JwtRequirement.
  repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}];
 }
@ -324,6 +347,9 @@ message JwtRequirementAndList {
 // In above example, all requests matched the path prefix require jwt authentication
 // from "provider-A".
 message RequirementRule {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.RequirementRule";
+
  // The route matching parameter. Only when the match is satisfied, the "requires" field will
  // apply.
  //
@ -358,6 +384,9 @@ message RequirementRule {
 // If a filter set "jwt_selector" with "issuer_1" to FilterState for a request,
 // jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify.
 message FilterStateRule {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.FilterStateRule";
+
  // The filter state name to retrieve the `Router::StringAccessor` object.
  string name = 1 [(validate.rules).string = {min_bytes: 1}];

@ -408,6 +437,9 @@ message FilterStateRule {
 //              - provider_name: provider2
 //
 message JwtAuthentication {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication";
+
  // Map of provider names to JwtProviders.
  //
  // .. code-block:: yaml
--- a/envoy/config/filter/http/rate_limit/v3alpha/BUILD
+++ b/envoy/config/filter/http/rate_limit/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/ratelimit/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/ratelimit/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto
+++ b/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto
@ -10,6 +10,8 @@ import "envoy/config/ratelimit/v3alpha/rls.proto";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
@ -18,6 +20,9 @@ import "validate/validate.proto";

 // [#next-free-field: 8]
 message RateLimit {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.rate_limit.v2.RateLimit";
+
  // The rate limit domain to use when calling the rate limit service.
  string domain = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/config/filter/http/rbac/v3alpha/BUILD
+++ b/envoy/config/filter/http/rbac/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/rbac/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/rbac/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/rbac/v3alpha/rbac.proto
+++ b/envoy/config/filter/http/rbac/v3alpha/rbac.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.rbac.v3alpha";

 import "envoy/config/rbac/v3alpha/rbac.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: RBAC]
@ -16,6 +18,9 @@ import "validate/validate.proto";

 // RBAC filter config.
 message RBAC {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.rbac.v2.RBAC";
+
  // Specify the RBAC rules to be applied globally.
  // If absent, no enforcing RBAC policy will be applied.
  config.rbac.v3alpha.RBAC rules = 1;
@ -27,6 +32,9 @@ message RBAC {
 }

 message RBACPerRoute {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.rbac.v2.RBACPerRoute";
+
  reserved 1;

  // Override the global configuration of the filter with this new config.
--- a/envoy/config/filter/http/router/v3alpha/BUILD
+++ b/envoy/config/filter/http/router/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/filter/accesslog/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/filter/accesslog/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/router/v3alpha/router.proto
+++ b/envoy/config/filter/http/router/v3alpha/router.proto
@ -10,6 +10,8 @@ import "envoy/config/filter/accesslog/v3alpha/accesslog.proto";

 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Router]
@ -18,6 +20,9 @@ import "validate/validate.proto";

 // [#next-free-field: 7]
 message Router {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.router.v2.Router";
+
  // Whether the router generates dynamic cluster statistics. Defaults to
  // true. Can be disabled in high performance scenarios.
  google.protobuf.BoolValue dynamic_stats = 1;
--- a/envoy/config/filter/http/tap/v3alpha/BUILD
+++ b/envoy/config/filter/http/tap/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/common/tap/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/common/tap/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/http/tap/v3alpha/tap.proto
+++ b/envoy/config/filter/http/tap/v3alpha/tap.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.tap.v3alpha";

 import "envoy/config/common/tap/v3alpha/common.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Tap]
@ -16,6 +18,9 @@ import "validate/validate.proto";

 // Top level configuration for the tap filter.
 message Tap {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.http.tap.v2alpha.Tap";
+
  // Common configuration for the HTTP tap filter.
  common.tap.v3alpha.CommonExtensionConfig common_config = 1
      [(validate.rules).message = {required: true}];
--- a/envoy/config/filter/network/client_ssl_auth/v3alpha/BUILD
+++ b/envoy/config/filter/network/client_ssl_auth/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto
+++ b/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto
@ -10,6 +10,8 @@ import "envoy/api/v3alpha/core/address.proto";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Client TLS authentication]
@ -18,6 +20,9 @@ import "validate/validate.proto";
 // [#extension: envoy.filters.network.client_ssl_auth]

 message ClientSSLAuth {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.client_ssl_auth.v2.ClientSSLAuth";
+
  // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
  // the authentication service. The filter will connect to the service every 60s to fetch the list
  // of principals. The service must support the expected :ref:`REST API
--- a/envoy/config/filter/network/dubbo_proxy/v3alpha/BUILD
+++ b/envoy/config/filter/network/dubbo_proxy/v3alpha/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/route:pkg",
        "//envoy/type/matcher/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto
+++ b/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto
@ -10,6 +10,8 @@ import "envoy/config/filter/network/dubbo_proxy/v3alpha/route.proto";

 import "google/protobuf/any.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Dubbo Proxy]
@ -30,6 +32,9 @@ enum SerializationType {

 // [#next-free-field: 6]
 message DubboProxy {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.DubboProxy";
+
  // The human readable prefix to use when emitting statistics.
  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

@ -51,6 +56,9 @@ message DubboProxy {

 // DubboFilter configures a Dubbo filter.
 message DubboFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.DubboFilter";
+
  // The name of the filter to instantiate. The name must match a supported
  // filter.
  string name = 1 [(validate.rules).string = {min_bytes: 1}];
--- a/envoy/config/filter/network/dubbo_proxy/v3alpha/route.proto
+++ b/envoy/config/filter/network/dubbo_proxy/v3alpha/route.proto
@ -10,6 +10,8 @@ import "envoy/api/v3alpha/route/route.proto";
 import "envoy/type/matcher/v3alpha/string.proto";
 import "envoy/type/v3alpha/range.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Dubbo Proxy Route Configuration]
@ -17,6 +19,9 @@ import "validate/validate.proto";

 // [#next-free-field: 6]
 message RouteConfiguration {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.RouteConfiguration";
+
  // The name of the route configuration. Reserved for future use in asynchronous route discovery.
  string name = 1;

@ -35,6 +40,9 @@ message RouteConfiguration {
 }

 message Route {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.Route";
+
  // Route matching parameters.
  RouteMatch match = 1 [(validate.rules).message = {required: true}];

@ -43,6 +51,9 @@ message Route {
 }

 message RouteMatch {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.RouteMatch";
+
  // Method level routing matching.
  MethodMatch method = 1;

@ -54,6 +65,9 @@ message RouteMatch {
 }

 message RouteAction {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.RouteAction";
+
  oneof cluster_specifier {
    option (validate.required) = true;

@ -69,8 +83,14 @@ message RouteAction {
 }

 message MethodMatch {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.dubbo_proxy.v2alpha1.MethodMatch";
+
  // The parameter matching type.
  message ParameterMatchSpecifier {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.dubbo_proxy.v2alpha1.MethodMatch.ParameterMatchSpecifier";
+
    oneof parameter_match_specifier {
      // If specified, header match will be performed based on the value of the header.
      string exact_match = 3;
--- a/envoy/config/filter/network/ext_authz/v3alpha/BUILD
+++ b/envoy/config/filter/network/ext_authz/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.network.ext_authz.v3alp

 import "envoy/api/v3alpha/core/grpc_service.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Network External Authorization ]
@ -20,6 +22,9 @@ import "validate/validate.proto";
 // :ref:`CheckRequest <envoy_api_msg_service.auth.v3alpha.CheckRequest>`.
 // A failed check will cause this filter to close the TCP connection.
 message ExtAuthz {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
+
  // The prefix to use when emitting statistics.
  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/config/filter/network/http_connection_manager/v3alpha/BUILD
+++ b/envoy/config/filter/network/http_connection_manager/v3alpha/BUILD
@ -10,5 +10,6 @@ api_proto_package(
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/config/filter/accesslog/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/network/http_connection_manager/v3alpha/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v3alpha/http_connection_manager.proto
@ -18,6 +18,8 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: HTTP connection manager]
@ -26,6 +28,9 @@ import "validate/validate.proto";

 // [#next-free-field: 36]
 message HttpConnectionManager {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
+
  enum CodecType {
    // For every new connection, the connection manager will determine which
    // codec to use. This mode supports both ALPN for TLS listeners as well as
@ -86,6 +91,9 @@ message HttpConnectionManager {

  // [#next-free-field: 8]
  message Tracing {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing";
+
    enum OperationName {
      // The HTTP listener is used for ingress/incoming requests.
      INGRESS = 0;
@ -139,12 +147,20 @@ message HttpConnectionManager {
  }

  message InternalAddressConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager."
+        "InternalAddressConfig";
+
    // Whether unix socket addresses should be considered internal.
    bool unix_sockets = 1;
  }

  // [#next-free-field: 7]
  message SetCurrentClientCertDetails {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager."
+        "SetCurrentClientCertDetails";
+
    reserved 2;

    // Whether to forward the subject of the client cert. Defaults to false.
@ -183,6 +199,10 @@ message HttpConnectionManager {
  //    The current implementation of upgrade headers does not work with HTTP/2
  //    upstreams.
  message UpgradeConfig {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager."
+        "UpgradeConfig";
+
    // The case-insensitive name of this upgrade, e.g. "websocket".
    // For each upgrade type present in upgrade_configs, requests with
    // Upgrade: [upgrade_type]
@ -458,6 +478,9 @@ message HttpConnectionManager {
 }

 message Rds {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.Rds";
+
  // Configuration source specifier for RDS.
  api.v3alpha.core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];

@ -470,12 +493,18 @@ message Rds {

 // This message is used to work around the limitations with 'oneof' and repeated fields.
 message ScopedRouteConfigurationsList {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.ScopedRouteConfigurationsList";
+
  repeated api.v3alpha.ScopedRouteConfiguration scoped_route_configurations = 1
      [(validate.rules).repeated = {min_items: 1}];
 }

 // [#next-free-field: 6]
 message ScopedRoutes {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes";
+
  // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These
  // keys are matched against a set of
  // :ref:`Key<envoy_api_msg_api.v3alpha.ScopedRouteConfiguration.Key>` objects assembled from
@ -488,8 +517,15 @@ message ScopedRoutes {
  // :ref:`RouteConfiguration<envoy_api_msg_api.v3alpha.RouteConfiguration>`) to use for the
  // request.
  message ScopeKeyBuilder {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder";
+
    // Specifies the mechanism for constructing key fragments which are composed into scope keys.
    message FragmentBuilder {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+          "FragmentBuilder";
+
      // Specifies how the value of a header should be extracted.
      // The following example maps the structure of a header to the fields in this message.
      //
@ -508,8 +544,16 @@ message ScopedRoutes {
      //
      //    Each 'a=b' key-value pair constitutes an 'element' of the header field.
      message HeaderValueExtractor {
+        option (udpa.api.annotations.versioning).previous_message_type =
+            "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+            "FragmentBuilder.HeaderValueExtractor";
+
        // Specifies a header field's key value pair to match on.
        message KvElement {
+          option (udpa.api.annotations.versioning).previous_message_type =
+              "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+              "FragmentBuilder.HeaderValueExtractor.KvElement";
+
          // The separator between key and value (e.g., '=' separates 'k=v;...').
          // If an element is an empty string, the element is ignored.
          // If an element contains no separator, the whole element is parsed as key and the
@ -584,12 +628,18 @@ message ScopedRoutes {
 }

 message ScopedRds {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.ScopedRds";
+
  // Configuration source specifier for scoped RDS.
  api.v3alpha.core.ConfigSource scoped_rds_config_source = 1
      [(validate.rules).message = {required: true}];
 }

 message HttpFilter {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.http_connection_manager.v2.HttpFilter";
+
  reserved 3, 2;

  reserved "config";
--- a/envoy/config/filter/network/mongo_proxy/v3alpha/BUILD
+++ b/envoy/config/filter/network/mongo_proxy/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/filter/fault/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/filter/fault/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/network/mongo_proxy/v3alpha/mongo_proxy.proto
+++ b/envoy/config/filter/network/mongo_proxy/v3alpha/mongo_proxy.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.network.mongo_proxy.v3a

 import "envoy/config/filter/fault/v3alpha/fault.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Mongo proxy]
@ -15,6 +17,9 @@ import "validate/validate.proto";
 // [#extension: envoy.filters.network.mongo_proxy]

 message MongoProxy {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.mongo_proxy.v2.MongoProxy";
+
  // The human readable prefix to use when emitting :ref:`statistics
  // <config_network_filters_mongo_proxy_stats>`.
  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
--- a/envoy/config/filter/network/rate_limit/v3alpha/BUILD
+++ b/envoy/config/filter/network/rate_limit/v3alpha/BUILD
@ -8,5 +8,6 @@ api_proto_package(
    deps = [
        "//envoy/api/v3alpha/ratelimit:pkg",
        "//envoy/config/ratelimit/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/envoy/config/filter/network/rate_limit/v3alpha/rate_limit.proto
+++ b/envoy/config/filter/network/rate_limit/v3alpha/rate_limit.proto
@ -11,6 +11,8 @@ import "envoy/config/ratelimit/v3alpha/rls.proto";

 import "google/protobuf/duration.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
@ -19,6 +21,9 @@ import "validate/validate.proto";

 // [#next-free-field: 7]
 message RateLimit {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.rate_limit.v2.RateLimit";
+
  // The prefix to use when emitting :ref:`statistics <config_network_filters_rate_limit_stats>`.
  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

--- a/envoy/config/filter/network/rbac/v3alpha/BUILD
+++ b/envoy/config/filter/network/rbac/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/config/rbac/v3alpha:pkg"],
+    deps = [
+        "//envoy/config/rbac/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/network/rbac/v3alpha/rbac.proto
+++ b/envoy/config/filter/network/rbac/v3alpha/rbac.proto
@ -8,6 +8,8 @@ option java_package = "io.envoyproxy.envoy.config.filter.network.rbac.v3alpha";

 import "envoy/config/rbac/v3alpha/rbac.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: RBAC]
@ -19,6 +21,9 @@ import "validate/validate.proto";
 // Header should not be used in rules/shadow_rules in RBAC network filter as
 // this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
 message RBAC {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.rbac.v2.RBAC";
+
  enum EnforcementType {
    // Apply RBAC policies when the first byte of data arrives on the connection.
    ONE_TIME_ON_FIRST_BYTE = 0;
--- a/envoy/config/filter/network/redis_proxy/v3alpha/BUILD
+++ b/envoy/config/filter/network/redis_proxy/v3alpha/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["//envoy/api/v3alpha/core:pkg"],
+    deps = [
+        "//envoy/api/v3alpha/core:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
+    ],
 )
--- a/envoy/config/filter/network/redis_proxy/v3alpha/redis_proxy.proto
+++ b/envoy/config/filter/network/redis_proxy/v3alpha/redis_proxy.proto
@ -11,6 +11,8 @@ import "envoy/api/v3alpha/core/base.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "udpa/api/annotations/versioning.proto";
+
 import "validate/validate.proto";

 // [#protodoc-title: Redis Proxy]
@ -19,9 +21,15 @@ import "validate/validate.proto";

 // [#next-free-field: 7]
 message RedisProxy {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.redis_proxy.v2.RedisProxy";
+
  // Redis connection pool settings.
  // [#next-free-field: 9]
  message ConnPoolSettings {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings";
+
    // ReadPolicy controls how Envoy routes read commands to Redis nodes. This is currently
    // supported for Redis Cluster. All ReadPolicy settings except MASTER may return stale data
    // because replication is asynchronous and requires some delay. You need to ensure that your
@ -110,12 +118,22 @@ message RedisProxy {
  }

  message PrefixRoutes {
+    option (udpa.api.annotations.versioning).previous_message_type =
+        "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes";
+
    message Route {
+      option (udpa.api.annotations.versioning).previous_message_type =
+          "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.Route";
+
      // The router is capable of shadowing traffic from one cluster to another. The current
      // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to
      // respond before returning the response from the primary cluster. All normal statistics are
      // collected for the shadow cluster making this feature useful for testing.
      message RequestMirrorPolicy {
+        option (udpa.api.annotations.versioning).previous_message_type =
+            "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.Route."
+            "RequestMirrorPolicy";
+
        // Specifies the cluster that requests will be mirrored to. The cluster must
        // exist in the cluster manager configuration.
        string cluster = 1 [(validate.rules).string = {min_bytes: 1}];
@ -219,6 +237,9 @@ message RedisProxy {
 // :ref:`extension_protocol_options<envoy_api_field_api.v3alpha.Cluster.extension_protocol_options>`,
 // keyed by the name `envoy.redis_proxy`.
 message RedisProtocolOptions {
+  option (udpa.api.annotations.versioning).previous_message_type =
+      "envoy.config.filter.network.redis_proxy.v2.RedisProtocolOptions";
+
  // Upstream server password as defined by the `requirepass` directive
  // <https://redis.io/topics/config>`_ in the server's configuration file.
  api.v3alpha.core.DataSource auth_password = 1;
--- a/envoy/config/filter/network/tcp_proxy/v3alpha/BUILD
+++ b/envoy/config/filter/network/tcp_proxy/v3alpha/BUILD
@ -9,5 +9,6 @@ api_proto_package(
        "//envoy/api/v3alpha/core:pkg",
        "//envoy/config/filter/accesslog/v3alpha:pkg",
        "//envoy/type/v3alpha:pkg",
+        "@com_github_cncf_udpa//udpa/api/annotations:pkg",
    ],
 )
--- a/Show More
+++ b/Show More