What’s new for the Google Cloud global front end for web delivery and protection
Peter Blum
Group Product Manager
The Google Cloud global front end is a solution we launched last year as part of Cross-Cloud Network that helps customers deliver and protect internet-facing web services using the same technologies, infrastructure, and teams that we use for our own Google web services. By leveraging the power of our global Cross-Cloud Network, it can do this for workloads hosted not only in Google Cloud but other public clouds, co-location and on-prem data centers.
The global front end solution consists of the Cloud External Global Application Load Balancer, providing open-scalable and programmable traffic control; Cloud CDN for performance and backend infrastructure offload; and Cloud Armor for planet-scale Web and DDoS protection.
At Google Cloud Next ‘24, we announced a series of enhancements across the solution to help our customers improve the performance, protection, and scalability of their internet-facing web services (sites, apps, and APIs) plus enable higher levels of automation and programmability. In this blog, we take a deeper look at the global front end solution, and how it uses the new capabilities in our networking platform.
1. Open, scalable, and programmable traffic control
Service Extension callouts
The newly released Service Extension callouts capability makes the Google Cloud web data plane programmable, allowing easier customization and improved partner solution integration. Service Extension callouts allow a wide range of control over various web requests and responses, including changing origin routing, adding security services to inspect and protect traffic, modifying the request headers, or adjusting the HTML.
In addition to Service Extensions, we have a library of example code for common operations. We are also have a broad set of partners who are delivering security and experience optimization integrations. You can read more about Service Extensions here.
Private origin access over the Internet with App Connector
The global external Application Load Balancer coordinates communication with backend infrastructure and today provides a broad set of options for connecting and serving from Google Cloud infrastructure such as Google Compute Engine and Google Kubernetes Engine (GKE), but also infrastructure outside Google Cloud such as other public clouds, on-prem data centers, or co-location facilities. It’s able to do this over the public internet using an FQDN or IP address or even using HA VPN links. Both options require opening ports from the web origin environment to the public internet. And while those can be secure to only allow Google Cloud communications, some customers don’t want any open ports to the Internet.
Today, we now have a new option for private origin communication over the internet using Google Cloud’s App Connector technology. This lets you run dual App Connector agents in another cloud, on-prem, or in a co-location environment. When the agents launch, they connect back to the App Connector service in Google Cloud, enabling a reverse-tunnel for origin communications without needing to open incoming ports from the internet. This capability is now in preview, and you can contact your sales team for more information and to gain access.
Custom error responses
Custom error responses, now in preview, allows you to customize your own error responses when HTTP 4xx and 5xx errors are generated. This lets you define your own error and maintenance pages with custom messages and branding. You can also create custom error pages when requests are denied by Cloud Armor security policies.
Load balancing for AI workloads
Generative AI workloads have unique traffic patterns, with large requests and responses along with unique backend compute usage. This can lead to variable processing times and uneven use of GPU and TPU compute resources, resulting in suboptimal user response times and higher infrastructure costs.
To address this, we are enhancing our Cloud Application Load Balancing with a new class of innovations to optimize for AI workloads. This includes load balancing based on LLM platform queue depth to optimize TPU and GPU utilization, and enhancements to monitor the health of individual model service endpoints for higher reliability for cross-region deployments. You can read more details in this blog.
2. Planet-scale protection
Cloud Armor Enterprise for premium web and DDoS protection
Cloud Armor Enterprise is the new name for the premium tier of Cloud Armor protection with Adaptive Protection ML DDoS protection, Google Threat Intelligence, enhanced DDoS attack visibility, and more. In addition to the new name, we also introduced more flexible consumption models, with pay-as-you-go pricing in addition to the existing annual subscriptions.
Granular Adaptive Protection ML models for Layer 7 DDoS Defense
We have enhanced our Adaptive protection systems to allow the creation of more granular ML based traffic models, now in preview, to better detect service specific attacks and provide mitigations. This feature lets you configure specific hosts or paths that Adaptive Protection will analyze, such as the set of paths on your website related to new account creation or a checkout sequence for buying a product, experience, or booking.
Graph QL API Protection
GraphQL is an open-source data query and manipulation language for APIs. The Cloud Armor inspection engine and its built-in rules have been enhanced to allow it to help protect GraphQL-based API calls.
3. Global performance
UI controls for dynamic compression with gzip and Brotli
To make performance even easier we recently enhanced the Google Cloud console to allow control of our dynamic compression capability. This feature automatically compresses text and code responses served by Cloud CDN by 60% to 85% in typical cases. It determines the requesting browsers’ capabilities and uses gzip or Brotli compression to reduce the size of the objects and help improve performance.
Internet observability with Catchpoint
We announced a new performance observability partner for our global front end solution with Catchpoint, whose Internet Performance Monitoring service helps customers monitor web performance globally and improve uptime to help catch issues before impacting the business. Catchpoint is offering a free trial and expert assistance to help measure the performance of the Google global front end. You can reach them on gcp-catchpoint-trial@catchpoint.com to learn more.
4. Modern automation
CI/CD Automation reference guide and toolkit
Our newly released Global Front End CI/CD Automation Toolkit and reference guide make it easier to integrate the global front end into a number of popular CI/CD platforms including Jenkins, Gitlab, and our own Cloud Build. It provides built-in recommended settings, pre-created workflows for common operations like roll-out, roll-back across the solution, and simplified workflows to enable canary rollouts of new versions of your applications and services. Since it’s a toolkit, you can use it in whole or just take the pieces you need to help with end-to-end automated deployment of your applications and services.
Summary
With the Cross-Cloud Network, we’re empowering customers to simplify, modernize and secure their hybrid and multi-cloud networks and applications. And using the global front end solution lets you deliver, scale, and protect your internet -facing web services using the same technologies, infrastructure, and teams as we use for our own web services.
See below for links to more information on the Cross-Cloud Network global front end solution: