Configure a route extension

Service Extensions enables Application Load Balancers to send callouts to backend services to inject custom processing in the processing path. Route extensions run in the request processing path when the load balancer receives request headers and before it evaluates the URL map. This page describes how to configure route extensions.

For an overview about Application Load Balancer extensions, see Cloud Load Balancing extensions overview.

Introduction

A route extension for an Application Load Balancer points to the following resources:

  • A forwarding rule to attach to
  • A callout backend service whose backends run the ext_proc gRPC API

A route extension groups related extension services into a chain. The extension chain selects the traffic to act on by using Common Expression Language (CEL) match conditions. The load balancer evaluates a request against match conditions for a chain in a sequential manner. When a request matches the conditions defined by a chain, all extensions in the chain act on the request. Only one chain matches a given request.

For information about the limits related to Application Load Balancer extensions, see the Quotas and limits page.

The extension references the load balancer forwarding rule to attach to. After you configure the resource, the load balancer starts sending matching requests to extension services.

Before you begin

Create the required resources as described in Configure a callout backend service.

Configure a route extension

The following example shows how to configure a route extension to call when the path matches /extensions. The route callout server in the callout-vm changes the Host header to service-extensions.com, sets the path to /, and then sends an instruction to the load balancer to recompute the route. The traffic then flows to l7-ilb-backend-service2 instead of l7-ilb-backend-service.

  1. Check if there's a match for /extensions in the URL map.

    1. Establish an SSH connection to the client VM.

      Console

      1. In the Google Cloud console, go to the VM instances page.

        Go to VM instances

      2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

      gcloud

      Use the gcloud compute ssh command.

      gcloud compute ssh CLIENT_VM \
    --zone=ZONE

      Replace the following:

      • CLIENT_VM: the name of the client VM
      • ZONE: the zone of the VM

    2. Run the following curl command against the forwarding rule in the client VM:

      curl FORWARDING_RULE_IP/extensions

      Replace FORWARDING_RULE_IP with the IP address of the forwarding rule. To find the IP address, use the gcloud compute forwarding-rules describe command.

      The output indicates that there is no match for /extensions in the URL map. The output is similar to the following:

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
...

    3. Close the SSH connection.

  2. Configure the route extension.

    Console

    1. In the Google Cloud console, go to the Service Extensions page.

      Go to Service Extensions

    2. Click Create extension.

      A wizard opens to guide you through some initial steps.

    3. For the product, select Load Balancing. Then, click Continue.

      A list of Application Load Balancers that support extensions appears.

    4. Select a load balancer type. For regional load balancers, also specify the region. Click Continue.

    5. For the service extension type, select Route extensions, click Continue, and then click Done.

      The Create service extension form opens. Notice that the preceding selections, which appear at the top of the page, are not editable.

    6. In the Basics section, do the following:

      1. Specify a unique name for the service extension.

        The name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and must not end with a hyphen.

      2. Optional: Enter a brief description about the extension by using a maximum of 1,024 characters.

      3. Optional: In the Labels section, click Add label. Then, in the row that appears, do the following:

        • For Key, enter a key name.
        • For Value, enter a value for the key.

        To add more key-value pairs, with the maximum limit being 64, click Add label.

        For more information about labels, see Create and update labels for projects.

    7. For Forwarding rules, select one or more forwarding rules to associate with the extension.

      Forwarding rules that are already associated with another extension cannot be selected and appear disabled.

    8. For Extension chains, add one or more extension chains to execute for a matching request.

      To add an extension chain, click Add an extension chain, do the following, and then click Done.

      • For Extension chain name, specify a unique name.

        The name must conform with RFC-1034, use only lowercase letters, numbers, and hyphens, and have a maximum length of 63 characters. Additionally, the first character must be a letter and the last character must be a letter or a number.

      • For Match condition, specify a Common Expression Language (CEL) expression to match requests for which the extension chain is executed.

        For more information, click Get syntax help or see CEL matcher language reference.

      • Add an extension to execute for a matching request. For route extensions, you can specify only one extension.

        Under Extensions, do the following, and then click Done:

        • For Extension name, specify a unique name.

          The name must conform with RFC-1034, use only lowercase letters, numbers, and hyphens, and have a maximum length of 63 characters. Additionally, the first character must be a letter and the last a letter or a number.

        • For Authority, enter the authority header from the gRPC request sent from Envoy to the extension service.

        • For Backend service, select a backend service created by following the instructions in Configure a callout backend service.

        • For Timeout, specify a value between 10 and 1000 milliseconds, after which a message on the stream times out while Envoy is still waiting for a response from the ext_proc service.

        • For Forward headers, click Add header, and then add HTTP headers to forward to the extension (from the client or the backend). If a header is not specified, all headers are sent.

        • Optional: For Fail open, if you want the extension to fail open, select Enabled. In this case, if the call to the extension fails or times out, request or response processing continues without error. Any subsequent extensions in the extension chain are also executed.

          By default, the Fail open field is not selected. In this case, if response headers have not been delivered to the downstream client, a generic HTTP 500 status code is returned to the client. If response headers have been delivered, the HTTP stream to the downstream client is reset.

    9. Click Create extension.

    gcloud

    1. Define the extension in a YAML file and associate it with the forwarding rule. Use the sample values provided.

      cat >route.yaml <<EOF
    name: route-ext
    forwardingRules:
    - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/forwardingRules/l7-ilb-forwarding-rule
    loadBalancingScheme: INTERNAL_MANAGED
    metadata: '{"fr": "{forwarding_rule_id}", "key2": {"key3":"value"}}'
    extensionChains:
    - name: "chain1"
      matchCondition:
        celExpression: 'request.path.startsWith("/extensions")'
      extensions:
      - name: 'ext11'
        authority: ext11.com
        service: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/backendServices/l7-ilb-callout-service
        failOpen: false
        timeout: 0.1s
EOF

      Replace PROJECT_ID with the project ID.

      The metadata field in the extension configuration lets you pass any JSON objects from the load balancer to the extension server. The metadata is sent in ProcessingRequest and encoded as protobuf.Struct. Any text within the JSON object that matches the specified forwarding rule ID is replaced with the fully qualified resource URL of the forwarding rule associated with the client request.

    2. Import the route extension. Use the gcloud service-extensions lb-route-extensions import command with the following sample values.

      gcloud service-extensions lb-route-extensions import route-ext \
    --source=route.yaml \
    --location=us-west1

  3. Verify that the route extension works as expected. Establish an SSH connection to the client VM and use the same curl command:

    curl FORWARDING_RULE_IP/extensions

    The output indicates that the traffic matched the virtual host service-extensions.com and reached the l7-ilb-backend-service2 service even though the original request did not. The output is similar to the following:

    Page served from second backend service

    To validate that the extension is targeting only requests with the /extension prefix, repeat the curl command without the path prefix.

    curl FORWARDING_RULE_IP

    The output is similar to the following:

    Page served from: l7-ilb-backend-example-1c7t

Limitations for route extensions

  • Cross-project referencing between extensions and the forwarding rule is not supported.
  • Route extensions don't support HTTP body processing.
  • Route extensions cannot override the processing mode of ext_proc stream.
  • A direct response from the extension to the client is not supported for route extensions. If your route extension server responds to a processing request with a processing response that contains a direct response, Envoy ignores the processing response.

What's next