Service Extensions lets you use extensions to instruct supported Application Load Balancers to use plugins or send callouts from the load balancing data path to callout backend services. This page provides an overview of Cloud Load Balancing extensions.
You can configure Application Load Balancers to use the following types of extensions:
Route extensions help you influence backend service selection. These extensions are configured to run early in the request processing lifecycle.
Authorization extensions (Preview) help you send authorization requests to your custom authorization engine. You configure these at the end of the processing cycle just before the load balancer sends requests to backends.
Traffic extensions help support additional custom security logic and traffic management capabilities. You configure these after authorization extensions but before the load balancer sends requests to backends or receives responses from them.
Supported Application Load Balancers
Service Extensions supports extensions for the following Application Load Balancers:
Application Load Balancers | Extensions | |||||
---|---|---|---|---|---|---|
Route | Authorization | Traffic | ||||
Plugins | Callouts | Plugins | Callouts | Plugins | Callouts | |
Global external Application Load Balancer | Preview | Preview | ||||
Regional external Application Load Balancer | Preview | |||||
Regional internal Application Load Balancer | Preview | |||||
Cross-region internal Application Load Balancer | Preview | Preview | Preview | |||
Classic Application Load Balancer |
Extensibility points in the load balancing data path
Service Extensions supports extensions in different stages of the load balancing data path.
Figure 1 shows how Service Extensions supports extensions in the routing, application security, and traffic management stages for these types of load balancers: Regional external Application Load Balancer, Regional internal Application Load Balancer, and Cross-region internal Application Load Balancer.
Figure 2 shows how Service Extensions supports extensions in the application security and traffic management stages for global external Application Load Balancers.
How route extensions work
Route extensions run first in the request processing path when the load balancer receives request headers and before it evaluates the URL map.
After a load balancer invokes a route extension for a request, it does the following:
- Selects the backend service by evaluating the URL map
- Applies Google Cloud Armor policies for the selected backend service
- Applies Identity-Aware Proxy (IAP) policies for the selected backend service
- Performs fault injection
- Performs request header transformations and resolves custom request header variables
- Invokes traffic extensions, if they exist in the processing path of the selected backend service
- Performs URL rewrites
- Performs redirects or routing to the selected backend service and applies timeouts and retry policies in the URL map and other load balancing settings for the backend service
How authorization extensions work
On the request path, authorization extensions are called after route extensions are called and a backend for the request has been selected. These extensions cannot influence the backend service selection.
Authorization extensions can process only request headers and not request bodies or any part of responses.
How traffic extensions work
Load balancers run traffic extensions last in the request processing path and first in the response processing path.
These extensions let you modify the headers and payloads of both requests and responses without impacting the choice of the backend service. You can also use traffic extensions for custom logging by specifying the information that you want to log, the format, and the external provider.
Before a load balancer invokes a traffic extension on the request path for a request, it does the following:
- Performs fault injection
- Performs request header transformations and resolves custom request header variables
- Selects a backend service for the request
- Applies Google Cloud Armor policies for the selected backend service
- Applies IAP policies for the selected backend service
- Applies Cloud CDN caching policies for the selected backend service in the case of global external Application Load Balancers
After a load balancer invokes a traffic extension on the request path for a request, it does the following:
- Performs URL rewrites
- Performs header manipulation according to the URL map
- Performs redirects or routing to the selected backend service while applying timeouts and retry policies in the URL map and the load balancing settings for the backend service
- Performs request mirroring
After a load balancer invokes a traffic extension on the response path for a request, it does the following:
- Performs response header transformations and resolves custom response header variables
- Performs logging by using Cloud Logging
- Performs Cloud CDN caching in the case of global external Application Load Balancers
Limitations for extensions
- A forwarding rule can have only one LbTrafficExtension resource and one LbRouteExtension resource.
- The callout backend service must be in the same project as the forwarding rule.
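The following check is an added example, not part of the original page or of Google's tooling. It audits an inventory of extension resources against the two limitations above. The sample inventory is constructed, and the field names (`kind`, `forwardingRules`, `extensionChains`, `extensions`, `service`) are assumptions about the JSON form of the resources.

```python
import re
from collections import defaultdict

# Constructed sample inventory; field names are assumed, not taken from the page.
FR = "https://www.googleapis.com/compute/v1/projects/proj-a/regions/us-west1/forwardingRules/fr-web"
SVC = "https://www.googleapis.com/compute/v1/projects/{}/regions/us-west1/backendServices/{}"
SAMPLE = [
    {"kind": "LbTrafficExtension", "name": "traffic-1", "forwardingRules": [FR],
     "extensionChains": [{"extensions": [
         {"name": "hdr", "service": SVC.format("proj-a", "callout-a")}]}]},
    {"kind": "LbTrafficExtension", "name": "traffic-2", "forwardingRules": [FR],
     "extensionChains": [{"extensions": [
         {"name": "log", "service": SVC.format("proj-b", "callout-b")}]}]},
    {"kind": "LbRouteExtension", "name": "route-1", "forwardingRules": [FR],
     "extensionChains": [{"extensions": [
         {"name": "pick", "service": SVC.format("proj-a", "callout-a")}]}]},
]

def project_of(url):
    """Return the project ID embedded in a resource URL, or None."""
    m = re.search(r"projects/([^/]+)/", url)
    return m.group(1) if m else None

def check_limits(resources):
    """Return sorted (forwarding rule, message) findings for both limitations."""
    findings = []
    attached = defaultdict(list)  # (forwarding rule, kind) -> extension names
    for res in resources:
        for rule in res.get("forwardingRules", []):
            attached[(rule, res["kind"])].append(res["name"])
            for chain in res.get("extensionChains", []):
                for ext in chain.get("extensions", []):
                    svc = ext.get("service", "")
                    # Only callout references to backend services are checked.
                    if "/backendServices/" not in svc:
                        continue
                    if project_of(svc) != project_of(rule):
                        findings.append((rule, f"{res['name']}/{ext['name']}: callout backend "
                                         f"in project {project_of(svc)}, rule in {project_of(rule)}"))
    # Limitation 1: at most one resource of each kind per forwarding rule.
    for (rule, kind), names in attached.items():
        if len(names) > 1:
            findings.append((rule, f"{len(names)} {kind} resources attached: {sorted(names)}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, msg in check_limits(SAMPLE):
        print(rule.rsplit("/", 1)[-1], "->", msg)
```

On the constructed sample, the check reports the duplicate LbTrafficExtension attachment and the callout backend service that lives in a different project from the forwarding rule.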