Service Extensions overview

Service Extensions lets users of Google Cloud products, such as Cloud Load Balancing and Media CDN, insert programmability directly into the data path. This helps you customize the behavior of these proxies to meet your business needs. This page provides a high-level overview of Service Extensions.

Types of Service Extensions

The data path in edge networking products, such as Cloud Load Balancing and Media CDN, can be visualized as a pipeline of data processing stages. Service Extensions lets you insert custom logic into one or more of these stages.

Service Extensions offers two ways to insert programmability: plugins and callouts.

Plugins

Plugins let you insert custom code inline in the networking data path. You build these plugins by using WebAssembly (Wasm) and the Proxy-Wasm ABI.

Plugins run as Wasm modules in a Google-managed sandbox on Google-managed compute, similar to a serverless infrastructure. They have restricted capabilities and strict runtime requirements. They run close to the data plane, and latency optimization is managed.

For more information about plugins, see Plugins overview.

Callouts

Callouts let you use Cloud Load Balancing to make gRPC calls to user-managed services during data processing.

You write callouts against Envoy's external processing gRPC API (ext-proc). Callouts run as general-purpose gRPC servers on user-managed compute VMs and Google Kubernetes Engine Pods in Google Cloud, multicloud, or on-premises environments.

Callouts have no runtime restrictions and can reuse existing software, as required. With callouts, you can get the benefits of fully managed services that are also customizable to meet the unique needs of specific workloads. You only need to ensure the scalability and availability of your callout service.

For more information about callouts, see Callouts overview.

Cloud Load Balancing extensions

Service Extensions for Cloud Load Balancing empowers users to add rich customization to the load balancing request and response processing paths for supported Application Load Balancers.

For more information, see Cloud Load Balancing extensions overview.

Plugins for Cloud Load Balancing

Service Extensions helps you use prepublished plugins for your custom needs by adding them in the Cloud Load Balancing processing path. Figure 1 shows this flow.

Figure 1. Application Load Balancer plugins.

Use plugins with Cloud Load Balancing in the following sample scenarios:

Exception handling
  • Redirect clients to a custom error page for certain response classes.
Custom logging
  • Log user-defined headers or custom data into Cloud Logging.
Header addition
  • Create new headers relevant for your applications or specific customers.
  • Insert new headers for request and response.
Header manipulation
  • Rewrite existing request and response headers or override client headers on their way to the backend or while responding to a client.
Security
  • Write custom security policies based on client request or response headers and make enforcement decisions within your plugin.
Script injection
  • Rewrite HTML from the origin for Google reCAPTCHA integration or Google Analytics tagging.

Callouts for Cloud Load Balancing

Service Extensions lets supported Application Load Balancers send a callout from the data processing path to callout backend services managed by the user. Figure 2 shows this flow.

Figure 2. Application Load Balancers send Service Extensions callouts to backend services.

Use callouts with Cloud Load Balancing for the following:

  • When the amount of compute or storage is arbitrary
  • When you want to maintain state
  • When you want to use external services, such as BigQuery or third-party applications hosted anywhere

Callouts are highly flexible and support a variety of customizations. Some examples of everyday use cases follow:

Custom routing and traffic management
  • Perform HTTP or URL redirects.
  • Modify request attributes, such as headers or URLs, based on application-specific logic to force the URL map to choose a different backend service than originally targeted by the request.
  • Add, remove, or modify headers or rewrite URLs based on complex application-specific logic before forwarding traffic to the backend service.
  • Implement custom session affinity or stickiness based on the specific attributes of a request.
Security and logging
  • Log custom information from payloads or custom headers to Logging or a custom-made logging solution.
  • Use security tools or services, including custom user authentication and authorization support.
  • Validate arbitrary headers and query parameters such as device IDs.
  • Log requests and responses to third-party logging solutions.
  • Implement custom user authentication and authorization.
Partner integration
  • Integrate security products, such as API Gateway security, bot management, or Web Application Firewall (WAF).
Authorization (Preview)
  • Enrich the authorization decision-making process or further constrain the authorization decisions from Google-provided built-in authorization engines.
  • Mix authorization decisions from multiple authorization systems.
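
The following added example (not Google's code and not part of the original page) sketches the request-header decision a callout could make for the "validate arbitrary headers such as device IDs" and header-modification use cases. The two dataclasses are simplified stand-ins for the ext-proc response messages, and the `x-device-id` format and `x-internal-` prefix are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified stand-ins for the ext-proc response choices. A real callout
# exchanges protobuf ProcessingRequest/ProcessingResponse messages over gRPC.
@dataclass
class HeaderMutation:          # continue processing, with these headers removed
    remove_headers: list = field(default_factory=list)

@dataclass
class ImmediateResponse:       # stop processing and answer the client directly
    status: int
    body: str

# Constructed policy values (assumptions, not from the original page).
DEVICE_ID_RE = re.compile(r"[0-9a-f]{32}")   # 32 lowercase hex characters
INTERNAL_PREFIX = "x-internal-"              # headers only the platform may set

def on_request_headers(headers):
    """Return the callout's decision for one request.

    headers: list of (name, value) pairs as forwarded by the load balancer.
    """
    # Header names are case-insensitive; keep every value so duplicates show.
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)

    device_ids = seen.get("x-device-id", [])
    # Missing or repeated header: refuse rather than guess which value counts.
    if len(device_ids) != 1:
        return ImmediateResponse(400, "exactly one x-device-id header required")
    # fullmatch rejects trailing or leading junk that match()/search() accept.
    if not DEVICE_ID_RE.fullmatch(device_ids[0]):
        return ImmediateResponse(403, "invalid device id")

    # Strip client-supplied copies of internal headers so the backend never
    # trusts a value the client chose.
    spoofed = sorted(n for n in seen if n.startswith(INTERNAL_PREFIX))
    return HeaderMutation(remove_headers=spoofed)
```
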

For more information, see Cloud Load Balancing extensions overview.

Media CDN extensions

Media CDN provides many built-in core capabilities to address the most common use cases for content delivery networks (CDNs). Service Extensions helps you address several requirements that are beyond these capabilities.

For more information, see Media CDN extensions overview.

Plugins for Media CDN

Service Extensions helps you use prepublished plugins for your custom needs by adding them in the Media CDN processing path. Figure 3 shows this flow.

Figure 3. Media CDN plugins.

Some key use cases where you can use plugins with Media CDN follow:

Customization
  • Rewrite request URLs.
  • Normalize header values to improve cache performance.
Security and logging
  • During live events, block users with pirated tokens.
  • Support custom user authentication and authorization.
  • Translate and implement custom URL signing.
  • Customize cache keys, application-specific headers, or device types.
  • Log custom variables to Cloud Logging.
Targeting and monetization
  • Improve conversions through A/B testing.
  • Implement custom ad targeting.
  • Offer trial usage models at no extra charge.
Partner integration
  • Implement video watermarking.
  • Optimize videos and images.