GCP – Customize load balancers for unique application needs with Service Extensions callouts
Service Extension callouts on Google Cloud Application Load Balancers, which we recently announced at Google Next ‘23, are now available in public preview. Service Extensions empower users to quickly and easily customize the data plane of Google Cloud Networking products. This custom logic can address unique workflow requirements, offer an on-ramp for partners to integrate their software with Google services, or help organizations implement Cross-Cloud Network services.
Service Extensions offers two methods to inject custom logic into the networking data path: plugins and callouts.
Plugins allow users to insert WebAssembly (wasm) code to run the extension inline in the networking data path. Since they are a fully managed resource, they are a friendly option for users that want the benefits of a Google-managed offering. Plugins are currently only available on Media CDN.
Callouts allow users to instruct Google Cloud Networking products to make RPC ‘callouts’ to custom services running in Google Cloud, multi-cloud, or on-premises from within the data processing path. Callouts are deployed on user-managed general-purpose computing.
With the introduction of Service Extensions callouts for Google Cloud Application Load Balancers, users instruct the load-balancers to forward traffic from within the Cloud Load Balancing data processing path via gRPC to a user-managed or partner-hosted application. These applications can apply various policies or functions, such as header or payload manipulation, security screening, custom logging or authentication on the traffic before returning the traffic to the load-balancer for further processing.
Figure #1, Service Extensions callouts data flow
Two callout extension types, route extensions and traffic extensions, are planned. Each of these types has a primary customization focus:
Route extensions execute first in the request processing order and can be used to insert custom logic near the beginning of the request path. These extensions can be used to influence how Cloud Load Balancers choose which backend service to send the request.
Traffic extensions execute last in the request processing path and can be used to insert custom logic just before the request goes to the backend. These extensions support a wide variety of use cases, such as adding a request header, modifying the payload or enabling custom logging.
Benefits of Service Extensions callouts include:
Bespoke implementation – Traffic handling is tailored to address unique workflow requirements and can optimize the performance of cloud applications or services.
User empowerment – Organizations can develop their own applications or purchase programs to change how a service is delivered to support new or custom requirements.
Partner integration – Partners can programmatically integrate their software with Google Cloud Application Load Balancer services and deliver new advanced use cases.
While Service Extensions can deliver a wide variety of functions and services, customer feedback indicates that the following use cases are very popular:
Incorporating partner software or services allows users an easy, quick, and efficient way to integrate partner applications or services with Google Cloud Load Balancing. Typical areas of interest for this use case include integrating leading security capabilities, such as web application firewall (WAF), API security, and bot management. We are excited to see partners including Fortinet, Palo Alto, Traceable and Human Security share an interest in this use case.
Data plane customization focuses on modifying traffic headers and payloads, including rewriting HTML responses to inject security or adtech JavaScript, customizing cache keys by geography, or adding/removing/changing app-specific headers or device types.
Security and logging enables users to support custom user authentication and authorization based on JWT payloads, translate and implement custom URL signing mechanisms, support custom TLS fingerprinting, or establish custom logs based on custom attributes.
Traffic steering allows callouts to rewrite header information to influence backend selection based on user location and HTTP method, implement custom sticky session logic, and support geo-based regional Load Balancer traffic routing.
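The JWT-based authorization use case above, sketched as the decision logic a callout service might run on request headers. This is an added example, not code from Google or from the original post: the dictionary shapes, the `x-verified-sub` header name and the demo key are assumptions, and the gRPC transport between load balancer and callout is left out.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"   # constructed; load real keys from a secret store
IDENTITY_HEADER = "x-verified-sub"   # hypothetical header the backend trusts

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key=DEMO_KEY):
    """Build an HS256 JWT to use as constructed sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(sign(head, body, key))}"

def verify_token(token, now, key=DEMO_KEY):
    """Return the claims of a valid, unexpired HS256 JWT, otherwise None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # pin the algorithm; rejects "none" and anything unexpected
        if not hmac.compare_digest(sign(head, body, key), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if claims["exp"] > now and claims["sub"] else None
    except (ValueError, AttributeError, KeyError, TypeError):
        return None  # malformed input is treated as unauthenticated

def handle_request_headers(headers, now):
    """Callout decision: deny with 401, or list headers to remove and set."""
    auth = headers.get("authorization", "")
    claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return {"action": "deny", "status": 401}
    # Remove any client-supplied copy first so the identity cannot be spoofed.
    return {"action": "continue", "remove": [IDENTITY_HEADER],
            "set": {IDENTITY_HEADER: str(claims["sub"])}}
```

The backend should accept the identity header only on traffic that has passed through the callout, since the header is trustworthy only because the callout removes any inbound copy before setting it.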
Early feedback on Service Extensions callouts from customers and partners such as Palo Alto Networks, Fortinet, Traceable and Human Security has been very positive:
“With Google’s new Service Extensions callout capability, Fortinet and Google Cloud customers get even better, more seamless protection for their workloads on Google Cloud.” – John Maddison, Chief Marketing Officer and EVP, Product Strategy, Fortinet
“API security is critical with 90% of web traffic being routed through APIs and becoming the primary targets for modern day AuthN/AuthZ based attacks, data exfiltration and fraud. Traceable’s collaboration with Service Extensions for Google Cloud Load Balancing solves a key customer need of seamless L7 Traffic steering for comprehensive API security. This innovative integration between Google Cloud and Traceable empowers our joint customers to quickly operationalize API security and continuously discover, test, analyze, and protect the digital assets and systems powered by APIs.” – Sanjay Nagaraj, Chief Technology Officer/Co-founder, Traceable
“We are excited to be at the forefront of leveraging Service Extensions callouts to simplify and streamline the integration of the Human Defense Platform for our Google Cloud customers. With this expansion of our partnership with Google Cloud, we are making it easier for our valued partners and clients to safeguard their applications from cybersecurity threats, fraud and abuse. This innovative approach allows effortless integration of the Human Defense Platform into our customers’ applications running anywhere, all without any additional modification of their applications.” – Ido Safruti, Chief Technology Officer, Human Security
“Service Extensions callouts on Google Cloud Load Balancing have the potential to unlock and simplify multiple use cases for our business. The flexibility to use our code or third-party software to change how traffic is secured and processed is particularly attractive to us. We look forward to participating in the public preview and partnering with Google to guide the Service Extensions roadmap.” – Roiy Berko, Vice President of Technical Operations, DoubleVerify
Please see the Service Extensions documentation for additional information.