Cloud Load Balancing and Cloud CDN extensions overview (original) (raw)
Service Extensions lets you use extensions to instructsupported Application Load Balancersto use plugins or send callouts from the load balancing data path to callout backend services or Google services. This page provides an overview about Cloud Load Balancing extensions.
You can configure Application Load Balancers to use the following types of extensions:
- Edge extensions help you manipulate request headers to influence backend service selection and the content that Cloud CDN serves from cache. These extensions are configured to run early in the request processing lifecycle to influence caching and routing decisions, respectively, at the edge.
- Route extensions help you influence backend service selection. These extensions are configured to run early in the request processing lifecycle.
- Authorization extensions help you send authorization requests to your custom authorization engine. You configure these at the end of the processing cycle just before the load balancer sends requests to backends.
- Traffic extensions help support additional custom security logic and traffic management capabilities. You configure these after authorization extensions but before the load balancer sends requests to backends or receives responses from them.
Supported Application Load Balancers for user-managed extensions
Service Extensions supports user-managed extensions for the following Application Load Balancers:
| Application Load Balancers | Extensions | ||||
|---|---|---|---|---|---|
| Edge | Route | Authorization | Traffic | ||
| Plugins | Plugins | Callouts | Callouts | Plugins | Callouts |
| Global external Application Load Balancer | ✓ | ✓ | ✓ | ✓ | |
| Regional external Application Load Balancer | ✓ Preview | ✓ | ✓ | ✓ Preview | ✓ |
| Regional internal Application Load Balancer | ✓ Preview | ✓ | ✓ | ✓ Preview | ✓ |
| Cross-region internal Application Load Balancer | ✓ | ✓ | ✓ | ✓ | ✓ |
Extensibility points in the load balancing data path
Service Extensions supports extensions in different stages of the load balancing data path.
Figure 1 shows how Service Extensions supports extensions in the application security and traffic management stages for global external Application Load Balancers.
Figure 1. Global external Application Load Balancers support extensions at the edge routing, application security, and traffic management stages (click to enlarge).
Figure 2 shows how Service Extensions supports extensions in the routing, application security, and traffic management stages for these types of load balancers: Regional external Application Load Balancer, Regional internal Application Load Balancer, and Cross-region internal Application Load Balancer.
Figure 2. Regional external Application Load Balancers, regional internal Application Load Balancers, and cross-region internal Application Load Balancers support extensions at the routing and traffic management stages (click to enlarge).
How edge extensions work
Edge extensions run first on the request processing path and let you use request headers to influence backend service selection and the content that Cloud CDN serves from cache.
After a load balancer calls an edge extension, it does the following:
- Selects the backend service by evaluating the URL map
- Applies Google Cloud Armor policiessecurity policies
- Does a cache lookup and serves from cache if there is a cache hit
- Applies Cloud Armor policies for the selected backend service
- Applies CORS policies
- Applies the stateful session affinity policy
- Applies Identity-Aware Proxy (IAP) policies for the selected backend service
- Calls authorization extensions, if any are configured in the processing path of the selected backend service
- Performs fault injection
- Calls traffic extensions, if any
- Performs URL rewrites
- Performs header manipulation according to the URL map and adds custom request header variables
- Performs redirects or routing to the selected backend service while applying timeouts and retry policies in the URL map and the load balancing settings for the backend service
- Performs request mirroring
How route extensions work
Route extensions run first in the request processing path when the load balancer receives request headers and before it evaluates theURL map.
After a load balancer calls a route extension for a request, it does the following:
- Selects the backend service by evaluating the URL map
- Applies Cloud Armor policies for the selected backend service
- Applies IAP policies for the selected backend service
- Performs fault injection
- Performs request header transformations and resolves custom request header variables
- Calls traffic extensions, if they exist in the processing path of the selected backend service
- Performs URL rewrites
- Performs redirects or routing to the selected backend service and applies timeouts and retry policies in the URL map and other load balancing settings for the backend service
You can configure authorization policies with authorization extensions to delegate authorization decisions to custom authorization engines. For more information about authorization policies, seeAuthorization policy overview.
Authorization extensions are called on the request path after route extensions are called and a backend for the request has been selected. These extensions can't influence backend service selection.
In Preview, for regional external Application Load Balancers and regional internal Application Load Balancers, authorization policies are invoked after route extensions. When designing authorization extensions, consider the following points:
- Extensions invoked by authorization policies of the
REQUEST_AUTHZprofile type receive and evaluate only HTTP request headers with theext_proc orext_authzprotocol. - Extensions invoked by authorization policies of the
CONTENT_AUTHZprofile type receive headers, body, and trailers of requests and responses. These must be configured inFULL_DUPLEX_STREAMEDbody processing mode of theext_procprotocol.
In the data path, authorization extensions based on request authorization policies run before those based on content authorization policies.
How traffic extensions work
Load balancers run traffic extensions last in the request processing path and first in the response processing path.
These extensions let you modify the headers and payloads of both requests and responses without impacting the choice of the backend service. You can also use traffic extensions for custom logging by specifying the information that you want to log, the format, and the external provider.
Before a load balancer calls a traffic extension on the request path for a request, it does the following:
- Performs fault injection
- Selects a backend service for the request
- Applies Cloud Armor policies for the selected backend service
- Applies IAP policies for the selected backend service
- Applies Cloud CDN caching policies for the selected backend service in the case of global external Application Load Balancers
After a load balancer calls a traffic extension on the request path for a request, it does the following:
- Performs URL rewrites
- Performs header manipulation according to the URL map and adds custom request header variables
- Performs redirects or routing to the selected backend service while applying timeouts and retry policies in the URL map and the load balancing settings for the backend service
- Performs request mirroring
After a load balancer calls a traffic extension on the response path for a request, it does the following:
- Performs response header transformations and resolves custom response header variables
- Performs logging by using Cloud Logging
- Performs Cloud CDN caching in the case of global external Application Load Balancers
In the traffic path, edge and route extensions run at extensibility points before the stage at which the load balancer addscustom headers. As such, the headers that the edge and route extensions receive don't contain the custom headers that the load balancer adds.
To make information that you might usually put in custom headers available to edge and route extensions, consider using asupported attribute instead.
Limitations of extensions
- A forwarding rule can have only one
LbEdgeExtensionresource, oneLbTrafficExtensionresource, and oneLbRouteExtensionresource. - For callouts, the callout backend service must be in the same project as the forwarding rule.
- Cross-project referencing between extensions and forwarding rules isn't supported.