Service Extensions enables Application Load Balancers to send callouts to backend services to insert custom processing in the processing path. Authorization extensions run in the request processing path when the load balancer receives request headers and after the URL map chooses the backend service. This page describes how to configure authorization extensions to use a custom authorization engine defined in an authorization policy.
For an overview about Application Load Balancer extensions, see Cloud Load Balancing extensions overview.
Introduction
Cloud Load Balancing lets you configure authorization policies that enforce access control on traffic entering load balancers. Sometimes, complex authorization decisions cannot be readily expressed using an authorization policy.
You can configure authorization policies with authorization extensions to delegate authorization decisions to custom authorization engines. In the data path, authorization extensions are executed after route extensions but before traffic extensions. For each authorization request, the load balancer forwards the request headers to the extension. Depending on the response from the provider, the load balancer proxy either forwards or rejects the request.
For information about the limits related to Application Load Balancer extensions, see the Quotas and limits page.
Before you begin
Create the required resources as described in Configure a callout backend service.
Configure an authorization extension
The following example shows how to configure an authorization extension,
my-authz-ext, with an authorization policy to delegate authorization
decisions for a regional internal Application Load Balancer in us-east1.
gcloud
- Configure the authorization extension.
  - Define the extension in a YAML file that associates it with the backend service, authz-service. Use the sample values provided.

    ```yaml
    cat >authz-extension.yaml <<EOF
    name: my-authz-ext
    authority: ext11.com
    loadBalancingScheme: INTERNAL_MANAGED
    service: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/backendServices/authz-service
    forwardHeaders:
    - Authorization
    failOpen: false
    timeout: "0.1s"
    EOF
    ```

  - Replace PROJECT_ID with the project ID.
- Import the authorization extension. Use the gcloud beta service-extensions authz-extensions import command with the following sample values.

    ```sh
    gcloud beta service-extensions authz-extensions import my-authz-ext \
      --source=authz-extension.yaml \
      --location=us-east1
    ```

- Configure an authorization policy with the extension.
  - Define an authorization policy that associates the extension, my-authz-ext, with the forwarding rule, fr1. Use the sample values provided. The CUSTOM action indicates that an extension is being used.

    ```yaml
    cat >authz-policy.yaml <<EOF
    name: my-authz-policy
    target:
      loadBalancingScheme: INTERNAL_MANAGED
      resources:
      - "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-east1/forwardingRules/fr1"
    action: CUSTOM
    customProvider:
      authzExtension:
        resources:
        - "projects/PROJECT_ID/locations/us-east1/authzExtensions/my-authz-ext"
    EOF
    ```

- Import the authorization policy to the project. Use the gcloud beta network-security authz-policies import command with the following sample values.

    ```sh
    gcloud beta network-security authz-policies import my-authz-policy \
      --source=authz-policy.yaml \
      --location=us-east1
    ```

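Before running the two import commands, it is worth checking the settings that decide whether a broken or slow authorization engine admits traffic. The following linter is an added example written for this page, not part of the Service Extensions docs or tooling: the dicts mirror authz-extension.yaml and authz-policy.yaml above (PROJECT_ID left as the placeholder), the check names are ours, and it assumes as a consistency check that the extension's location matches the forwarding rule's region and the policy target's load balancing scheme.

```python
import re

# Constructed inputs mirroring the page's two YAML files (PROJECT_ID stays a placeholder).
AUTHZ_EXTENSION = {
    "name": "my-authz-ext", "authority": "ext11.com", "loadBalancingScheme": "INTERNAL_MANAGED",
    "service": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/backendServices/authz-service",
    "forwardHeaders": ["Authorization"], "failOpen": False, "timeout": "0.1s",
}
AUTHZ_POLICY = {
    "name": "my-authz-policy",
    "target": {"loadBalancingScheme": "INTERNAL_MANAGED",
               "resources": ["https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-east1/forwardingRules/fr1"]},
    "action": "CUSTOM",
    "customProvider": {"authzExtension": {"resources": ["projects/PROJECT_ID/locations/us-east1/authzExtensions/my-authz-ext"]}},
}

def lint_extension(ext):
    """Findings for one authorization extension; an empty list means it looks safe to import."""
    findings = []
    if ext.get("failOpen", False):  # fail-closed: a failing or timed-out engine must reject, not admit
        findings.append("failOpen is true: extension errors or timeouts would admit requests")
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", str(ext.get("timeout", "")))
    if not m or float(m.group(1)) <= 0:
        findings.append('timeout must be a positive duration such as "0.1s"')
    if not ext.get("forwardHeaders"):
        findings.append("forwardHeaders is empty: the engine would see no credentials to decide on")
    return findings

def lint_policy(policy, extensions):
    """Findings for a CUSTOM authorization policy; `extensions` maps extension name -> definition."""
    if policy.get("action") != "CUSTOM":
        return []  # ALLOW/DENY policies do not delegate to an extension
    findings = []
    refs = policy.get("customProvider", {}).get("authzExtension", {}).get("resources", [])
    if len(refs) != 1:  # documented limit: one authorization extension per authorization policy
        findings.append(f"a CUSTOM policy needs exactly one authzExtension, found {len(refs)}")
    fr_regions = {re.search(r"/regions/([^/]+)/", r).group(1) for r in policy["target"]["resources"]}
    for ref in refs:
        loc, name = re.fullmatch(r"projects/[^/]+/locations/([^/]+)/authzExtensions/([^/]+)", ref).groups()
        ext = extensions.get(name)
        if ext is None:
            findings.append(f"extension {name} is referenced but not defined")
        elif ext["loadBalancingScheme"] != policy["target"]["loadBalancingScheme"]:
            findings.append(f"extension {name} scheme differs from the policy target's scheme")
        if loc not in fr_regions:  # assumption: a regional extension lives in the forwarding rule's region
            findings.append(f"extension location {loc} does not match the forwarding rule's region")
    return findings
```

Run on the constructed configs, both functions return an empty list; a second extension reference, a failOpen of true, or a zero timeout each produce a finding.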
Limitations for authorization extensions
The following are some limitations of authorization extensions:
- An authorization policy can have only one authorization extension.
- A forwarding rule can be used with several authorization policies of which only one can be a custom authorization policy.
For limitations that are applicable to all extensions, see Limitations for extensions.
What's next
- View Python and Go samples of ext_proc servers in the Service Extensions GitHub repository.
- Configure a route extension
- Configure a traffic extension
- Manage extensions