Service Extensions lets users of Google Cloud products, such as Cloud Load Balancing and Media CDN, insert custom code directly into the data path. This helps you customize the behavior of these products to meet your business needs. This page provides a high-level overview of Service Extensions.
Types of extensions
The data path in networking products, such as Cloud Load Balancing and Media CDN, can be visualized as a pipeline of data processing stages. Service Extensions lets you insert custom logic into one or more of these stages.
Service Extensions offers two ways to insert custom logic: plugins and callouts.
Plugins
Plugins let you insert custom code inline in the networking data path. You build these plugins by using WebAssembly (Wasm) and the Proxy-Wasm ABI.
Plugins run as Wasm modules on Google-managed compute, in a sandbox infrastructure similar to a serverless infrastructure. They have restricted capabilities and strict runtime requirements. They run close to the data plane, and latency optimization is managed for you.
For more information about plugins, see Plugins overview.
Callouts
Callouts let you use Cloud Load Balancing to make gRPC calls to Google services and user-managed services during data processing.
You write callouts against Envoy's external processing gRPC API (ext_proc).
Callouts run as general-purpose gRPC servers on user-managed compute VMs and Google Kubernetes Engine Pods on Google Cloud, multicloud, or on-premises environments.
Callouts have no runtime restrictions and can reuse existing software, as required. With callouts, you can get the benefits of fully managed services that are also customizable to meet the unique needs of specific workloads. You only need to confirm the scalability and availability of your callout service.
For more information about callouts, see Callouts overview.
Cloud Load Balancing extensions
Service Extensions for Cloud Load Balancing empowers users to add rich customization to the load balancing request and response processing paths for supported Application Load Balancers.
For more information, see Cloud Load Balancing extensions overview.
Plugins
Service Extensions helps you use prepublished plugins for your custom needs by adding them in the Cloud Load Balancing processing path. Figure 1 shows this flow.
Use plugins with Cloud Load Balancing in the following sample scenarios:
- Exception handling
  - Redirect clients to a custom error page for certain response classes.
- Custom logging
  - Log user-defined headers or custom data into Cloud Logging.
- Header addition
  - Create new headers relevant for your applications or specific customers.
  - Insert new headers for request and response.
- Header manipulation
  - Rewrite existing request and response headers or override client headers on their way to the backend or while responding to a client.
- Security
  - Write custom security policies based on client request or response headers and make enforcement decisions within your plugin.
- Script injection
  - Rewrite HTML from the origin for Google reCAPTCHA integration or Google Analytics tagging.
- Influencing Cloud CDN
  - Manipulate HTTP request characteristics to influence custom caching dynamics and determine which content gets served from the Cloud CDN cache.
- Routing
  - Rewrite HTTP requests to influence backend service selection, allowing for more advanced routing decisions at the edge.
Callouts to user-managed services
Service Extensions lets supported Application Load Balancers send a callout from the data processing path to backend services managed by the user. Figure 2 shows this flow.
Use callouts with Cloud Load Balancing for the following:
- When you need an arbitrary amount of compute or storage
- When you want to maintain state
- When you want to use external services, such as BigQuery or third-party applications hosted anywhere
Callouts are highly flexible and support a variety of customizations. Some examples of everyday use cases follow:
- Custom routing and traffic management
  - Perform HTTP or URL redirects.
  - Modify request attributes, such as headers or URLs, based on application-specific logic to force the URL map to choose a different backend service than originally targeted by the request.
  - Add, remove, or modify headers or rewrite URLs based on complex application-specific logic before forwarding traffic to the backend service.
  - Implement custom session affinity or stickiness based on the specific attributes of a request.
- Security and logging
  - Log custom information from payloads or custom headers to Logging or a custom-made logging solution.
  - Use security tools or services, including custom user authentication and authorization support.
  - Validate arbitrary headers and query parameters such as device IDs.
  - Log requests and responses to third-party logging solutions.
  - Implement custom user authentication and authorization.
- Partner integration
  - Integrate security products, such as API Gateway security, bot management, or Web Application Firewall (WAF).
- Authorization (Preview)
  - Enrich the authorization decision-making process or further constrain the authorization decisions from Google-provided built-in authorization engines.
  - Mix authorization decisions from multiple authorization systems.
For more information, see Cloud Load Balancing extensions overview.
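The header-validation use case above, as an added example that is not Google's code and not part of the original page: the policy decision a callout could return for a request-headers message, with a device ID checked before the request reaches the backend. The header names, the device-ID format and the `Decision` type are assumptions; `Decision` is a simplified stand-in for the ext_proc response messages.

```python
import re
from dataclasses import dataclass, field

# Assumed names and formats for this example (not defined by Service Extensions).
DEVICE_HEADER = "x-device-id"               # header the client is expected to send
TRUSTED_HEADER = "x-verified-device"        # header only the callout may set
DEVICE_ID_RE = re.compile(r"[0-9a-f]{32}")  # assumed device-ID format


@dataclass
class Decision:
    """Simplified stand-in for an ext_proc reply to a request-headers message."""
    allow: bool
    status: int = 200                                # meaningful only when allow is False
    set_headers: dict = field(default_factory=dict)  # overwrite-or-add on the way to the backend


def evaluate_request_headers(headers):
    """headers: list of (name, value) pairs as received, duplicates preserved."""
    # Header names are case-insensitive, so normalise before comparing.
    norm = [(name.lower(), value.strip()) for name, value in headers]
    device_ids = [value.lower() for name, value in norm if name == DEVICE_HEADER]

    if len(device_ids) != 1:
        # Missing or repeated header: later hops could each pick a different copy.
        return Decision(allow=False, status=400)
    if not DEVICE_ID_RE.fullmatch(device_ids[0]):
        # Also rejects duplicates folded into one value ("id1, id2").
        return Decision(allow=False, status=403)

    # Overwriting TRUSTED_HEADER replaces any client-supplied copy, so the
    # backend only ever sees the value written by this callout.
    return Decision(allow=True, set_headers={TRUSTED_HEADER: device_ids[0]})


if __name__ == "__main__":
    # Constructed sample request: valid ID plus a spoofed trusted header.
    sample = [("X-Device-ID", "0123456789ABCDEF0123456789ABCDEF"),
              ("X-Verified-Device", "spoofed")]
    print(evaluate_request_headers(sample))
```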
Callouts to Google services
Service Extensions lets supported Application Load Balancers send a callout from the data processing path to selected Google services. Figure 3 shows this flow.
You can configure an extension to call Model Armor to uniformly enforce security policies on inference traffic on application load balancers, including GKE Inference Gateway.
For more information, see Integration with Google services.
GKE extensions
The Google Kubernetes Engine (GKE) Gateway supports using extensions to add custom code into the load balancing processing path. You can use these extensions to customize routing, modify request or response payloads, and integrate with external services.
For more information, see Customize GKE Gateway traffic routing using Service Extensions.
Media CDN extensions
Media CDN provides many built-in core capabilities to address the most common use cases for content delivery networks (CDNs). Service Extensions helps you address several requirements that are beyond these capabilities.
For more information, see Media CDN extensions overview.
Plugins for Media CDN
Service Extensions helps you use prepublished plugins for your custom needs by adding them in the Media CDN processing path. Figure 4 shows this flow.
Some key use cases where you can use plugins with Media CDN follow:
- Customization
  - Rewrite request URLs.
  - Normalize header values to improve cache performance.
- Security and logging
  - During live events, block users with pirated tokens.
  - Support custom user authentication and authorization.
  - Translate and implement custom URL signing.
  - Customize cache keys, application-specific headers, or device types.
  - Log custom variables to Cloud Logging.
- Targeting and monetization
  - Improve conversions through A/B testing.
  - Implement custom ad targeting.
  - Offer trial usage models at no extra charge.
- Partner integration
  - Implement video watermarking.
  - Optimize videos and images.