Cloud Load Balancing and Cloud CDN extensions overview
Service Extensions lets you use extensions to instructsupported Application Load Balancersto use plugins or send callouts from the load balancing data path to calloutbackend services or Google services. This page provides an overview aboutCloud Load Balancing extensions.
You can configure Application Load Balancers to use the following types ofextensions:
Edge extensions help you manipulate request headers to influence backendservice selection and the content that Cloud CDN serves from cache. Theseextensions are configured to run early in the request processing lifecycleto influence caching and routing decisions, respectively, at the edge.
Route extensions help you influence backend service selection. Theseextensions are configured to run early in the request processing lifecycle.
Authorization extensions help you send authorization requests to your customauthorization engine. You configure these at the end of the processing cyclejust before the load balancer sends requests to backends.
Traffic extensions help support additional custom security logic and trafficmanagement capabilities. You configure these after authorization extensionsbut before the load balancer sends requests to backends or receives responsesfrom them.
Supported Application Load Balancers for user-managed extensions
Service Extensions supports user-managed extensions for the followingApplication Load Balancers:
| Application Load Balancers | Extensions | |||||||
|---|---|---|---|---|---|---|---|---|
| Edge | Route | Authorization | Traffic | |||||
| Plugins | Plugins | Callouts | Callouts | Plugins | Callouts | |||
| Global external Application Load Balancer | ✓ | ✓ | ✓ | ✓ | ||||
| Regional external Application Load Balancer | ✓Preview | ✓ | ✓ | ✓Preview | ✓ | |||
| Regional internal Application Load Balancer | ✓Preview | ✓ | ✓ | ✓Preview | ✓ | |||
| Cross-region internal Application Load Balancer | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Extensibility points in the load balancing data path
Service Extensions supports extensions in differentstages of the load balancing data path.
Figure 1 shows how Service Extensions supports extensionsin the application security and traffic management stages for global external Application Load Balancers.
Figure 2 shows how Service Extensions supports extensionsin the routing, application security, and traffic management stages for thesetypes of load balancers: Regional external Application Load Balancer,Regional internal Application Load Balancer, and Cross-region internal Application Load Balancer.
How edge extensions work
Edge extensions run first on the request processing path and let you userequest headers to influence backend service selection and the content thatCloud CDN serves from cache.
Note: Load balancers call edge extensions only during request processing andonly for request headers.After a load balancer calls an edge extension, it does the following:
- Selects the backend service by evaluating the URL map
- AppliesGoogle Cloud Armor policiessecurity policies
- Does a cache lookup and serves from cache if there is a cache hit
- Applies Cloud Armor policies for the selected backend service
- Applies CORS policies
- Applies the stateful session affinity policy
- AppliesIdentity-Aware Proxy (IAP) policiesfor the selected backend service
- Calls authorization extensions, if any are configured in the processingpath of the selected backend service
- Performs fault injection
- Calls traffic extensions, if any
- Performs URL rewrites
- Performs header manipulation according to the URL map and adds customrequest header variables
- Performs redirects or routing to the selected backend service while applyingtimeouts and retry policies in the URL map and the load balancing settingsfor the backend service
- Performs request mirroring
How authorization extensions work
On the request path, authorization extensions are called after routeextensions are called and a backend for the request has been selected.These extensions cannot influence the backend service selection.
Authorization extensions can process only request headers and not request bodiesor any part of responses.
How route extensions work
Route extensions run first in the request processing path when the loadbalancer receives request headers and before it evaluates theURL map.
Note: Load balancers invoke route extensions only during request processing andonly for request headers.After a load balancer calls a route extension for a request, itdoes the following:
- Selects the backend service by evaluating the URL map
- Applies Cloud Armor policies for the selected backend service
- Applies IAP policies for the selected backend service
- Performs fault injection
- Performs request header transformations and resolves custom request headervariables
- Calls traffic extensions, if they exist in the processing path ofthe selected backend service
- Performs URL rewrites
- Performs redirects or routing to the selected backend service and appliestimeouts and retry policies in the URL map and other load balancing settingsfor the backend service
How traffic extensions work
Load balancers run traffic extensions last in the request processingpath and first in the response processing path.
These extensions let you modify the headers and payloads of both requestsand responses without impacting the choice of the backend service. You can alsouse traffic extensions for custom logging by specifying the information that youwant to log, the format, and the external provider.
Before a load balancer calls a traffic extension on the request pathfor a request, it does the following:
- Performs fault injection
- Selects a backend service for the request
- Applies Cloud Armor policies for the selected backend service
- Applies IAP policies for the selected backend service
- AppliesCloud CDN caching policies for the selectedbackend service in the case of global external Application Load Balancers
After a load balancer calls a traffic extension on the request pathfor a request, it does the following:
- Performs URL rewrites
- Performs header manipulation according to the URL map and adds customrequest header variables
- Performs redirects or routing to the selected backend service while applyingtimeouts and retry policies in the URL map and the load balancing settingsfor the backend service
- Performs request mirroring
After a load balancer calls a traffic extension on the response pathfor a request, it does the following:
- Performs response header transformations and resolves custom responseheader variables
- Performs logging by usingCloud Logging
- Performs Cloud CDN caching in the case of global external Application Load Balancers
Limitations for extensions
- A forwarding rule can have only one
LbEdgeExtensionresource, oneLbTrafficExtensionresource, and oneLbRouteExtensionresource. - For callouts, the callout backend service must be in the same projectas the forwarding rule.
- Cross-project referencing between extensions and forwarding rulesisn't supported.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.