--- title: Google Cloud Service Extensions summary: null url: >- https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/google-cloud-service-extensions --- The Next-Gen WAF agent integrates with Google Cloud Service Extensions as a user-managed callout backend service, enabling real-time traffic inspection and security enforcement within Google Cloud Load Balancer's request processing pipeline. ## Prerequisites - [Copy the agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys) for your workspace. You will need them when configuring the deployment. - Google Cloud project with Service Extensions API, Compute Engine API and Network [Services API enabled](https://docs.cloud.google.com/load-balancing/docs/l7-internal/setting-up-l7-internal#permissions) - Appropriate IAM permissions for creating Service Extensions and backend services - HTTP/2 and gRPC support in your deployment infrastructure ## How the Fastly WAF Service Extensions integration works The Google Cloud Load Balancer invokes the Service Extension, which communicates with the Next-Gen WAF agent via gRPC using Envoy's external processing protocol throughout the request lifecycle. Review a sample deployment [scenario](https://docs.cloud.google.com/service-extensions/docs/callouts-overview#sample_deployment_scenario). | Processing stage | Description | | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `REQUEST_HEADERS` | Load balancer sends HTTP/HTTPS request headers to the Next-Gen WAF agent for inspection. The agent analyzes headers against active [rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules) and [threshold configurations](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations). | | `REQUEST_BODY` | Load balancer streams request body chunks to the Next-Gen WAF agent. The agent inspects payload data and can block malicious requests or [tag](https://www.fastly.com/documentation/guides/next-gen-waf/signals/about-signals) suspicious content. | | `RESPONSE_HEADERS` | Load balancer sends response headers to the Next-Gen WAF agent for further analysis. | ## Configure the Next-Gen WAF agent callout backend service This section describes how to configure a user-managed callout backend service. ### Prepare your load balancer and test client 1. Create and configure an [Application Load Balancer that supports extensions](https://docs.cloud.google.com/service-extensions/docs/lb-extensions-overview#supported-lbs). For this example, [set up a regional internal Application Load Balancer with VM instance group backends](https://docs.cloud.google.com/load-balancing/docs/l7-internal/setting-up-l7-internal). Use the sample values mentioned. 2. [Create a client VM for testing](https://docs.cloud.google.com/load-balancing/docs/l7-internal/setting-up-l7-internal#test_client). ### Create and set up the callout backend service 1. Create a virtual machine (VM) instance for the callout backend service that's running the Next-Gen WAF agent. ```term copy nolinenums REGION=us-west2 ZONE=us-west2-a gcloud compute instances create callouts-vm \ --zone=$ZONE \ --network=lb-network \ --subnet=backend-subnet \ --machine-type=e2-medium \ --image-family=cos-stable \ --image-project=cos-cloud \ --tags=allow-ssh,load-balanced-backend \ --metadata-from-file=startup-script=startup-script-tls.sh ``` 2. Create a startup script named `startup-script-tls.sh`. The following example shows the general structure of the script. Replace the placeholder values with your own configuration. > **IMPORTANT:** Ensure that the gRPC server is configured to use TLS. Without TLS, connections to the extension server fail. ```term copy nolinenums cat >startup-script-tls.sh < \ -e SIGSCI_SECRETACCESSKEY= \ -e SIGSCI_SERVER_FLAVOR=GCP \ -e SIGSCI_ENVOY_GRPC_ADDRESS=0.0.0.0:443 \ -e SIGSCI_ENVOY_EXTPROC_ENABLED=true \ -e SIGSCI_ENVOY_GRPC_CERT=/etc/ssl/certs/sigsci/cert.pem \ -e SIGSCI_ENVOY_GRPC_KEY=/etc/ssl/certs/sigsci/key.pem \ signalsciences/sigsci-agent:latest # Log startup completion echo "Signal Sciences agent with TLS started at $(date)" >> /var/log/startup.log EOF ``` 3. Add the VM to an unmanaged instance group, create a callout backend service, and add a backend, as demonstrated in the sample script below. For detailed explanations of each command, refer to [Google Cloud's documentation](https://docs.cloud.google.com/service-extensions/docs/configure-callout-backend-service). ```term copy nolinenums REGION=us-west2 ZONE=us-west2-a gcloud compute instances create callouts-vm \ --zone=$ZONE \ --network=lb-network \ --subnet=backend-subnet \ --machine-type=e2-medium \ --image-family=cos-stable \ --image-project=cos-cloud \ --tags=allow-ssh,load-balanced-backend \ --metadata-from-file=startup-script=startup-script-tls.sh ##### Add the VM to an unmanaged instance group # add the VM to an unmanaged instance group gcloud compute instance-groups unmanaged create callouts-ig \ --zone=$ZONE # set port for instance group gcloud compute instance-groups unmanaged set-named-ports callouts-ig \ --named-ports=http:80,grpc:443 \ --zone=$ZONE # add the new VM to the unmanaged instance group gcloud compute instance-groups unmanaged add-instances callouts-ig \ --zone=$ZONE \ --instances=callouts-vm ####### create a callout backend service and add a backend # Create a basic HTTP health check for the instance # health check protocol of agent needs to be: Protocol gRPC with TLS gcloud compute health-checks create grpc-with-tls callouts-hc \ --region=$REGION \ --port=443 # Create a callout backend service that uses the HTTP/2 protocol gcloud compute backend-services create l7-ilb-callout-service \ --load-balancing-scheme=INTERNAL_MANAGED \ --protocol=HTTP2 \ --port-name=grpc \ --health-checks=callouts-hc \ --health-checks-region=$REGION \ --region=$REGION # Add the instance group with the extension server as a backend to the backend service. The instance group runs the ext_proc service. gcloud compute backend-services add-backend l7-ilb-callout-service \ --balancing-mode=UTILIZATION \ --instance-group=callouts-ig \ --instance-group-zone=$ZONE \ --region=$REGION ``` ### Create a Service Extension configuration file 1. Create a traffic extension configuration file named `traffic.yaml`. The following example shows the general structure of the script. Modify the configuration based on the [extension type](https://docs.cloud.google.com/service-extensions/docs/configure-callout-backend-service#whats_next) you're using. ```yaml copy name: traffic-ext forwardingRules: - https://www.googleapis.com/compute/v1/projects//regions/us-west2/forwardingRules/l7-ilb-forwarding-rule loadBalancingScheme: INTERNAL_MANAGED extensionChains: - name: "chain1" matchCondition: celExpression: 'request.path.startsWith("/")' extensions: - name: 'ext11' authority: ext11.com service: https://www.googleapis.com/compute/v1/projects//regions/us-west2/backendServices/l7-ilb-callout-service failOpen: true timeout: 0.1s metadata: "key": "value" "fr": "forwarding_rule_id" supportedEvents: - REQUEST_HEADERS - REQUEST_BODY - RESPONSE_HEADERS ``` 2. Import the traffic extension. ```term copy nolinenums gcloud service-extensions lb-traffic-extensions import traffic-ext \ --source=traffic.yaml \ --location=$REGION ``` 3. Verify the Service Extension is active. ```term copy nolinenums gcloud service-extensions lb-route-extensions describe traffic-ext \ --location=$REGION ``` The Service Extension should automatically apply to requests matching the `celExpression: 'request.path.startsWith("/")'` forwarding rule specified in the configuration. ## Monitor and troubleshoot ### Enable Debugging and Check Next-Gen WAF agent logs 1. Add the following environment variable to the callout backend service. ```term copy nolinenums -e SIGSCI_DEBUG_LOG_VERBOSITY=3 \ ``` 2. Add the environment variable to `startup-script-tls.sh`. 3. Delete the existing VM. ```term copy nolinenums gcloud compute instances delete callouts-vm --zone=$ZONE ``` 4. Recreate the [VM](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/google-cloud-service-extensions/#create-and-setup-the-callout-backend-service). 5. Add the VM back to the unmanaged instance group. ```term copy nolinenums gcloud compute instance-groups unmanaged add-instances callouts-ig --zone=$ZONE --instances=callouts-vm ``` 6. SSH into the VM. ```term copy nolinenums gcloud compute ssh callouts-vm --zone=$ZONE ``` 7. View docker logs. ```term copy nolinenums docker logs sigsci-agent -f ``` ### Common troubleshooting steps - **Verify Next-Gen WAF agent health status:** Ensure the `callouts-vm` instance is healthy and reachable by the load balancers health checks. ```term copy nolinenums gcloud compute backend-services get-health l7-ilb-callout-service --region=$REGION ``` - **Verify health check protocol:** The Next-Gen WAF agent uses `GRPC_WITH_TLS`. ## Related content - [PaaS overview](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro) - [Getting started with the agent](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/getting-started-with-the-agent)