Google Cloud Load Balancer

This DataDome module is developed in Go and integrates with a compatible Application Load Balancer using a Google Service Extensions callout.

Compatibility

DataDome supports Google Load Balancer Service Extensions Traffic


Prerequisites

This article assumes that the user already has:

  1. A Google Cloud account: https://console.cloud.google.com/
  2. A project created in GCP: https://console.cloud.google.com/projectcreate
  3. A Load Balancer: https://console.cloud.google.com/net-services/loadbalancing/add

Installation

Installation has three main steps, which outline the essential fields required to activate the DataDome integration:

  1. Cloud Run: Create a service to run the DataDome module.
  2. Load Balancer Backend Service: Create a Backend Service and a NEG (Network Endpoint Group) that allows the Service Extension to connect to the Cloud Run service (step 1).
  3. Service Extensions: Create a Service Extension and attach the Load Balancer to the Backend Service (step 2).

1 - Cloud Run

To call DataDome, the module must run within the GCP project as a service on Cloud Run:

  • Go to the Cloud Run main page
  • Click on Deploy Container button and select Service
  • Click on Deploy one revision from an existing container image button
  • Add DataDome DockerHub image path to Container image URL field:
    • datadome/datadome-google-cloud-service-extensions-callout
    • Service name will be automatically filled
  • Select a Region on the dropdown list
  • Select Allow unauthenticated invocations button
  • Ingress control
    • Click on Internal button
      • Check Allow traffic from external Application Load Balancer
  • Expand Container(s), Volumes, Networking, Security
    • Container(s)
      • Container port
        • use the default 8080 value on the text field
      • Variable & Secrets
        • Click on Add variable button:
          • Name: DATADOME_SERVER_SIDE_KEY
          • Value: DataDome server side key, found on the dashboard
  • Go to Networking
    • Check Use HTTP/2 end-to-end
  • Click on Create button

2 - Load Balancer Backend Service

The Load Balancer Backend Service calls the Cloud Run service via gRPC to execute the DataDome module.

To achieve this, create a Backend Service with a NEG (Network Endpoint Group) pointing to the Cloud Run service created in step 1:

  • Go to Load Balancing page
  • Go to Backends tab and click on the Create BackendService button
  • Select the type of service based on the Load Balancer in place
  • Add a Name to the backend service text field
  • Select a Region on the dropdown list
  • Select Backend type: Serverless network endpoint group
  • Add a Backend
  • Select Create Serverless Network Endpoint Group
  • Add a Name to the network endpoint group
  • Select the Cloud Run service created in step 1
  • Click on Create button
  • Now, back to the backend service, click on Create button

3 - Service Extensions

To protect the Load Balancer, create and configure a Service Extension which will call the Backend Service (step 2) and DataDome integration hosted on Cloud Run (step 1):

  • Go to Service Extensions page
  • Click on Create extension button
  • Click on Continue button
  • Select the Load Balancer type
  • Select a Region on the dropdown list
  • Click on Continue button
  • Add a Service Extension name
  • Select the forwarding rule attached to the Load Balancer on the dropdown list
  • Add a matching condition to trigger the Service Extension
    • e.g.: request.host != "example.com"
  • Add an Extension name and Authority
  • Select the Backend service created in step 2
  • Select the timeout of the Service Extension
    • Note: it should be higher than the DataDome timeout
  • Select Request headers and Response headers on Events dropdown list
  • Check Enabled on Fail open
  • Click on Create Extension button

Settings

| Setting | Description | Required | Default Value |
|---|---|---|---|
| DATADOME_SERVER_SIDE_KEY | DataDome server side key, found on the dashboard | yes | - |
| DATADOME_ENDPOINT | Host of the API Server (Available endpoints) | no | api.datadome.co |
| DATADOME_TIMEOUT | Timeout for regular API calls | no | 150 (in milliseconds) |
| DATADOME_URL_PATTERN_INCLUSION | Regular expression to include URLs | no | - |
| DATADOME_URL_PATTERN_EXCLUSION | Regular expression to exclude URLs | no | List of excluded static assets below |

"\\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js|map|json)$"
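
An added example, not code from the DataDome module or its documentation: a Go sketch for auditing which URLs a given DATADOME_URL_PATTERN_INCLUSION / DATADOME_URL_PATTERN_EXCLUSION pair would leave uninspected before the patterns are deployed. `Filter`, `Inspected` and `Uninspected` are hypothetical names, and matching against the URL path only, with exclusion taking precedence over inclusion, is an assumption about the module's behaviour.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Default DATADOME_URL_PATTERN_EXCLUSION from the Settings table. The page shows it
// as a quoted string ("\\."); inside a Go raw string the same regex is written `\.`.
const defaultExclusion = `\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js|map|json)$`

// Filter is a hypothetical helper (not the module's API); a nil pattern means "not set".
type Filter struct{ Include, Exclude *regexp.Regexp }

// Inspected reports whether a request URL would be sent for validation.
// Assumptions: patterns see the URL path only, and exclusion wins over inclusion.
func (f Filter) Inspected(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	if f.Exclude != nil && f.Exclude.MatchString(u.Path) {
		return false, nil
	}
	return f.Include == nil || f.Include.MatchString(u.Path), nil
}

// Uninspected returns the URLs from an inventory that the filter would skip.
func (f Filter) Uninspected(urls []string) ([]string, error) {
	var skipped []string
	for _, raw := range urls {
		ok, err := f.Inspected(raw)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", raw, err)
		}
		if !ok {
			skipped = append(skipped, raw)
		}
	}
	return skipped, nil
}

func main() {
	urls := []string{"https://example.com/login", "https://example.com/static/app.js",
		"https://example.com/IMG/LOGO.PNG", "https://example.com/api/v1/report.json"} // constructed sample inventory
	fmt.Println(Filter{Exclude: regexp.MustCompile(defaultExclusion)}.Uninspected(urls))
}
```

The pattern is case-sensitive and anchored on the extension, so review the returned list for application routes (for example ones ending in `.json`) that should stay inspected.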

FAQ