DocumentationAPIChangelogTest your siteDashboard
Documentation

Google Cloud Load Balancer

Suggest Edits

This DataDome module is developed in Go and integrates with a compatible Application Load Balancer using Google Service Extension callout.

Compatibility

DataDome supports Google Load Balancer Service Extensions Traffic

Prerequisites

This article assumes that the user has already:

  1. A Google Cloud account: https://console.cloud.google.com/
  2. Created a project in GCP: https://console.cloud.google.com/projectcreate
  3. Created a Load Balancer: https://console.cloud.google.com/net-services/loadbalancing/add

Installation

There are three main steps and they outline the essential fields required to successfully activate DataDome integration:

  1. Cloud Run: Create a service to run the DataDome module.
  2. Load Balancer Backend Service: Create a Backend Service and a NEG (Network Endpoint Group) that allows the Service Extension to connect to the Cloud Run service (step 1).
  3. Service Extensions: Create a Service Extension and attach the Load Balancer to the Backend Service (step 2).

1 - Cloud Run

To call DataDome, it is mandatory to execute the module within the GCP project by creating a service on Cloud Run:

  • Go to the Cloud Run main page
  • Click on Deploy Container button and select Service
  • Click on Deploy one revision from an existing container image button
  • Add DataDome DockerHub image path to Container image URL field:
    • datadome/datadome-google-cloud-service-extensions-callout
    • Service name will be automatically filled
  • Select a Region on the dropdown list
  • Select Allow unauthenticated invocations button
  • Ingress control
    • Click on Internal button
      • Check Allow traffic from external Application Load Balancer

  • Expand Container(s), Volume, Networking Security

    • Container(s)
      • Container port
        • use the default 8080 value on the text field
      • Variable & Secrets
        • Click on Add variable button:
          • Name: DATADOME_SERVER_SIDE_KEY
          • Value: DataDome server side key, found on the dashboard
  • Go to Networking
    • Check Use HTTP/2 end-to-end
  • Click on Create button

2 - Load Balancer Backend Service

The Load Balancer Backend Service calls the Cloud Run service via gRPC to execute DataDome module.

To achieve this, create a Backend Service with a NEG (Network Endpoint Group) pointing to the CloudRun service created on step 1:

  • Go to Load Balancing page
  • Go to Backends tab and click on the Create BackendService button
  • Select the type of service based on the Load Balancer in place
  • Add a Name to the backend service text field
  • Select a Region on the dropdown list
  • Select Backend type : Serverless network endpoint group
  • Add a Backend
  • Select Create Serverless Network Endpoint Group
  • Add a Name to the network endpoint group
  • Select on the the Cloud Run service created on step 1
  • Click on Create button
  • Now, back to the backend service, click on Create button

3 - Service Extensions

To protect the Load Balancer, create and configure a Service Extension which will call the Backend Service (step 2) and DataDome integration hosted on Cloud Run (step 1):

  • Go to Service Extensions page
  • Click on Create extension button
  • Click on Continue button
  • Select the Load Balancer type
  • Select a Region on the dropdown list
  • Click on Continue button
  • Add a Service Extension name
  • Select the forwarding rule attached to the Load Balancer on the dropdown list
  • Add a matching condition to trigger the Service Extension
    • e.g.: request.host != "example.com"
  • Add an Extension name and Authority
  • Select the Backend service created on step 2
  • Select the timeout of the Service Extension
    • note: It should be higher than DataDome timeout
  • Select Request headers and Response headers on Events dropdown list
  • Check Enabled on Fail open
  • Click on Create Extension button

Settings

SettingDescriptionRequiredDefault Value
DATADOME_SERVER_SIDE_KEYDataDome server side key, found on the dashboardyes-
DATADOME_ENDPOINTHost of the API Server
Available endpoints		noapi.datadome.co
DATADOME_TIMEOUTTimeout for regular API callsno150 (in milliseconds)
DATADOME_URL_PATTERN_INCLUSIONRegular expression to include URLsno-
DATADOME_URL_PATTERN_EXCLUSIONRegular expression to exclude URLsnoList of excluded static assets below
"\\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js|map|json)$"

Logging

The execution of this integration on Cloud Run automatically sends logs to Google Cloud Logging.

  • To manage the logs, go to Google Cloud Logging
    • Logs are stored in the _Default bucket
    • Log retention can be configured to control storage costs
      • The default retention is 30 days
      • To change it, click on the button on the right and select Edit Bucket
        • Choose the Retention period (in days)
  • Alerts can be set up to monitor bucket size and notify you of potential cost increases
    • Click on Create Policy
    • Select Global -> Logs-Based metrics
    • Select the desired metric

Updated 29 days ago