Google Cloud Load Balancer
This DataDome module is developed in Go and integrates with a compatible Application Load Balancer using Google Service Extension callout.
Compatibility
DataDome supports Google Load Balancer Service Extensions Traffic
Prerequisites
This article assumes that the user has already:
- A Google Cloud account: https://console.cloud.google.com/
- Created a project in GCP: https://console.cloud.google.com/projectcreate
- Created a Load Balancer: https://console.cloud.google.com/net-services/loadbalancing/add
Installation
There are three main steps and they outline the essential fields required to successfully activate DataDome integration:
- Cloud Run: Create a service to run the DataDome module.
- Load Balancer Backend Service: Create a Backend Service and a NEG (Network Endpoint Group) that allows the Service Extension to connect to the Cloud Run service (step 1).
- Service Extensions: Create a Service Extension and attach the Load Balancer to the Backend Service (step 2).
1 - Cloud Run
To call DataDome, it is mandatory to execute the module within the GCP project by creating a service on Cloud Run:
- Go to the Cloud Run main page
- Click on Deploy Container button and select Service
- Click on Deploy one revision from an existing container image button
- Add DataDome DockerHub image path to Container image URL field:
datadome/datadome-google-cloud-service-extensions-callout
- Service name will be automatically filled
- Select a Region on the dropdown list
- Select Allow unauthenticated invocations button
- Ingress control
- Click on Internal button
- Check Allow traffic from external Application Load Balancer
- Click on Internal button
-
Expand Container(s), Volume, Networking Security
- Container(s)
- Container port
- use the default
8080
value on the text field
- use the default
- Variable & Secrets
- Click on Add variable button:
- Name:
DATADOME_SERVER_SIDE_KEY
- Value: DataDome server side key, found on the dashboard
- Name:
- Click on Add variable button:
- Container port
- Container(s)
- Go to Networking
- Check Use HTTP/2 end-to-end
- Click on Create button
2 - Load Balancer Backend Service
The Load Balancer Backend Service calls the Cloud Run service via gRPC to execute DataDome module.
To achieve this, create a Backend Service with a NEG (Network Endpoint Group) pointing to the CloudRun service created on step 1:
- Go to Load Balancing page
- Go to Backends tab and click on the Create BackendService button
- Select the type of service based on the Load Balancer in place
- Add a Name to the backend service text field
- Select a Region on the dropdown list
- Select Backend type : Serverless network endpoint group
- Add a Backend
- Select Create Serverless Network Endpoint Group
- Add a Name to the network endpoint group
- Select on the the Cloud Run service created on step 1
- Click on Create button
- Now, back to the backend service, click on Create button
3 - Service Extensions
To protect the Load Balancer, create and configure a Service Extension which will call the Backend Service (step 2) and DataDome integration hosted on Cloud Run (step 1):
- Go to Service Extensions page
- Click on Create extension button
- Click on Continue button
- Select the Load Balancer type
- Select a Region on the dropdown list
- Click on Continue button
- Add a Service Extension name
- Select the forwarding rule attached to the Load Balancer on the dropdown list
- Add a matching condition to trigger the Service Extension
- e.g.:
request.host != "example.com"
- e.g.:
- Add an Extension name and Authority
- Select the Backend service created on step 2
- Select the timeout of the Service Extension
- note: It should be higher than DataDome timeout
- Select Request headers and Response headers on Events dropdown list
- Check Enabled on Fail open
- Click on Create Extension button
Settings
Setting | Description | Required | Default Value |
---|---|---|---|
DATADOME_SERVER_SIDE_KEY | DataDome server side key, found on the dashboard | yes | - |
DATADOME_ENDPOINT | Host of the API Server Available endpoints | no | api.datadome.co |
DATADOME_TIMEOUT | Timeout for regular API calls | no | 150 (in milliseconds) |
DATADOME_URL_PATTERN_INCLUSION | Regular expression to include URLs | no | - |
DATADOME_URL_PATTERN_EXCLUSION | Regular expression to exclude URLs | no | List of excluded static assets below |
"\\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js|map|json)$"
FAQ
Updated about 1 month ago