The Apigee Extension Processor lets Apigee
customers add API management capabilities to Google Cloud products and services, or external services, exposed using Cloud Load Balancing.
Apigee customers using the Extension Processor can select from a range of Apigee policies that
apply API management capabilities to any products or services exposed using a Google Cloud load balancer.
With the Extension Processor, you can:
Secure access to Google Cloud workloads.
Choose from a wide range of Apigee policies to apply to your load balancer traffic, including VerifyApiKey,
OAuthV2,
and VerifyJWS.
Apply quota enforcement to network traffic.
This capability lets API providers enforce limits on the number of API calls made to backend services over a
specified time period. For example, you can use the Quota policy to limit calls to 1 request per minute, or to 10,000 requests per month.
Manage Google token injection for authenticating requests.
Using the Extension Processor and the AssignMessage policy,
you can inject a Google access token or Google ID token
into client request headers to manage access to GOogle-authenticated backend services and products.
In addition to supporting the use cases described earlier, the Extension Processor provides all the benefits of built-in Apigee features, such as:
Security: Advanced API Security continually monitors and analyzes your API traffic to identify suspicious API requests and provides tools to block or flag those requests.
Monetization: Generate revenue whenever your APIs are used by adding rate plans to customized API products you create within Apigee.
Traceability: Apigee's distributed tracing system lets you track requests in distributed systems
across multiple applications, services, and databases, and proxies.
Business intelligence: Apigee API Analytics collects the wealth of information flowing through your load balancer, providing
data visualization in the UI or the ability to download data for offline analysis.
How Apigee Extension Processor works
The Apigee Extension Processor is a traffic extension (a type of service extension) that lets you use Cloud Load Balancing
to send callouts to Apigee from the data processing path of the application load balancer. Once the application load balancer
and service extension are configured, traffic flowing through the application load balancer will trigger calls to
Apigee proxies using the service extension, as shown in the following figure:
Figure 1: Infrastructure and dataflow for the Apigee Extension Processor.
The diagram outlines the required components of the Apigee Extension Processor configuration:
An Application Load Balancer with a backend service configured with a Network Endpoint Group (NEG) covering all application backends.
An Apigee instance with a dedicated environment for the Extension Processor and the property apigee-service-extension-enabled set to true.
A traffic extension (a type of service extension) configured to use a Private Service Connect (PSC) endpoint to connect to the Apigee runtime plane.
A no-target Apigee API proxy running in a special environment. The proxy is used to apply API management capabilities to the load balancer traffic.
As shown in the flow diagram:
1: The client sends a request to the Application Load Balancer.
2: The Application Load Balancer reviews the traffic and calls out to the Service Extension.
3: The Service Extension implementation in the Apigee message processor applies any
relevant API management policies and returns the request, with any modifications, to the Application Load Balancer.
4: The Application Load Balancer completes processing and forwards the request to the backend service. Similar processing
occurs for the response path from the backend service to the Application Load Balancer and to the client.
The Apigee Extension Processor has the following known limitations:
The Extension Processor is applied at the load balancer level. All traffic passing through the
load balancer is processed by the same proxy, with no base path or URL distinction.
Traffic through the Extension Processor is subject to the same quotas as the Cloud Load Balancing.
Relevant limits and quotas include the following:
Maximum number of traffic extensions per load balancer: 1
Additional limits apply to environments, environment groups, and API proxies when using the
Extension Processor:
A maximum of one environment can be attached to the environment group used
to configure the Extension Processor.
The environment used when configuring the Extension Processor can have a maximum of 50 API proxies
deployed.
The API proxies deployed in the dedicated environment for the Extension Processor must all be of the
same proxy type. The API proxies must be either all standard API proxies or all extensible API proxies.
Standard and extensible API proxies can't be mixed in the Extension Processor environment.
In addition to costs associated with your Apigee Subscription or Pay-as-you-go pricing plans,
the following networking costs may apply when using Apigee Extension Processor:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["# Apigee Extension Processor overview\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nThe Apigee Extension Processor lets Apigee customers add API management capabilities to Google Cloud products and services, or external services, exposed using Cloud Load Balancing.\n\n\u003cbr /\u003e\n\nTo get started using the Apigee Extension Processor, see the [Apigee Extension Processor quickstart](/apigee/docs/api-platform/service-extensions/extension-processor-quickstart).\n\nUse cases for the Apigee Extension Processor\n--------------------------------------------\n\nApigee customers using the Extension Processor can select from a range of Apigee policies that\napply API management capabilities to any products or services exposed using a Google Cloud load balancer.\n\nWith the Extension Processor, you can:\n\n- **Secure access to Google Cloud workloads.**\n\n Choose from a wide range of Apigee policies to apply to your load balancer traffic, including [VerifyApiKey](/apigee/docs/api-platform/reference/policies/verify-api-key-policy),\n [OAuthV2](/apigee/docs/api-platform/reference/policies/oauthv2-policy),\n and [VerifyJWS](/apigee/docs/api-platform/reference/policies/verify-jws-policy).\n- **Apply quota enforcement to network traffic.**\n\n This capability lets API providers enforce limits on the number of API calls made to backend services over a\n specified time period. For example, you can use the [Quota](/apigee/docs/api-platform/reference/policies/quota-policy) policy to limit calls to 1 request per minute, or to 10,000 requests per month.\n- **Manage Google token injection for authenticating requests.**\n\n Using the Extension Processor and the [AssignMessage](/apigee/docs/api-platform/reference/policies/assign-message-policy) policy,\n you can inject a [Google access token](/docs/authentication/token-types#access) or [Google ID token](/docs/authentication/token-types#id)\n into client request headers to manage access to GOogle-authenticated backend services and products.\n- **Support native protocols.**\n\n The Extension Processor unlocks support for native protocols such as [gRPC bi-directional streaming](https://grpc.io/docs/what-is-grpc/core-concepts/#service-definition),\n [server-sent events (SSE)](/apigee/docs/api-platform/develop/server-sent-events), and [HTTP/3](/load-balancing/docs/https#QUIC).\n\nBenefits\n--------\n\nIn addition to supporting the use cases described earlier, the Extension Processor provides all the benefits of built-in Apigee features, such as:\n\n- **Security**: Advanced API Security continually monitors and analyzes your API traffic to identify suspicious API requests and provides tools to block or flag those requests.\n- **Monetization**: Generate revenue whenever your APIs are used by adding rate plans to customized API products you create within Apigee.\n- **Traceability**: Apigee's distributed tracing system lets you track requests in distributed systems across multiple applications, services, and databases, and proxies.\n- **Business intelligence**: Apigee API Analytics collects the wealth of information flowing through your load balancer, providing data visualization in the UI or the ability to download data for offline analysis.\n\nHow Apigee Extension Processor works\n------------------------------------\n\nThe Apigee Extension Processor is a traffic extension (a type of [service extension](/service-extensions/docs/lb-extensions-overview)) that lets you use Cloud Load Balancing\nto send callouts to Apigee from the data processing path of the application load balancer. Once the application load balancer\nand service extension are configured, traffic flowing through the application load balancer will trigger calls to\nApigee proxies using the service extension, as shown in the following figure:\n\n**Figure 1**: Infrastructure and dataflow for the Apigee Extension Processor.\n\nThe diagram outlines the required components of the Apigee Extension Processor configuration:\n\n- An Application Load Balancer with a backend service configured with a Network Endpoint Group (NEG) covering all application backends.\n- An Apigee instance with a dedicated environment for the Extension Processor and the property `apigee-service-extension-enabled` set to `true`.\n- A [traffic extension](/service-extensions/docs/configure-traffic-extensions) (a type of service extension) configured to use a Private Service Connect (PSC) endpoint to connect to the Apigee runtime plane.\n- A [no-target Apigee API proxy](/apigee/docs/api-platform/fundamentals/build-simple-api-proxy) running in a special environment. The proxy is used to apply API management capabilities to the load balancer traffic.\n\n\u003cbr /\u003e\n\nAs shown in the flow diagram:\n\n- **1**: The client sends a request to the Application Load Balancer.\n- **2**: The Application Load Balancer reviews the traffic and calls out to the Service Extension.\n- **3**: The Service Extension implementation in the Apigee message processor applies any relevant API management policies and returns the request, with any modifications, to the Application Load Balancer.\n- **4**: The Application Load Balancer completes processing and forwards the request to the backend service. Similar processing occurs for the response path from the backend service to the Application Load Balancer and to the client.\n\nFor more information, see [Cloud Load Balancing extensions](/service-extensions/docs/overview#integration-lb-callouts).\n\nLimitations\n-----------\n\nThe Apigee Extension Processor has the following known limitations:\n\n- The Extension Processor is applied at the load balancer level. All traffic passing through the load balancer is processed by the same proxy, with no base path or URL distinction.\n- Traffic through the Extension Processor is subject to the same quotas as the Cloud Load Balancing. Relevant limits and quotas include the following:\n\n - Maximum number of traffic extensions per load balancer: 1\n - Maximum traffic extensions per project: 100\n - Maximum extension chains per project: 5\n - Maximum extensions per resource: 3\n\n For more information, see [Quotas and limits](/load-balancing/docs/quotas).\n- Additional limits apply to environments, environment groups, and API proxies when using the Extension Processor:\n - A maximum of **one** environment can be attached to the environment group used to configure the Extension Processor.\n - The environment used when configuring the Extension Processor can have a maximum of **50** API proxies deployed.\n - The API proxies deployed in the dedicated environment for the Extension Processor must all be of the same [*proxy type*](/apigee/docs/api-platform/fundamentals/understanding-apis-and-api-proxies#proxy-types). The API proxies must be either all **standard** API proxies or all **extensible** API proxies. Standard and extensible API proxies can't be mixed in the Extension Processor environment.\n\n For more information, see [Create an Apigee environment](/apigee/docs/api-platform/service-extensions/extension-processor-quickstart#create-apigee-environment).\n\n For more information on Apigee limits generally, see [Limits](/apigee/docs/api-platform/reference/limits).\n- The following Apigee policies are not supported for use with the Extension Processor:\n - [Publish message](/apigee/docs/api-platform/reference/policies/publish-message-policy)\n - [ExternalCallout](/apigee/docs/api-platform/reference/policies/external-callout-policy)\n - [IntegrationCallout](/apigee/docs/api-platform/reference/policies/integration-callout-policy)\n - [ServiceCallout](/apigee/docs/api-platform/reference/policies/service-callout-policy)\n - [SetIntegrationRequest](/apigee/docs/api-platform/reference/policies/set-integration-request-policy)\n - [MessageLogging](/apigee/docs/api-platform/reference/policies/message-logging-policy)\n - [GenerateJWT](/apigee/docs/api-platform/reference/policies/generate-jwt-policy)\n\nPricing\n-------\n\nIn addition to costs associated with your Apigee Subscription or Pay-as-you-go pricing plans,\nthe following networking costs may apply when using Apigee Extension Processor:\n\n- [Service Extensions pricing](/service-extensions/pricing)\n- [Backend service pricing](https://cloud.google.com/vpc/network-pricing#lb)\n- [Private Service Connect charges](https://cloud.google.com/vpc/network-pricing#psc-consumer-data-processing)\n\nWhat's next\n-----------\n\n- Learn how to [Get started with the Apigee Extension Processor](/apigee/docs/api-platform/service-extensions/extension-processor-quickstart).\n- Learn more about working with [Service Extensions](/service-extensions/docs/overview).\n- Explore how Apigee Extension Processor works with the [Apigee APIM Operator for Kubernetes](/apigee/docs/api-platform/apigee-kubernetes/apigee-apim-operator-overview)."]]
