# Configure an authorization extension

**Preview**

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
of the [Service Specific Terms](/terms/service-terms#1).

Pre-GA products and features are available "as is" and might have limited support.

For more information, see the
[launch stage descriptions](/products#product-launch-stages).

Service Extensions enables Application Load Balancers to send callouts to
backend services to insert custom processing in the processing path.
[Authorization extensions](/service-extensions/docs/callouts-overview#authorization-extensions) run in
the request processing path when the load balancer receives request headers and
after the [URL map](/load-balancing/docs/url-map-concepts) chooses the backend
service. This page describes how to configure authorization extensions to use a
custom authorization engine defined in an [authorization policy](/load-balancing/docs/auth-policy/auth-policy-overview).

For an overview about Application Load Balancer extensions, see
[Cloud Load Balancing extensions overview](/service-extensions/docs/callouts-overview).

Introduction
------------

Cloud Load Balancing lets you configure authorization policies that enforce
access control on traffic entering load balancers. Sometimes, complex
authorization decisions cannot be readily expressed using an authorization
policy.

You can configure authorization policies with authorization extensions to
delegate authorization decisions to custom authorization engines. In the data
path, authorization extensions are executed after route extensions but
before traffic extensions. For each authorization request,
the load balancer forwards the request headers to the extension. Depending on
the response from the provider, the load balancer proxy either forwards or
rejects the request.

For information about the limits related to Application Load Balancer extensions,
see the [Quotas and limits](/service-extensions/docs/quotas#for_callouts) page.

**Important:** You can attach only one authorization extension to a forwarding rule.

Before you begin
----------------

Create the required resources as described in
[Configure a callout backend service](/service-extensions/docs/configure-callout-backend-service).

Configure an authorization extension
------------------------------------

The following example shows how to configure an authorization extension,
`my-authz-ext`, with an authorization policy to delegate authorization
decisions for a regional internal Application Load Balancer in `us-east1`.

### gcloud

1. Configure the authorization extension.

   1. Define the extension in a YAML file that associates it with the backend
      service, `authz-service`. Use the sample values provided.

      ```
      cat >authz-extension.yaml <<EOF
      name: my-authz-ext
      authority: ext11.com
      loadBalancingScheme: INTERNAL_MANAGED
      service: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/backendServices/authz-service
      forwardHeaders:
      - Authorization
      failOpen: false
      timeout: "0.1s"
      EOF
      ```

      Replace PROJECT_ID with the
      [project ID](/resource-manager/docs/creating-managing-projects#identifying_projects).

   2. Import the authorization extension. Use the
      [`gcloud beta service-extensions authz-extensions import` command](/sdk/gcloud/reference/beta/service-extensions/authz-extensions/import) with the following sample values.

      ```
      gcloud beta service-extensions authz-extensions import my-authz-ext \
          --source=authz-extension.yaml \
          --location=us-east1
      ```

2. Configure an authorization policy with the extension.

   1. Define an authorization policy that associates
      the extension, `my-authz-ext` with the forwarding rule, `fr1`.
      Use the sample values provided. The `CUSTOM` action indicates that an
      extension is being used.

      ```
      cat >authz-policy.yaml <<EOF
      name: my-authz-policy
      target:
        loadBalancingScheme: INTERNAL_MANAGED
        resources:
        - "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-east1/forwardingRules/fr1"
      action: CUSTOM
      customProvider:
        authzExtension:
          resources:
          - "projects/PROJECT_ID/locations/us-east1/authzExtensions/my-authz-ext"
      EOF
      ```

   2. Import the authorization policy to the project. Use the
      [`gcloud beta network-security authz-policies import` command](/sdk/gcloud/reference/beta/network-security/authorization-policies/import)
      with the following sample values.

      ```
      gcloud beta network-security authz-policies import my-authz-policy \
          --source=authz-policy.yaml \
          --location=us-east1
      ```

Limitations for authorization extensions
----------------------------------------

The following are some limitations of authorization extensions:

- An authorization policy can have only one authorization extension.
- A forwarding rule can be used with several authorization policies of which only one can be a custom authorization policy.

For limitations that are applicable to all extensions, see
[Limitations for extensions](/service-extensions/docs/lb-extensions-overview#limitations).

What's next
-----------

- View Python and Go samples of `ext-proc` servers in the [Service Extensions GitHub repository](https://github.com/GoogleCloudPlatform/service-extensions-samples/tree/main/callouts).
- [Configure a route extension](/service-extensions/docs/configure-route-extensions)
- [Configure a traffic extension](/service-extensions/docs/configure-traffic-extensions)
- [Manage extensions](/service-extensions/docs/manage-extensions)

Last updated 2025-08-28 UTC.
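
A pre-import check for the two YAML files from the gcloud procedure above, as an added example that is not part of Google's documentation: it confirms that the extension keeps `failOpen: false` (so a failed or timed-out callout does not let the request through), that a `forwardHeaders` list is present, and that the policy uses `CUSTOM` and points at the same extension name and location. The function names `yaml_value`, `lint_authz` and `demo`, the project ID `example-project` and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-import lint for authz-extension.yaml and authz-policy.yaml (added example).
# Assumes the flat "key: value" layout shown on this page; not a YAML parser.

# Print the scalar after the first "KEY:" line in FILE, quotes removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Print one finding per line; return 0 only when there are none.
lint_authz() {
  ext=$1; policy=$2; location=$3; bad=0
  name=$(yaml_value "$ext" name)
  if [ "$(yaml_value "$ext" failOpen)" != "false" ]; then
    echo "extension: failOpen is not explicitly false"; bad=1
  fi
  if ! grep -q '^[[:space:]]*forwardHeaders:' "$ext"; then
    echo "extension: no forwardHeaders list, review what the engine receives"; bad=1
  fi
  if [ "$(yaml_value "$policy" action)" != "CUSTOM" ]; then
    echo "policy: action is not CUSTOM"; bad=1
  fi
  if ! grep -Eq "/locations/$location/authzExtensions/$name\"?[[:space:]]*\$" "$policy"; then
    echo "policy: does not reference $name in $location"; bad=1
  fi
  [ "$bad" -eq 0 ]
}

# Constructed sample input; "example-project" is a placeholder project ID.
demo() {
  dir=$(mktemp -d)
  cat >"$dir/ext.yaml" <<EOF
name: my-authz-ext
forwardHeaders:
- Authorization
failOpen: false
EOF
  cat >"$dir/policy.yaml" <<EOF
action: CUSTOM
customProvider:
  authzExtension:
    resources:
    - "projects/example-project/locations/us-east1/authzExtensions/my-authz-ext"
EOF
  lint_authz "$dir/ext.yaml" "$dir/policy.yaml" us-east1 && echo "ok to import"
  sed 's/failOpen: false/failOpen: true/' "$dir/ext.yaml" >"$dir/open.yaml"
  lint_authz "$dir/open.yaml" "$dir/policy.yaml" us-east1 || echo "blocked: fix findings before importing"
  rm -rf "$dir"
}
demo
```

Run it with the same location you pass to `--location` in both import commands, so a policy that references a different extension or region is caught before it is attached to the forwarding rule.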