Tuesday, May 21, 2024

Load balancing in cloud computing improves security

Cloud Load Balancing Strategies

At Google Cloud Next ’23, the Cloud Networking Load Balancing team announced several upgrades that expand its use cases and utility.

The four main features are:

mTLS support adds client-side authentication during TLS negotiation on global external Application Load Balancers. This feature lets the server authenticate clients, just as clients authenticate the server in standard TLS. Man-in-the-middle attacks can be prevented by adding mTLS as a security layer.

Service Extensions callouts let users customize load balancer data-plane processing using user-written or third-party applications. Clients can add features and alter Google Cloud workload flow to improve user experience.

Global backends with the internal Application Load Balancer mean that the internal load balancer can now distribute load to global backends. Built-in global access lets clients reach internal Application Load Balancers from anywhere. This option gives more flexibility in backend hosting and client location.

Cross-project service referencing with external global Application Load Balancers lets organizations distribute traffic to hundreds of services across several projects. Cross-project service referencing relies on Shared VPC, which connects resources from several projects to a single Virtual Private Cloud (VPC) network for secure and effective interaction.

Details on each of these new capabilities follow:

Google Cloud external load balancer mTLS support

HTTPS authentication usually involves only the client verifying the server’s identity. The global external Application Load Balancer and the traditional one support mutual TLS (mTLS) for applications that require the load balancer to verify client identities.

In mTLS, the load balancer requests a certificate from the client during the TLS handshake to verify the client’s identity. The load balancer can validate the client certificate’s chain of trust using a trust store.
The benefits of mTLS include:

  • Increased security: mTLS requires client and server authentication, making it harder for attackers to impersonate either side and access confidential information.
  • Reduced risk of man-in-the-middle attacks: Man-in-the-middle (MITM) attacks, in which an attacker intercepts and reroutes communication, become rarer because mTLS authenticates both sides.
  • Increased visibility: mTLS lets organizations track which clients are connected to their servers, increasing network traffic visibility. This may help discover security threats and improve security.

Besides these benefits, mTLS is compatible with Apigee X and other apps. As a result, mTLS is increasingly used for network security.
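
The trust-store check described in this section, as an added example that is not from the original article or from Google Cloud: it uses the openssl CLI to build a constructed trust anchor, a client certificate issued by it, and a client certificate from a lookalike CA with the same name, then verifies each against the trust store. All names and file paths are made up for the demonstration.

```sh
#!/bin/sh
# Constructed lab: every CA, client and file name here is made up.
# Needs only the openssl CLI; nothing touches the network.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca ID CN: create a self-signed CA (key + certificate) stored as $WORK/ID.*
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA_ID CLIENT_ID: create a client key and a certificate signed by CA_ID.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# verdict TRUSTSTORE CERT: print "accept" only if CERT chains to an anchor in
# TRUSTSTORE, which is the decision a verifying TLS endpoint has to make.
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# The trust store holds one anchor. The lookalike CA reuses the same subject
# name but has a different key, so name matching alone would be fooled.
make_ca anchor    "Example Client CA"
make_ca lookalike "Example Client CA"
issue_client anchor    client-a
issue_client lookalike client-b

echo "client-a (issued by the anchor):       $(verdict "$WORK/anchor.crt" "$WORK/client-a.crt")"
echo "client-b (issued by the lookalike CA): $(verdict "$WORK/anchor.crt" "$WORK/client-b.crt")"
echo "lookalike CA certificate itself:       $(verdict "$WORK/anchor.crt" "$WORK/lookalike.crt")"
```

The second and third results show that validation depends on the anchor's signature, not on the issuer name printed in the certificate.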

Application Load Balancer Service Extensions callouts

Service Extensions callouts enable custom logic in Google Cloud Application Load Balancers. With this customized logic, enterprises can create a Cross-Cloud Network or link their applications to Google services to meet client workflow demands. Google Cloud users and partners can employ custom user authentication, logging, and header rewrites to execute tasks on load balanced traffic.
Google Cloud Load Balancing can transmit traffic from the load-balancing data-processing route through an RPC, such as gRPC, to a user-managed application or service anywhere using Service Extensions callouts. These apps may apply rules or functions before passing traffic back to the load balancer for processing.

Service Extensions callouts provide several benefits

Service Extensions callouts enable custom logic injection into Google Cloud Application Load Balancers. This custom logic can solve unique customer process issues, enable partners to link their software with Google services, or help build a Cross-Cloud Network. This feature lets Google Cloud customers and partners write code to perform header rewrites, incremental security, custom logging, and custom user authentication on load balanced traffic.
Service Extensions callouts tell Google Cloud Load Balancing to send traffic from the load-balancing data-processing pipeline through gRPC to a user-managed application or service anywhere. The load balancer processes traffic after these applications apply policies or functionalities.

Service Extensions callout benefits:

  • Implementation tailored to workflow demands may improve cloud app or service performance.
  • Users gain power: businesses can build applications or acquire programs to customize services for new or specific demands.
  • Users may always innovate and improve services with agile delivery.
  • By connecting their software with Google Cloud Application Load Balancer services, partners may quickly and programmatically deliver new advanced use cases.

Availability: Cloud Load Balancing Service Extensions callouts will be publicly previewed in October 2023. The feature supports global external (excluding Classic), regional external, and regional internal Application Load Balancers.

Cross-region internal Application Load Balancer

Internal Application Load Balancers distribute HTTP and HTTPS traffic to Compute Engine, GKE, Cloud Run, on-premises, and other cloud backends. In regional mode, the internal Application Load Balancer could only connect to local backends. Cross-region internal Application Load Balancers remove this constraint.

A Google-managed cross-region internal Application Load Balancer can resemble a multi-region load balancer. Since it provides global access, the load balancer can be used by Google Cloud clients worldwide. Users can load balance traffic to geographically distributed backends using cross-region mode. The load balancer’s high availability comes from spreading backends over multiple locations to protect customers from downtime. If one region’s backends fail, traffic can switch to another region. Since it can be deployed in several regions, the load balancer is robust against outages that could affect service availability.

Remember that cross-region load balancing always deploys load balancer proxy instances in the locations you designate.

Internal cross-region application load balancers have several benefits

  • Supports internal traffic-specific global cloud load balancing: This feature makes active/active multi-region traffic allocation more flexible.
  • Enhanced availability: Failover to services in a different region might mitigate zone- or region-specific problems.
  • Unlocks Private Service Connect (PSC) use cases: Private Service Connect (PSC) can be used to access managed services privately from within a VPC network.
  • Support for Google-managed certificates: Certificate Manager and Certificate Authority Service provide this capability for Google-managed certificates.

Global external Application Load Balancer cross-project service reference

Cross-project service referencing lets enterprises build one load balancer to route traffic to hundreds of services across various projects. All traffic routing rules and policies can be managed in one URL map. You can also link the load balancer to one set of hostnames and SSL certificates.

This paradigm places the load balancer’s frontend and URL map in a host or service project. The load balancer’s backend services and backends can be shared across Shared VPC projects. A URL map can reference cross-project backend services.
Cross-project service referencing benefits:

  • Efficient deployment: Multiple services on one load balancer reduces the number of load balancers needed to deploy your application. Reduced forwarding rules and load balancing resources cut expenses, operational overhead, and quotas.
  • Improved administrative control: Customers can separate roles by creating projects for each functional team. Service owners can construct services in service projects while network teams install and manage load balancers in another project using cross-project service reference.

agarapuramesh
https://govindhtech.com
Agarapu Ramesh was the founder of Govindhtech and a computer hardware enthusiast. He is interested in writing tech news articles. He has worked as an editor of Govindhtech for one year and previously worked as a computer assembling technician at G Traders in India from 2018. His educational qualification is an MSc.