Improving API Security with Google Cloud Service Extensions

Jun 04, 2024
6 minutes
... views

Explore the potential of Service Extensions to strengthen your API security layer and protect web applications across any cloud-native architecture, public or private.

New Service Extensions Release

Google Cloud has recently released Service Extensions for their widely utilized Load Balancing solution. Service Extensions for Load Balancing will help customers enhance cloud cybersecurity and integrate cloud-native application protection platform (CNAPP) strategies, with a particular focus on Web Application and API Security.

With Google Cloud offering a growing and diverse set of technologies to enable organizations to bring their services and apps to the cloud, Palo Alto Networks and Prisma Cloud have been in close partnership to support new technologies and help strengthen the security layer of APIs.

Let’s look at what our partnership can make possible for customers.

How Google Cloud Service Extensions Work

Service Extensions are a significant advancement for cybersecurity providers, offering comprehensive visibility into network traffic and facilitating seamless integration with third-party vendors.

Any cloud-native web application relies on load balancing solutions to proxy and distribute traffic. This is true both for north-south traffic (traffic from the internet) and east-west traffic (traffic between cloud services).

Google Cloud has four main types of load balancers, all of which have different properties, such as local versus global and internal versus external. An internal load balancer would have an internal IP address, while an external load balancer has an external internet IP address because it’s intended to receive traffic from the internet. Local load balancers are bound to a single Google Cloud region, while global reach spans over multiple Google Cloud regions. Multiregionality is achieved by introducing layers in the GCP infrastructure. Google deploys the first layer on the external boundaries of its networks and routes the traffic to an internal secondary layer to navigate the traffic streams to their final destination in the customer app.

Service Extensions for Load Balancing has a supporting matrix in Google Cloud. In the matrix, classic application load balancers (ALBs) are out of scope since classic ALB components are legacy and usually do not appear in modern web application architectures.

Figure 1. Google Cloud support for Application Load Balancers (ALBs)
Figure 1. Google Cloud support for Application Load Balancers (ALBs)

With Google Cloud, load balancer extension points are inline with the traffic pipeline, so adding extensions will allow third-party integrations like Prisma Cloud to manipulate and observe both incoming and outgoing traffic.

Figure 2. Google Cloud ALBs support extensions for routing and managing traffic
Figure 2. Google Cloud ALBs support extensions for routing and managing traffic

This service extension capability is provided in two forms: the “Route” extension and the “Traffic” extensions. Before we dive into the details of an integration though, let’s take a moment to understand the underlying load balancing technology itself.

Cloud-Native Extensibility Is a Positive Trend for Customers

Google Cloud has adopted Envoy proxy as its core technology for load balancing. The benefit for Google in choosing Envoy as its proxy is because it’s completely open source and maintained by a responsible, active community that also benefits from Google’s own contributions and support for the product. Envoy has a relatively small memory footprint, is tuned for high performance, supports all modern protocols, and supports advanced options for navigating traffic. So, Envoy broadly supports enhanced visibility to help improve cloud-native security.

Figure 3. Envoy is an L7 proxy and communication bus for modern service-oriented architectures
Figure 3. Envoy is an L7 proxy and communication bus for modern service-oriented architectures

Service Extensions for Load Balancing builds on Envoy’s extendability. Using a gRPC-based callout server, it is now possible to connect to supported load balancers and observe the traffic flowing through it. Not only that, but the routing itself is extensible, with the cloud-native standards to connect being based on Envoy protocol buffers and APIs.

This integration of common web instruments through open-source infrastructures and industry standards, led by Google Cloud, can be interpreted as a positive trend and one that may influence other cloud providers. This is a hugely positive shift from “closed” architectures and “home-brewed” solutions that are commonly found in the cloud providers Web Consoles and SDKs. Usually, cloud providers would not expose their underlying technologies, nor would they allow extendability for third parties. But this time the story is different, with better opportunities to secure cloud infrastructures and workloads.

Benefits of Prisma Cloud and Cloud-Native API Security

Securing APIs is a primary outcome of Prisma Cloud and has become increasingly critical as businesses continue to adopt microservices architectures and cloud-based solutions. Traditionally used for distributing traffic among servers, load balancers can now play a pivotal role in API security. By utilizing service extensions, load balancers provide additional observability features that help protect APIs from various threats, and Prisma Cloud is taking advantage of this innovation for customers.

Our approach is quick and easy in terms of integration, yet insightful and efficient in terms of data collection detection and prevention.

Integrating cloud network observability with Prisma Cloud’s Attack Path analysis and extensive threat monitoring and detection capabilities can strengthen the customer’s API security layer. Increased transparency for analysts also enables security teams to gain a deeper understanding of the true attack surface, including workloads, networks and application dimensions.

Figure 4. Prisma Cloud raises the bar for Web App and API Security (WAAS)
Figure 4. Prisma Cloud raises the bar for Web App and API Security (WAAS)

Prisma Cloud lets the customer correlate API security data with network topology and other cybersecurity insights. The more data sources and observability the customer has, the better Prisma Cloud can reflect and analyze security for the cloud.

Going Even Further

With the abundance of data streams and a clear, seamless integration to network tools, applications based on statistical analysis and even machine learning can be introduced. The availability of full transaction logs in a streaming environment can feed data intensive processors. Service Extensions provide a solution for observability, detection and eventually prevention of malicious API activity on the cloud.

Prisma Cloud Is Better Together with Google Cloud

As the Google Cloud 2024 Global Technology Partner of the Year, Palo Alto Networks with Prisma Cloud has established a strong relationship with Google Cloud. Our collaboration on bringing innovation like Service Extensions to customers can further enhance our partnership, while customers gain greater visibility into their APIs, enabling them to better manage API risk.

Learn More to Improve Your API Security

Want to learn more about our Prisma Cloud web application and web API (WAAS) offering? Get started with our WAAS solution brief or let us know if you want to try out a free trial.





Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.