About agent-only deployment
Last updated 2024-03-14
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.
The Core WAF deployment method includes both agent-only and module-agent deployment options. With an agent-only deployment, you're responsible for managing your Next-Gen WAF deployment in your hosting environment and the agent performs the following functions:
- decides how requests should be handled and executes the decisions (e.g., blocks, allows, and tags requests).
- acts as a proxy to the web application that you're protecting.
- provides an interface between your web server and our cloud engine.
While setting up an agent-only deployment, you'll install the Next-Gen WAF agent component. You will not install the optional module component.
Agent reverse proxy mode
The Next-Gen WAF agent can be configured to run as a reverse proxy. In reverse proxy mode, the agent interacts directly with requests and responses without the need for a module. Running the agent in reverse proxy mode is ideal when a module for your web service does not yet exist or you do not want to modify your web service configuration (e.g., while testing the product). In this mode, the agent sits inline as a service in front of your web service. For more information, check out our Configuring Agent reverse proxy deployments guide.
Envoy proxy integration
The Next-Gen WAF agent can integrate directly with Envoy, a cloud-native reverse proxy, to inspect and protect web traffic. For more information, check out our Configuring Envoy proxy deployments guide.
gRPC proxy deployments
The Next-Gen WAF agent can act as a proxy for gRPC traffic to allow inspection of protobuf-based gRPC messages (Content-Type: application/grpc). For more information, check out our Configuring gRPC proxy deployments guide.
Istio service mesh integration
The Next-Gen WAF agent can integrate with Istio service mesh to inspect and protect north-south and east-west traffic in microservices architecture applications. For more information, check out our guide on Istio and Kubernetes.
AWS Lambda integration
The Next-Gen WAF agent can integrate with AWS Lambda. To provide on-demand protection, the agent can be set up to initialize with each function and close out upon function completion. For more information, check out our guide on AWS Lambda.
Egress HTTP proxies
You can configure the Next-Gen WAF agent to use a proxy for egress traffic.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
