Allocating resources for the agent

The Next-Gen WAF agent requires computational resources to properly function. When setting up and testing your deployment, you must allocate adequate CPU, RAM, and file handles to the agent. The exact amount needed for your web application and anticipated traffic flow depends on multiple factors such as request size and content, application and network latency, and number and type of rules applied. Generally, try to balance allocating sufficient resources for the agent to keep request latency to a minimum.

Average agent resource usage

While the exact computational resources needed for the agent depends on the deployment, you can use aggregate agent resource usage numbers from other users to get an idea of what your deployment will need. Looking at the averages provides a good starting point, and the higher percentile values give an indication of what can be anticipated for high volume deployments.

Average CPU usage

Most deployed agents do not fully use the CPU resources they have available. It is typically desirable to budget more CPU than the agent may need at baseline traffic levels to allow enough headroom to remain performant during traffic spikes.

The table below shows a snapshot in time of deployed agents' CPU usage adjusted to normalize for the number of CPU cores the agent is configured to use.

Average RAM usage

The agent memory footprint typically remains fairly stable during its long-term execution. However, Golang is a garbage collected language, so there may be momentary memory spikes above the typical baseline during traffic spikes. To account for these spikes, we recommend leaving additional memory headroom above the normal observed baseline to allow the agent to momentarily burst higher without needing to perform as many garbage collection cycles. Variance in customer configurations, datasets, and rulesets may impact the memory footprint.

The table below shows a snapshot in time of deployed agents' RAM usage.

Average number of usable CPU cores

To prevent CPU starvation for other processes on the system, the agent defaults to using only half of the available CPU cores on the host. You can use the max-procs setting to change this number.

The table below shows a snapshot in time of the number of usable CPU cores provided to deployed agents. Keep in mind the following about the data:

• Some agents have modified max-procs configurations above or below the 50% default.
• All deployment types are represented, including Kubernetes deployments. Kubernetes deployments have a higher quantity of lower resourced agents, which causes a strong skew toward the low end of the distribution.

Calculating agent resource needs

To understand the infrastructure costs the agent will incur, complete the following steps:

1. Prior to deploying the Next-Gen WAF, measure the computational resources used by your web application, especially during peak usage times. Focus on CPU utilization, memory usage, and file handle counts, both for the web application and for the OS in general.
2. Deploy the Next-Gen WAF and register it with a representative set of rules.
3. Verify that traffic is being inspected, tagged, and blocked when applicable.
4. Perform the same tests that you conducted in step one. If possible, run the tests on the same hosts, with the same resources, at the same time of day, on the same days of the week, and during the same business cycle as before.
5. Compare the results of the tests.

For example, let's say that prior to installing the Next-Gen WAF, you measure 50 percent CPU usage to run your web application. Then, after installing and configuring the Next-Gen WAF alongside your application, you measure 90 percent CPU usage and no adverse latency to your web application. You may want to scale to a larger host system with more CPU cores to have spare capacity for traffic fluctuations. For Kubernetes environments this may mean adapting your replica count, auto scaling, or resource limit configurations.

Hypervisors

Virtual machines run in an environment that shares resources with other virtual machines. Sometimes these groups of VMs are over-subscribed on the hypervisor. The agent is a real-time security solution designed to operate with minimum latency. If the virtual machine has to wait on the hypervisor for CPU cycles, queuing will occur and performance will suffer. In extreme examples, this type of resource starvation can lead to complete failures and application crashes. To avoid this resource scheduling conflict, we recommend running the Next-Gen WAF on a VM that is not over-subscribed or that has resource reservations.

Kubernetes

It is a common practice to request and limit resources in Kubernetes in general. To help place the Next-Gen WAF pods on nodes with sufficient resources, we recommend setting resource requests. However, we generally don’t recommend setting resource limits because if the pod reaches those limits it will be killed, impacting the level of protection and potentially causing disruptions. To restrict the number of CPU cores the agent is permitted to fully use, use the max-procs setting.