Setting up Edge WAF deployments using the Next-Gen WAF control panel

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, check out our Edge WAF deployment using the Fastly control panel guide.

The Edge WAF deployment method allows you to add the Next-Gen WAF as an edge security service onto Fastly's Edge Cloud platform using both CDN and Compute services.

To deploy the Next-Gen WAF on an existing Compute service, complete the following steps:

  1. Create the edge security service, which invokes the Edge WAF.
  2. Update the inspect function of your Rust code to authorize your service to make calls to the Edge WAF.

Prerequisites

Before setting up an Edge WAF deployment, be sure you have the following prerequisites in place:

  • You must purchase the Next-Gen WAF for your Fastly account by contacting sales@fastly.com. Once purchased, our staff will create a Next-Gen WAF corp (also known as account) and at least one site (also known as workspace) for your use when you log in to the Next-Gen WAF control panel.
  • You must have at least one existing CDN or Compute service that you want to map to a Next-Gen WAF site (workspace).
  • If you want to map Compute services to Next-Gen WAF sites (workspaces), ask our support team to enable Compute for your corp (account).

Limitations and considerations

Keep in mind the following things when working with the Edge WAF deployment method:

  • Adding the Next-Gen WAF via the Edge WAF deployment method to an existing Fastly CDN service counts against the service chain limit.
  • We automatically support VCL directors on CDN services as long as they are defined using the Fastly API.

Creating the edge security service

Create a new edge security service by calling the Edge WAF deployment API endpoint. This API call creates a new edge security service associated with your corp (account) and site (workspace). You will need to replace ${corpName} and ${siteName} with those of the corp (account) and site (workspace) you are adding the edge security service to. Your ${corpName} and ${siteName} are both present in the address of your Next-Gen WAF control panel, such as https://dashboard.signalsciences.net/corps/${corpName}/sites/${siteName}.

$ curl -X PUT "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment" \
-H "x-api-user:${SIGSCI_EMAIL}" \
-H "x-api-token:${SIGSCI_TOKEN}" \
-H "Fastly-Key: ${FASTLY_KEY}" \
-H "Content-Type: application/json" \
-d '{"authorizedServices": [ "${fastlySID}" ] }'

Run this API call again for each site (workspace) you want to deploy on.

If successful, you will receive an HTTP 200 response with a blank response body ({}). To confirm the Next-Gen WAF instance resources associated with the site (workspace) have been created, query the edgeDeployment endpoint again using the following request:

$ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
-H "Content-Type: application/json" \
"https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment"

The query should now return the appropriate Next-Gen WAF instance associated with the Next-Gen WAF site (workspace) in the URL path with no services attached. To attach the appropriate service, refer to Mapping to the Fastly service.

{"AgentHostName":"se--${corpName}--{SiteUID}.edgecompute.app","ServicesAttached":[]}

IMPORTANT

If you're using Next-Gen WAF with a Compute service, your next step would be to update your Rust code to call Next-Gen WAF via an inspect function. If you're using a CDN service, continue with the steps below to map your corp (account) and site (workspace) to a Fastly CDN service and synchronize the origins.

Mapping to a Fastly CDN service

To map your corp (account) and site (workspace) to an existing Fastly CDN service and synchronize the origins, follow these steps:

  1. Using the curl command line tool, call the PUT deliveryIntegration/${fastlySID} API endpoint in a terminal application:

    $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
    -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \
    "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"

    This API call will create and activate a new service version with dynamic VCL snippets automatically added to the service. By default, the service will be activated and set to 0% traffic ramping. You can override those defaults by providing parameters in the JSON body:

    • activateVersion - activate Fastly service version after clone. Possible values are true or false (unquoted). If not specified, defaults to true.
    • percentEnabled - percentage of traffic to send to the Next-Gen WAF. Possible values are integer values from 0 to 100 (unquoted). If not specified, defaults to 0. This can be adjusted later. Check out Traffic ramping for details.

    For example, to disable initial activation and set initial traffic ramping to 10%, add the curl parameter -d '{"activateVersion": false, "percentEnabled": 10}' to the usual call:

    $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
    -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \
    -d '{"activateVersion": false, "percentEnabled": 10}' \
    "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"

    This API call requires the Fastly-Key header for authentication; the Fastly API key must have write access to the Fastly service ID.

  2. Optionally, follow these steps again for each additional Fastly service that you want to deploy on.

    If your origins change, you will need to call the PUT deliveryIntegration/${fastlySID}/backends API endpoint again to resynchronize the backends.
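The sequence above (create the edge security service with PUT edgeDeployment, confirm it with GET edgeDeployment, then map a CDN service with PUT deliveryIntegration) as a small Python driver. This is an added example, not Fastly's or the Next-Gen WAF product's own code; it assumes only the endpoints, headers, parameters and response shape quoted on this page, and the function names and the local validation of activateVersion/percentEnabled are ours. Requests are only sent from the `__main__` block, and only when the same environment variables the curl examples use are set.

```python
"""Added example (not Fastly's code): build, validate and send the Edge WAF deployment calls from this page."""
import json
import os
import urllib.request

API = "https://dashboard.signalsciences.net/api/v0"  # base of the endpoints quoted on the page


def ngwaf_headers(email, token, fastly_key=None):
    """x-api-user/x-api-token authenticate to the NGWAF API; Fastly-Key is only needed when a Fastly service is modified."""
    headers = {"x-api-user": email, "x-api-token": token, "Content-Type": "application/json"}
    if fastly_key:  # the key must have write access to the Fastly service being changed
        headers["Fastly-Key"] = fastly_key
    return headers


def edge_deployment_request(corp, site, fastly_sid, email, token, fastly_key):
    """PUT .../edgeDeployment: create the edge security service and authorize fastly_sid to call the Edge WAF."""
    url = f"{API}/corps/{corp}/sites/{site}/edgeDeployment"
    return url, "PUT", ngwaf_headers(email, token, fastly_key), {"authorizedServices": [fastly_sid]}


def delivery_integration_request(corp, site, fastly_sid, email, token, fastly_key,
                                 activate_version=True, percent_enabled=0):
    """PUT .../deliveryIntegration/{sid}: map the site to a CDN service; bad optional params fail locally."""
    if not isinstance(activate_version, bool):
        raise ValueError("activateVersion must be true or false")
    if isinstance(percent_enabled, bool) or not isinstance(percent_enabled, int) or not 0 <= percent_enabled <= 100:
        raise ValueError("percentEnabled must be an integer from 0 to 100")
    url = f"{API}/corps/{corp}/sites/{site}/deliveryIntegration/{fastly_sid}"
    body = {"activateVersion": activate_version, "percentEnabled": percent_enabled}
    return url, "PUT", ngwaf_headers(email, token, fastly_key), body


def services_attached(edge_deployment_json):
    """Parse the GET edgeDeployment response; an empty ServicesAttached list means no service is mapped yet."""
    data = json.loads(edge_deployment_json)
    return data.get("AgentHostName"), list(data.get("ServicesAttached", []))


def send(url, method, headers, body=None):
    """Perform one request and return (status, response_text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Same environment variables as the page's curl examples; nothing is sent if any is missing.
    e = {k: os.environ.get(k) for k in ("SIGSCI_EMAIL", "SIGSCI_TOKEN", "FASTLY_KEY", "corpName", "siteName", "fastlySID")}
    if all(e.values()):
        args = (e["corpName"], e["siteName"], e["fastlySID"], e["SIGSCI_EMAIL"], e["SIGSCI_TOKEN"], e["FASTLY_KEY"])
        print(send(*edge_deployment_request(*args)))      # expect (200, '{}')
        print(send(*delivery_integration_request(*args)))  # defaults: activate the version, 0% ramp
```

Run `delivery_integration_request` again with the same arguments for each additional Fastly service, and call `services_attached` on a GET of the edgeDeployment URL to see which services are currently mapped.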

WAF execution for CDN services

Once both API calls are completed, your service will automatically be set up with dynamic VCL snippets that control the execution of the Next-Gen WAF. A new service version will be created and activated containing the additional VCL snippets.

The edge security service runs in the vcl_miss and vcl_pass subroutines. Execution priority is set to a high value to enable compatibility with any other VCL snippets that may be in use.
