---
title: Setting up Edge WAF deployments using the Next-Gen WAF control panel
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/setting-up-edge-waf-deployments-using-the-next-gen-waf-control-panel
---


> **IMPORTANT:** This guide only applies to Next-Gen WAF customers who **cannot** access the WAF in the Fastly control panel. If you can access the WAF in the Fastly control panel, refer to the [Edge WAF deployment using the Fastly control panel](/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel) guide instead.

The Edge WAF deployment method allows you to add the Next-Gen WAF as an edge security service onto Fastly's Edge Cloud platform using both CDN and Compute services.

<!-- TabbedPanels component: 
<Panel id="cdn-service" label="CDN service">

To deploy the Next-Gen WAF on an existing CDN service, complete the following steps:

1. Contact [Fastly support](https://support.fastly.com/) to enable Edge WAF deployment for your corp (account).
1. Create the [edge security service](#creating-the-edge-security-service), which invokes the Edge WAF.
1. [Map your corp (account) and site (workspace)](#mapping-to-a-fastly-cdn-service) to an existing Fastly CDN service and synchronize the origins. Privileged dynamic snippets that enable inspection are added to your CDN service.

</Panel>
<Panel id="compute-service" label="Compute service">

To deploy the Next-Gen WAF on an existing Compute service, complete the following steps:

1. Create the [edge security service](#creating-the-edge-security-service), which invokes the Edge WAF.
1. Update the [inspect function](/solutions/tutorials/next-gen-waf-compute/#inspect-the-request-and-handle-the-verdict) of your Rust code to authorize your service to make calls to the Edge WAF.

</Panel>
 -->

## Prerequisites

Before setting up an Edge WAF deployment, be sure you have the necessary [prerequisites](/guides/next-gen-waf/setup-and-configuration/edge-deployment/getting-started-with-the-edge-waf#prerequisites) in place.

## Limitations and considerations

Keep in mind the following things when working with the Edge WAF deployment method:

* Adding the Next-Gen WAF via the Edge WAF deployment method to an existing Fastly CDN service counts against the [service chain limit](/guides/getting-started/services/service-chaining).
* We automatically support VCL directors on CDN services as long as they are defined using the Fastly API.

## Creating the edge security service

> **IMPORTANT:** Do you have access to the Next-Gen WAF in the Fastly control panel? If so, follow the instructions on the [Edge WAF deployment using the Fastly control panel](/guides/next-gen-waf/setup-and-configuration/edge-deployment/edge-waf-deployment-using-the-fastly-control-panel/) guide instead.

Create a new edge security service by calling the [Edge WAF deployment API endpoint](/signalsciences/api/#_corps__corpName__sites__siteName__edgeDeployment_put). This API call creates a new edge security service associated with your corp (account) and site (workspace). Replace `${corpName}` and `${siteName}` with those of the corp (account) and site (workspace) you are adding the edge security service to. Your `${corpName}` and `${siteName}` are both present in the address of your Next-Gen WAF control panel, such as `https://dashboard.signalsciences.net/corps/${corpName}/sites/${siteName}`.

<!-- TabbedPanels component: 
<Panel id="cdn-service" label="CDN service">

```term copy nolinenums
$ curl -X PUT "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment" \
-H "x-api-user:${SIGSCI_EMAIL}" \
-H "x-api-token:${SIGSCI_TOKEN}" \
-H "Content-Type: application/json"
```

</Panel>
<Panel id="compute-service" label="Compute service">

```term copy nolinenums
$ curl -X PUT "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment" \
-H "x-api-user:${SIGSCI_EMAIL}" \
-H "x-api-token:${SIGSCI_TOKEN}" \
-H "Fastly-Key: ${FASTLY_KEY}" \
-H "Content-Type: application/json" \
-d "{\"authorizedServices\": [ \"${fastlySID}\" ] }"
```

</Panel>
 -->

Run this API call again for each site (workspace) you want to deploy on.

If successful, you will receive an HTTP 200 response with an empty JSON response body (`{}`). To confirm the Next-Gen WAF instance resources associated with the site (workspace) have been created, query the `edgeDeployment` endpoint again using the following request:

```term copy nolinenums
$ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
-H "Content-Type: application/json" \
"https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/edgeDeployment"
```

The query should now return the Next-Gen WAF instance associated with the Next-Gen WAF site (workspace) in the URL path, with no services attached. To attach the appropriate service, refer to [Mapping to a Fastly CDN service](#mapping-to-a-fastly-cdn-service).

```term nolinenums
{"AgentHostName":"se--${corpName}--{SiteUID}.edgecompute.app","ServicesAttached":[]}
```

> **IMPORTANT:** If you're using Next-Gen WAF with a Compute service, your next step would be to update your Rust code to call Next-Gen WAF via an [inspect function](/solutions/tutorials/next-gen-waf-compute/#inspect-the-request-and-handle-the-verdict). If you're using a CDN service, continue with the steps below to map your corp (account) and site (workspace) to a Fastly CDN service and synchronize the origins.

## Mapping to a Fastly CDN service

To map your corp (account) and site (workspace) to an existing Fastly CDN service and synchronize the origins, follow these steps:

1. Using the curl command line tool, call the [PUT deliveryIntegration/${fastlySID} API endpoint](/signalsciences/api/#_corps__corpName__sites__siteName__deliveryIntegration__fastlySID__put) in a terminal application:

   <!-- TabbedPanels component: 
   <Panel id="unix-based" label="Unix-based">

   ```term copy nolinenums
   $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
   -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \
   "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"
   ```

   </Panel>
   <Panel id="windows-based" label="Windows-based">

   ```term copy nolinenums
   $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
   -H "Fastly-Key: ${FASTLY_KEY}" -H "Content-Type: application/json" -X PUT \
   "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"
   ```

   </Panel>
    -->

   This API call will create and activate a new service version with dynamic VCL snippets automatically added to the service. By default, the service will be activated and set to 0% traffic ramping. You can override those defaults by providing parameters in the JSON body:

   * `activateVersion` - activate Fastly service version after clone. Possible values are `true` or `false` (unquoted). If not specified, defaults to `true`.
   * `percentEnabled` - percentage of traffic to send to the Next-Gen WAF. Possible values are integers from `0` to `100` (unquoted). If not specified, defaults to `0`. This can be adjusted later. Check out [Traffic ramping](/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/configuring-edge-waf-deployments-using-the-next-gen-waf-control-panel#changing-the-percentage-of-traffic-sent-to-the-waf) for details.

   For example, to disable initial activation and set initial traffic ramping to 10%, add the curl parameter `-d '{"activateVersion": false, "percentEnabled": 10}'` to the usual call:

   ```term copy nolinenums
   $ curl -H "x-api-user:${SIGSCI_EMAIL}" -H "x-api-token:${SIGSCI_TOKEN}" \
   -H "Fastly-Key: ${FASTLY_KEY}" -H 'Content-Type: application/json' -X PUT \
   -d '{"activateVersion": false, "percentEnabled": 10}' \
   "https://dashboard.signalsciences.net/api/v0/corps/${corpName}/sites/${siteName}/deliveryIntegration/${fastlySID}"
   ```

   This API call requires the [Fastly-Key](/reference/http/http-headers/Fastly-Key/) header for authentication. The Fastly API key must have write access to the Fastly service ID.

1. Optionally, follow these steps again for each additional Fastly service that you want to deploy on.

   If your origins change, you will need to call the [PUT deliveryIntegration/${fastlySID}/backends API endpoint](/signalsciences/api/#_corps__corpName__sites__siteName__deliveryIntegration__fastlySID__backends_put) again to resynchronize the backends.
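
The CDN mapping step above, combined with the `edgeDeployment` query from the previous section, as an added example that is not part of Fastly's guide or tooling. The function names and the `--apply` switch are hypothetical, the response check assumes the JSON shape shown on this page, and the header values are assumed to contain no double quotes or backslashes.

```sh
#!/bin/sh
# Added example, not Fastly tooling; function names are hypothetical.
API="https://dashboard.signalsciences.net/api/v0"

# Build the deliveryIntegration body, allowing only the values the guide lists.
build_delivery_body() {  # usage: build_delivery_body ACTIVATE PERCENT
  case "$1" in true|false) ;; *) echo "activateVersion: true or false" >&2; return 1 ;; esac
  case "$2" in ''|*[!0-9]*|0?*|????*) echo "percentEnabled: integer 0-100" >&2; return 1 ;; esac
  [ "$2" -le 100 ] || { echo "percentEnabled: integer 0-100" >&2; return 1; }
  printf '{"activateVersion": %s, "percentEnabled": %s}' "$1" "$2"
}

# Classify a GET edgeDeployment response body: missing, unmapped or mapped.
deployment_state() {
  r=$(printf '%s' "$1" | tr -d ' \t\n')
  case "$r" in
    *'"AgentHostName":""'*) echo missing; return ;;
    *'"AgentHostName":"'*) ;;
    *) echo missing; return ;;
  esac
  case "$r" in
    *'"ServicesAttached":[]'*) echo unmapped ;;
    *'"ServicesAttached":['*) echo mapped ;;
    *) echo missing ;;
  esac
}

# Send one request. Credentials reach curl on stdin (--config -) instead of
# argv, and Fastly-Key is sent only to the endpoint that requires it.
api_call() {  # usage: api_call METHOD PATH [JSON_BODY]
  {
    printf 'header = "x-api-user: %s"\n' "$SIGSCI_EMAIL"
    printf 'header = "x-api-token: %s"\n' "$SIGSCI_TOKEN"
    case "$2" in */deliveryIntegration/*)
      printf 'header = "Fastly-Key: %s"\n' "$FASTLY_KEY" ;;
    esac
  } | curl -sS --fail --config - -X "$1" \
        -H "Content-Type: application/json" ${3:+-d "$3"} "$API$2"
}

# Staged CDN mapping: confirm the edge security service exists, then map the
# service with activation off and a 10% ramp. Runs only with --apply.
if [ "${1:-}" = "--apply" ]; then
  base="/corps/${corpName}/sites/${siteName}"
  state=$(deployment_state "$(api_call GET "$base/edgeDeployment" 2>/dev/null)")
  [ "$state" != missing ] || { echo "create the edge security service first" >&2; exit 1; }
  body=$(build_delivery_body false 10) || exit 1
  api_call PUT "$base/deliveryIntegration/${fastlySID}" "$body"
fi
```

Export `SIGSCI_EMAIL`, `SIGSCI_TOKEN`, `FASTLY_KEY`, `corpName`, `siteName` and `fastlySID` before running the script with `--apply`.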

## WAF execution for CDN services

Once both API calls are completed, your service will automatically be set up with dynamic VCL snippets that control the execution of the Next-Gen WAF. A new service version will be created and activated containing the additional VCL snippets.

## Related content

* [Using Next-Gen WAF in Compute](/solutions/tutorials/next-gen-waf-compute/)
