1. Home
2. Guides
3. Next-Gen WAF
4. Setup and configuration
5. PaaS deployment

The Next-Gen WAF agent integrates with Google Cloud Service Extensions as a user-managed callout backend service, enabling real-time traffic inspection and security enforcement within Google Cloud Load Balancer's request processing pipeline.

Prerequisites

• Copy the agent keys for your workspace. You will need them when configuring the deployment.
• Google Cloud project with Service Extensions API, Compute Engine API and Network Services API enabled
• Appropriate IAM permissions for creating Service Extensions and backend services
• HTTP/2 and gRPC support in your deployment infrastructure

How the Fastly WAF Service Extensions integration works

The Google Cloud Load Balancer invokes the Service Extension, which communicates with the Next-Gen WAF agent via gRPC using Envoy's external processing protocol throughout the request lifecycle. Review a sample deployment scenario.

Configure the Next-Gen WAF agent callout backend service

This section describes how to configure a user-managed callout backend service.

Prepare your load balancer and test client

1. Create and configure an Application Load Balancer that supports extensions. For this example, set up a regional internal Application Load Balancer with VM instance group backends. Use the sample values mentioned.

2. Create a client VM for testing.

Create and set up the callout backend service

1. Create a virtual machine (VM) instance for the callout backend service that's running the Next-Gen WAF agent.

   REGION=us-west2
   ZONE=us-west2-a
   
   gcloud compute instances create callouts-vm \
     --zone=$ZONE \
     --network=lb-network \
     --subnet=backend-subnet \
     --machine-type=e2-medium \
     --image-family=cos-stable \
     --image-project=cos-cloud \
     --tags=allow-ssh,load-balanced-backend \
     --metadata-from-file=startup-script=startup-script-tls.sh

2. Create a startup script named startup-script-tls.sh. The following example shows the general structure of the script. Replace the placeholder values with your own configuration.

   IMPORTANT: Ensure that the gRPC server is configured to use TLS. Without TLS, connections to the extension server fail.

   cat >startup-script-tls.sh <<EOF
     #!/bin/bash
     # Create certificate directory
     mkdir -p /etc/ssl/certs/sigsci
   
     # Generate self-signed certificates for the gRPC service
     openssl req -x509 -newkey rsa:4096 \
       -keyout /etc/ssl/certs/sigsci/key.pem \
       -out /etc/ssl/certs/sigsci/cert.pem \
       -days 365 -nodes \
       -subj "/C=US/ST=CA/L=SF/O=Fastly/CN=ext11.com"
   
     # Set proper permissions for the sigsci user inside the container
     chmod 644 /etc/ssl/certs/sigsci/key.pem
     chmod 644 /etc/ssl/certs/sigsci/cert.pem
   
     # Start Signal Sciences agent with TLS configuration
     docker run -d \
       --name sigsci-agent \
       --restart unless-stopped \
       -p 443:443 \
       -v /etc/ssl/certs/sigsci:/etc/ssl/certs/sigsci:ro \
       -e SIGSCI_ACCESSKEYID=<YOUR_ACCESS_KEY_ID> \
       -e SIGSCI_SECRETACCESSKEY=<YOUR_SECRET_ACCESS_KEY> \
       -e SIGSCI_SERVER_FLAVOR=GCP \
       -e SIGSCI_ENVOY_GRPC_ADDRESS=0.0.0.0:443 \
       -e SIGSCI_ENVOY_EXTPROC_ENABLED=true \
       -e SIGSCI_ENVOY_GRPC_CERT=/etc/ssl/certs/sigsci/cert.pem \
       -e SIGSCI_ENVOY_GRPC_KEY=/etc/ssl/certs/sigsci/key.pem \
       signalsciences/sigsci-agent:latest
   
     # Log startup completion
     echo "Signal Sciences agent with TLS started at $(date)" >> /var/log/startup.log
   EOF

3. Add the VM to an unmanaged instance group, create a callout backend service, and add a backend, as demonstrated in the sample script below. For detailed explanations of each command, refer to Google Cloud's documentation.

   REGION=us-west2
   ZONE=us-west2-a
   
   gcloud compute instances create callouts-vm \
     --zone=$ZONE \
     --network=lb-network \
     --subnet=backend-subnet \
     --machine-type=e2-medium \
     --image-family=cos-stable \
     --image-project=cos-cloud \
     --tags=allow-ssh,load-balanced-backend \
     --metadata-from-file=startup-script=startup-script-tls.sh
   
   ##### Add the VM to an unmanaged instance group
   
   # add the VM to an unmanaged instance group
   gcloud compute instance-groups unmanaged create callouts-ig \
     --zone=$ZONE
   # set port for instance group
   gcloud compute instance-groups unmanaged set-named-ports callouts-ig \
     --named-ports=http:80,grpc:443 \
     --zone=$ZONE
   # add the new VM to the unmanaged instance group
   gcloud compute instance-groups unmanaged add-instances callouts-ig \
     --zone=$ZONE \
     --instances=callouts-vm
   
   ####### create a callout backend service and add a backend
   # Create a basic HTTP health check for the instance
   # health check protocol of agent needs to be: Protocol gRPC with TLS
   gcloud compute health-checks create grpc-with-tls callouts-hc \
     --region=$REGION \
     --port=443
   # Create a callout backend service that uses the HTTP/2 protocol
   gcloud compute backend-services create l7-ilb-callout-service \
     --load-balancing-scheme=INTERNAL_MANAGED \
     --protocol=HTTP2 \
     --port-name=grpc \
     --health-checks=callouts-hc \
     --health-checks-region=$REGION \
     --region=$REGION
   
   # Add the instance group with the extension server as a backend to the backend service. The instance group runs the ext_proc service.
   gcloud compute backend-services add-backend l7-ilb-callout-service \
     --balancing-mode=UTILIZATION \
     --instance-group=callouts-ig \
     --instance-group-zone=$ZONE \
     --region=$REGION

Create a Service Extension configuration file

1. Create a traffic extension configuration file named traffic.yaml. The following example shows the general structure of the script. Modify the configuration based on the extension type you're using.

   name: traffic-ext
   forwardingRules:
   - https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/regions/us-west2/forwardingRules/l7-ilb-forwarding-rule
   loadBalancingScheme: INTERNAL_MANAGED
   extensionChains:
   - name: "chain1"
     matchCondition:
       celExpression: 'request.path.startsWith("/")'
     extensions:
     - name: 'ext11'
       authority: ext11.com
       service: https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/regions/us-west2/backendServices/l7-ilb-callout-service
       failOpen: true
       timeout: 0.1s
       metadata:
         "key": "value"
         "fr": "forwarding_rule_id"
       supportedEvents:
       - REQUEST_HEADERS
       - REQUEST_BODY
       - RESPONSE_HEADERS

2. Import the traffic extension.

   gcloud service-extensions lb-traffic-extensions import traffic-ext \
       --source=traffic.yaml \
       --location=$REGION

3. Verify the Service Extension is active.

   gcloud service-extensions lb-route-extensions describe traffic-ext \
     --location=$REGION

   The Service Extension should automatically apply to requests matching the celExpression: 'request.path.startsWith("/")' forwarding rule specified in the configuration.

Monitor and troubleshoot

Enable Debugging and Check Next-Gen WAF agent logs

1. Add the following environment variable to the callout backend service.

   -e SIGSCI_DEBUG_LOG_VERBOSITY=3 \

2. Add the environment variable to startup-script-tls.sh.

3. Delete the existing VM.

   gcloud compute instances delete callouts-vm --zone=$ZONE

4. Recreate the VM.

5. Add the VM back to the unmanaged instance group.

   gcloud compute instance-groups unmanaged add-instances callouts-ig --zone=$ZONE --instances=callouts-vm

6. SSH into the VM.

   gcloud compute ssh callouts-vm --zone=$ZONE

7. View docker logs.

   docker logs sigsci-agent -f

Common troubleshooting steps

• Verify Next-Gen WAF agent health status: Ensure the callouts-vm instance is healthy and reachable by the load balancers health checks.

  gcloud compute backend-services get-health l7-ilb-callout-service --region=$REGION

• Verify health check protocol: The Next-Gen WAF agent uses GRPC_WITH_TLS.

Related content

• PaaS overview
• Getting started with the agent