diff --git a/macros/edge-services/assets/scaleway-edge-services-pipeline-diag.webp b/macros/edge-services/assets/scaleway-edge-services-pipeline-diag.webp
new file mode 100644
index 0000000000..12af101ff0
Binary files /dev/null and b/macros/edge-services/assets/scaleway-edge-services-pipeline-diag.webp differ
diff --git a/macros/edge-services/assets/scaleway-edge-services-pipeline-nowaf.webp b/macros/edge-services/assets/scaleway-edge-services-pipeline-nowaf.webp
new file mode 100644
index 0000000000..f5476c7fc9
Binary files /dev/null and b/macros/edge-services/assets/scaleway-edge-services-pipeline-nowaf.webp differ
diff --git a/macros/edge-services/assets/scaleway-edge-services-pipeline.webp b/macros/edge-services/assets/scaleway-edge-services-pipeline.webp
deleted file mode 100644
index 49ffb573d9..0000000000
Binary files a/macros/edge-services/assets/scaleway-edge-services-pipeline.webp and /dev/null differ
diff --git a/macros/edge-services/edge-services-bucket-benefits.mdx b/macros/edge-services/edge-services-bucket-benefits.mdx
index da80a33491..6e9bdd70cf 100644
--- a/macros/edge-services/edge-services-bucket-benefits.mdx
+++ b/macros/edge-services/edge-services-bucket-benefits.mdx
@@ -7,4 +7,4 @@ macro: edge-services-bucket-benefits
- Enhance performance by caching your stored objects, to be served directly by Edge Services from the cache
- Finely control your cached objects via purging (cache invalidation)
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/macros/edge-services/edge-services-lb-benefits.mdx b/macros/edge-services/edge-services-lb-benefits.mdx
index d1e86eaefe..99514fb61a 100644
--- a/macros/edge-services/edge-services-lb-benefits.mdx
+++ b/macros/edge-services/edge-services-lb-benefits.mdx
@@ -4,12 +4,13 @@ macro: edge-services-lb-benefits
Creating an Edge Services pipeline for your Load Balancer helps to reduce load on your Load Balancer's backend servers. The origin configuration you define is used by Edge Services to connect to your Load Balancer and request content, which is then stored in the cache. Then, when your Load Balancer origin is accessed via its customizable Edge Services endpoint, the requested content is served from the cache (if present), without the need to fetch this content via the Load Balancer and its backend servers.
-
+
Edge Services lets you:
- Define the specific origin (Load Balancer, frontend port, and host) for a given pipeline and its associated cache
- Choose the TTL for cached objects, and purge the entire cache or specific cached objects at any time (cache invalidation)
+- Configure a [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
- Customize your Edge Services pipeline endpoint using a subdomain of your own domain
- Add an SSL/TLS certificate so that Edge Services can serve content over HTTPS for your subdomain
diff --git a/menu/navigation.json b/menu/navigation.json
index 4a852d3a1b..7d2f6b15a0 100644
--- a/menu/navigation.json
+++ b/menu/navigation.json
@@ -3670,6 +3670,10 @@
"label": "Configure a cache",
"slug": "configure-cache"
},
+ {
+ "label": "Configure WAF",
+ "slug": "configure-waf"
+ },
{
"label": "Monitor with Cockpit",
"slug": "monitor-cockpit"
diff --git a/pages/edge-services/assets/scaleway-create-es-pipeline-lb.webp b/pages/edge-services/assets/scaleway-create-es-pipeline-lb.webp
deleted file mode 100644
index 75d89eb2b6..0000000000
Binary files a/pages/edge-services/assets/scaleway-create-es-pipeline-lb.webp and /dev/null differ
diff --git a/pages/edge-services/assets/scaleway-edge-create-pipeline-lb.webp b/pages/edge-services/assets/scaleway-edge-create-pipeline-lb.webp
index b2840e1f6b..f66f76d12c 100644
Binary files a/pages/edge-services/assets/scaleway-edge-create-pipeline-lb.webp and b/pages/edge-services/assets/scaleway-edge-create-pipeline-lb.webp differ
diff --git a/pages/edge-services/assets/scaleway-edge-create-pipeline-os.webp b/pages/edge-services/assets/scaleway-edge-create-pipeline-os.webp
index bdeb85751f..75c81507c5 100644
Binary files a/pages/edge-services/assets/scaleway-edge-create-pipeline-os.webp and b/pages/edge-services/assets/scaleway-edge-create-pipeline-os.webp differ
diff --git a/pages/edge-services/assets/scaleway-edge-services-lb-dashboard.webp b/pages/edge-services/assets/scaleway-edge-services-lb-dashboard.webp
deleted file mode 100644
index 659b74e395..0000000000
Binary files a/pages/edge-services/assets/scaleway-edge-services-lb-dashboard.webp and /dev/null differ
diff --git a/pages/edge-services/assets/scaleway-edge-services-pipeline.webp b/pages/edge-services/assets/scaleway-edge-services-pipeline.webp
index 49ffb573d9..12af101ff0 100644
Binary files a/pages/edge-services/assets/scaleway-edge-services-pipeline.webp and b/pages/edge-services/assets/scaleway-edge-services-pipeline.webp differ
diff --git a/pages/edge-services/concepts.mdx b/pages/edge-services/concepts.mdx
index e91b265686..b399fd069e 100644
--- a/pages/edge-services/concepts.mdx
+++ b/pages/edge-services/concepts.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Understand Scaleway Edge Services terminology with our glossary of the core concepts underpinning this product. Learn about key features, architecture, and best practices.
tags: edge-services edge services pipeline custom-domain cache
dates:
- creation: 2025-05-05
+ creation: 2025-05-14
validation: 2025-03-03
categories:
- networks
@@ -29,7 +29,10 @@ The CNAME record pointing your subdomain to the Edge Services endpoint, if you h
## Edge Services
-Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides a [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin), and a customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
+Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides:
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin)
+- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
+- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
## Endpoint
@@ -37,6 +40,10 @@ The endpoint from which a given Edge Services pipeline can be accessed, e.g. `ht
The endpoint can be customized with a user-defined subdomain, allowing you to replace the standardized endpoint with the subdomain of a domain you already own, e.g. `http://my-own-domain.com`. An associated [certificate](#certificate), and [CNAME record](#cname-record) will be required, in this case.
+## Exclusions
+
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), exclusions let you define filters for requests that should not be evaluated by WAF, but rather pass straight to the Load Balancer origin. Learn more about [creating exclusions](/edge-services/how-to/configure-waf/#how-to-set-exclusions)
+
## Origin
The primary source from which a Scaleway Edge Services pipeline retrieves and caches data. An origin can consist of either:
@@ -54,13 +61,17 @@ The origin host must be associated with the origin Load Balancer / its backend s
The Load Balancer defined by the user as origin for a given Edge Services pipeline. The pipeline connects to this Load Balancer, on the specified frontend port to request content.
+## Paranoia level
+
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), the paranoia level determines how sensitive the request-evaluation mechanism is to potential threats. Four paranoia levels are available, with level 1 being the least sensitive, and level 4 being the most sensitive. The higher the paranoia level, the more likely it is that a given request will be judged to be malicious. For full details on paranoia levels, see our [detailed documentation](/edge-services/reference-content/understanding-waf/#waf-ruleset-and-paranoia-levels).
+
## Pipeline
-
+
-An Edge Services pipeline consists of an [origin](#origin) for which Edge Services requests and [caches](#cache) content, and an [endpoint](#endpoint) from which this content is served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS.
+An Edge Services pipeline consists of an [origin](#origin), which Edge Services can protect from threats with a [Web Application Firefall](#web-application-firewall), and for which it also requests and [caches](#cache) content. Each pipeline also has an [endpoint](#endpoint) from which content is accessed served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. Edge Services can also protect
-You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that the cache can be enabled and disabled at will, so it is an optional part of the pipeline, as is the customization of the endpoint.
+You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that caching and WAF can be enabled and disabled at will, so are optional parts of the pipeline, as is the customization of the endpoint. WAF is only available for Load Balancer origins, not Object Storage buckets.
## Protocol
@@ -68,8 +79,4 @@ The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sen
## WAF
-
-Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/) and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming to the Scaleway console soon.
-
-
-An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).
\ No newline at end of file
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the [paranoia level](#paranoia-level) to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more about [configuring a WAF](/edge-services/how-to/configure-waf/).
diff --git a/pages/edge-services/faq.mdx b/pages/edge-services/faq.mdx
index 7c98ed8f08..1c8d3437a5 100644
--- a/pages/edge-services/faq.mdx
+++ b/pages/edge-services/faq.mdx
@@ -5,18 +5,20 @@ meta:
content:
h1: Edge Services FAQ
dates:
- validation: 2025-03-03
+ validation: 2025-05-14
category: network
productIcon: EdgeServicesProductIcon
---
## What is Edge Services?
-Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. Creating Edge Services [pipelines](/edge-services/concepts/#pipeline) towards your Load Balancers or Object Storage buckets provides:
--A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and
+Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. Creating Edge Services [pipelines](/edge-services/concepts/#pipeline) towards your Load Balancers or Object Storage buckets provides:
+
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and
+- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity, and
- A customizable and secure endpoint for accessing content via Edge Services, which can be set to a subdomain of your choice and secured with an SSL/TLS certificate.
-
+
## Which products are compatible with Edge Services?
@@ -34,6 +36,18 @@ Yes, if you choose to [customize your Edge Services endpoint with your own subdo
## What is WAF?
-**W**eb **A**pplication **F**irewall is currently available in Public Beta via Edge via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/) only. It will be coming to the Scaleway console soon.
+**W**eb **A**pplication **F**irewall is a feature available via Edge Services. It is currently in Public Beta. When enabled, WAF filters requests to your origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
+
+## How can I use WAF with a different type of Scaleway resource?
+
+For now, WAF is only compatible with Load Balancers and Object Storage. You must put other resources behind a Load Balancer in order to benefit from WAF. Watch this space for other solutions in the future.
+
+## Can I use WAF and caching simultaneously?
+
+Yes, you can have both of these features enabled at the same time on the same Load Balancer pipeline. WAF protects your Load Balancer origin only: it does not filter requests served by the cache.
+
+## What ruleset is used by WAF? Is it updated automatically?
+
+Scaleway Edge Services WAF uses the [OWASP **C**ore **R**ule **S**et (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack such as SQL injection and cross-site scripting. Full details are available in the [OWASP CRS documentation](https://coreruleset.org/docs/).
-When enabled, WAF filters requests to your Load Balancer origin or Object Storage bucket to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
\ No newline at end of file
+We handle the automatic updating of rules, removing this hassle from you the user.
diff --git a/pages/edge-services/how-to/assets/scaleway-create-es-pipeline-lb.webp b/pages/edge-services/how-to/assets/scaleway-create-es-pipeline-lb.webp
deleted file mode 100644
index 75d89eb2b6..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-create-es-pipeline-lb.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-create-pipeline-lb.webp b/pages/edge-services/how-to/assets/scaleway-create-pipeline-lb.webp
deleted file mode 100644
index b2840e1f6b..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-create-pipeline-lb.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-create-pipeline-lb.webp b/pages/edge-services/how-to/assets/scaleway-edge-create-pipeline-lb.webp
new file mode 100644
index 0000000000..f66f76d12c
Binary files /dev/null and b/pages/edge-services/how-to/assets/scaleway-edge-create-pipeline-lb.webp differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-pipelines.webp b/pages/edge-services/how-to/assets/scaleway-edge-pipelines.webp
deleted file mode 100644
index 49f8cb4408..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-edge-pipelines.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-services-configure-domain.webp b/pages/edge-services/how-to/assets/scaleway-edge-services-configure-domain.webp
deleted file mode 100644
index 520f1f44fb..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-edge-services-configure-domain.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-services-customised.webp b/pages/edge-services/how-to/assets/scaleway-edge-services-customised.webp
deleted file mode 100644
index 127c869f22..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-edge-services-customised.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-services-lb-dashboard.webp b/pages/edge-services/how-to/assets/scaleway-edge-services-lb-dashboard.webp
index 659b74e395..04e06062c6 100644
Binary files a/pages/edge-services/how-to/assets/scaleway-edge-services-lb-dashboard.webp and b/pages/edge-services/how-to/assets/scaleway-edge-services-lb-dashboard.webp differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-services-pipeline.webp b/pages/edge-services/how-to/assets/scaleway-edge-services-pipeline.webp
deleted file mode 100644
index 49ffb573d9..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-edge-services-pipeline.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-waf-add-exc.webp b/pages/edge-services/how-to/assets/scaleway-edge-waf-add-exc.webp
new file mode 100644
index 0000000000..40f0b61abb
Binary files /dev/null and b/pages/edge-services/how-to/assets/scaleway-edge-waf-add-exc.webp differ
diff --git a/pages/edge-services/how-to/assets/scaleway-edge-waf-popup.webp b/pages/edge-services/how-to/assets/scaleway-edge-waf-popup.webp
new file mode 100644
index 0000000000..e86b7cb410
Binary files /dev/null and b/pages/edge-services/how-to/assets/scaleway-edge-waf-popup.webp differ
diff --git a/pages/edge-services/how-to/assets/scaleway-lb-edge-services.webp b/pages/edge-services/how-to/assets/scaleway-lb-edge-services.webp
deleted file mode 100644
index 59d99a1efe..0000000000
Binary files a/pages/edge-services/how-to/assets/scaleway-lb-edge-services.webp and /dev/null differ
diff --git a/pages/edge-services/how-to/configure-waf.mdx b/pages/edge-services/how-to/configure-waf.mdx
new file mode 100644
index 0000000000..6eb7e22ea5
--- /dev/null
+++ b/pages/edge-services/how-to/configure-waf.mdx
@@ -0,0 +1,148 @@
+---
+meta:
+ title: How to configure Edge Services Web Application Firewall
+ description: Learn how to configure a Web Application Firewall (WAF) for Edge Services. Protect your Load Balancer origin from threats and malicious requests, and fine tune your settings to pick the right paranoia level and exclusions for your use case.
+content:
+ h1: How to configure Edge Services Web Application Firewall
+ paragraph: Learn how to configure a Web Application Firewall (WAF) for Edge Services. Protect your Load Balancer origin from threats and malicious requests, and fine tune your settings to pick the right paranoia level and exclusions for your use case.
+dates:
+ validation: 2025-03-03
+ posted: 2024-07-24
+tags: object-storage edge-services cdn network waf paranoia block exclusions
+categories:
+ - network
+---
+
+
+Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/).
+
+
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose.
+
+This page walks you through the process of enabling and configuring WAF to protect your Load Balancer origin.
+
+To read more about how WAF works, try our [Understanding WAF](/edge-services/reference-content/understanding-waf/) page.
+
+
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An Edge Services pipeline for a [Load Balancer](/edge-services/how-to/create-pipeline-lb/) origin
+
+## How to enable and configure WAF
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to enable WAF:
+
+
+
+2. In the **Web Application Firewall (WAF)** panel, click **Enable WAF**.
+
+ A pop-up displays:
+
+
+
+3. Choose the **paranoia level**, from 1 - 4, that is best adapted to your use case. The higher the paranoia level, the more sensitive WAF is to potential threats, and the more likely it is to classify a request as malicious. For help with choosing a paranoia level, see our [dedicated documentation](/edge-services/reference-content/understanding-waf/#waf-ruleset-and-paranoia-levels).
+
+
+ After enabling WAF, you will be able to [set exclusions](#how-to-set-exclusions) that filter out requests matching certain criteria from being evaluated by WAF.
+
+
+4. Select a WAF **mode**. Requests judged to be malicious can either be **blocked** and prevented from passing to the Load Balancer origin, or **logged** but allowed to pass.
+
+5. Click **Save**
+
+WAF is enabled and you are returned to your Edge Services pipeline overview. You can disable or edit WAF settings at any time.
+
+## How to set exclusions
+
+Once you have enabled WAF, you can choose to set **exclusions**. Exclusions are a set of filters: requests that match the filters are not evaluated by WAF, and pass directly to your Load Balancer origin.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to set WAF exclusions.
+
+2. In the **WAF** panel, click **+ Add exclusions**. WAF goes into Edit mode.
+
+
+ You can only add exclusions **after** you have already enabled WAF.
+
+
+ The following screen displays:
+
+
+
+3. Set up to two filters for this exclusion. You can add either:
+ - One ***Path regex** filter, to match paths of requests to exclude. For example, `/api/v1/.*`
+ - One **HTTP method** filter, to match te HTTP methods of requests to exclude. For example, enter one or more of `GET`, `PATCH`, `PUT`, `DELETE` etc. Requests that match any of these methods will be considered to match the HTTP method filter.
+ - One of each of the above (use the **Add filter** button to add the second filter)
+
+ If you include both a path regex and an HTTP method filter in the same exclusion, requests must match both of the filters in order to be excluded.
+
+ Currently, the only action possible to set for matching requests is **Bypass WAF** (matching requests will not be evaluated by WAF and will proceed directly to the Load Balancer origin.) In the future, more actions will be added.
+
+4. Click **Add** to add the exclusion.
+
+ You are returned to your Edge Services pipeline overview.
+
+5. **Optional** Click **Add exclusions** to add more exclusions, if you wish (maximum 100). Follow steps 3 to 4 each time.
+
+6. Click **Save changes** to exit Edit mode and save all the exclusions you added.
+
+## How to edit exclusions
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF exclusions.
+
+2. In the WAF panel, click next to the exclusion you want to edit.
+
+3. Make edits to the filters as required. Remember, you cannot add more than one filter of each type (maximum of one path regex and one HTTP method filter per exclusion).
+
+4. Click **Confirm** when you have finished editing.
+
+ You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+
+5. Continue to edit or delete other exclusions as necessary.
+
+6. Click **Save changes** to exit Edit mode and save all your changes.
+
+## How to delete exclusions
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to delete WAF exclusions.
+
+2. In the WAF panel, click next to the exclusion you want to delete.
+
+ WAF goes into Edit mode, and a pop-up displays, asking you to confirm the deletion.
+
+3. Click **Delete**.
+
+ You are returned to your Edge Services pipeline overview, but you are still in Edit mode.
+
+4. Continue to edit or delete other exclusions as necessary.
+
+6. Click **Save changes** to exit Edit mode and save all your changes and deletions.
+
+## How to edit WAF configuration
+
+You can edit WAF's paranoia level and mode (log or block) at any time.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to edit WAF.
+
+2. In the WAF panel, click .
+
+3. Edit the paranoia level and mode as required.
+
+4. Click **Save**.
+
+ Your edits are saved, and you are returned to the Edge Services pipeline dashboard.
+
+## How to disable WAF
+
+You can disable WAF at any time.
+
+1. In the Scaleway console, navigate to the Edge Services dashboard for the Load Balancer pipeline on which you want to disable WAF.
+
+2. In the WAF panel, click **Disable WAF**.
+
+ A pop-up displays, informing you that WAF will no longer evaluate, block or log requests to your Load Balancer origin.
+
+3. Click **Disable** to confirm.
+
+ WAF is disabled and you are returned to your Edge Services' pipeline overview.
+
diff --git a/pages/edge-services/how-to/create-pipeline-bucket.mdx b/pages/edge-services/how-to/create-pipeline-bucket.mdx
index f78d9342b8..efb18f1673 100644
--- a/pages/edge-services/how-to/create-pipeline-bucket.mdx
+++ b/pages/edge-services/how-to/create-pipeline-bucket.mdx
@@ -44,7 +44,10 @@ You can create an Edge Services pipeline [from the Object Storage section of the
5. Enter a name for the pipeline, or leave the randomly generated name in place.
-6. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
+6. Optionally, configure **Advanced Settings:**
+ - **Cache**: When enabled, content from your origin bucket is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+
+7. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
You are returned to the **Pipelines** tab, where the newly created pipeline now displays.
diff --git a/pages/edge-services/how-to/create-pipeline-lb.mdx b/pages/edge-services/how-to/create-pipeline-lb.mdx
index f4cf6ea3be..2adab2a081 100644
--- a/pages/edge-services/how-to/create-pipeline-lb.mdx
+++ b/pages/edge-services/how-to/create-pipeline-lb.mdx
@@ -6,7 +6,7 @@ content:
h1: How to create an Edge Services pipeline for a Load Balancer
paragraph: This page explains how to configure an Edge Services pipeline on your Load Balancer, enabling a caching service for faster and more efficient delivery.
dates:
- validation: 2025-04-24
+ validation: 2025-05-14
posted: 2024-07-24
tags: load-balancer edge-services cdn network cache domain https
categories:
@@ -33,8 +33,7 @@ You can create an Edge Services pipeline from the Load Balancer section of the c
1. Click **Edge Services** in the **Network** section of the [Scaleway console](https://console.scaleway.com/) side menu.
2. Click **Create pipeline**. The pipeline creation wizard displays.
-
-
+
3. Configure the [origin](/edge-services/concepts/#origin) for this pipeline:
- Select **Load Balancer** as the origin type.
@@ -52,9 +51,13 @@ You can create an Edge Services pipeline from the Load Balancer section of the c
5. Enter a name for this Edge Services pipeline, or leave the auto-generated name in place.
+6. Optionally, configure **Advanced Settings:**
+ - **Cache**: When enabled, content from your Load Balancer origin is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+ - **WAF**: When enabled, requests to your Load Balancer origin are evaluated by a **W**eb **A**pplication **F**irewall. Malicious requests are blocked or logged, depending on your settings. Set a paranoia level to determine WAF's aggressivity, and a mode (block or log) for dealing with malicious requests. [Find out more about WAF](/edge-services/reference-content/understanding-waf/).
+
The summary cost for the creation of this pipeline is displayed, notably whether it falls within the limits of your current [subscription plan](/edge-services/reference-content/understanding-pricing/)
-6. Click **Create Edge Services pipeline** to finish.
+7. Click **Create Edge Services pipeline** to finish.
You are returned to the **Pipelines** tab, where the newly created pipeline now displays.
diff --git a/pages/edge-services/how-to/subscribe-edge-services.mdx b/pages/edge-services/how-to/subscribe-edge-services.mdx
index aa3e8ed264..dbf5a3e78e 100644
--- a/pages/edge-services/how-to/subscribe-edge-services.mdx
+++ b/pages/edge-services/how-to/subscribe-edge-services.mdx
@@ -6,22 +6,29 @@ content:
h1: How to subscribe to Edge Services
paragraph: Find out how to take your first steps with Scaleway Edge Services by subscribing to a pricing plan. Learn how to choose the best plan for your needs and change your plan at the click of a button.
dates:
- validation: 2025-04-24
+ validation: 2025-05-14
posted: 2024-10-15
tags: object-storage edge-services subscription-plan subscribe billing pricing
categories:
- network
---
-Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It lets you benefit from a powerful caching service to reduce the load on your origin servers and streamline delivery. On top of this, you get a customizable Edge Services endpoint and can set it to a subdomain of your choice, securing it with an SSL/TLS certificate.
+Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides:
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin)
+- A [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
+- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice
To use Edge Services, you must subscribe to a [pricing plan](https://www.scaleway.com/en/pricing/network/#edge-services). Within its monthly price, each pricing plan includes:
- A fixed number of Edge Services [pipelines](/edge-services/concepts/#pipeline). You can create pipelines for either Load Balancers, Object Storage buckets, or a mixture of both, with your subscription plan.
-- A certain amount of egress [cache](/edge-services/concepts/#cache) data (the quantity of data transferred from Edge Services' caches, not including the transfer from the origin bucket or Load Balancer).
-- A custom domain and SSL certificate (managed or custom) for each pipeline.
+- A certain amount of egress cache data (the quantity of data transferred from Edge Services' caches, not including the transfer from the origin bucket or Load Balancer).
+- A certain amount of WAF requests (the number of requests that can be filtered through WAF across all your pipelines)
-If you create more pipelines than are included in your plan, or your pipelines' caches egress more data than is included, you will be charged additionally for this. The rates per pipeline/GB of data are indicated on the [pricing](https://www.scaleway.com/en/pricing/network/#edge-services) page.
+
+WAF is currently in Public Beta, and free of charge. Additional charges for exceeding your plan's WAF requests will only come into effect once the feature goes into General Availability.
+
+
+If you create more pipelines than are included in your plan, or your pipelines' caches egress more data than is included, or you make more WAF requests than are included, you will be charged additionally for this. The rates per pipeline/GB of data are indicated on the [pricing](https://www.scaleway.com/en/pricing/network/#edge-services) page.
Subscriptions are pro-rata, meaning you can cancel your subscription or change your plan at any time, and you will be charged proportionally.
@@ -35,24 +42,26 @@ Find out more about how Edge Service subscription plans and billing works on our
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
-You can subscribe to Edge Services from the Object Storage or Load Balancer dashboards of the Scaleway console. However, the instructions below detail how to describe from the dedicated Edge Services section of the console. Whichever path you use, the same pricing plans and subscription mechanisms apply. Subscribing from the Object Storage or Load Balancer dashboards does **not** limit you to only creating pipelines for that product with your subscription. Subscription plans are scoped to a single Scaleway [Project](/organizations-and-projects/concepts/#project).
+You can subscribe to Edge Services from the Object Storage or Load Balancer dashboards of the Scaleway console. However, the instructions below detail how to subscribe from the dedicated Edge Services section of the console.
Whichever path you use, the same pricing plans and subscription mechanisms apply. Subscribing from the Object Storage or Load Balancer dashboards does **not** limit you to only creating pipelines for that product with your subscription. Subscription plans are scoped to a single Scaleway [Project](/organizations-and-projects/concepts/#project).
1. Click **Edge Services** in the **Network** section of the [Scaleway console](https://console.scaleway.com/) side menu.
2. Click **Subscribe to Edge Services**.
- Information about available [pricing plans](https://www.scaleway.com/en/pricing/network/#edge-services) is displayed. All pricing plans have a fixed monthly price, and include a certain number of pipelines and a certain amount of cache data (data egressed from all your Edge Services pipelines' caches). Any extra pipelines or cache egress data are charged at the additional rates shown.
+ Information about available [pricing plans](https://www.scaleway.com/en/pricing/network/#edge-services) is displayed. All pricing plans have a fixed monthly price, and include a certain number of pipelines, a certain amount of cache data (data egressed from all your Edge Services pipelines' caches), and a certain amount of WAF requests (across all pipelines). Any extra pipelines, cache egress or WAF requests are charged at the additional rates shown.
3. Select a plan, and click **Subscribe to Edge Services**.
Your subscription is created, and you are returned to the Edge Services dashboard, on the **Pipelines** tab. All your Edge Services pipelines will display here.
+ On the **Plans** tab you can view your current subscription plan, and your Edge Services consumption in relation to your plan's limits on pipelines, cache and WAF.
+
## How to change your subscription plan
You can change your Edge Services subscription plan at any time. Subscriptions are pro-rata: the monthly price will be applied based on the proportion of the month you are subscribed to the plan.
-If you upgrade your plan, any additional charges (for extra pipelines or cache data) that you had already accumulated before the time of upgrade will still stand.
+If you upgrade your plan, any additional charges (for extra pipelines, cache data or WAF requests) that you had already accumulated before the time of upgrade will still stand.
Find out more about how Edge Service subscription plans and billing works, including scenarios for changing your plan mid-month, on our [Understanding Edge Services pricing](/edge-services/reference-content/understanding-pricing/) page.
diff --git a/pages/edge-services/index.mdx b/pages/edge-services/index.mdx
index 11983dba81..f6311c4e9f 100644
--- a/pages/edge-services/index.mdx
+++ b/pages/edge-services/index.mdx
@@ -6,15 +6,15 @@ meta:
- Web Application Firewall (WAF) for Edge Services is now in Public Beta and available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). Enable WAF to protect your origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
+ Edge Services now offers a Web Application Firewall (WAF) service, currently in Public Beta. Activate and manage WAF in the Scaleway console or API / developer tools. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
diff --git a/pages/edge-services/quickstart.mdx b/pages/edge-services/quickstart.mdx
index 23d17a44bd..55c6729cb9 100644
--- a/pages/edge-services/quickstart.mdx
+++ b/pages/edge-services/quickstart.mdx
@@ -7,17 +7,20 @@ content:
paragraph: Quickly set up Scaleway Edge Services for Object Storage buckets or Load Balancer origins with our guide. Learn to configure pipelines, customize endpoints, and manage caching for optimal performance.
tags: edge-services edge services pipeline custom-domain cache
dates:
- validation: 2025-05-05
+ validation: 2025-05-14
creation: 2024-07-24
categories:
- networks
---
-Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides a [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and a customizable and secure [endpoint](/edge-services/concepts/#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
+Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides:
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin)
+- A [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
+- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice
To use Edge Services, you must take out a subscription plan, which then enables you to create a certain number of Edge Services pipelines towards your Load Balancer origins or Object Storage buckets.
-
+
@@ -27,7 +30,7 @@ To use Edge Services, you must take out a subscription plan, which then enables
## How to subscribe to Edge Services
-To use Edge Services, you must subscribe to a [pricing plan](https://www.scaleway.com/en/pricing/network/#edge-services). Within its monthly price, each pricing plan includes a fixed number of pipelines, and a certain amount of egress cache data. Any consumption that exceeds the limits of the plan is charged at an additional rate.
+To use Edge Services, you must subscribe to a [pricing plan](https://www.scaleway.com/en/pricing/network/#edge-services). Within its monthly price, each pricing plan includes a fixed number of pipelines, and a certain amount of egress cache data. Any consumption that exceeds the limits of the plan is charged at an additional rate.
Find out more about how Edge Service subscription plans and billing works on our [Understanding Edge Services pricing](/edge-services/reference-content/understanding-pricing/) page, or follow the steps below to subscribe.
@@ -39,6 +42,8 @@ Find out more about how Edge Service subscription plans and billing works on our
Your subscription is created, and you are returned to the Edge Services dashboard, on the **Pipelines** tab. All your Edge Services pipelines will display here.
+ On the **Plans** tab you can view your current subscription plan, and your Edge Services consumption in relation to your plan's limits on pipelines, cache and WAF.
+
## How to create an Edge Services pipeline
You can create [pipelines](/edge-services/concepts/#pipeline) for either Object Storage buckets or Load Balancer origins.
@@ -72,7 +77,11 @@ You can create [pipelines](/edge-services/concepts/#pipeline) for either Object
6. Enter a name for this Edge Services pipeline, or leave the auto-generated name in place.
- 7. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
+ 7. Optionally, configure **Advanced Settings:**
+ - **Cache**: When enabled, content from your Load Balancer origin is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+ - **WAF**: When enabled, requests to your Load Balancer origin are evaluated by a **W**eb **A**pplication **F**irewall. Malicious requests are blocked or logged, depending on your settings. Set a paranoia level to determine WAF's aggressivity, and a mode (block or log) for dealing with malicious requests. [Find out more about WAF](/edge-services/reference-content/understanding-waf/).
+
+ 8. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
@@ -85,7 +94,10 @@ You can create [pipelines](/edge-services/concepts/#pipeline) for either Object
6. Enter a name for the pipeline, or leave the randomly generated name in place.
- 7. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
+ 7. Optionally, configure **Advanced Settings:**
+ - **Cache**: When enabled, content from your origin bucket is cached with Edge Services and served directly to users from Edge Services' servers. Set a **Lifetime** value, in seconds, to dictate how long objects should remain in the cache before being freshly retrieved from the origin. [Find out more about caching](/edge-services/how-to/configure-cache/).
+
+ 8. Check the summary cost for the pipeline, and click **Create Edge Services pipeline**.
Your bucket's [visibility](/object-storage/concepts/#visibility) can be set to **private**, but any objects within it that you want to expose via Edge Services must be set to [**public** visibility](/object-storage/how-to/manage-object-visibility/). However, in the case that you are using Edge Services with bucket website, objects can remain private.
@@ -161,31 +173,13 @@ If you already own a domain, you can customize an Edge Services pipeline endpoin
Your customized domain is set up, and you are returned to the Edge Services dashboard. The customized domain displays in the Endpoint panel. When you access your Object Storage or Load Balancer origin through this domain, its content will be served via Edge Services.
-## How to configure your cache
-
-The cache feature allows you to cache your origin's content with Edge Services. This means that content can be served directly to users from Edge Services' servers, instead of from your Object Storage bucket or Load Balancer origin, enhancing performance.
-
-You can disable and enable caching at will, as well as control the lifetime of an object in the cache. You can also purge your entire cache, or specific objects within it. A log is displayed to help you track your purge events.
-
-1. In the Scaleway console, navigate to the Edge Services dashboard for the Object Storage bucket or Load Balancer pipeline for which you want to enable caching:
-
-
-
-2. In the **Cache** panel, use the icon to enable the cache.
-
- The **Lifetime** configuration box displays. This enables you to define, in seconds, how long an object can be stored in the cache before it must be retrieved freshly from the origin (Object Storage bucket or Load Balancer).
-
-
-
-
- As an example, a value of 0 means that objects will not be cached, unless they have a separately-defined caching directive. Note that in any case, if an object has a caching directive, the caching directive always takes precedence over any lifetime setting defined here in Edge Services.
-
+## How to configure caching and WAF
-3. Leave the default value of 1 hour in place, or enter another value.
+Enabling a cache and/or a **W**eb **A**pplication **F**irewall on your Edge Services pipeline are both optional steps.
-The cache is now enabled.
+- Enabling a **cache** means that Edge Services stores copies of files from your origin, and can serve them directly to users from this cache rather then fetching them freshly from your bucket or Load Balancer origin each time. This reduces load on your origin and can improve performance. [Find out how to configure a cache](/edge-services/how-to/configure-cache/)
-For information on purging your cache, see our [dedicated documentation](/edge-services/how-to/configure-cache/).
+- Enabling **WAF** means that Edge Services can filter out and block potentially malicious requests to your origin. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set exclusions to define traffic that shouldn't be filtered by WAF. [Find out how to configure WAF](/edge-services/how-to/configure-waf/)
## How to delete an Edge Services pipeline
diff --git a/pages/edge-services/reference-content/understanding-pricing.mdx b/pages/edge-services/reference-content/understanding-pricing.mdx
index 207528d07c..12fdc9c309 100644
--- a/pages/edge-services/reference-content/understanding-pricing.mdx
+++ b/pages/edge-services/reference-content/understanding-pricing.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Find answers to all your questions about how pricing for Edge Services works, how to calculate your billing, and the different subscription plans available. Different scenarios are presented, with explanations of how you would be billed in each one
tags: edge-services general-availability pricing billing subscription-plan pro-rata
dates:
- validation: 2025-04-24
+ validation: 2025-05-14
creation: 2024-10-16
categories:
- network
@@ -30,7 +30,7 @@ When you subscribe to a plan, you are billed its flat monthly fee, which allows
- Filter a fixed maximum amount of requests through [WAF](/edge-services/concepts/#waf)
-WAF is currently in Public Beta and therefore **free of charge**. For now it is only available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console. When WAF enters General Availability, the free pricing model will end.
+WAF is currently in Public Beta and therefore **free of charge**. When WAF enters General Availability, the free pricing model will end. See [below](#waf) for details on how it will be billed in the future.
If you subscribe to a plan, and exceed its monthly limits for pipelines, cache data, or WAF requests you will incur additional charges that month.
@@ -45,11 +45,7 @@ You can check the number of pipelines you have at any one time in the **Pipeline
## WAF
-
-WAF is in Public Beta, and currently available free of charge and only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
-
-
-Although it is currently available free of charge, read on to find out more about how it will be charged once in General Availability
+Although WAF is currently in Public Beta and available free of charge, read on to find out more about how it will be charged once in General Availability
Each plan (except Starter plan) will include a fixed amount of WAF requests to use across all your pipelines. If you exceed the amount of WAF requests in a month that is allowed on your plan (or by the Starter add-on), you will be charged a fee per million additional requests.
diff --git a/pages/edge-services/reference-content/understanding-waf.mdx b/pages/edge-services/reference-content/understanding-waf.mdx
index c8be5c47fb..9599eaf8ed 100644
--- a/pages/edge-services/reference-content/understanding-waf.mdx
+++ b/pages/edge-services/reference-content/understanding-waf.mdx
@@ -7,23 +7,23 @@ content:
paragraph: Learn how to protect your web applications with Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
tags: edge-services web-application-firewall waf paranoia-levels exclusions
dates:
- validation: 2025-04-17
+ validation: 2025-05-14
creation: 2025-03-03
categories:
- network
---
-WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
+WAF is currently in Public Beta.
-You can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature on your Edge Services pipeline for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
+You can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature on your Edge Services pipeline, for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
## WAF overview
When enabled, WAF protects your origin from potential threats.
-It does so by evaluating each request to the origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
+It does so by evaluating each request to your origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
For requests judged to be malicious, WAF can either block them from passing to your origin (as shown in the diagram below), or simply log them but allow them to pass, depending on the settings you choose.
@@ -35,6 +35,7 @@ You can set **exclusions**, so that certain requests are not evaluated by WAF an
In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
+
If you have both WAF and cache enabled, requests that can be served by the cache will not go through WAF. Only requests that cannot be served by the cache will be filtered by WAF, and allowed to pass to the origin or not depending on your WAF configuration.
@@ -91,7 +92,7 @@ Each exclusion can consist of:
## WAF limitations
-- WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/).
+- WAF is currently in Public Beta.
- WAF protects your origin only, and not your cache.
- You can add a maximum of 100 WAF exclusions
-- You cannot currently specify exclusions at the individual rule level. Requests matching exclusion filters bypass WAF entirely.
\ No newline at end of file
+- You cannot currently specify exclusions at the individual rule level. Requests matching exclusion filters bypass WAF entirely.