Fastly Next-Gen WAF edge deployment
The Fastly Next-Gen WAF’s patented approach to detection and blocking provides broad, highly accurate protection without required tuning.
Fastly’s Next-Gen WAF is the most flexibly deployed on the market and can be deployed on-premises, in any cloud, at the Fastly edge, or in a hybrid of these. While we can secure apps wherever they live, organizations favor edge deployment for four main reasons: faster deployment and maintenance, threat mitigation away from their origin, inherent DDoS (distributed denial of service) protection, and the ability to scale security capabilities, and more, without adding unnecessary latency (image 1).
Image 1: Fastly edge deployment architecture
Fast deployment and simplified maintenance
Fastly’s edge deployment is ideal if you’re unable to install software on existing infrastructure. It takes just minutes and only requires an API call to route traffic through the Fastly network and enable WAF inspection. Edge deployment also reduces ongoing maintenance as all updates happen automatically without downtime.
Threat mitigation further from business-critical infrastructure
Fastly’s edge refers to our globally distributed network of 100+ modern servers, or points of presence (POPs). With Tier 1 transit and solid-state drive (SSD)-powered servers, we’ve built a modern network that requires less hardware to deliver comprehensive global reach (image 2).
Image 2: Fastly network map as of July 2024
By deploying the Next-Gen WAF at the edge, you scan and fight malicious requests at Fastly’s servers instead of your origin infrastructure. Depending on your architecture, fighting malicious threats away from origin can have one of two additional benefits. For customers working primarily on-prem, deploying at the edge reduces the computational load on origin infrastructure, limiting any impact on your machines and their limited resources. For customers deployed in the cloud, it likely offers cost savings as malicious requests aren’t processed by your origin, reducing inflated traffic bills.
Automatic DDoS protection
Deploying at the edge comes with our network’s built-in security and DDoS mitigation benefits (image 3).
Image 3: Fastly’s platform DDoS protection
With 330+ Tbps of global capacity as of June 30, 2024, Fastly’s network absorbs malicious volumetric Layer 3/4 traffic to stop common attacks like Network Time Protocol (NTP), Domain Name System (DNS), and other amplification/reflection attacks. We’ve also built platform security features to reduce unwanted traffic at Layer 7 dynamically:
Fastly only transits relevant traffic and automatically drops any non-HTTP/HTTPS traffic before it hits your services.
Fastly uses proprietary techniques to intelligently stop massive Layer 7 DDoS attacks. When hit with complicated attacks, our attribute unmasking techniques rapidly extract accurate fingerprints from the network traffic for mitigation. Attribute unmasking ingests the metadata from inbound requests on our network and considers the traffic’s characteristics like Layer 3 and Layer 4 headers, TLS info, Layer 7 details, and more. Borrowing concepts from AI, it systematically extracts the elements that match the shape and volume of traffic with the volume of the attack to identify the optimal fingerprint and begin mitigation.
The robust infrastructure you gain by deploying at the edge enables you to scale your traffic capacity instantly and on demand, even during peak traffic events like product launches, viral marketing campaigns, or volumetric attacks.
Granular traffic control
All edge deployments have access to their subset of our network’s underlying Varnish Configuration Language (VCL). VCL is the domain-specific language Fastly uses to automatically define how incoming requests and outgoing responses are accessed, cached, and delivered. Customizable VCL provides fine-grained control and empowers your developers to optimize performance and achieve bespoke security outcomes.
Scale without performance impacts
All Fastly products run on every POP, offering consistent capabilities across the network. This means you can deploy the Next-Gen WAF and other Fastly products like Bot Management, Edge Rate Limiting, real-time caching, load balancing, origin shielding, or TLS encryption in one location, minimizing latency and ensuring a robust security posture without compromising user experience.
Fastly products like our Content Delivery Network (CDN) and Compute typically sit under NetOps and DevOps, respectively, but running them on Fastly’s platform offers integrated insights for teams and better economies of scale for procurement. Running additional products on Fastly’s platform also enables synergies between teams to emerge as they gain visibility into shared data and additional capabilities to manage traffic spikes, or custom code at the edge for security and beyond.
Deploy your Next-Gen WAF at Fastly’s edge
While Fastly’s Next-Gen WAF can deploy anywhere you need it, deploying at the edge is impactful for security teams and beyond. Contact us to learn more and schedule a proof of concept.