feat(edge-services): add documentation for WAF (#4599)

* feat(edge): add waf doc

* feat(waf): continue doc

* feat(es): more waf

* feat(edge): more waf

* feat(edge): continue waf

* fix(waf): diagrams and flows

* fix(waf): fix faq

* fix(edge): fixed todo

* feat(edge-services): doc for api public beta

* fix(edge-services): images

* fix(edge): corrections

* Update pages/edge-services/reference-content/understanding-waf.mdx

Author: RoRoJ

faq/edge-services.mdx

@@ -5,7 +5,7 @@ meta:
 content:
   h1: Edge Services
 dates:
-  validation: 2025-02-04
+  validation: 2025-03-03
 category: network
 productIcon: EdgeServicesProductIcon
 ---
@@ -30,4 +30,10 @@ Find out more about how Edge Service subscription plans and billing works on our
 
 ## If I customize my Edge Services endpoint with my own domain, can it serve content over HTTPS?
 
-Yes, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that subdomain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/).
+Yes, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that subdomain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/).
+
+## What is WAF?
+
+**W**eb **A**pplication **F**irewall is a feature available in Public Beta via Edge Services for Load Balancer origins. It is currently available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/) only, but will be coming to the Scaleway console soon.
+
+When enabled, WAF filters requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).

menu/navigation.json

@@ -3429,6 +3429,10 @@
                     "label": "CNAME records for Edge Services",
                     "slug": "cname-record"
                   },
+                  {
+                    "label": "Understanding WAF",
+                    "slug": "understanding-waf"
+                  },
                   {
                     "label": "Understanding pricing",
                     "slug": "understanding-pricing"

pages/edge-services/concepts.mdx

@@ -7,7 +7,7 @@ content:
   paragraph: Understand Scaleway Edge Services terminology with our glossary of the core concepts underpinning this product. Learn about key features, architecture, and best practices.
 tags: edge-services edge services pipeline custom-domain cache
 dates:
-  creation: 2024-07-24
+  creation: 2025-03-03
   validation: 2024-10-14
 categories:
   - networks
@@ -64,4 +64,12 @@ You can create an Edge Services pipeline for each of your Object Storage buckets
 
 ## Protocol
 
-The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sending requests to an origin Load Balancer. HTTPS is recommended, but you should choose the protocol that corresponds with your Load Balancer setup.
+The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sending requests to an origin Load Balancer. HTTPS is recommended, but you should choose the protocol that corresponds with your Load Balancer setup.
+
+## WAF
+
+<Message type="note">
+Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/) and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming to the Scaleway console soon.
+</Message>
+
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).

pages/edge-services/how-to/configure-cache.mdx

@@ -17,6 +17,12 @@ The cache feature allows you to cache your origin's content with Edge Services.
 
 You can disable and enable caching at will, as well as control the lifetime of an object in the cache. You can also purge your entire cache, or specific objects within it. A log is displayed to help you track your purge events.
 
+<Macro id="requirements" />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An Edge Services pipeline for a [Load Balancer](/edge-services/how-to/create-pipeline-lb/) or [Object Storage bucket](/edge-services/how-to/create-pipeline-bucket/) origin
+
 ## How to enable the cache
 
 1. In the Scaleway console, navigate to the Edge Services dashboard for the Object Storage or Load Balancer pipeline on which you want to enable caching:

pages/edge-services/index.mdx

@@ -6,9 +6,9 @@ meta:
 
 <Alert
   sentiment="info"
-  title="Edge Services is now in General Availability!"
+  title="Edge Services WAF is now available via the Edge Services API!"
 >
-  Edge Services for Object Storage and Load Balancers is now in General Availability, and a subscription-based pricing plan applies. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-ga/).
+  Web Application Firewall (WAF) for Edge Services is now in Public Beta and available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). Enable WAF to protect your Load Balancer origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
 </Alert>
 
 <ProductHeader 

pages/edge-services/reference-content/assets/scaleway-edge-services-pipeline-diag.webp

@@ -27,8 +27,13 @@ When you subscribe to a plan, you are billed its flat monthly fee, which allows
 
 - Run a fixed maximum number of Edge Services [pipelines](/edge-services/concepts/#pipeline) for the month. They can be for Object Storage or Load Balancer origins, or a mixture of both.
 - Egress a fixed maximum amount of data from all your pipelines' [caches](/edge-services/concepts/#cache).
+- Filter a fixed maximum amount of requests through [WAF](/edge-services/concepts/#waf)
 
-If you subscribe to a plan, and exceed its monthly limits for pipelines or cache data, you will incur additional charges that month. 
+<Message type="note">
+WAF is currently in Public Beta and therefore **free of charge**. For now it is only available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console. When WAF enters General Availability, the free pricing model will end.
+</Message>
+
+If you subscribe to a plan, and exceed its monthly limits for pipelines, cache data, or WAF requests you will incur additional charges that month. 
 
 Essentially, your Edge Services monthly bill is made up of your **monthly subscription plan price** + **any additional pipeline charges incurred** + **any additional cache charges incurred**.
 
@@ -38,6 +43,20 @@ For full details of the price and limits of each plan, refer to the [pricing pag
 
 You can check the number of pipelines you have at any one time in the **Pipelines** tab of the Edge Services dashboard in the Scaleway console. [Scaleway Cockpit](/edge-services/how-to/monitor-cockpit/) can be used to monitor the data egressing from your Edge Services caches.
 
+## WAF
+
+<Message type="note">
+WAF is in Public Beta, and currently available free of charge and only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
+</Message>
+
+WAF is only compatible with Load Balancer origin pipelines, not with Object Storage bucket pipelines.
+
+Although it is currently available free of charge, read on to find out more about how it will be charged once in General Availability
+
+Each plan (except Starter plan) will include a fixed amount of WAF requests to use across all your pipelines. If you exceed the amount of WAF requests in a month that is allowed on your plan (or by the Starter add-on), you will be charged a fee per million additional requests.
+
+The **Starter** plan will be the only plan that does not include a set amount of WAF requests. To use WAF on this plan, you must pay an additional monthly add-on charge. This add-on will then let you enable WAF on all your pipelines, and use a fixed amount of WAF requests for that month across all pipelines.A ny WAF requests that exceed this amount will be charged additionally.
+
 ## Included usage vs additional charges
 
 Additional charges apply when you either:
@@ -160,5 +179,4 @@ The example prices and limits used below are subject to change. You should alway
 You consumed 200 GB of cache data that was not included within your monthly Starter plan, between November 1-10. For the rest of the month, you were within the limits of your new Professional plan. Your November Edge Services billing, in terms of the additional cache charges, is therefore calculated as follows:
 
 `{Fee per GB of additional cache} * 200 GB` <br/>
-e.g. `0.0135 * 200 = €2.70`
-
+e.g. `0.0135 * 200 = €2.70`

pages/edge-services/reference-content/assets/scaleway-edge-services-waf-diag.webp

@@ -0,0 +1,98 @@
+---
+meta:
+  title: Understanding Edge Services Web Application Firewall (WAF)
+  description: Learn how to protect your web applications with Scaleway Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
+content:
+  h1: Understanding Edge Services Web Application Firewall (WAF)
+  paragraph: Learn how to protect your web applications with Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
+tags: edge-services web-application-firewall waf paranoia-levels exclusions
+dates:
+  validation: 2025-03-03
+  creation: 2025-03-03
+categories: 
+  - network
+---
+
+<Message type="note">
+WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
+</Message>
+
+If your Edge Services pipeline points towards a Load Balancer origin, you can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature, for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
+
+## WAF overview
+
+When enabled, WAF protects your Load Balancer backend from potential threats.
+
+It does so by evaluating each request to your Load Balancer origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
+
+For requests judged to be malicious, WAF can either block them from passing to your origin (as shown in the diagram below), or simply log them but allow them to pass, depending on the settings you choose.
+
+You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your Load Balancer origin. Exclusion filters are based on the request path and/or HTTP request type.
+
+<Lightbox src="scaleway-edge-services-waf-diag.webp" alt="A diagram shows how Edge Services WAF deals with three different types of HTTP request. A request meeting the criteria for WAF exclusion is passed directly to the Load Balancer origin. A benign request is first checked by the WAF rules, then allowed to pass to the Load Balancer origin. A malicious request is checked by the rules, and blocked from passing to the Load Balancer origin." />
+
+## WAF in an Edge Services pipeline
+
+In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
+
+<Lightbox src="scaleway-edge-services-pipeline-diag.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
+
+If you have both WAF and cache enabled, requests that can be served by the cache will not go through WAF. Only requests that cannot be served by the cache will be filtered by WAF, and allowed to pass to the origin or not depending on your WAF configuration.
+
+## WAF ruleset and paranoia levels
+
+Scaleway Edge Services WAF uses the [OWASP **C**ore **R**ule **S**et (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack such as SQL injection and cross-site scripting. Full details are available in the [OWASP CRS documentation](https://coreruleset.org/docs/).
+
+**Paranoia level settings** are an integral part of the core ruleset. They dictate how aggressive the ruleset should be when judging whether a given request is malicious or not. The paranoia level is rated from 1 to 4, which each being more aggressive and more sensitive to potential threats than the last.
+
+The four levels are:
+
+- **1 - Minimal protection**: Basic security, suitable for environments with low sensitivity, prioritizing minimal false alerts.
+- **2 - Moderate protection**: Solid protection for environments dealing with real-world customer data.
+- **3 - Strong protection**: Banking-standard security, prioritizing safety but prone to frequent false alerts.
+- **4 - Maximum protection**: Hyper-paranoid rules, fit for protecting the most critical and sensitive assets.
+
+The higher the paranoia level, the more likely you are to have **false positives**. This is when WAF classes a request as malicious, when in fact it is not. 
+
+- At level 1, the ruleset is unlikely to trigger false positives, however it is also more likely to miss threats and aggressions and classify them as benign.
+
+- At level 4, the ruleset is so aggressive that it detects almost every possible attack, however it is also highly likely to trigger a significant number of false positives whereby a lot of legitimate traffic will be classed as malicious.
+
+|  | Level 1 | Level 2 | Level 3 | Level 4 |
+|---|---|---|---|---|
+| Number of threats detected | Lowest | Moderately Low | Moderately High | Highest |
+| Number of false positives | Lowest | Moderately Low | Moderately High | Highest |
+
+Choosing a paranoia level therefore means trading off **how hard it is for an attacker to go undetected** against **how much legitimate traffic is incorrectly classified as malicious**. This depends on your use case, and the sensitivity of the application and assets being protected by WAF.
+
+- Anyone running an HTTP server on the internet could benefit from level 1 protection.
+- If real user data is involved, consider level 2.
+- For online banking, consider level 3
+- For crown-jewel level assets, consider level 4.
+
+Find out more about paranoia levels in the [official OWASP CRS documentation](https://coreruleset.org/docs/2-how-crs-works/2-2-paranoia_levels/).
+
+Read on to find out how you can use **exclusions** to mitigate the effect of some false positives.
+
+## WAF exclusions
+
+WAF **exclusions** are filters that allow matching requests (based on **path** and/or **HTTP request type**) to bypass WAF entirely.
+
+You can set up to 100 exclusions after enabling WAF on a given pipeline.
+
+- **Path filter**: Define a regular expression to filter for in request paths, e.g. `/api/v1/.*`
+- **HTTP request filter**: Define one or more HTTP request types to filter requests for, e.g. `GET`, `DELETE`, `POST` etc.
+
+Each exclusion can consist of:
+
+- A path filter only, OR
+- An HTTP request filter only (which itself can filter for multiple request types on an `ANY` basis), OR
+- One path filter and one HTTP request filter. In this case, only requests matching **both** filters will be considered to meet the criteria for exclusion.
+
+## WAF limitations
+
+- WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/).
+- WAF is only compatible with Load Balancer origins. It cannot be enabled for Object Storage bucket origins.
+- WAF protects your origin only, and not your cache.
+- You can add a maximum of 100 WAF exclusions
+- You cannot currently specify exclusions at the individual rule level. Requests matching exclusion filters bypass WAF entirely.