Commit e6cede3

feat(es): more waf
1 parent 654f5cf commit e6cede3

3 files changed

+89
-15
lines changed


pages/edge-services/reference-content/understanding-pricing.mdx

Lines changed: 79 additions & 13 deletions
@@ -30,39 +30,34 @@ When you subscribe to a plan, you are billed its flat monthly fee, which allows
3030
- Filter a fixed maximum amount of requests through [WAF](/edge-services/concepts/#waf)
3131

3232
<Message type="note">
33-
WAF is currently in Public Beta and therefore **free of charge**. For now it is only available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console. When WAF enters General Availability, the free pricing model will end.
33+
The Starter plan does not include WAF. To use WAF on this plan, you must may an additional monthly add-on charge (see [below](#waf-add-on)).
3434
</Message>
3535

3636
If you subscribe to a plan, and exceed its monthly limits for pipelines, cache data, or WAF requests you will incur additional charges that month.
3737

38-
Essentially, your Edge Services monthly bill is made up of your **monthly subscription plan price** + **any additional pipeline charges incurred** + **any additional cache charges incurred**.
38+
Essentially, your Edge Services monthly bill is made up of your **monthly subscription plan price** + **any additional pipeline charges incurred** + **any additional cache charges incurred** + **optional WAF add-on** (Started plan only) + **any additional WAF charges incurred**.
3939

4040
For full details of the price and limits of each plan, refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services). Subscription plans are scoped to a single Scaleway [Project](/organizations-and-projects/concepts/#project).
4141

4242
## Keeping track of your Edge Services consumption
4343

4444
You can check the number of pipelines you have at any one time in the **Pipelines** tab of the Edge Services dashboard in the Scaleway console. [Scaleway Cockpit](/edge-services/how-to/monitor-cockpit/) can be used to monitor the data egressing from your Edge Services caches.
4545

46-
## WAF
46+
## WAF add-on
4747

48-
<Message type="note">
49-
WAF is in Public Beta, and currently available free of charge and only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
50-
</Message>
51-
52-
WAF is only compatible with Load Balancer origin pipelines, not with Object Storage bucket pipelines.
48+
The Starter plan is the only plan that does not include WAF. To use WAF on this plan, you must may an additional monthly add-on charge (see [pricing page]([pricing page](https://www.scaleway.com/en/pricing/network/#edge-services)).
5349

54-
Although it is currently available free of charge, read on to find out more about how it will be charged once in General Availability
50+
This add-on then lets you enable WAF on all your pipelines, and use a fixed amount of WAF requests for that month across all pipelines. Any WAF requests that exceed this amount will be charged additionally, as described below.
5551

56-
Each plan (except Starter plan) will include a fixed amount of WAF requests to use across all your pipelines. If you exceed the amount of WAF requests in a month that is allowed on your plan (or by the Starter add-on), you will be charged a fee per million additional requests.
57-
58-
The **Starter** plan will be the only plan that does not include a set amount of WAF requests. To use WAF on this plan, you must pay an additional monthly add-on charge. This add-on will then let you enable WAF on all your pipelines, and use a fixed amount of WAF requests for that month across all pipelines.A ny WAF requests that exceed this amount will be charged additionally.
52+
WAF is only compatible with Load Balancer origin pipelines, not with Object Storage bucket pipelines.
5953

6054
## Included usage vs additional charges
6155

6256
Additional charges apply when you either:
6357

6458
- Have more pipelines in existence (at any given time) than the limit of your monthly plan
6559
- Egress more data from all your pipelines' caches combined, than the limit of your monthly plan
60+
- Filter more requests through WAF, for all of your pipelines combined, than the limit of your monthly plan or add-on.
6661

6762
Read on to understand more about how additional charges are applied.
6863
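Review bot: The link added at new line 48 is malformed: `[pricing page]([pricing page](https://www.scaleway.com/en/pricing/network/#edge-services))` nests one Markdown link inside another and will not render as a link; it should be `[pricing page](https://www.scaleway.com/en/pricing/network/#edge-services)`. That sentence and the note at new line 33 both read "you must may an additional monthly add-on charge" (should be "must pay"), and new line 38 says "Started plan only" where "Starter" is meant. The bullet added at new line 60 ends with a full stop while the two bullets above it do not.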

@@ -111,6 +106,30 @@ You consumed 200 GB of cache data that was not included within your monthly plan
111106
`{Fee per GB of additional cache} * 200 GB` <br/>
112107
e.g. `0.0135 * 200 = €2.70`
113108

109+
### Additional WAF charges
110+
111+
WAF consumption is based on the number of requests processed by all your Edge Services pipelines' Web Application Firewalls combined, in a given month. Requests that are served by the cache are **not** processed by WAF, as WAF protects only your origin.
112+
113+
For every million requests processed by Edge Services WAF in a month, **beyond** the limit of your monthly plan (or add-on, in the case of the Starter plan), an additional charge applies.
114+
115+
For example:
116+
117+
<Message type="important">
118+
The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
119+
</Message>
120+
121+
- For the entire month of November, you are subscribed to the **Professional** plan, which has a limit of 5M WAF requests.
122+
- Over the course of the month, a total of 8M requests were processed by WAF across all your Edge Services pipelines.
123+
124+
You used 3M extra WAF requests that were not included within your monthly plan. Your November Edge Services billing, in terms of additional WAF charges, is therefore calculated as follows:
125+
126+
`{Fee per additional 1M WAF requests} * 3` <br/>
127+
e.g. `0.5 * 3 = €1.50`
128+
129+
<Message type="note">
130+
You are charged proportionally for additional WAF requests, even though the price is set per million. If, for example, you only make 500,000 additional WAF requests in a month, you will be charged `{Fee per additional 1M WAF requests} / 2`.
131+
</Message>
132+
114133
## Changing your subscription plan
115134

116135
You can upgrade or downgrade your subscription plan at any time. Read on to understand how changing plan mid-month affects your billing.
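Review bot: The definition at new line 111 counts requests "processed by" WAF and states that cache hits are not counted, but it does not say whether requests matching a WAF exclusion count towards the limit. The understanding-waf.mdx text visible in this commit's diff describes those requests as "not evaluated by WAF", so one sentence here settling the question would avoid billing ambiguity. The note at new line 130 also switches to "make ... additional WAF requests" while the rest of the section speaks of requests processed by WAF; using one term throughout would keep it clear that the count is taken at the WAF.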
@@ -179,4 +198,51 @@ The example prices and limits used below are subject to change. You should alway
179198
You consumed 200 GB of cache data that was not included within your monthly Starter plan, between November 1-10. For the rest of the month, you were within the limits of your new Professional plan. Your November Edge Services billing, in terms of the additional cache charges, is therefore calculated as follows:
180199

181200
`{Fee per GB of additional cache} * 200 GB` <br/>
182-
e.g. `0.0135 * 200 = €2.70`
201+
e.g. `0.0135 * 200 = €2.70`
202+
203+
### WAF charges
204+
205+
Any additional WAF request charges accumulated when you exceeded your previous plan's limit will remain on your monthly bill. From the moment you change your plan, your WAF request consumption resets to 0. During the rest of the month, you can consume WAF requests up to the new plan's limit without being charged.
206+
207+
<Message type="note">
208+
- If you **downgrade** your plan, all the WAF requests made within the hour of changing plans will count towards the WAF request consumption of the new plan.
209+
- If you **upgrade** your plan, all the WAF requests made within the hour of changing plans will count towards the cache consumption of the old plan.
210+
</Message>
211+
212+
For example:
213+
214+
<Message type="important">
215+
The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
216+
</Message>
217+
218+
- From November 1-10 you are subscribed to the **Professional** plan, which has a limit of 5M WAF requests.
219+
- From November 1-10 you make 10M WAF requests.
220+
- On November 11, you upgrade to the **Advanced** plan, which has a limit of 50M WAF requests. Your WAF request usage resets to 0.
221+
- Between November 11 and the end of the month, you make 50M WAF requests.
222+
223+
You made 5M WAF requests that were not included within your monthly Professional plan, between November 1-10. For the rest of the month, you were within the limits of your new Advanced plan. Your November Edge Services billing, in terms of the additional cache charges, is therefore calculated as follows:
224+
225+
`{Fee per additional 1M WAF requests} * 5` <br/>
226+
e.g. `0.5* 5 = €2.50`
227+
228+
### WAF add-on
229+
230+
This scenario applies to a user who is subscribed to the Starter plan and pays the WAF add-on price, then upgrades to a higher level plan.
231+
232+
You will be billed pro-rata for the add-on charge, based on how long you were subscribed Starter with an add-on before upgrading, during the billing month.
233+
234+
For example:
235+
236+
<Message type="important">
237+
The example prices and limits used below are subject to change. You should always refer to the [pricing page](https://www.scaleway.com/en/pricing/network/#edge-services) for the most up to date information.
238+
</Message>
239+
240+
- From November 1-10 you are subscribed to the **Starter** plan and **WAF add-on**
241+
- On November 11, you switch to the **Professional** plan.
242+
- You remain subscribed to the **Professional** plan for the rest of the month (ending November 30)
243+
244+
There are 30 days in the month of November, and you spent 10 of them subscribed to the Starter plan with the WAF add-on. When you upgrade to the Professional plan, the WAF add-on was no longer applicable because WAF was automatically included in your subscription plan. Your November Edge Services billing, in terms of the WAF add-on, is therefore calculated as follows:
245+
246+
`({Monthly price for WAF add-on} / 30 days) * 10 days` <br/>
247+
e.g. `(4 / 30) * 10 = 1.33`
248+
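Review bot: Two sentences in the new WAF charges section still say "cache" after being copied from the cache section: the upgrade bullet at new line 209 ("count towards the cache consumption of the old plan") and the summary at new line 223 ("in terms of the additional cache charges"). Both should refer to WAF requests. New line 232 is missing words ("subscribed Starter with an add-on" should read "subscribed to the Starter plan with the add-on"), the result at new line 247 (`= 1.33`) lacks the € sign used in the other examples, and `0.5* 5` at new line 225 needs a space before the `*`. The `### WAF add-on` heading at new line 228 repeats the `## WAF add-on` heading at new line 46, which the `#waf-add-on` link at new line 33 targets; a distinct title for this subsection would keep that anchor unambiguous.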

pages/edge-services/reference-content/understanding-waf.mdx

Lines changed: 10 additions & 2 deletions
@@ -21,17 +21,21 @@ When enabled, WAF protects your Load Balancer origin or Object Storage bucket fr
2121

2222
It does so by evaluating each request to your origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
2323

24-
For requests judged to be malicious, WAF can either block them from passing to your origin, or simply log them but allow them to pass, depending on the settings you choose.
24+
For requests judged to be malicious, WAF can either block them from passing to your origin (as shown in the diagram below), or simply log them but allow them to pass, depending on the settings you choose.
2525

2626
You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your origin. Exclusion filters are based on the request path and/or HTTP request type.
2727

28-
TODO WAF diagram?
28+
<Lightbox src="scaleway-edge-services-waf-diag.webp" alt="A diagram shows how Edge Services WAF deals with three different types of HTTP request. A request meeting the criteria for WAF exclusion is passed directly to the Load Balancer origin. A benign request is first checked by the WAF rules, then allowed to pass to the Load Balancer origin. A malicious request is checked by the rules, and blocked from passing to the Load Balancer origin." />
2929

3030
## WAF in an Edge Services pipeline
3131

3232
In an Edge Services pipeline, WAF sits before the origin stage. This means that WAF only protects your origin, it does not protect or filter requests towards the cache.
3333

34+
<<<<<<< HEAD
3435
<Lightbox src="scaleway-edge-services-pipeline-diag.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
36+
=======
37+
<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
38+
>>>>>>> 11133a9e9 (feat(es): more waf)
3539
3640
If you have both WAF and cache enabled, requests that can be served by the cache will not go through WAF. Only requests that cannot be served by the cache will be filtered by WAF, and allowed to pass to the origin or not depending on your WAF configuration.
3741
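Review bot: Unresolved merge conflict markers are committed at new lines 34, 36 and 38 (`<<<<<<< HEAD`, `=======`, `>>>>>>> 11133a9e9 (feat(es): more waf)`), so the markers and both copies of the pipeline `<Lightbox>` end up in the page source. Resolve the conflict and keep a single `<Lightbox>`; the two sides differ only in `src` (`scaleway-edge-services-pipeline-diag.webp` versus `scaleway-edge-services-pipeline.webp`), so confirm which file exists before choosing. Separately, the alt text and the hunk's context line describe the origin as an Object Storage bucket or Load Balancer, while understanding-pricing.mdx in this commit states that WAF is only compatible with Load Balancer origin pipelines; the two pages should agree.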

@@ -52,7 +56,11 @@ The higher the paranoia level, the more likely you are to have **false positives
5256

5357
- At level 1, the ruleset is unlikely to trigger false positives, however it is also more likely to miss threats and aggressions and classify them as benign.
5458

59+
<<<<<<< HEAD
5560
- At level 4, the ruleset is so aggressive that it detects almost every possible attack, however it is also highly likely to trigger a significant number of false positives whereby a lot of legitimate traffic will be classed as malicious.
61+
=======
62+
- At level 4, the ruleset is so aggressive that it detects almost every possible attack, however it is also highly likely to trigger a significant number of false positives whereby a lot of legitimate traffic will be classes as malicious.
63+
>>>>>>> 11133a9e9 (feat(es): more waf)
5664

5765
| | Level 1 | Level 2 | Level 3 | Level 4 |
5866
|---|---|---|---|---|
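Review bot: Unresolved conflict markers are committed at new lines 59, 61 and 63 around the level 4 bullet, which leaves that bullet duplicated in the page. Keep the `HEAD` side when resolving: the incoming side introduces the typo "will be classes as malicious", where the existing line correctly reads "classed".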
