feat(edge): add doc for using WAF in the console

macros/edge-services/edge-services-bucket-benefits.mdx

@@ -7,4 +7,4 @@ macro: edge-services-bucket-benefits
 - Enhance performance by caching your stored objects, to be served directly by Edge Services from the cache
 - Finely control your cached objects via purging (cache invalidation)
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline-nowaf.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />

macros/edge-services/edge-services-lb-benefits.mdx

@@ -4,12 +4,13 @@ macro: edge-services-lb-benefits
 
 Creating an Edge Services pipeline for your Load Balancer helps to reduce load on your Load Balancer's backend servers. The origin configuration you define is used by Edge Services to connect to your Load Balancer and request content, which is then stored in the cache. Then, when your Load Balancer origin is accessed via its customizable Edge Services endpoint, the requested content is served from the cache (if present), without the need to fetch this content via the Load Balancer and its backend servers.
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline-diag.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
 
 Edge Services lets you:
 
 - Define the specific origin (Load Balancer, frontend port, and host) for a given pipeline and its associated cache
 - Choose the TTL for cached objects, and purge the entire cache or specific cached objects at any time (cache invalidation)
+- Configure a [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
 - Customize your Edge Services pipeline endpoint using a subdomain of your own domain
 - Add an SSL/TLS certificate so that Edge Services can serve content over HTTPS for your subdomain
 

menu/navigation.json

@@ -3670,6 +3670,10 @@
                     "label": "Configure a cache",
                     "slug": "configure-cache"
                   },
+                  {
+                    "label": "Configure WAF",
+                    "slug": "configure-waf"
+                  },
                   {
                     "label": "Monitor with Cockpit",
                     "slug": "monitor-cockpit"

pages/edge-services/concepts.mdx

@@ -7,7 +7,7 @@ content:
   paragraph: Understand Scaleway Edge Services terminology with our glossary of the core concepts underpinning this product. Learn about key features, architecture, and best practices.
 tags: edge-services edge services pipeline custom-domain cache
 dates:
-  creation: 2025-05-05
+  creation: 2025-05-14
   validation: 2025-03-03
 categories:
   - networks
@@ -29,14 +29,21 @@ The CNAME record pointing your subdomain to the Edge Services endpoint, if you h
 
 ## Edge Services
 
-Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides a [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin), and a customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
+Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides:
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin)
+- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity
+- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice.
 
 ## Endpoint
 
 The endpoint from which a given Edge Services pipeline can be accessed, e.g. `https://pipeline-id.svc.edge.scw.cloud`. When a client requests content from the Edge Services endpoint, it is served by Edge Services and its cache, rather than from the origin (Object Storage bucket or Load Balancer backend servers) directly. Edge Services automatically manages redirection from HTTP to HTTPS.
 
 The endpoint can be customized with a user-defined subdomain, allowing you to replace the standardized endpoint with the subdomain of a domain you already own, e.g. `http://my-own-domain.com`. An associated [certificate](#certificate), and [CNAME record](#cname-record) will be required, in this case.
 
+## Exclusions
+
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), exclusions let you define filters for requests that should not be evaluated by WAF, but rather pass straight to the Load Balancer origin. Learn more about [creating exclusions](/edge-services/how-to/configure-waf/#how-to-set-exclusions)
+
 ## Origin
 
 The primary source from which a Scaleway Edge Services pipeline retrieves and caches data. An origin can consist of either:
@@ -54,22 +61,22 @@ The origin host must be associated with the origin Load Balancer / its backend s
 
 The Load Balancer defined by the user as origin for a given Edge Services pipeline. The pipeline connects to this Load Balancer, on the specified frontend port to request content.
 
+## Paranoia level
+
+In the context of an Edge Services [Web Application Firewall](#web-application-firewall), the paranoia level determines how sensitive the request-evaluation mechanism is to potential threats. Four paranoia levels are available, with level 1 being the least sensitive, and level 4 being the most sensitive. The higher the paranoia level, the more likely it is that a given request will be judged to be malicious. For full details on paranoia levels, see our [detailed documentation](/edge-services/reference-content/understanding-waf/#waf-ruleset-and-paranoia-levels).
+
 ## Pipeline
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
 
-An Edge Services pipeline consists of an [origin](#origin) for which Edge Services requests and [caches](#cache) content, and an [endpoint](#endpoint) from which this content is served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. 
+An Edge Services pipeline consists of an [origin](#origin), which Edge Services can protect from threats with a [Web Application Firefall](#web-application-firewall), and for which it also requests and [caches](#cache) content. Each pipeline also has an [endpoint](#endpoint) from which content is accessed served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. Edge Services can also protect 
 
-You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that the cache can be enabled and disabled at will, so it is an optional part of the pipeline, as is the customization of the endpoint.
+You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that caching and WAF can be enabled and disabled at will, so are optional parts of the pipeline, as is the customization of the endpoint. WAF is only available for Load Balancer origins, not Object Storage buckets.
 
 ## Protocol
 
 The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sending requests to an origin Load Balancer. HTTPS is recommended, but you should choose the protocol that corresponds with your Load Balancer setup.
 
 ## WAF
 
-<Message type="note">
-Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/) and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming to the Scaleway console soon.
-</Message>
-
-An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the [paranoia level](#paranoia-level) to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more about [configuring a WAF](/edge-services/how-to/configure-waf/).

pages/edge-services/faq.mdx

@@ -5,18 +5,20 @@ meta:
 content:
   h1: Edge Services FAQ
 dates:
-  validation: 2025-03-03
+  validation: 2025-05-14
 category: network
 productIcon: EdgeServicesProductIcon
 ---
 
 ## What is Edge Services?
 
-Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. Creating Edge Services [pipelines](/edge-services/concepts/#pipeline) towards your Load Balancers or Object Storage buckets provides: 
--A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and 
+Edge Services is a feature for Scaleway Load Balancers and Object Storage buckets. Creating Edge Services [pipelines](/edge-services/concepts/#pipeline) towards your Load Balancers or Object Storage buckets provides:
+
+- A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and 
+- A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity, and
 - A customizable and secure endpoint for accessing content via Edge Services, which can be set to a subdomain of your choice and secured with an SSL/TLS certificate.
 
-<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer" />
+<Lightbox src="scaleway-edge-services-pipeline.webp" alt="A diagram shows the elements and workflow of an Edge Services pipeline. The user connects to the customizable Edge Services endpoint (with its SSL/TLS certificate), which fetches content from the Edge Services cache, which itself fetches content to cache from an origin which is either an Object Storage bucket or Load Balancer. A Web Application Firewall sits between the cache and origin, protecting the origin from threats." />
 
 ## Which products are compatible with Edge Services?
 
@@ -34,6 +36,18 @@ Yes, if you choose to [customize your Edge Services endpoint with your own subdo
 
 ## What is WAF?
 
-**W**eb **A**pplication **F**irewall is currently available in Public Beta via Edge via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/) only. It will be coming to the Scaleway console soon.
+**W**eb **A**pplication **F**irewall is a feature available via Edge Services. It is currently in Public Beta. When enabled, WAF filters requests to your origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
+
+## How can I use WAF with a different type of Scaleway resource?
+
+For now, WAF is only compatible with Load Balancers and Object Storage. You must put other resources behind a Load Balancer in order to benefit from WAF. Watch this space for other solutions in the future.
+
+## Can I use WAF and caching simultaneously?
+
+Yes, you can have both of these features enabled at the same time on the same Load Balancer pipeline. WAF protects your Load Balancer origin only: it does not filter requests served by the cache.
+
+## What ruleset is used by WAF? Is it updated automatically?
+
+Scaleway Edge Services WAF uses the [OWASP **C**ore **R**ule **S**et (CRS)](https://coreruleset.org/). This is an industry standard, open source ruleset for WAF, which protects against multiple categories of attack such as SQL injection and cross-site scripting. Full details are available in the [OWASP CRS documentation](https://coreruleset.org/docs/).
 
-When enabled, WAF filters requests to your Load Balancer origin or Object Storage bucket to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
+We handle the automatic updating of rules, removing this hassle from you the user.