Integrating the Ambassador Edge Stack with the Signal Sciences Web Application Firewall

With a new integration between the Ambassador Edge Stack, the most popular Kubernetes-native API gateway and Signal Sciences WAF, platform teams can now further protect cloud-native applications built on Kubernetes while enabling developers to deploy microservice improvements independently.

Why do we need to address routing management differently with microservices?

Today, organizations are leveraging a microservices architecture to revolutionize their products and improve user experiences with faster, more frequent releases. However, to realize the full value of microservices, development teams need the ability to build, test, and deploy services without the centralized, operational control. However, policies like security need to be enforced centrally. Especially with the shift to Kubernetes, more services are exposed at the edge, increasing vulnerabilities to attacks at the surface. Hence, securing applications and protecting against malicious attacks is inherently more difficult while also trying to decentralize microservice deployments and edge policy configurations. API Gateways and Web Application Firewalls are commonly used tools to address these concerns.

Integrating the Ambassador Edge Stack with Signal Sciences Web Application Firewall

The Ambassador Edge Stack integration with Signal Sciences Web Application Firewall (WAF) empowers developers to adhere to an organization’s security policies while supporting their ability to build and deploy services fast. Teams can feel confident that the right security measures are put in place to protect against malicious threats — such as authentication, rate-limiting, TLS encryption, and now WAF configuration — without impacting developer productivity.

This integration makes it easier for organizations to configure a next-generation WAF for all incoming traffic at the cluster edge through their API gateway. With the integration, a filter and plug-in enable teams to send the metadata of all incoming requests to the WAF from Ambassador. Depending on whether the WAF allows or denies the request, Ambassador will either allow or block traffic from entering the cluster. View installation instructions.

Why Do You Need a Next-Gen WAF?

Signal Sciences next‑gen WAF provides superior protection for applications and APIs by delivering the following benefits over legacy appliance‑based WAF solutions.

Scalability on Demand
Signal Sciences protects modern applications and APIs across different stacks and clouds, allowing organizations to scale up and down based on demand. Unlike legacy WAFs, our elastic technology runs anywhere without adding the overhead of configuring and deploying new instances and rule sets. Scaling is vastly simplified: your teams don’t have to write new rules when deploying new apps or updating existing ones.

Protection Without Impacting Performance
Signal Sciences Cloud Engine currently protects over forty thousand sites and 1.6 trillion requests per month, and has protected the websites for big events like the Superbowl, the 2016 United States presidential election, and Black Friday for many retailers, with no noticeable impact on quality of service. Our lightweight agents run wherever you run Ambassador, without requiring an additional network hop like appliance‑based WAFs. The operational metrics on our dashboard show that the WAF introduces only minimal latency, on average just 1 to 2 milliseconds.

Advanced Threat Coverage
Customers with traditional WAFs are rightfully wary about the high false positive rates that come with rules defined by regular expression, and often never deploy in blocking mode. Additionally, customers also need additional protection for their APIs, Microservices, and other advanced attacks. 95% of Signal Sciences customers run in blocking mode because they are confident in our threat protection from OWASP Top 10, Account Takeover, Bots, Volumetric Attacks, and more. For deeper, more customizable blocking options, Signal Sciences Power Rules also give customers the flexibility to adapt blocking rules to their own environment based on a number of criteria.

Why Do You Need an Edge Stack?

The Ambassador Edge Stack provides a way for developers to easily expose, secure, and manage traffic to your Kubernetes microservices of any type.

Self-Service
The Ambassador Edge Stack enables platform teams to provide edge-as-a-service to application developers, improving agility and velocity while ensuring best practices are being followed. This frees platform teams from having to manage tickets and frees developers to work with more autonomy and velocity to drive better products.

Comprehensive
With all the functionality of a cloud native API gateway, the Ambassador Edge Stack provides the broad spectrum of functionality necessary to support edge microservices today, reducing complexity and overhead. The variety of supported integrations and tools enables each developer the flexibility to choose the right technologies for their microservice. The Ambassador Edge Stack includes load balancing, authentication with popular IdPs (Keycloak, Azure Active Directory, Okta, etc.), rate-limiting for DDOS attacks, TLS encryption, observability with Prometheus and Grafana, distributed tracing with Zipkin, and integrations with service meshes (Istio, Consul, and LinkerD).

What’s Next?

With this integration, we look forward to working collaboratively together to continue to provide value to our customers.

The Ambassador Edge Stack is available with the integration today.

• Developers can install their free copy from getambassador.io
• Installation instructions are available. Read more.
• Several other integrations are available with the Ambassador Edge Stack. Learn more.
• Signal Sciences maintains integrations with many other technologies. Learn more.