Akamai Edgeworker
  • 06 Nov 2024
  • 4 Minutes to read
  • Dark
    Light
  • PDF

Akamai Edgeworker

  • Dark
    Light
  • PDF

Article summary

This document provides a step-by-step guide to setting up data collection on Akamai using the Traceable Platform Agent (TPA). Integrating with Akamai's EdgeWorker allows you to capture and export request and response data to Traceable for monitoring and analysis.

Akamai EdgeWorker is a serverless environment that allows you to run JavaScript at the edge of the Akamai network. This enables efficient processing of web traffic closer to the end user, reducing latency and improving performance. By leveraging EdgeWorker with Traceable, you can capture rich insights directly at the edge, allowing for enhanced observability and faster real-time detection of potential security issues. Following is a high-level deployment diagram:

  1. User Request:

    • User sends an API request, which is received by Akamai's edge.

  2. Data Capture by Akamai EdgeWorker:

    • The Akamai EdgeWorker processes the request, capturing and duplicating the traffic data.

    • Original traffic continues to downstream applications (API Gateways, Load Balancers, or Apps).

  3. Duplicate Traffic Sent to TPA:

    • The EdgeWorker sends duplicated traffic over HTTPS to a TCP Load Balancer in the data center/cloud.

  4. Traffic Distribution to TPA Instances:

    • The TCP Load Balancer distributes traffic across multiple Traceable Platform Agent (TPA) instances.

  5. Data Processing and Forwarding:

    • Each TPA instance processes the traffic data for security insights and forwards relevant data to the Traceable Platform for monitoring and analysis.


Before you begin

  • TPA Deployment: Ensure a TPA instance is deployed and exposed on port 443.

Steps Overview

This integration involves four key steps:

  1. Create EdgeWorker in Akamai

  2. Add Property Manager Variables

  3. Add Origin Connectivity Rule

  4. Add Invoke EdgeWorker Rule

Note

  • The EdgeWorker that will be created in Step 1 can be shared across multiple properties.

  • However, Steps 2-4 (Property Variables, Origin Connectivity Rule, and EdgeWorker Rule) must be configured separately for each property.


Deployment steps

Step 1 — Create EdgeWorker in Akamai

An Akamai EdgeWorker is a serverless environment that enables JavaScript code execution at the edge of the Akamai network. We use EdgeWorker to capture data on incoming requests and responses in this setup.

  1. Download the Latest EdgeWorker Script
    Obtain the latest traceable-akamai EdgeWorker JavaScript file.

  2. Create EdgeWorker in Akamai

    • In Akamai, navigate to EdgeWorkers.

    • Click Create EdgeWorker ID.

    • Enter the required fields: Name, Contract, and Subscription.

  3. Upload the EdgeWorker Code

    • Navigate to the newly created EdgeWorker.

    • Select Create Version and then Open Editor.

    • Paste the downloaded JavaScript bundle into the editor and save.

  4. Activate EdgeWorker

    • Activate the EdgeWorker version in either Staging or Production.

      Note

      The EdgeWorker will not process traffic until attached to a property in later steps.

At this point, you have successfully deployed the EdgeWorker.


Step 2 — Configure Property Variables

Each property that uses the EdgeWorker needs to have specific Property Variables configured.

  1. Navigate to Property Manager

    • In Akamai, go to Property Manager and select the property you want to integrate.

  2. Create New Version

    • Click New Version to create a new version of the property.

  3. Add Property Variables

    • Configure the following variables as shown below:

      Variable Name

      Value

      Default Value

      Visibility

      Note

      TRACEABLE_HOST

      string

      undefined

      Visible

      Must be supplied (e.g., agents.traceable.ai, ec2-1.2.3.4-us-east2.amazon.aws.com)

      TRACEABLE_GUID

      string

      undefined

      Hidden

      Required if exporting data directly to Traceable.

      TRACEABLE_TIMEOUT

      int

      100

      Visible

      Time in milliseconds to allow the async export to complete.

      TRACEABLE_SERVICE_NAME

      string

      Akamai

      Visible

      Service name that will appear in the Traceable UI.


Step 3 — Add Origin Connectivity Rule

The Origin Connectivity Rule ensures that the Traceable endpoint is recognized as part of the Akamai network. This is essential because EdgeWorkers can only make subrequests to HTTPS hosts within the Akamai network.

  1. Navigate to Property Configuration Settings

    • In Property Manager, select Property Configuration Settings.

  2. Create a New Rule

    • Click + Rules and select Blank Rule Template.

    • Provide a rule name, such as Traceable Origin Connectivity Rule.

  3. Define Criteria and Behaviors

    • Criteria:

      • Set Path to Matches one of and add /ext_cap/v1/req_res_cap. traceable_akamai_edgeworker_origin_connectivity_rule

    • Behavior:

      • Click + Behavior and choose Standard Property Behavior.

      • Select Origin Server.

      • Configure the fields as follows:

        Field

        Value

        Origin Type

        Your Origin

        Origin Server Hostname

        {{user.PMUSER_TRACEABLE_HOST}}

        Forward Host Header

        Custom Value

        Custom Forward Host Header

        {{user.PMUSER_TRACEABLE_HOST}}

        Cache Key Hostname

        Origin Hostname

        IPv6 Origin Support

        IPv4-Only

        Supports gzip Compression

        Yes

        Send True Client IP Header

        Yes

        True Client IP Header Name

        True-Client-IP

        Verification Settings

        Choose Your Own

        Use SNI TLS Extension

        Yes

        Match CN/SAN to

        {{Origin Hostname}}, {{Forward Host Header}}

        Trust

        • If using Traceable Hosted Platform Agent, use Akamai-managed Certificate Authorities Set

        • If running TPA on your own infrastructure with custom or self-signed certificates, use Custom Certificate Authority Set and upload your rootCA.crt.

        HTTP Port

        80

        HTTPS_PORT

        443

        Minimum TLS version

        Akamai Supported


Step 4 — Add EdgeWorker Invoke Rule

The EdgeWorker Invoke Rule specifies when the EdgeWorker should be triggered based on path patterns and exclusions for specific file types.

  1. Navigate to Property Configuration Settings

    • In Property Manager, select Property Configuration Settings.

  2. Create a New Rule

    • Click + Rules and select Blank Rule Template.

    • Provide a rule name, such as Invoke Traceable EdgeWorker.

  3. Define Criteria for Invoking EdgeWorker

    • Criteria:

      • Set Path to Matches one of and add /* to capture all traffic.

      • Optionally, to narrow the scope, you can use patterns like /api/* to capture API traffic only.

    • Exclude Static Assets:

      • Add a condition to exclude static assets by setting:

        • File Extension to Is not one of with the following list:

          avi, flv, mka, mkv, mov, mp4, mpeg, mpg, mp3, flac, ogg, ogm, opus, wav, webm, webp,
          bmp, gif, ico, jpeg, jpg, png, svg, svgz, swf, eot, otf, ttf, woff, woff2, css, less, js
  4. Select EdgeWorker Behavior

    • For Behaviors, select EdgeWorkers.

    • Ensure Enable is selected and choose the EdgeWorker created in Step 1.

  5. Deploy the New Property Version

    • After setting the rule, deploy the new property version.

    • Activate it in Staging or Production, depending on the deployment stage.

  6. Verify Data Collection

    • Once activated, wait up to 15 minutes for the configuration to go live.

    • Send some traffic and confirm that traces appear in the Traceable platform.


Was this article helpful?

What's Next