- 06 Nov 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
Akamai Edgeworker
- Updated on 06 Nov 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
This document provides a step-by-step guide to setting up data collection on Akamai using the Traceable Platform Agent (TPA). Integrating with Akamai's EdgeWorker allows you to capture and export request and response data to Traceable for monitoring and analysis.
Akamai EdgeWorker is a serverless environment that allows you to run JavaScript at the edge of the Akamai network. This enables efficient processing of web traffic closer to the end user, reducing latency and improving performance. By leveraging EdgeWorker with Traceable, you can capture rich insights directly at the edge, allowing for enhanced observability and faster real-time detection of potential security issues. Following is a high-level deployment diagram:
User Request:
User sends an API request, which is received by Akamai's edge.
Data Capture by Akamai EdgeWorker:
The Akamai EdgeWorker processes the request, capturing and duplicating the traffic data.
Original traffic continues to downstream applications (API Gateways, Load Balancers, or Apps).
Duplicate Traffic Sent to TPA:
The EdgeWorker sends duplicated traffic over HTTPS to a TCP Load Balancer in the data center/cloud.
Traffic Distribution to TPA Instances:
The TCP Load Balancer distributes traffic across multiple Traceable Platform Agent (TPA) instances.
Data Processing and Forwarding:
Each TPA instance processes the traffic data for security insights and forwards relevant data to the Traceable Platform for monitoring and analysis.
Before you begin
TPA Deployment: Ensure a TPA instance is deployed and exposed on port 443.
Steps Overview
This integration involves four key steps:
Create EdgeWorker in Akamai
Add Property Manager Variables
Add Origin Connectivity Rule
Add Invoke EdgeWorker Rule
Note
The EdgeWorker that will be created in Step 1 can be shared across multiple properties.
However, Steps 2-4 (Property Variables, Origin Connectivity Rule, and EdgeWorker Rule) must be configured separately for each property.
Deployment steps
Step 1 — Create EdgeWorker in Akamai
An Akamai EdgeWorker is a serverless environment that enables JavaScript code execution at the edge of the Akamai network. We use EdgeWorker to capture data on incoming requests and responses in this setup.
Download the Latest EdgeWorker Script
Obtain the latesttraceable-akamai
EdgeWorker JavaScript file.Create EdgeWorker in Akamai
In Akamai, navigate to EdgeWorkers.
Click Create EdgeWorker ID.
Enter the required fields: Name, Contract, and Subscription.
Upload the EdgeWorker Code
Navigate to the newly created EdgeWorker.
Select Create Version and then Open Editor.
Paste the downloaded JavaScript bundle into the editor and save.
Activate EdgeWorker
Activate the EdgeWorker version in either Staging or Production.
Note
The EdgeWorker will not process traffic until attached to a property in later steps.
At this point, you have successfully deployed the EdgeWorker.
Step 2 — Configure Property Variables
Each property that uses the EdgeWorker needs to have specific Property Variables configured.
Navigate to Property Manager
In Akamai, go to Property Manager and select the property you want to integrate.
Create New Version
Click New Version to create a new version of the property.
Add Property Variables
Configure the following variables as shown below:
Variable Name
Value
Default Value
Visibility
Note
TRACEABLE_HOST
string
undefined
Visible
Must be supplied (e.g., agents.traceable.ai, ec2-1.2.3.4-us-east2.amazon.aws.com)
TRACEABLE_GUID
string
undefined
Hidden
Required if exporting data directly to Traceable.
TRACEABLE_TIMEOUT
int
100
Visible
Time in milliseconds to allow the async export to complete.
TRACEABLE_SERVICE_NAME
string
Akamai
Visible
Service name that will appear in the Traceable UI.
Step 3 — Add Origin Connectivity Rule
The Origin Connectivity Rule ensures that the Traceable endpoint is recognized as part of the Akamai network. This is essential because EdgeWorkers can only make subrequests to HTTPS hosts within the Akamai network.
Navigate to Property Configuration Settings
In Property Manager, select Property Configuration Settings.
Create a New Rule
Click + Rules and select Blank Rule Template.
Provide a rule name, such as
Traceable Origin Connectivity Rule
.
Define Criteria and Behaviors
Criteria:
Set Path to Matches one of and add
/ext_cap/v1/req_res_cap
.
Behavior:
Click + Behavior and choose Standard Property Behavior.
Select Origin Server.
Configure the fields as follows:
Field
Value
Origin Type
Your Origin
Origin Server Hostname
{{user.PMUSER_TRACEABLE_HOST}}
Forward Host Header
Custom Value
Custom Forward Host Header
{{user.PMUSER_TRACEABLE_HOST}}
Cache Key Hostname
Origin Hostname
IPv6 Origin Support
IPv4-Only
Supports gzip Compression
Yes
Send True Client IP Header
Yes
True Client IP Header Name
True-Client-IP
Verification Settings
Choose Your Own
Use SNI TLS Extension
Yes
Match CN/SAN to
{{Origin Hostname}}, {{Forward Host Header}}
Trust
If using Traceable Hosted Platform Agent, use Akamai-managed Certificate Authorities Set
If running TPA on your own infrastructure with custom or self-signed certificates, use Custom Certificate Authority Set and upload your rootCA.crt.
HTTP Port
80
HTTPS_PORT
443
Minimum TLS version
Akamai Supported
Step 4 — Add EdgeWorker Invoke Rule
The EdgeWorker Invoke Rule specifies when the EdgeWorker should be triggered based on path patterns and exclusions for specific file types.
Navigate to Property Configuration Settings
In Property Manager, select Property Configuration Settings.
Create a New Rule
Click + Rules and select Blank Rule Template.
Provide a rule name, such as
Invoke Traceable EdgeWorker
.
Define Criteria for Invoking EdgeWorker
Criteria:
Set Path to Matches one of and add
/*
to capture all traffic.Optionally, to narrow the scope, you can use patterns like
/api/*
to capture API traffic only.
Exclude Static Assets:
Add a condition to exclude static assets by setting:
File Extension to Is not one of with the following list:
avi, flv, mka, mkv, mov, mp4, mpeg, mpg, mp3, flac, ogg, ogm, opus, wav, webm, webp, bmp, gif, ico, jpeg, jpg, png, svg, svgz, swf, eot, otf, ttf, woff, woff2, css, less, js
Select EdgeWorker Behavior
For Behaviors, select EdgeWorkers.
Ensure Enable is selected and choose the EdgeWorker created in Step 1.
Deploy the New Property Version
After setting the rule, deploy the new property version.
Activate it in Staging or Production, depending on the deployment stage.
Verify Data Collection
Once activated, wait up to 15 minutes for the configuration to go live.
Send some traffic and confirm that traces appear in the Traceable platform.