- 29 Nov 2024
- 7 Minutes to read
- Print
- DarkLight
- PDF
Fastly
- Updated on 29 Nov 2024
- 7 Minutes to read
- Print
- DarkLight
- PDF
This guide outlines the steps to deploy the Traceable Agent on Fastly as a Compute@Edge service. Fastly is a robust content delivery network (CDN) and edge cloud platform that provides fast, secure, and scalable application delivery. Integrating Traceable with Fastly enables real-time observability and monitoring of API traffic, empowering organizations to analyze, secure, and optimize their API ecosystem.
The Traceable Agent acts as an individual compute service, processing upstream requests, forwarding them to the origin/backend, and asynchronously sending cloned request and response data to the Traceable Platform Agent (TPA).
When invoked, the agent:
Forwards the request to the origin/backend.
Clones the request and response objects.
Forwards the response back to the client.
The request and response data is sent in an asynchronous call to the TPA.
By default, all compute agents in Fastly have a public endpoint. Invoking this endpoint triggers a session/execution of the compute agent.
The agent's placement in the data flow can be configured based on the desired interception point. For example:
Client ---> CDN/another compute service ---> traceable-compute-agent ---> backend/origin
In this case:
The CDN’s backend would point to the traceable-compute-agent.
The compute agent’s backend would point to the backend/origin.
Before you begin
Before deploying the agent, ensure the following prerequisites are met:
Traceable Platform agent (TPA)
Make sure that TPA is installed and configured. For more information on TPA installation, see the Installation topic.Fastly Account
Create a Fastly account. A free trial is available for functional testing.Install the Fastly CLI
macOS: Run
brew install fastly/tap/fastly
.Linux: Download the appropriate version from the Fastly GitHub Releases.
Generate an API Token
Go to Fastly Web UI → Account → Personal Profile → API Tokens → Create Token.
Provide a name and select Global API access with the required expiration date.
Authenticate Fastly CLI with the API Token
Run the following command to authenticate the CLI. Enter the API token when prompted.fastly profile create
Set up the agent
Complete the following steps to set up the agent:
Step 1 — Download the Agent
Download the agent tar file from Traceable’s download site.
Step 2 — Deploy the Agent on Fastly
To deploy the Traceable Agent on Fastly, run the deployment command using the Fastly CLI in your terminal or command prompt. The Fastly CLI must already be installed and authenticated with your Fastly account (as covered in the Before you begin section).
Run the following command to deploy the agent:
fastly compute deploy -p <path_to_agent_tar>
If this is your first deployment, the CLI will prompt you to create a new service. Type Y to confirm.
If you already have an existing service, use the following command to deploy to that service instead:
fastly compute deploy --service-id=<service_id> -p <path_to_agent_tar>
Step 3 — Update the public endpoint (optional)
When you deploy the Traceable Agent on Fastly, a public endpoint is automatically allocated to your compute service. This endpoint is a unique URL (e.g., https://your-service-name.edgecompute.app
) that allows external systems to access the deployed agent. Simply put, it is how other services and clients interact with your Fastly compute service. Update it via the Fastly UI:
Navigate to Compute → Agent Name → Service Configuration → Domains.
Step 4 — Create a config store
The Traceable Agent retrieves its configurations from a Config Store in Fastly. This store is a key-value storage feature that allows you to manage and supply configurations to your compute service.
Select Your Service:
In the Fastly dashboard, locate and select the service corresponding to your compute agent.
Navigate to Config Stores:
In the left-hand navigation menu, look for Configuration Stores or Edge Dictionaries (depending on your Fastly plan and terminology).
Click Create Config Store or a similar option.
Name the Config Store:
Provide a name for the configuration store, such as
traceable-config
.
Add Key-Value Pairs:
After creating the store, populate it with the required keys and their values (as listed below).
Use the Add Key button or an equivalent UI feature to enter each key and its corresponding value.
Link the Config Store to Your Service:
Go to your service’s configuration settings.
Under the Compute Settings or Config Stores section, link the newly created
traceable-config
store to the service.
Key | Description | Default Value |
---|---|---|
| Service name of the agent | ext_cap |
| Name of the TPA backend | - |
| TPA endpoint (e.g., http://<tpa-ip>) | - |
| Common origin backend name | - |
| Enables Fastly real-time logging ( |
|
| Logging endpoint for real-time logging (if enabled) | - |
| Comma-separated allowed content types |
|
| Capture request body ( |
|
| Capture response body ( |
|
| Capture request headers ( |
|
| Capture response headers ( |
|
| Max body size for capture (in bytes) | 131072 |
| Host name to capture in |
|
| Reads the body of request and response in chunks of at most the given max number of bytes. | 8192 |
| To enable upstream header authorization ( |
|
| Name of the secret store to look for secrets | - |
| Key to look in secret store for authorization token value | - |
| Name of the request header used for authorization | Authorization |
| Message to send back in case of authorization failure | Unauthorized |
| To stream logs via the Fastly log tailing feature ( |
|
Step 5 — Create Backends/Origins
In Fastly, a backend (or origin) refers to the server or service that processes requests forwarded by your compute service. Think of it as the destination where your agent sends traffic for further processing. For the Traceable Agent to work effectively, it requires two backends:
TPA Backend:
This is the Traceable Platform Agent (TPA) backend that the Traceable Agent communicates with to send cloned request and response data. It’s essential for enabling observability and analytics in Traceable.Customer Backend (Origin):
This is the application or service where the agent forwards the original requests it receives. The customer backend processes these requests and generates responses that are eventually sent to the client.
What Happens in Step 5?
When a request is received:
The Traceable Agent forwards the original request to the customer's Backend (Origin).
The Customer Backend processes the request and returns a response to the agent. The agent returns the response to the client.
Simultaneously, the Traceable Agent clones the request and response and forwards this cloned data to the TPA Backend for analysis and monitoring.
This two-backend setup ensures:
Your customer-facing application continues to operate without disruptions.
Observability data is sent to Traceable for security and monitoring purposes.
Configure Backends/Origins in Fastly
Log in to the Fastly UI:
Navigate to Compute → Agent Name → Service Configuration → Origins → Hosts.
Add TPA Backend:
Enter the TPA backend details:
Host: The hostname or IP address of your Traceable Platform Agent (TPA).
Port: The port used for TPA communication (e.g., 5442 for HTTP or 5443 for HTTPS).
TLS Settings: If HTTPS is used, configure the following:
CA Certificate: Add the appropriate certificate authority.
SNI Hostname: Provide the expected SNI hostname for TLS.
Certificate Hostname: Add the certificate hostname for validation.
Add Customer Backend:
Enter the customer backend details:
Host: The hostname or IP address of your application or API.
Port: The port your application uses (e.g., 80 for HTTP or 443 for HTTPS).
Override Host: Specify the hostname for the request header if needed.
Save and Deploy Configuration:
Ensure both backends are correctly added.
Save and deploy the updated configuration to Fastly.
Example Use Case:
TPA Backend:
Host:
traceable-platform.yourcompany.com
Port:
443
TLS Enabled with appropriate certificates.
Customer Backend:
Host:
api.yourcompany.com
Port:
443
Override Host:
api.yourcompany.com
TLS Configuration
Enable TLS, verify certificates, and provide required details (e.g., SNI hostname and CA certificate).
Step 6 — Add health check to the TPA backend
A health check ensures the Traceable Platform Agent (TPA) backend is available and functioning correctly. Fastly periodically performs these checks to monitor the health of the TPA origin and prevent traffic from being sent to an unavailable or misconfigured backend. If the health check fails, Fastly can mark the backend as unhealthy, allowing you to investigate and resolve issues without disrupting end users.
Create a health check with the following settings:
Request Type: GET
Path:
/health
Expected Response:
200 OK
Check Frequency: High
Link the health check to the TPA origin. Complete the following steps:
Open the Fastly UI:
Log in to your Fastly account.
Navigate to the Compute@Edge Service where the agent is deployed.
Edit Service Configuration:
Go to Service Configuration for the compute agent.
Find the Backends or Origins section, where the TPA backend is configured.
Select the TPA Backend:
Locate the backend you created for the Traceable Platform Agent (e.g.,
tpa-backend
).Click to edit the configuration for this backend.
Associate the Health Check:
Look for the Health Check field in the backend settings.
From the dropdown menu, select the health check created in Step 5 (e.g.,
tpa-health-check
).Save your changes.
After the health check is linked:
Fastly starts sending periodic GET requests to the
/health
endpoint of the TPA backend.Based on the response (expected:
200 OK
), Fastly determines whether the backend is healthy or unhealthy.If the backend is marked as unhealthy:
Fastly stops forwarding traffic to it.
The backend status can be viewed in the Fastly dashboard under Origins.
Step 7 — Update CDN’s backend
Configure the traceable-compute-agent
service as a backend/origin for the primary compute service or CDN. Previously, the Customer Backend was directly configured as the backend for the compute service or CDN. This step ensures the Traceable Agent is placed in the data flow between the compute service/CDN and the Customer Backend.
Client ---> CDN/another compute service ---> traceable-compute-agent ---> backend/origin