Fastly
  • 29 Nov 2024
  • 7 Minutes to read
  • Dark
    Light
  • PDF

Fastly

  • Dark
    Light
  • PDF

Article summary

This guide outlines the steps to deploy the Traceable Agent on Fastly as a Compute@Edge service. Fastly is a robust content delivery network (CDN) and edge cloud platform that provides fast, secure, and scalable application delivery. Integrating Traceable with Fastly enables real-time observability and monitoring of API traffic, empowering organizations to analyze, secure, and optimize their API ecosystem.

The Traceable Agent acts as an individual compute service, processing upstream requests, forwarding them to the origin/backend, and asynchronously sending cloned request and response data to the Traceable Platform Agent (TPA).

When invoked, the agent:

  • Forwards the request to the origin/backend.

  • Clones the request and response objects.

  • Forwards the response back to the client.

  • The request and response data is sent in an asynchronous call to the TPA.

By default, all compute agents in Fastly have a public endpoint. Invoking this endpoint triggers a session/execution of the compute agent.

The agent's placement in the data flow can be configured based on the desired interception point. For example:

Client ---> CDN/another compute service ---> traceable-compute-agent ---> backend/origin

In this case:

  • The CDN’s backend would point to the traceable-compute-agent.

  • The compute agent’s backend would point to the backend/origin.


Before you begin

Before deploying the agent, ensure the following prerequisites are met:

  1. Traceable Platform agent (TPA)
    Make sure that TPA is installed and configured. For more information on TPA installation, see the Installation topic.

  2. Fastly Account
    Create a Fastly account. A free trial is available for functional testing.

  3. Install the Fastly CLI

    • macOS: Run brew install fastly/tap/fastly.

    • Linux: Download the appropriate version from the Fastly GitHub Releases.

  4. Generate an API Token

    • Go to Fastly Web UIAccountPersonal ProfileAPI TokensCreate Token.

    • Provide a name and select Global API access with the required expiration date.

  5. Authenticate Fastly CLI with the API Token
    Run the following command to authenticate the CLI. Enter the API token when prompted.

    fastly profile create

Set up the agent

Complete the following steps to set up the agent:

Step 1 — Download the Agent

Download the agent tar file from Traceable’s download site.

Step 2 — Deploy the Agent on Fastly

To deploy the Traceable Agent on Fastly, run the deployment command using the Fastly CLI in your terminal or command prompt. The Fastly CLI must already be installed and authenticated with your Fastly account (as covered in the Before you begin section).

Run the following command to deploy the agent:

fastly compute deploy -p <path_to_agent_tar>
  • If this is your first deployment, the CLI will prompt you to create a new service. Type Y to confirm.

  • If you already have an existing service, use the following command to deploy to that service instead:

    fastly compute deploy --service-id=<service_id> -p <path_to_agent_tar>

Step 3 — Update the public endpoint (optional)

When you deploy the Traceable Agent on Fastly, a public endpoint is automatically allocated to your compute service. This endpoint is a unique URL (e.g., https://your-service-name.edgecompute.app) that allows external systems to access the deployed agent. Simply put, it is how other services and clients interact with your Fastly compute service. Update it via the Fastly UI:

  • Navigate to ComputeAgent NameService ConfigurationDomains.

Step 4 — Create a config store

The Traceable Agent retrieves its configurations from a Config Store in Fastly. This store is a key-value storage feature that allows you to manage and supply configurations to your compute service.

  1. Select Your Service:

    • In the Fastly dashboard, locate and select the service corresponding to your compute agent.

  2. Navigate to Config Stores:

    • In the left-hand navigation menu, look for Configuration Stores or Edge Dictionaries (depending on your Fastly plan and terminology).

    • Click Create Config Store or a similar option.

  3. Name the Config Store:

    • Provide a name for the configuration store, such as traceable-config.

  4. Add Key-Value Pairs:

    • After creating the store, populate it with the required keys and their values (as listed below).

    • Use the Add Key button or an equivalent UI feature to enter each key and its corresponding value.

  5. Link the Config Store to Your Service:

    • Go to your service’s configuration settings.

    • Under the Compute Settings or Config Stores section, link the newly created traceable-config store to the service.

Key

Description

Default Value

TA_SERVICE_NAME

Service name of the agent

ext_cap

TA_REPORTING_BACKEND (Mandatory)

Name of the TPA backend

-

TA_REPORTING_ENDPOINT (Mandatory)

TPA endpoint (e.g., http://<tpa-ip>)

-

ORIGIN_BACKEND_NAME (Mandatory)

Common origin backend name

-

REALTIME_LOGGING_ENABLED

Enables Fastly real-time logging (true/false)

false

LOGGING_ENDPOINT

Logging endpoint for real-time logging (if enabled)

-

TA_DATA_CAPTURE_ALLOWED_CONTENT_TYPES

Comma-separated allowed content types

json,graphql,x-www-form-urlencoded,xml

TA_DATA_CAPTURE_HTTP_BODY_REQUEST

Capture request body (true/false)

true

TA_DATA_CAPTURE_HTTP_BODY_RESPONSE

Capture response body (true/false)

true

TA_DATA_CAPTURE_HTTP_HEADERS_REQUEST

Capture request headers (true/false)

true

TA_DATA_CAPTURE_HTTP_HEADERS_RESPONSE

Capture response headers (true/false)

true

TA_DATA_CAPTURE_BODY_MAX_SIZE_BYTES

Max body size for capture (in bytes)

131072

HOST_TO_CAPTURE

Host name to capture in ext_cap payload
Allowed values: host, upstream, origin
Default: compute agent host name (host)      

host

MAX_BODY_CHUNK_SIZE

Reads the body of request and response in chunks of at most the given max number of bytes.      

8192

AUTH_ENABLED

To enable upstream header authorization (true/false)      

false

AUTH_SECRET_STORE_NAME

Name of the secret store to look for secrets

-

AUTH_SECRET_KEY

Key to look in secret store for authorization token value

-

AUTH_REQUEST_HEADER

Name of the request header used for authorization

Authorization

AUTH_FAILURE_MESSAGE

Message to send back in case of authorization failure

Unauthorized

LOG_TAILING_ENABLED

To stream logs via the Fastly log tailing feature (true/false)

false

Step 5 — Create Backends/Origins

In Fastly, a backend (or origin) refers to the server or service that processes requests forwarded by your compute service. Think of it as the destination where your agent sends traffic for further processing. For the Traceable Agent to work effectively, it requires two backends:

  1. TPA Backend:
    This is the Traceable Platform Agent (TPA) backend that the Traceable Agent communicates with to send cloned request and response data. It’s essential for enabling observability and analytics in Traceable.

  2. Customer Backend (Origin):
    This is the application or service where the agent forwards the original requests it receives. The customer backend processes these requests and generates responses that are eventually sent to the client.

What Happens in Step 5?

When a request is received:

  1. The Traceable Agent forwards the original request to the customer's Backend (Origin).

  2. The Customer Backend processes the request and returns a response to the agent. The agent returns the response to the client.

  3. Simultaneously, the Traceable Agent clones the request and response and forwards this cloned data to the TPA Backend for analysis and monitoring.

This two-backend setup ensures:

  • Your customer-facing application continues to operate without disruptions.

  • Observability data is sent to Traceable for security and monitoring purposes.

Configure Backends/Origins in Fastly

  1. Log in to the Fastly UI:

    • Navigate to ComputeAgent NameService ConfigurationOriginsHosts.

  2. Add TPA Backend:

    • Enter the TPA backend details:

      • Host: The hostname or IP address of your Traceable Platform Agent (TPA).

      • Port: The port used for TPA communication (e.g., 5442 for HTTP or 5443 for HTTPS).

      • TLS Settings: If HTTPS is used, configure the following:

        • CA Certificate: Add the appropriate certificate authority.

        • SNI Hostname: Provide the expected SNI hostname for TLS.

        • Certificate Hostname: Add the certificate hostname for validation.

  3. Add Customer Backend:

    • Enter the customer backend details:

      • Host: The hostname or IP address of your application or API.

      • Port: The port your application uses (e.g., 80 for HTTP or 443 for HTTPS).

      • Override Host: Specify the hostname for the request header if needed.

  4. Save and Deploy Configuration:

    • Ensure both backends are correctly added.

    • Save and deploy the updated configuration to Fastly.

Example Use Case:

  • TPA Backend:

    • Host: traceable-platform.yourcompany.com

    • Port: 443

    • TLS Enabled with appropriate certificates.

  • Customer Backend:

    • Host: api.yourcompany.com

    • Port: 443

    • Override Host: api.yourcompany.com

TLS Configuration

  • Enable TLS, verify certificates, and provide required details (e.g., SNI hostname and CA certificate).

Step 6 — Add health check to the TPA backend

A health check ensures the Traceable Platform Agent (TPA) backend is available and functioning correctly. Fastly periodically performs these checks to monitor the health of the TPA origin and prevent traffic from being sent to an unavailable or misconfigured backend. If the health check fails, Fastly can mark the backend as unhealthy, allowing you to investigate and resolve issues without disrupting end users.

  1. Create a health check with the following settings:

    • Request Type: GET

    • Path: /health

    • Expected Response: 200 OK

    • Check Frequency: High

  2. Link the health check to the TPA origin. Complete the following steps:

    1. Open the Fastly UI:

      • Log in to your Fastly account.

      • Navigate to the Compute@Edge Service where the agent is deployed.

    2. Edit Service Configuration:

      • Go to Service Configuration for the compute agent.

      • Find the Backends or Origins section, where the TPA backend is configured.

    3. Select the TPA Backend:

      • Locate the backend you created for the Traceable Platform Agent (e.g., tpa-backend).

      • Click to edit the configuration for this backend.

    4. Associate the Health Check:

      • Look for the Health Check field in the backend settings.

      • From the dropdown menu, select the health check created in Step 5 (e.g., tpa-health-check).

      • Save your changes.

After the health check is linked:

  • Fastly starts sending periodic GET requests to the /health endpoint of the TPA backend.

  • Based on the response (expected: 200 OK), Fastly determines whether the backend is healthy or unhealthy.

  • If the backend is marked as unhealthy:

    • Fastly stops forwarding traffic to it.

    • The backend status can be viewed in the Fastly dashboard under Origins.

Step 7 — Update CDN’s backend

Configure the traceable-compute-agent service as a backend/origin for the primary compute service or CDN. Previously, the Customer Backend was directly configured as the backend for the compute service or CDN. This step ensures the Traceable Agent is placed in the data flow between the compute service/CDN and the Customer Backend.

Client ---> CDN/another compute service ---> traceable-compute-agent ---> backend/origin


Was this article helpful?

What's Next