Traceable's Edge Deployment Instrumentation secures your traffic by acting as a security enforcement layer that processes and filters incoming requests before they reach your backend. This deployment extends beyond traditional Web Application Protection (WAP) functionality by enabling full Web Application and API Protection (WAAP) instrumentation at the edge. WAAP enables organizations to protect their applications from API threats, bot attacks, and malicious requests while ensuring seamless traffic routing and security policy enforcement.
Traceable Edge Deployment supports two models, allowing flexibility based on your infrastructure:
CDN/Gateway Ahead of Traceable WAAP – Traffic is first routed through a CDN (e.g., AWS CloudFront) or another gateway before reaching Traceable WAAP. WAAP then inspects traffic, applies security policies, and forwards legitimate requests to your backend.
Ideal for users who already use a CDN or gateway for caching, performance, or DDoS protection.
DNS-Based Traffic Steering (Direct Proxying through WAAP) – Traffic is directly routed through Traceable WAAP by modifying DNS records (CNAME configuration). WAAP processes requests inline, applying WAP, bot detection, API security, and Layer 7 DDoS mitigation before forwarding them to your backend.
Best suited for organizations seeking a fully managed, security-first traffic routing solution.
Traceable assigns a unique subdomain for each deployment model, ensuring secure traffic routing and seamless integration with your infrastructure.
How It Works
Traffic Flow Overview
User Request – A client (browser, API, or bot) sends a request to your public domain (e.g., customer.com).
Traffic Processing:
If using CDN/Gateway Routing, the request first passes through the CDN or gateway, which then forwards it to Traceable WAAP.
If using DNS-Based Traffic Steering, the request is directly routed to Traceable WAAP through a CNAME record.
Security Inspection – WAAP filters, inspects, and blocks malicious requests based on configured security policies.
Validated Request Forwarding – Only clean, validated traffic is sent to your backend (for example, real-customer.com).
Before you begin
Before deploying Traceable's Cloud WAAP, ensure the following configurations are in place:
1. Deployment Requirements
Domain Configuration:
If using DNS-Based Traffic Steering (Direct Proxying through WAAP), update your DNS settings (e.g., AWS Route 53) to point traffic to Traceable’s WAAP subdomain.
If using CDN/Gateway Deployment, configure your CDN or gateway to forward traffic through Traceable WAAP.
Backend Security: Restrict backend servers to accept traffic only from Traceable’s WAAP cluster.
2. Secure Network Configuration
Allowlist Traceable’s AWS subnets so that only authorized traffic reaches your backend.
Restrict backend servers from accepting direct internet traffic.
3. Configuration Data Requirements
Ensure you have the following details for deployment:
Public domain(s): The primary domain(s) you want to protect (e.g., customer.com).
Backend hostname or IP address: The origin where WAAP will forward validated traffic (e.g., real-customer.com).
Traceable-assigned subdomain: Provided during deployment, used for secure traffic routing (e.g., customer.waap.traceable.ai).
Deployment Options
Option 1: CDN/Gateway Ahead of Traceable WAAP
Traffic Flow
CDN/Gateway → Traceable WAAP → Origin
Steps to Deploy
Assign a WAAP Subdomain & Configure Traffic Routing:
Traceable assigns you a unique subdomain (e.g., customer.waap.traceable.ai).
Configure your CDN (e.g., AWS CloudFront, Cloudflare) or Gateway to forward all traffic to this subdomain.
This ensures that all traffic first passes through WAAP, where security policies are applied.
Secure Origin Communication:
Provide Traceable with your Origin hostname or IP address (e.g., real-customer.com), including port and protocol (e.g., TLS on 443).
Allowlist Traceable’s AWS subnets to allow only authorized traffic to reach your origin.
Option 2: DNS-Based Traffic Steering (Direct Proxying through WAAP)
Traffic Flow
DNS → Traceable WAAP → Origin
Explanation of Domains
customer.com – This is your primary public domain where end users send requests. All traffic to this domain is routed to Traceable’s WAAP for security enforcement before reaching your backend.
customer.waap.traceable.ai – This is the unique subdomain assigned by Traceable to act as an entry point for all traffic before it reaches your backend. Your DNS configuration must be updated to forward traffic to this subdomain, ensuring WAAP processes and secures all incoming requests.
Steps to Deploy
Secure Traffic with SSL/TLS Certificates:
Generate an SSL/TLS certificate for your domain (customer.com).
Provide the certificate and private key in the Traceable console.
Secure Origin Communication:
Provide Traceable with your origin hostname or IP address (e.g., real-customer.com).
Allowlist Traceable’s AWS subnets to ensure only authorized traffic reaches your origin servers.
Assign and update DNS records:
Traceable assigns you a unique subdomain (e.g., customer.waap.traceable.ai).
Update your DNS provider (e.g., AWS Route 53) to point your domain (customer.com) to WAAP using a CNAME record.
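A check of the two outcomes the DNS and "Secure Origin Communication" steps (in both deployment options) are meant to produce, written as an added example that is not part of Traceable's documentation or tooling: the public hostname's CNAME chain passes through the WAAP subdomain, and the origin accepts traffic only from the allowlisted subnets. The subnet ranges, the api.customer.com record and the ingress rules are constructed placeholders, since the page does not list Traceable's AWS subnets.

```python
import ipaddress

# Assumed placeholders: the page does not list Traceable's AWS subnets.
# Documentation ranges (RFC 5737) stand in for the real values.
WAAP_SUBNETS = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed sample data: exported DNS records and origin ingress rules.
DNS_RECORDS = {
    "customer.com": ("CNAME", "customer.waap.traceable.ai"),
    "api.customer.com": ("CNAME", "real-customer.com"),  # skips WAAP
}
INGRESS_RULES = [
    {"port": 443, "source": "198.51.100.0/24"},
    {"port": 443, "source": "203.0.113.64/26"},  # inside an allowlisted range
    {"port": 443, "source": "0.0.0.0/0"},        # direct internet access
    {"port": 443, "source": "::/0"},             # direct internet access (IPv6)
]


def cname_chain(name, records, max_hops=8):
    """Follow CNAME records from name; return the list of names visited."""
    chain = [name.rstrip(".").lower()]
    while len(chain) <= max_hops:
        rtype, target = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            break
        target = target.rstrip(".").lower()
        if target in chain:  # CNAME loop, stop following
            break
        chain.append(target)
    return chain


def routed_through_waap(name, records, waap_host):
    """True if the CNAME chain for name passes through the WAAP subdomain."""
    return waap_host.lower() in cname_chain(name, records)[1:]


def exposed_ingress(rules, allowed_subnets):
    """Return rules whose source is not contained in any allowed subnet."""
    allowed = [ipaddress.ip_network(s) for s in allowed_subnets]
    exposed = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        ok = any(src.version == a.version and src.subnet_of(a) for a in allowed)
        if not ok:
            exposed.append(rule)
    return exposed
```

Any hostname for which `routed_through_waap` is false, and any rule returned by `exposed_ingress`, is a path that reaches the origin without WAAP inspection.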