This is an optional step that seeks to simplify your usage of the Edge Services API.
Edge Services API
Introduction
Edge Services allows you to easily, securely and reliably expose your HTTP service to the internet via a single entry point. With Edge Services, you can enhance performance by enabling caching on Scaleway Object Storage buckets (S3) or Scaleway Load Balancers, security by enabling WAF (Web Application Firewall) as well as customize your endpoints with your own domain and SSL/TLS certificate.
Quickstart
This quickstart shows you how to set up Edge Services on a Scaleway Load Balancer with Caching and WAF enabled.
-
Configure your environment variables.
Noteexport SCW_SECRET_KEY="<API secret key>"export SCW_PROJECT_ID="<Scaleway Project ID>" -
Create a Pipeline: run the following command to create an empty pipeline. This pipeline is the main Edge Services object and represents how an HTTP request to your Object Storage bucket or Load Balancer via Edge Services will be processed.
curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines" \-d '{"project_id":"'$SCW_PROJECT_ID'","name":"mypipeline","description":"my-pipeline"}' -
Create a Backend Stage: run the following command to create a backend stage, which defines the origin service which Edge Services will point to. In this example, we point to a Scaleway Load Balancer. We need to define the Load Balancer
id
, thefrontend_id
and thezone
where the LB is located, as well as the domain (Host Header) to be used by Edge Services when fetching content from it. Ensure that you replace<PIPELINE_ID>
in the URL with the ID of the pipeline.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/backend-stages" \-d '{"scaleway_lb": {"lbs": [{"id": "<LOAD_BALANCER_ID>","zone": "fr-par-1","frontend_id": "<LB_FRONTEND_ID>","is_ssl": true,"domain_name": "mydomain.com"}]}}' -
Create a WAF Stage: run the following command to create a WAF (Web Application Firewall) stage, in order to protect your origin (defined by the backend stage) from malicious requests. In this example, we configure the WAF in a
log_only
mode, resulting in having malicious requests being logged into Cockpit but not rejected. This behavior is useful for pre-production environments. Theparanoia_level
settings allows to define the WAF sensitivity. With a high level, requests are more likely to be classed as malicious, and false positives are expected. With a lower level, requests are more likely to be classed as benign. Ensure that you replace<BACKEND_STAGE_ID>
with the ID of the previously created backend stage and<PIPELINE_ID>
in the URL with the ID of the pipeline.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/waf-stages" \-d '{"mode":"log_only","paranoia_level":1,"backend_stage_id":"<BACKEND_STAGE_ID>"}' -
Create a Cache Stage: run the following command to create a cache stage, which defines the caching configuration for Edge Services to distribute the content from the defined origin (the previously-defined backend stage). The example below sets the a custom TTL of 30 minutes for the cache. Ensure that you replace
<WAF_STAGE_ID>
with the ID of the previously created WAF stage and<PIPELINE_ID>
in the URL with the ID of the pipeline. If you don't need WAF to protect your origin, then directly specify thebackend_stage_id
.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/cache-stages" \-d '{"fallback_ttl":"1800s","waf_stage_id":"<WAF_STAGE_ID>"}' -
Create a TLS Stage: run the following command to create a TLS stage, which defines the SSL/TLS certificate for Edge Services on the previously-defined backend stage (origin). In the example below, an auto-created Saleway-managed Let's Encrypt certificate is configured. Ensure that you replace
<CACHE_STAGE_ID>
with the ID of the previously created cache stage and<PIPELINE_ID>
in the URL with the ID of the pipeline. If you don't need caching, then directly specify thebackend_stage_id
or thewaf_stage_id
.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/tls-stages" \-d '{"managed_certificate":true,"cache_stage_id":"<CACHE_STAGE_ID>"}' -
Create a DNS Stage: run the following command to create a DNS stage, which defines a custom domain as an endpoint for Edge Services on your backend stage (origin). You must already own the domain. In the example below we use
myendpoint.example.com
. Ensure that you replace<TLS_STAGE_ID>
with the ID of the previously created TLS stage and<PIPELINE_ID>
in the URL with the ID of the pipeline.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/dns-stages" \-d '{"fqdns":["myendpoint.example.com"],"tls_stage_id":"<TLS_STAGE_ID>"}' -
Define the Head of the Pipeline: run the following command to set the previously created DNS stage as first stage or
Head
of the Pipeline, to trigger the Pipeline configuration. Ensure that you replace<PIPELINE_ID>
in the URL with the ID of the pipeline.curl -X POST \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>/set-head-stage" \-d '{"add_new_head_stage":{"new_stage_id":"<DNS_STAGE_ID>"}}' -
Access your endpoint: Once you have created a CNAME record pointing towards the Edge Services default endpoint, yan can run the following command to test your pipeline. Ensure that you customize the URL according to the domain you set in step 7, and that you replace
path/to/my/content
with an appropriate URL path that is actually reachable through your Load Balancer. You can also test the URL through your web browser. Edge Services will serve the requested object. Once your content is cached, you can inspect the HTTP headerX-Cache
and see that the response ishit-fresh
.curl -i https://myendpoint.example.com/path/to/my/content -
Delete your pipeline: run the following command to delete a pipeline. Ensure that you replace
<PIPELINE_ID>
in the URL with the ID of the pipeline you want to delete. Note that it will also delete all of the associated stages.curl -X DELETE \-H "X-Auth-Token: $SCW_SECRET_KEY" \"https://api.scaleway.com/edge-services/v1beta1/pipelines/<PIPELINE_ID>"
- You have a Scaleway account
- You have created an API key and that the API key has sufficient IAM permissions to perform the actions described on this page
- You have installed
curl
- You have created a Scaleway Load Balancer
Technical information
Availability
Scaleway Edge Services is currently available globally. Find out about product availability in our dedicated documentation.
Edge Services is currently available for Scaleway Object Storage and Load Balancer backends only.
Pipeline Stages
An Edge Services pipeline contains a set of interlinked stages.
The following links are possible :
- Pipeline > DNS stage > TLS stage > Cache stage > Route stage > WAF stage > Backend stage
- Pipeline > DNS stage > TLS stage > Cache stage > WAF stage > Backend stage
- Pipeline > DNS stage > TLS stage > Cache stage > Backend stage
- Pipeline > DNS stage > TLS stage > WAF stage > Backend stage
- Pipeline > DNS stage > TLS stage > Backend stage
If you wish to set up Edge Services without customizing the domain (that is, using the default endpoint), you can create empty TLS and DNS stages.
- Create the TLS stage with only the
pipeline_id
andbackend_stage_id
(orcache_stage_id
if caching feature is needed) parameters. - Create the DNS stage with only the
pipeline_id
andtls_stage_id
parameters.
If you use the WAF stage and need to exclude some requests from being inspected by the WAF (that is, bypass the WAF), define a route stage pointing towards the WAF stage, and setup route rules to override the default route stage behavior: requests matching the defined route rules will be directly sent to the backend stage and won't be inspected by the WAF. The route stage must be referenced by either a cache stage or TLS stage to be part of the pipeline.
Technical limitations
- A backend stage must point either to a Scaleway Object Storage bucket (
scalewayS3
) or to a Scaleway Load Balancer (scalewayLb
) - Only one pipeline is allowed per Object Storage bucket
- The TLS stage currently only supports one SSL/TLS certificate
- The DNS stage currently only supports one FQDN (Fully Qualified Domain Name)
Going further
For more help using Scaleway Edge Services, check out the following resources:
- Our main documentation
- The #edge-services channel on our Slack Community
- Our support ticketing system.
Pipelines
The main Edge Services object. A pipeline is made up of ordered stages and represents how an HTTP request will be processed, from the source (client) to the destination (origin).
GET
/edge-services/v1beta1/pipelines
POST
/edge-services/v1beta1/pipelines
GET
/edge-services/v1beta1/pipelines/{pipeline_id}
PATCH
/edge-services/v1beta1/pipelines/{pipeline_id}
DELETE
/edge-services/v1beta1/pipelines/{pipeline_id}
DNS stages
A DNS stage is part of a pipeline. It allows you to customize the domain of your Edge Services endpoint with a subdomain of a domain you own. This is useful if you do not want to use the default domain endpoint provided by Scaleway. Edge Services will then serve content from your customized domain. A TLS stage is also necessary to provide an SSL/TLS certificate so that Edge Services can serve traffic for your customized domain over HTTPS.
GET
/edge-services/v1beta1/dns-stages/{dns_stage_id}
PATCH
/edge-services/v1beta1/dns-stages/{dns_stage_id}
DELETE
/edge-services/v1beta1/dns-stages/{dns_stage_id}
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/dns-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/dns-stages
TLS stages
A TLS stage is part of a pipeline. It allows you to provide an SSL/TLS certificate for your customized domain (DNS stage) - without this, Edge Services cannot serve traffic for your customized domain over HTTPS. This could be a custom certificate stored in Scaleway Secret Manager, or a Let's Encrypt certificate generated and managed by Scaleway.
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/tls-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/tls-stages
GET
/edge-services/v1beta1/tls-stages/{tls_stage_id}
PATCH
/edge-services/v1beta1/tls-stages/{tls_stage_id}
DELETE
/edge-services/v1beta1/tls-stages/{tls_stage_id}
Cache stages
A cache stage is part of a pipeline. It allows you to cache your origin's content, so it will be served directly to users from a cache on Edge Services' servers, enhancing performance. Note that including a cache stage in your pipeline is optional.
GET
/edge-services/v1beta1/cache-stages/{cache_stage_id}
PATCH
/edge-services/v1beta1/cache-stages/{cache_stage_id}
DELETE
/edge-services/v1beta1/cache-stages/{cache_stage_id}
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/cache-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/cache-stages
WAF stages
A WAF stage is part of a pipeline. It allows you to protect your origin from malicious requests, enhancing security. You can choose to either block or log the threats that are identified, and set a paranoia level to determine the sensitivity of the threat detection engine. Note that including a WAF stage in your pipeline is optional.
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/waf-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/waf-stages
GET
/edge-services/v1beta1/waf-stages/{waf_stage_id}
PATCH
/edge-services/v1beta1/waf-stages/{waf_stage_id}
DELETE
/edge-services/v1beta1/waf-stages/{waf_stage_id}
Route stages
A route stage is part of a pipeline. It allows you to configure routes towards other stages of the Edge Services pipeline, based on a defined set of rules (using HTTP method or path). For now, the main use case for a route stage is to allow all requests that match certain rules to bypass a WAF stage and route directly to the backend stage. More functionality for the route stage is planned for the future. Note that including a route stage in your pipeline is optional.
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/route-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/route-stages
GET
/edge-services/v1beta1/route-stages/{route_stage_id}
PATCH
/edge-services/v1beta1/route-stages/{route_stage_id}
DELETE
/edge-services/v1beta1/route-stages/{route_stage_id}
GET
/edge-services/v1beta1/route-stages/{route_stage_id}/route-rules
POST
/edge-services/v1beta1/route-stages/{route_stage_id}/route-rules
PUT
/edge-services/v1beta1/route-stages/{route_stage_id}/route-rules
Backend stages
A backend stage is part of a pipeline. It defines the source of the content that Edge Services will serve to clients. It could be either a Scaleway Object Storage bucket ("S3") or a Scaleway Load Balancer.
GET
/edge-services/v1beta1/backend-stages/{backend_stage_id}
PATCH
/edge-services/v1beta1/backend-stages/{backend_stage_id}
DELETE
/edge-services/v1beta1/backend-stages/{backend_stage_id}
GET
/edge-services/v1beta1/pipelines/{pipeline_id}/backend-stages
POST
/edge-services/v1beta1/pipelines/{pipeline_id}/backend-stages
Purge requests
A purge request allows you to remove content from the cache (if a cache stage has been created). You can choose to purge the entire cache, or limit the purge to specified assets.
GET
/edge-services/v1beta1/purge-requests
POST
/edge-services/v1beta1/purge-requests
GET
/edge-services/v1beta1/purge-requests/{purge_request_id}