Use Terraform with Link11 WAAP

Link11 WAAP infrastructure can be managed using Terraform. The provider is here, along with its documentation.

If you're unfamiliar with L11WAAP (especially the API), the information below is recommended reading. Resources are described below in two ways:

For each resource, a link is provided to an in-depth description of that feature in the UI. Sometimes the UI will provide more configuration options than the resource does, but the links should be helpful in understanding the purpose and use of each resource.


Resources according to traffic flow

Consider a request originating at a client, and destined for the origin server. Here are the Terraform resources (shown in bold) that are involved as the request flows through the system.


Client connection to Link11 WAAP

Certificates and Load Balancers

These are necessary for the connection between the client and Link11. More info: Certificates and Load Balancers.

Traffic Source Verification

Trusted Networks

Link11 WAAP will only accept traffic from the trusted sources listed in Planet Trusted Networks. These can be:

  • Specific IP addresses, e.g., those of load balancers

  • Or the traffic sources specified in one or more Global Filters, e.g., a CDN.

Mobile Application Group (optional)

Link11 customers who publish native iOS or Android applications for their clients can include the Link11 WAAP Mobile SDK: a unique client certification mechanism for iOS and Android apps.

If the client is using an SDK-enabled app, then a Mobile Application Group will define the necessary parameters for Link11 WAAP to authenticate the client.

Policy Mapping and Traffic Routing

Server Group

Within Link11 WAAP, the request's destination domain parameters are defined as a Server Group.

Proxy Template

Link11 WAAP acts as a proxy. The Proxy Template defines its characteristics in this role; the Server Group is based upon this template.

Security Policy

A Security Policy assigns security rulesets (those that will be enforced in the next stage) to destination paths within the Server Group.

The Security Policy also determines the Edge Functions and Backend Service (see below) that will be used for the request.

Traffic Processing

Global Filters

Global Filters analyze incoming requests and attach a variety of tags, according to the request's characteristics. They can also be configured to block certain requests.

As the name implies, Global Filters apply to all requests, regardless of their destination paths.

Rate Limits

Rate Limit Rules block traffic sources that send an excessive number of requests within a defined time period.

ACL Profile

Depending on a request's tags, an ACL Profile can block it, exempt it from further processing, or perform other actions.

Edge Functions (optional)

Edge Functions are custom Lua code that can be run at various points during traffic processing, to extend Link11 WAAP's capabilities.

Forward Legitimate Requests

Backend Service

Link11 WAAP will pass legitimate traffic through to the server(s) specified in the Backend Service.

The Backend Service definition that will be used is specified in the Security Policy.

Config, Publishing, and Users

These resources are necessary for administering Link11 WAAP.

  • Config: Most resources include a config_id parameter. A configuration is a complete definition of L11WAAP's behavior for a specific environment; a customer can maintain multiple configurations (e.g., development, staging, and production). The default value for config_id is prod.

  • Publishing: When L11WAAP's configuration is updated, the updates must be published before they will take effect.

  • Users: This resource is for administering users of the Link11 WAAP system.

Resources according to internal relationships

This diagram illustrates the relationships among some of the infrastructure resources.

The foundational resource is a Server Group, which usually represents a domain. Each Server Group is based upon a Proxy Template, has one or more certificates associated with it, and can incorporate an optional Mobile Application Group.

Each Server Group contains at least one Security Policy, or (more commonly) contains a set of Security Policies defined for different paths within the Server Group.

Each Security Policy associates a destination path with several types of security rulesets and other settings.


The current Terraform version does not provide a resource for Content Filter Profiles (which define how requests are filtered according to threat signatures). The system will use a default Profile.

More information

L11WAAP's Terraform provider is primarily a wrapper around the API. If there are questions about resource parameters or other issues, it can be helpful to read the reference guide for the equivalent API operation, which can be found in the list of API namespaces.
