惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

Fastly Blog

Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Fastly Six Common Live Streaming Mistakes (And How to Avoid Them) How Fastly and Skyfire Enable Trusted Agentic Commerce at the Edge Bot Defense is Table Stakes. Machine Traffic Requires a Business Strategy AI Traffic Grew 6.5x Faster Than Human Traffic This Year Python SDK Beta: How the Language of AI Runs Faster and Safer with Fastly Give AI Agents the Markdown They Actually Want How to Configure Local Logging for an On-Prem Next-Gen WAF Agent Accountability Without Control Is Breaking Security Leadership Fastly Joins the Agentic AI Foundation (AAIF) to Guide Edge AI Interoperability The E-commerce Industry in the AI Era: Has the Agentic Flood Hit? No Margin for Error: What the FIFA World Cup Teaches Us About Performance at the Edge Why iGaming Infrastructure is Breaking and What Comes Next The Publishing Industry in the AI Era: Why Bot Strategy is Now a Business Strategy Bad Performance Kills SaaS/PaaS Growth — Why Your CDN Matters Why your code is safe from Copy Fail on Fastly Compute Myth or Marvel: Claude Mythos and What it Means for Security Introducing Compliance Audit Reports Supporting Google Private AI Compute with Privacy-Preserving Edge Infrastructure Fastly Nearly Half the Web Isn’t Human: Inside Fastly’s Threat Insight Report Media over QUIC: Can Streaming Finally Have Both Scale and Low Latency? Introducing Fastly’s Redesigned Homepage: Your Central Hub for Actionable Insights The False Choice of Indiscriminate Blocking: Why Technical Precision is the New Standard for an Open Internet What is CVE-2026-23869? React Server Components Security Alert Fastly enables first-party tagging for Google Advertisers Shrink Your Bill With Efficient Software Your AI coding agent just got better at Fastly Fastly Ranked as a Leader in the 2026 Forrester Wave™ for Edge Development Platforms Fastly at RSAC 2026: New Advances in AppSec, Bot Management, and Deception Mastering the Edge: What Golf Can Teach Us About Speed, Precision, and Performance Real-Time CDN Monitoring for Live Events with Bronto Imperva Alternatives Fastly + Scalepost: Extending the Fastly platform to manage AI Crawlers Best content delivery networks for bot management Vibe Shift? Senior Developers Ship nearly 2.5x more AI Code than Junior Counterparts Maximizing Compute Performance with Log Explorer & Insights Fastly CDN Expands Scaling Fastly Network: Balancing Requests | Fastly Best Practices for Multi-CDN Implementations | Fastly Compute@Edge: Serverless Insights by Company | Fastly Fastly can teach you about the Wasm future in just 6 talks Fastly's Observability Unleashed: New Updates and Insights Optimizing your multi-CDN infrastructure to improve performance Stay ahead of attackers by pushing your security perimeter to the edge Are APIs the Key to Digital Innovation or a Trojan Horse? Fastly Academy: on-demand learning at your fingertips. | Fastly 30 Years of Web: Building for Tomorrow 4 Ways Legacy WAF Fails to Protect Your Apps Adobe boosts performance and MTTR with Epsagon and Fastly logs | Fastly Beta" A New Serverless Compute Environment Early TLS at Fastly Technical trainings & the future of edge delivery at Altitude 2016: a year in review Innovation Capacity Defined: Tech Stack Values | Fastly Deep Log Visibility Offered by Logentries | Fastly Caching the Uncacheable: CSRF Security Increase Your Hit Ratio With This Simple Tip
Fastly
Alisha Stull · 2026-06-18 · via Fastly Blog

Partner Engineer, Google Cloud

An illustration of a hand holding a megaphone with shield and lock icons blaring out

What if your load balancer could stop attacks before your web application even sees them?

Google Cloud Service Extensions now enables real-time traffic inspection directly within the load balancer pipeline, and when combined with Fastly's Next-Gen WAF, organizations can achieve enterprise-grade security without sacrificing performance.

In this post, we'll explore how this powerful integration works and why it matters for modern cloud architectures, and walk through a practical deployment that you can implement today.

Real-World Impact: Performance Meets Protection

Let's look at what this means in practice with a realistic scenario:

The Setup: An e-commerce platform running on Google Kubernetes Engine (GKE) serving 10,000 requests per second across multiple regions.

The Challenge: Protecting against credential stuffing attacks, SQL injection, and bot traffic while maintaining sub-200ms response times.

The Solution: Deploy the Next-Gen WAF as a Service Extension callout, enabling:

  • Zero-latency security decisions at the load balancer level

  • Automatic scaling with your existing GKE infrastructure 

  • Regional deployment for optimal performance

  • Fail-open configuration to maintain availability during agent maintenance

How Fastly's Next-Gen WAF Works with Google Cloud Service Extensions

Google Cloud Service Extensions offers two ways to insert custom logic: plugins and callouts.

Callouts let you use Cloud Load Balancing to make Envoy gRPC calls to Google Cloud services and user-managed services during data processing.

Fastly’s Next-Gen WAF can run as general-purpose gRPC server on user-managed compute VMs, on GKE Pods on GKE Multi-Cloud, or on on-premises environments.

Implementation Deep Dive: From Zero to Protected

The integration leverages Envoy's external processing protocol (ExtProc) via gRPC, enabling the WAF to inspect and act on traffic at critical stages:

1. REQUEST_HEADERS: Analyze incoming request headers against threat intelligence

2. REQUEST_BODY: Stream and inspect payload data for malicious content 

3. RESPONSE_HEADERS: Monitor outbound responses for data leakage

This granular inspection capability means threats are identified and blocked before they ever reach your application backend.

Deployment from scratch involves creating and configuring an application load balancer that supports extensions.

To deploy a callout backend service using the Next-Gen WAF agent, one can use our ready made docker image.  In the terminal snippets below, we’ll create a VM instance to house, configure and deploy the Next-Gen WAF agent in the load balancers network.

More detailed information can be found on Fastly’s documentation site.

gcloud compute instances create callouts-vm \
 --zone=$ZONE \
 --network=lb-network \
 --subnet=backend-subnet \
 --machine-type=e2-medium \
 --image-family=cos-stable \
 --image-project=cos-cloud \
 --tags=allow-ssh,load-balanced-backend \
 --metadata-from-file=startup-script=startup-script-tls.sh
#!/bin/bash

# Create certificate directory
mkdir -p /etc/ssl/certs/sigsci

# Generate self-signed certificates for the gRPC service
openssl req -x509 -newkey rsa:4096 \
 -keyout /etc/ssl/certs/sigsci/key.pem \
 -out /etc/ssl/certs/sigsci/cert.pem \
 -days 365 -nodes \
 -subj "/C=US/ST=CA/L=SF/O=Fastly/CN=ext11.com"

# Set proper permissions for the sigsci user inside the container
chmod 644 /etc/ssl/certs/sigsci/key.pem
chmod 644 /etc/ssl/certs/sigsci/cert.pem

# Start Signal Sciences agent with TLS configuration
docker run -d \
 --name sigsci-agent \
 --restart unless-stopped \
 -p 443:443 \
 -v /etc/ssl/certs/sigsci:/etc/ssl/certs/sigsci:ro \
 -e SIGSCI_ACCESSKEYID=<YOUR ACCESS KEY> \
 -e SIGSCI_SECRETACCESSKEY=<YOUR SECRET KEY> \
 -e SIGSCI_ENVOY_GRPC_ADDRESS=0.0.0.0:443 \
 -e SIGSCI_ENVOY_EXTPROC_ENABLED=true \
 -e SIGSCI_ENVOY_GRPC_CERT=/etc/ssl/certs/sigsci/cert.pem \
 -e SIGSCI_ENVOY_GRPC_KEY=/etc/ssl/certs/sigsci/key.pem \
 -e SIGSCI_DEBUG_LOG_VERBOSITY=3 \
  signalsciences/sigsci-agent:latest

# Log startup completion
echo "Signal Sciences agent with TLS started at $(date)" >> /var/log/startup.log

Ready to Deploy?

The integration of Fastly's Next-Gen WAF with Google Cloud Service Extensions offers a compelling path forward for organizations serious about cloud security. The combination of real-time threat protection, cloud-native deployment, and enterprise-scale performance makes this architecture suitable for the most demanding production environments.

The future of web application security is here, and it's deeply integrated with your cloud infrastructure. Time to make the move.

Want to learn more? Check out our comprehensive setup guide for detailed implementation steps and troubleshooting tips.