Cequence API Edge Protection augments API Spartan deployments with web application firewall (WAF), distributed denial of service (DDoS) protection, and transport layer security (TLS) certificate provisioning. Cequence API Edge Protection is available in any AWS region that makes AWS CloudFront and WAF available.
Configuring CloudFront
- Log in to CloudFront.
- Click Create Distribution.
Fill in the fields as required by your implementation.
- Choose your Protocol policy.
The origin protocol policy determines the protocol (HTTP or HTTPS) that you want CloudFront to use when connecting to the origin. You can choose the following options.
HTTP Only: CloudFront uses only HTTP to access the origin. This is the default setting when the origin is an Amazon S3 static website hosting endpoint and cannot be changed.
HTTPS Only: CloudFront uses only HTTPS to access the origin. (We currently set HTTPS Only.)
Match Viewer: CloudFront communicates with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. To match HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin domain.
- Name your Origin.
- (Optional) Add custom headers.
- Open the Default Cache Behavior panel.
- Choose what methods to cache.
- Choose a cache policy.
- Set the Origin Request Policy to AllViewer in order to pass all client headers, cookies, and query strings through CloudFront to the origin.
- (Optional) Add other functions.
- Choose a Price Class.
- Choose a WAF ACL, if one already exists.
Any WAF ACLs created later are also added at this screen.
- Add CNAMEs, if any are in use.
These are publicly routable hostnames that route through CloudFront.
- Choose a certificate.
Any certificates created later are also added at this screen.
- Choose Create Distribution.
Configuring the WAF
- Click Create web ACL.
Fill in the appropriate fields as required.
- Choose CloudFront Distribution, if applicable.
The fields refresh and erase any information that has already been entered but not submitted.
- Name your Web ACL and add associated resources such as your CloudFront distribution.
- Add Rules and Groups.
- Select Add Rules.
- Select Add managed rule groups.
- In Core rule set, click the action slider.
The core rule set is now added.
- Select Edit.
- Select Set all rule actions to count.
This changes the rule action to Alert; matching requests are counted rather than blocked.
- Click Save.
- Choose Add rules.
- Verify that Default action is set to Allow.
- (Optional) Add custom headers.
- Choose Next.
- Set a rule priority.
- Choose Next.
- Configure metric settings if needed.
- Click Next.
- Click Confirm.
- Click Create your Web ACL.
- Return to your CloudFront Distribution, and add your new Web ACL.
When you are ready to block traffic, disable 'Set all rule actions to count' (enabled in the step above). Requests that trigger CRS rules will then be blocked.
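As an added example (not from the Cequence documentation), the web ACL that the steps above produce, written in the parameter shape that boto3's `wafv2.create_web_acl`/`update_web_acl` accept (an assumption; the code contacts no AWS service), together with the count-to-block switch described above:

```python
# Added example, not from the Cequence docs: the WAFv2 web ACL definition
# equivalent to the console steps above, in the parameter shape of boto3
# wafv2.create_web_acl/update_web_acl (assumed); nothing here contacts AWS.
import copy

CRS_RULE_NAME = "AWS-AWSManagedRulesCommonRuleSet"


def visibility(metric_name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_web_acl(name: str, count_only: bool = True) -> dict:
    """Web ACL for a CloudFront distribution with the AWS Core rule set.
    count_only=True mirrors "Set all rule actions to count": matches are
    metered but allowed; False lets the group's Block actions take effect."""
    override = {"Count": {}} if count_only else {"None": {}}
    crs_rule = {
        "Name": CRS_RULE_NAME,
        "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "OverrideAction": override,
        "VisibilityConfig": visibility(f"{name}-crs"),
    }
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",           # CloudFront web ACLs are global (us-east-1)
        "DefaultAction": {"Allow": {}},  # "Verify that Default action is set to Allow"
        "Rules": [crs_rule],
        "VisibilityConfig": visibility(name),
    }


def is_blocking(web_acl: dict) -> bool:
    """True once the CRS rule group is no longer overridden to Count."""
    for rule in web_acl["Rules"]:
        if rule["Name"] == CRS_RULE_NAME:
            return "None" in rule.get("OverrideAction", {})
    raise ValueError("Core rule set rule is not in this web ACL")


def enable_blocking(web_acl: dict) -> dict:
    """Copy of the ACL with the Count override removed (the 'ready to block' step)."""
    updated = copy.deepcopy(web_acl)
    for rule in updated["Rules"]:
        if "ManagedRuleGroupStatement" in rule["Statement"]:
            rule["OverrideAction"] = {"None": {}}
    return updated
```

Pass the returned dict as keyword arguments to `create_web_acl` for the initial count-only ACL and, after review of the counted matches, the `enable_blocking` copy to `update_web_acl` (which additionally requires the ACL's `Id` and `LockToken`).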
Generating the certificate
- Click Request.
- Click Next.
- Complete the certificate request form.
- Enter your FQDN.
- Choose DNS Validation.
- Enter tags.
Typically, these are Name and Customer, with the value of the customer name.
- Click Request.
An entry is automatically created in Route 53.
- Provide this CNAME to the customer, for them to create a CNAME that routes to this CloudFront CNAME. Alternately, you can change this record to reflect your FQDN.
- Change the record to route traffic from your new CNAME to your CloudFront distribution. The automatically-created record is a placeholder.
- Add the certificate to your CloudFront distribution.
- Add the newly created certificate to your origin or load balancer.