Cequence's Web Application and API Protection (WAAP) solution is a cloud-based security service that consolidates the following security services in a single platform:
- Web Application Firewall (WAF)
- Bot Management
- API Security
- DDoS Protection
The Cequence WAAP integrates multiple security layers, combining an AWS Web Application Firewall (WAF) with an Amazon Application Load Balancer to deliver comprehensive DDoS protection and web traffic filtering. Additionally, the Cequence WAAP leverages the Cequence Unified API Protection (UAP) platform for advanced API security and sophisticated bot management.
In this architecture, traffic flows through AWS WAF, then to an Amazon Application Load Balancer (ALB), and finally to Cequence Defenders, which are the data-plane component of the Cequence UAP platform.
When a client makes a request to your application, the request first passes through the AWS WAF for initial filtering, then routes through the Amazon ALB for load distribution. The ALB forwards traffic to Cequence Defenders, which perform deep inspection using machine learning models and behavioral analysis to identify sophisticated bot attacks, API abuse, and anomalous traffic patterns. After analysis, Defenders forward legitimate traffic to your origin applications, such as API gateways, firewalls, or application servers.
This layered defense architecture combines the signature-based protection of AWS WAF with Cequence's advanced bot detection and API security capabilities. Cequence Defenders are regionally deployed to match your application's hosting location, ensuring optimal latency and performance. The service initially operates in detection-only mode, enabling you to observe traffic patterns and validate functionality before you enable active blocking policies.
What you'll need
To get started with AWS WAF integration, you'll need to provide the following items.
- The application hostname(s) that you're using the AWS WAF to protect. You'll need full hostnames (for example, dev-api.example.com).
- AWS WAF and ALB configuration details to establish the integration points.
- Origin application endpoint(s) where Cequence Defenders forward validated traffic. Endpoints can be IP addresses or FQDNs.
- Hosting region of origin applications to ensure optimal Defender deployment
- For applications that use HTTPS, you'll also need SSL certificates. Specify an existing certificate or provision a new certificate for validation using DNS CNAME.
Cequence will provide the following details.
- ALB routing information. Cequence provides an AWS ALB endpoint. Your application traffic flows through this endpoint after being protected by WAF and Defender.
- Egress NAT IP addresses. Cequence Defenders use these egress NAT IPs when forwarding traffic to your application origins. Whitelist these IP addresses on your application's firewall or security groups to enable inbound connections from Cequence.
You'll also need to be able to do the following tasks.
- Update DNS configuration to redirect application traffic through the AWS WAF and ALB to Cequence Defenders
- Configure ALB target groups to route traffic to Cequence Defenders
- Coordinate with Cequence during the cutover and validation phases
The onboarding process involves provisioning your dedicated Cequence Defenders, configuring the AWS WAF and ALB integration, establishing traffic routing between components, validating SSL certificates through DNS records, and performing a coordinated DNS cutover with final traffic validation.
Architectural concepts
Understanding how WAF integration processes traffic is essential for effective configuration and troubleshooting. The system uses a header-based approach where AWS WAF adds specific headers to requests that match threat detection rules, rather than blocking them immediately.
Header processing workflow
When AWS WAF detects potential threats, the WAF adds headers that follow the x-amzn-waf-* naming convention, as required by AWS. These headers flow with the request to Cequence Defenders, which evaluate the headers and apply appropriate blocking policies based on configured rules. This two-stage approach allows for more sophisticated threat analysis while maintaining the speed of cloud-native WAF detection.
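The two-stage workflow above, modelled as an added example (not Cequence or AWS code): stage 1 is an AWS WAF rule with the Count action and custom request handling, which is what makes WAF insert an x-amzn-waf- prefixed header instead of blocking; stage 2 is a simplified stand-in for the Defender policy check, including the detection-only mode. The rule name, path pattern, header name and policy are constructed for illustration.

```python
"""Model of the two-stage WAF -> Defender header workflow (added illustration,
not Cequence or AWS code). Rule name, paths, header name and policy are constructed."""
import re

# AWS WAF prepends this prefix to every custom header inserted by a rule.
WAF_HEADER_PREFIX = "x-amzn-waf-"


def waf_count_rule(name: str, path_regex: str, header_name: str) -> dict:
    """Return an AWS WAF rule in JSON shape: Count action (never blocks)
    plus CustomRequestHandling that inserts a header on every match."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RegexMatchStatement": {
            "RegexString": path_regex,
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        "Action": {"Count": {"CustomRequestHandling": {
            "InsertHeaders": [{"Name": header_name, "Value": "true"}]}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def waf_stage(rule: dict, request: dict) -> dict:
    """Stage 1: tag a matching request with the prefixed header and pass it on."""
    stmt = rule["Statement"]["RegexMatchStatement"]
    if re.search(stmt["RegexString"], request["path"]):
        for h in rule["Action"]["Count"]["CustomRequestHandling"]["InsertHeaders"]:
            # HTTP header names are case-insensitive; this model stores them lowercased.
            request["headers"][(WAF_HEADER_PREFIX + h["Name"]).lower()] = h["Value"]
    return request


def defender_stage(request: dict, policy: dict, blocking_enabled: bool) -> str:
    """Stage 2 (simplified stand-in): apply the operator's policy to WAF headers.
    policy maps a full header name to 'block' or 'log'. Returns 'block',
    'detect' (would block, but detection-only mode is on) or 'allow'."""
    for header, action in policy.items():
        if header.lower() in request["headers"] and action == "block":
            return "block" if blocking_enabled else "detect"
    return "allow"


def process(path: str, blocking_enabled: bool) -> str:
    """Run one constructed request through both stages and return the verdict."""
    rule = waf_count_rule("tag-admin-paths", r"^/admin/", "admin-path")
    policy = {WAF_HEADER_PREFIX + "admin-path": "block"}
    request = waf_stage(rule, {"path": path, "headers": {}})
    return defender_stage(request, policy, blocking_enabled)
```

Running the same tagged request with `blocking_enabled=False` returns "detect", which is the observe-before-block behaviour the service starts in.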
Confirming functionality
To confirm that your SaaS Cequence Unified API Protection (UAP) platform's WAF functionality is working, log in to the UAP instance and check System Components.
- Log in to the Cequence UAP platform.
- Click the gear icon at the top right.
- Select Diagnostics.
The Diagnostics page opens to the System Components tab. Examine the tab for a pane matching this example.