How to instantiate edge functions in your edge firewall

1. Access Azion Console > select Edge Firewall.
2. Click the edge firewall you want to configure.
3. In the Main Settings tab, enable the Edge Functions module switch to enable functions.
4. Click the Save button.
5. Go to the Functions Instances tab.
6. Click + Function Instance.
7. Name your function instance. For example: Deny Geoip function.
8. On the Edge Functions dropdown, select the function you want to use. In this example, Deny Geoip function.

• If you want, you can edit the Arguments.

9. Click the Save button.

The functions page now lists the newly created instance. However, this new function isn’t yet active in your application. You need to define what will trigger the function.

Still on the Edge Firewall page:

1. Navigate to the Rules Engine tab.
2. Click the + Rule button.
3. Give a name to your rule.
4. Under the Criteria section, select the variable Network.
5. As a comparison operator, select matches.
6. As an argument, select the network list of the Countries type you want to use. For example: Blocked Countries Geoip.
7. In the Behaviors section, select Run Function from the behavior list.
8. Select the function you want to use. In this example, Deny Geoip function.
9. Click the Save button.

Once your application receives a request generated from one of the countries in the network list, the function in your firewall will deny the request based on the geo IP.

1. Access Real-Time Manager (RTM) > select Edge Firewall.
2. Click the edge firewall you want to configure.
3. In the Main Settings tab, enable the Edge Functions module switch to enable functions.
4. Click the Save button.
5. Go to the Functions tab.
6. Click Add Function.
7. Name your function instance. For example: Deny Geoip function.
8. On the Edge Functions dropdown, select the function you want to use. In this example, Deny Geoip function.

• You can’t change the Code, but if you want, you can edit the Args.

9. Click the Save button.

The functions page now lists the newly created instance. However, this new function isn’t yet active in your application. You need to define what will trigger the function.

Still on the Edge Firewall page:

1. Navigate to the Rules Engine tab.
2. Click the New Rule button.
3. Give a name to your rule.
4. Under the Criteria section, select the variable Network.
5. As a comparison operator, select matches.
6. As an argument, select the network list of the Countries type you want to use. For example: Blocked Countries Geoip.
7. In the Behaviors section, select Run Function from the behavior list.
8. Select the function you want to use. In this example, Deny Geoip function.
9. Click the Save button.

Once your application receives a request generated from one of the countries in the network list, the function in your firewall will deny the request based on the geo IP.

1. Run the following PATCH request in your terminal, replacing [TOKEN VALUE] with your personal token and the <edge_firewall_id> variable with your edge firewall ID to activate the Edge Functions module:

curl --location --request PATCH 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "edge_functions_enabled": true
}'

2. You’ll receive a response with the updated value.
3. Run the following GET request to retrieve the edge_function_id of the Deny Geoip function function:

curl --location 'https://api.azionapi.net/edge_functions' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]'

4. You’ll receive a response similar to this:

{
  "count": 1,
  "total_pages": 1,
  "schema_version": 3,
  "links": {
    "previous": null,
    "next": null
  },
  "results": [
    {
      "id": 13426,
      "name": "Deny Geoip function",
      "language": "javascript",
      "code": "async function firewallHandler(event){\n    // Access the country code through geoip\n    let countryCode = event.request.metadata[\"geoip_country_code\"]\n\n    // Do some logic here\n    // In this example, we are blocking access from Brazil\n    if (countryCode === \"BR\"){\n        event.deny();\n    }\n\n    // Then, if it comes from any other country,\n    // the processing continues\n    event.continue();\n}\n\naddEventListener(\"firewall\", (event)=>event.waitUntil(firewallHandler(event)));",
      "json_args": {
        "value": "hello_world"
      },
      "function_to_run": "",
      "initiator_type": "edge_firewall",
      "active": true,
      "last_editor": "user@email.com",
      "modified": "2023-11-14T20:09:48.657555Z",
      "is_proprietary_code": false,
      "reference_count": 1
    }
  ]
}

5. Copy the <edge_function_id> value.
6. Run the following POST request, replacing the <edge_firewall_id> variable with your edge firewall ID and the <edge_function_id> value with the value you received in the previous response:

curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/functions_instances' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Deny Geoip",
      "edge_function": <edge_function_id>,
      "json_args": {}
}'

7. You’ll receive a response similar to this:

{
  "results": {
    "name": "Another function",
    "json_args": {},
    "edge_function": 13426,
    "last_modified": "2023-11-22T18:50:11.812819Z",
    "last_editor": "hannah.kahn+rtm@azion.com",
    "id": 2806
  },
  "schema_version": 3
}

8. Run the following GET to retrieve the id of the Blocked Countries Geoip network list:

curl --location 'https://api.azionapi.net/network_lists' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]'

9. You’ll receive a response similar to this:

{
  "count": 2,
  "total_pages": 1,
  "schema_version": 3,
  "links": {
    "previous": null,
    "next": null
  },
  "results": [
    {
      "id": 6217,
      "last_editor": "hannah.kahn+rtm@azion.com",
      "last_modified": "2023-11-14T21:35:39.808175Z",
      "list_type": "countries",
      "name": "Deny Geoip",
      "country_list": [
        "Brazil"
      ],
      "ip_list": []
    }
  ]
}
}

10. Run the following POST request in your terminal, replacing [TOKEN VALUE] with your personal token, the <edge_firewall_id> variable with your edge firewall ID, the <edge_function_instance_id> value with the function instance ID, and the <<network_list_id>> value with the network list ID:

curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Create rule",
    "is_active": true,
    "behaviors": [
        {
            "name": "run_function",
            "argument": <edge_function_instance_id>
        }
    ],
    "criteria": [
        [
            {
                "variable": "network",
                "operator": "is_in_list",
                "conditional": "if",
                "argument": <network_list_id>
            }
        ]
    ]
}'

11. You’ll receive a response similar to this, confirming your function was created successfully:

{
  "results": {
    "name": "Create rule",
    "is_active": true,
    "behaviors": [
      {
        "name": "run_function",
        "argument": 2718
      }
    ],
    "criteria": [
      [
        {
          "variable": "network",
          "operator": "is_in_list",
          "conditional": "if",
          "argument": 6217
        }
      ]
    ],
    "last_modified": "2023-11-22T17:57:28.584143Z",
    "last_editor": "hannah.kahn+rtm@azion.com",
    "id": 28370,
    "order": 1
  },
  "schema_version": 3
}

12. Wait a few minutes for the changes to propagate.

Once your application receives a request generated from one of the countries in the network list, the function in your firewall will deny the request based on the geo IP.