How to instantiate edge functions in your edge firewall

Instantiate serverless functions directly within your edge firewall.

This guide uses the configured Deny a request based on Geoip function. You can repeat this process using any function already available on Azion Marketplace or develop other functions.

This guide will also presume you have a network list of the Countries type.

Via Azion Console

Access Azion Console > select *Edge Firewall.
Click the edge firewall you want to configure.
Enable the Edge Functions module switch to enable functions.
Click the Save button.
Go to the Functions tab.
Click Add Function.
Name your function instance. For example: Deny Geoip function.
On the Edge Functions dropdown, select the function you want to use. In this example, Deny Geoip function.
- You can’t change the Code, but if you want, you can edit the Args.
Click the Save button.

The functions page now lists the newly created instance. However, this new function isn’t yet active in your application. You need to define what will trigger the function.

Still on the Edge Firewall page:

Navigate to the Rules Engine tab.
Click the Add Rule button.
Give a name to your rule.
Under the Criteria section, select the variable Network.
As a comparison operator, select matches.
As an argument, select the network list of the Countries type you want to use. For example: Blocked Countries Geoip.
In the Behaviors section, select Run Function from the behavior list.
Select the function you want to use. In this example, Deny Geoip function.
Click the Save button.

Once your application receives a request generated from one of the countries in the network list, the function in your firewall will deny the request based on the geo IP.

Via API

Run the following PATCH request in your terminal, replacing [TOKEN VALUE] with your personal token and the <edge_firewall_id> variable with your edge firewall ID to activate the Edge Functions module:

curl --location --request PATCH 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "edge_functions_enabled": true
}'

You’ll receive a response with the updated value.
Run the following GET request to retrieve the edge_function_id of the Deny Geoip function function:

curl --location 'https://api.azionapi.net/edge_functions' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]'

You’ll receive a response similar to this:

{
  "count": 1,
  "total_pages": 1,
  "schema_version": 3,
  "links": {
    "previous": null,
    "next": null
  },
  "results": [
    {
      "id": 13426,
      "name": "Deny Geoip function",
      "language": "javascript",
      "code": "async function firewallHandler(event){\n    // Access the country code through geoip\n    let countryCode = event.request.metadata[\"geoip_country_code\"]\n\n    // Do some logic here\n    // In this example, we are blocking access from Brazil\n    if (countryCode === \"BR\"){\n        event.deny();\n    }\n\n    // Then, if it comes from any other country,\n    // the processing continues\n    event.continue();\n}\n\naddEventListener(\"firewall\", (event)=>event.waitUntil(firewallHandler(event)));",
      "json_args": {
        "value": "hello_world"
      },
      "function_to_run": "",
      "initiator_type": "edge_firewall",
      "active": true,
      "last_editor": "user@email.com",
      "modified": "2023-11-14T20:09:48.657555Z",
      "is_proprietary_code": false,
      "reference_count": 1
    }
  ]
}

Copy the <edge_function_id> value.
Run the following POST request, replacing the <edge_firewall_id> variable with your edge firewall ID and the <edge_function_id> value with the value you received in the previous response:

curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/functions_instances' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Deny Geoip",
      "edge_function": <edge_function_id>,
      "json_args": {}
}'

You’ll receive a response similar to this:

{
  "results": {
    "name": "Another function",
    "json_args": {},
    "edge_function": 13426,
    "last_modified": "2023-11-22T18:50:11.812819Z",
    "last_editor": "hannah.kahn+rtm@azion.com",
    "id": 2806
  },
  "schema_version": 3
}

Key	Description
`name`	Name of the instantiated function
`edge_function`	The ID of the edge function. This isn’t the same as the ID of the instantiated function, which is unique for each application’s function instance
`json_args`	Definition of arguments required for the function. Some functions don’t take arguments

Run the following GET to retrieve the id of the Blocked Countries Geoip network list:

curl --location 'https://api.azionapi.net/network_lists' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]'

You’ll receive a response similar to this:

{
  "count": 2,
  "total_pages": 1,
  "schema_version": 3,
  "links": {
    "previous": null,
    "next": null
  },
  "results": [
    {
      "id": 6217,
      "last_editor": "hannah.kahn+rtm@azion.com",
      "last_modified": "2023-11-14T21:35:39.808175Z",
      "list_type": "countries",
      "name": "Deny Geoip",
      "country_list": [
        "Brazil"
      ],
      "ip_list": []
    }
  ]
}
}

Key	Description
`name`	Name of the network list
`id`	ID of the network list
`list_type`	Definition of the type of the network list
`country_list`	Items that compose the list

Run the following POST request in your terminal, replacing [TOKEN VALUE] with your personal token, the <edge_firewall_id> variable with your edge firewall ID, the <edge_function_instance_id> value with the function instance ID, and the <<network_list_id>> value with the network list ID:

curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Create rule",
    "is_active": true,
    "behaviors": [
        {
            "name": "run_function",
            "argument": <edge_function_instance_id>
        }
    ],
    "criteria": [
        [
            {
                "variable": "network",
                "operator": "is_in_list",
                "conditional": "if",
                "argument": <network_list_id>
            }
        ]
    ]
}'

You’ll receive a response similar to this, confirming your function was created successfully:

{
  "results": {
    "name": "Create rule",
    "is_active": true,
    "behaviors": [
      {
        "name": "run_function",
        "argument": 2718
      }
    ],
    "criteria": [
      [
        {
          "variable": "network",
          "operator": "is_in_list",
          "conditional": "if",
          "argument": 6217
        }
      ]
    ],
    "last_modified": "2023-11-22T17:57:28.584143Z",
    "last_editor": "hannah.kahn+rtm@azion.com",
    "id": 28370,
    "order": 1
  },
  "schema_version": 3
}

Wait a few minutes for the changes to propagate.

Once your application receives a request generated from one of the countries in the network list, the function in your firewall will deny the request based on the geo IP.

Contributors