ContactSign in

Functions Instances for Firewall

By activating the Functions module, you can instantiate serverless functions in your Firewall at Azion, as well as set up the conditions for its execution. Available for Application and Firewall products, its use allows you to run serverless functions in our robust distributed network of Edge Nodes, responding to events closer to the end user, ensuring greater scalability and availability.

How it works

In Firewall, you will have to activate the Functions module, so it is possible to use existing functions provided by Azion Marketplace. For example:

  • Bot Manager Lite
  • Secure Token
  • JWT

When instantiating an Function, it is not possible to change its source code, just inform the arguments that will be passed to the context of the function’s execution, in JSON, through the Args tab.

Argument Hierarchy and Override Behavior

It’s important to understand how arguments work between the function definition and the function instance:

Definition on the Function Page: When you create or edit a function, you can define the default arguments. These values are used as the basis for any instance of that function.

Instance in the Edge Firewall: When you add a function to the Edge Firewall, you can configure the specific arguments for that instance. These values override the arguments defined in the original function.

This hierarchy allows for flexibility, as you can reuse the same function with different configurations depending on the context in which it will be used.

Example: Argument Override Flow

Function Definition (default arguments):

{
  "threshold": 100,
  "action": "deny",
  "log_level": "info"
}

Function Instance in Edge Firewall (override arguments):

{
  "threshold": 50,
  "action": "block"
}

Final arguments passed to function execution:

{
  "threshold": 50,
  "action": "block",
  "log_level": "info"
}

In this example, threshold and action are overridden by the instance configuration, while log_level uses the default value from the function definition.

Practical Usage Examples

Bot Manager Configuration

{
  "threshold_score": 3,
  "action": "deny",
  "custom_response": {
    "status_code": 403,
    "content_body": "Access denied by security policy"
  }
}

JWT Validation Configuration

{
  "secret_key": "${jwt_secret}",
  "algorithm": "HS256",
  "required_claims": ["sub", "exp", "iat"],
  "bypass_paths": ["/health", "/status"]
}

Secure Token Configuration

{
  "token_name": "secure_token",
  "secret": "${token_secret}",
  "timestamp_tolerance": 300,
  "ip_validation": true
}
Go to instantiate functions guide

To associate an execution trigger, you simply need to associate the instance with a Behavior of a Rules Engine Rule, in Request. Thus, when a request meets the criteria defined in the Rules Engine rules, the Function will be invoked and executed directly on Azion’s Edges Nodes.

Go to work with rules engine guide