WAF-as-a Service (WAF SaaS)

Overview

CloudGuard WAF SaaS (also known as WAF-as-a-Service or WAFaaS) is a fully managed, cloud-native Web Application & API Firewall delivered over the internet.

You simply update your DNS to route traffic through our global points of presence (PoPs). They handle SSL termination (issuing and renewing certificates), DDoS and bot mitigation, and then securely forward legitimate traffic to your servers

The SaaS service implements a Reverse proxy function with CloudGuard WAF's security.

Using standard SSL/TLS technology ensures traffic remains secure and confidential from the moment it leaves the application client until it reaches you. Initially, data is transmitted and encrypted from the application client. Upon arrival at our WAF SaaS entry point, the data is decrypted for security inspection. Once inspected, it is re-encrypted and transmitted to the application securely.

Data Regions and Points of Presence (PoPs)

When creating an account to manage your security, a Data Region was selected. Data Residency refers to physical region where your configuration and logs are stored. Data Regions are currently available in:

• EU

• US

• India

• Australia

With WAF SaaS there are also Points of Presence (PoPs). They are the physical locations where WAF workloads are deployed and traffic is actually inspected . For optimal performance, it is recommended to choose a PoP as close to your application servers as possible - this proximity ensures optimal latency.

Current available PoPs:

DDoS Protection

CloudGuard WAF SaaS provides comprehensive L3-L7 DDoS Protection, see here:

Prerequisites

• Ownership of the DNS configuration for the protected domain.

• Accessibility - You must be able to configure your internal web server to be accessible from the IP addresses of WAF SaaS PoPs.

• Limiting access to your backend - you must be able to limit access to your back-end from WAF SaaS PoPs only so it is not exposed directly to the Internet.

For deployment instructions see here: