# Deploying the Native Node from Docker Image

The [Wallarm Native Node](https://docs.wallarm.com/installation/nginx-native-node-internals.md), which operates independently of NGINX, is designed for deployment with some connectors. You can run the Native Node from the official Docker image on your containerized services.

## Use cases

* When deploying a Wallarm node as part of a [connector](https://docs.wallarm.com/installation/nginx-native-node-internals.md#connectors_1) solution on a self-hosted Linux OS machine.

    Run the node in `connector-server` mode.
* When you need a gRPC-based external processing filter for APIs managed by [Istio](https://docs.wallarm.com/installation/connectors/istio.md) or [Gloo Gateway](https://docs.wallarm.com/installation/connectors/gloo.md).
    
    Run the node in `envoy-external-filter` mode.

The Docker image for the Native Node is ideal if you are already using container orchestration platforms like AWS ECS or other Docker-based environments. The Wallarm node runs as a Docker container within your service, enabling security filtering and traffic inspection for your API management platform.

## Requirements

* [Docker](https://docs.docker.com/engine/install/) installed on your host system
* Inbound access to your containerized environment from your API management platform
* Outbound access from your containerized environment to:

    * `https://hub.docker.com/r/wallarm` to download the Docker images required for the deployment
    * `https://us1.api.wallarm.com` or `https://api.wallarm.com` or `https://me1.api.wallarm.com` for US/EU/ME Wallarm Cloud
    * IP addresses and their corresponding hostnames (if any) listed below. This is needed for downloading updates to attack detection rules and [API specifications](https://docs.wallarm.com/api-specification-enforcement/overview.md), as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted](https://docs.wallarm.com/user-guides/ip-lists/overview.md) countries, regions, or data centers

        **US Cloud:**

        ```
        node-data0.us1.wallarm.com - 34.96.64.17
        node-data1.us1.wallarm.com - 34.110.183.149
        us1.api.wallarm.com - 35.235.66.155
        34.102.90.100
        34.94.156.115
        35.235.115.105
        ```

        **EU Cloud:**

        ```
        node-data1.eu1.wallarm.com - 34.160.38.183
        node-data0.eu1.wallarm.com - 34.144.227.90
        api.wallarm.com - 34.90.110.226
        ```

        **ME Cloud:**

        ```
        node-data0.me1.wallarm.com - 34.166.82.208
        node-data1.me1.wallarm.com - 34.166.82.208
        me1.api.wallarm.com - 34.166.82.208
        ```
* A **trusted** SSL/TLS certificate is required for the load balancer in front of the ECS instance with the Native Node
* In addition to the above, you should have the **Administrator** role assigned in Wallarm Console

## Limitations

* Self-signed SSL certificates are not supported for securing the load balancer.
* [Custom blocking page and blocking code](https://docs.wallarm.com/admin-en/configuration-guides/configure-block-page-and-code.md) configurations are not yet supported.
* [Rate limiting](https://docs.wallarm.com/user-guides/rules/rate-limiting.md) by the Wallarm rule is not supported.

## Deployment

### 1. Pull the Docker image

```
docker pull wallarm/node-native-aio:0.25.0
```

### 2. Prepare the configuration file

Create the `wallarm-node-conf.yaml` file with the following minimal configuration for the Native Node:

**connector-server:**

```yaml
version: 4

mode: connector-server

connector:
  address: ":5050"
```

**envoy-external-filter:**

```yaml
version: 4

mode: envoy-external-filter

envoy_external_filter:
  address: ":5080"
  tls_cert: "/path/to/cert.crt"
  tls_key: "/path/to/cert.key"
```

[All configuration parameters](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md) (they are identical for both the Docker image and the Native Node all-in-one installer)

### 3. Prepare Wallarm token

To install the node, you will need a token for registering the node in the Wallarm Cloud. To prepare a token:

1. Open Wallarm Console → **Settings** → **API tokens** in the [US Cloud](https://us1.my.wallarm.com/settings/api-tokens), [EU Cloud](https://my.wallarm.com/settings/api-tokens), or [ME Cloud](https://me1.my.wallarm.com/settings/api-tokens).
1. Find or create an API token with the `Node deployment/Deployment` usage type.
1. Copy this token.

### 4. Run the Docker container

To run the Docker image, use the following commands. Mount the `wallarm-node-conf.yaml` file to the container.

**US Cloud:**

```bash
docker run -d -e WALLARM_API_TOKEN='XXXXXXX' -e WALLARM_LABELS='group=<GROUP>' -e WALLARM_API_HOST='us1.api.wallarm.com' -v ./wallarm-node-conf.yaml:/opt/wallarm/etc/wallarm/go-node.yaml -p 80:5050 wallarm/node-native-aio:0.25.0
```

**EU Cloud:**

```bash
docker run -d -e WALLARM_API_TOKEN='XXXXXXX' -e WALLARM_LABELS='group=<GROUP>' -e WALLARM_API_HOST='api.wallarm.com' -v ./wallarm-node-conf.yaml:/opt/wallarm/etc/wallarm/go-node.yaml -p 80:5050 wallarm/node-native-aio:0.25.0
```

**ME Cloud:**

```bash
docker run -d -e WALLARM_API_TOKEN='XXXXXXX' -e WALLARM_LABELS='group=<GROUP>' -e WALLARM_API_HOST='me1.api.wallarm.com' -v ./wallarm-node-conf.yaml:/opt/wallarm/etc/wallarm/go-node.yaml -p 80:5050 wallarm/node-native-aio:0.25.0
```

Environment variable | Description| Required
--- | ---- | ----
`WALLARM_API_TOKEN` | API token with the `Node deployment/Deployment` usage type. | Yes
`WALLARM_LABELS` | Sets the `group` label for node instance grouping, for example:<br>`WALLARM_LABELS="group=<GROUP>"` places the node instance into the `<GROUP>` instance group (the group is created if it does not exist). | Yes
`WALLARM_API_HOST` | Wallarm API server:<ul><li>`us1.api.wallarm.com` for the US Cloud</li><li>`api.wallarm.com` for the EU Cloud</li><li>`me1.api.wallarm.com` for the ME Cloud</li></ul>By default: `api.wallarm.com`. | Yes
`WALLARM_APID_ONLY` (0.12.1 and higher) | In this mode, attacks detected in your traffic are blocked locally by the node (if [enabled](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md#available-filtration-modes)) but not exported to Wallarm Cloud. Meanwhile, [API Discovery](https://docs.wallarm.com/api-discovery/overview.md) and some other features remain fully functional, detecting your API inventory and uploading it to the Cloud for visualization. This mode is for those who want to review their API inventory and identify sensitive data first, and plan controlled attack data export accordingly. However, disabling attack export is rare, as Wallarm securely processes attack data and provides [sensitive attack data masking](https://docs.wallarm.com/user-guides/rules/sensitive-data-rule.md) if needed. [More details](https://docs.wallarm.com/installation/native-node/all-in-one.md#apid-only-mode)<br>By default: `false`. | No
`WALLARM_WSTORE__SERVICE__PROTOCOL` (0.19.0 and higher) | Specifies the protocol family that **wstore** uses for incoming connections. Possible values:<ul><li>`"tcp"` - dual-stack mode (listens on both IPv4 and IPv6)</li><li>`"tcp4"` - IPv4 only</li><li>`"tcp6"` - IPv6 only</li></ul>By default: `"tcp4"`. | No
[`WALLARM_WSTORE__METRICS__LISTEN_ADDRESS`](https://docs.wallarm.com/admin-en/native-node-metrics-wstore.md) (0.20.0 and higher) | Specifies the host and port on which **wstore** exposes Prometheus metrics.<br>By default: `"127.0.0.1:9001"`. | No
[`WALLARM_WSTORE__METRICS__PROTOCOL`](https://docs.wallarm.com/admin-en/native-node-metrics-wstore.md) (0.20.0 and higher) | Specifies the protocol family that **wstore** uses to expose the Prometheus metrics endpoint. Possible values:<ul><li>`"tcp"` - dual-stack mode (listens on both IPv4 and IPv6)</li><li>`"tcp4"` - IPv4 only</li><li>`"tcp6"` - IPv6 only</li></ul>By default: `"tcp4"`. | No

* The `-p` option maps host and container ports:

    * The first value (`80`) is the host's port, exposed to external traffic.
    * The second value (`5050`) is the container's port, which should match the `connector.address` or `envoy_external_filter.address` setting in the `wallarm-node-conf.yaml` file.
* The configuration file must be mounted as `/opt/wallarm/etc/wallarm/go-node.yaml` inside the container.
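
The port-mapping rule above, as an added example that is not part of the Wallarm documentation: a shell helper reads the listener port for the configured mode from `wallarm-node-conf.yaml` and builds the matching `docker run` command, so `-p 80:5050` is not reused with the `envoy-external-filter` listener on `5080`. The function names are hypothetical, the sample config is constructed, and the token is assumed to be exported as `WALLARM_API_TOKEN` in the calling shell so that `-e WALLARM_API_TOKEN` passes it by name instead of placing it on the command line.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names): keep `docker run -p` in sync with the node config.
set -eu

# Print the listener port for the mode set in the config file.
# Handles only the flat two-level YAML layout shown in step 2.
node_listen_port() {
  awk '
    /^mode:/          { mode = $2; gsub(/"/, "", mode) }
    /^[A-Za-z_]+:/    { section = $1; sub(/:$/, "", section) }
    /^[ \t]+address:/ {
      addr = $2; gsub(/[^0-9:]/, "", addr)   # keep digits and colons only
      n = split(addr, parts, ":")
      port[section] = parts[n]               # the port is the last colon-separated field
    }
    END {
      key = ""
      if (mode == "connector-server")      key = "connector"
      if (mode == "envoy-external-filter") key = "envoy_external_filter"
      if (key == "" || port[key] !~ /^[0-9]+$/) exit 1
      print port[key]
    }' "$1"
}

# Print the docker run command for a config file, host port, API host and group.
# `-e WALLARM_API_TOKEN` (no value) makes Docker copy the variable from the
# caller's environment, keeping the secret out of shell history and `ps` output.
node_run_cmd() {
  conf=$1; host_port=$2; api_host=$3; group=$4
  cport=$(node_listen_port "$conf") || {
    echo "no listener address for the configured mode in $conf" >&2; return 1; }
  abs_conf="$(cd "$(dirname "$conf")" && pwd)/$(basename "$conf")"
  printf '%s\n' "docker run -d -e WALLARM_API_TOKEN -e WALLARM_LABELS='group=$group' \
-e WALLARM_API_HOST='$api_host' -v $abs_conf:/opt/wallarm/etc/wallarm/go-node.yaml \
-p $host_port:$cport wallarm/node-native-aio:0.25.0"
}

# Constructed sample: the envoy-external-filter config from step 2.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
version: 4
mode: envoy-external-filter
envoy_external_filter:
  address: ":5080"
  tls_cert: "/path/to/cert.crt"
  tls_key: "/path/to/cert.key"
EOF
node_run_cmd "$demo_conf" 80 us1.api.wallarm.com '<GROUP>'
```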

### 5. Apply Wallarm code to an API management service

After deploying the node, the next step is to apply the Wallarm code to your API management platform or service in order to route traffic to the deployed node.

1. Contact sales@wallarm.com to obtain the Wallarm code bundle for your connector.
1. Follow the platform-specific instructions to apply the bundle on your API management platform:

    * [MuleSoft Mule Gateway](https://docs.wallarm.com/installation/connectors/mulesoft.md#2-obtain-and-upload-the-wallarm-policy-to-mulesoft-exchange)
    * [MuleSoft Flex Gateway](https://docs.wallarm.com/installation/connectors/mulesoft-flex.md#2-obtain-and-upload-the-wallarm-policy-to-mulesoft-exchange)
    * [Apigee](https://docs.wallarm.com/installation/connectors/apigee.md#2-obtain-the-connector-code-bundle)
    * [Akamai](https://docs.wallarm.com/installation/connectors/akamai-edgeworkers.md#2-obtain-the-wallarm-code-bundle-and-create-edgeworkers)
    * [Cloudflare](https://docs.wallarm.com/installation/connectors/cloudflare.md#2-obtain-and-deploy-the-wallarm-worker-code)
    * [Standalone Kong API Gateway](https://docs.wallarm.com/installation/connectors/standalone-kong-api-gateway.md#2-prepare-the-wallarm-lua-plugin)
    * [Amazon CloudFront](https://docs.wallarm.com/installation/connectors/aws-lambda.md#2-obtain-and-deploy-the-wallarm-lambdaedge-functions)
    * [Amazon API Gateway](https://docs.wallarm.com/installation/connectors/aws-api-gateway.md)
    * [Broadcom Layer7 API Gateway](https://docs.wallarm.com/installation/connectors/layer7-api-gateway.md#2-add-the-nodes-ssltls-certificate-to-the-policy-manager)
    * [Fastly](https://docs.wallarm.com/installation/connectors/fastly.md#2-deploy-wallarm-code-on-fastly)
    * [Envoy/Istio](https://docs.wallarm.com/installation/connectors/istio.md#2-configure-istio-envoy-to-forward-traffic-to-the-wallarm-node)
    * [Envoy/Gloo Gateway](https://docs.wallarm.com/installation/connectors/gloo.md#2-configure-gloo-gateway-to-forward-traffic-to-the-wallarm-node)
    * [IBM DataPower](https://docs.wallarm.com/installation/connectors/ibm-api-connect.md)
    * [Azure API Management](https://docs.wallarm.com/installation/connectors/azure-api-management.md)

## Verifying the node operation

To verify the node is detecting traffic, you can check the logs:

* The Native Node logs are written to `/opt/wallarm/var/log/wallarm/go-node.log` by default, with additional output available in stdout.
* [Standard logs](https://docs.wallarm.com/admin-en/configure-logging.md) of the filtering node, which show for example whether data is sent to the Wallarm Cloud and which attacks are detected, are located in the `/opt/wallarm/var/log/wallarm` directory.
* For additional debugging, set the [`log.level`](https://docs.wallarm.com/installation/native-node/all-in-one-conf.md#loglevel) parameter to `debug`.

You can also verify the Node operation by checking its [Prometheus metrics](https://docs.wallarm.com/admin-en/native-node-metrics.md) exposed at `http://<NODE_IP>:9000/metrics`.

## Upgrade

To upgrade the node, follow the [instructions](https://docs.wallarm.com/updating-migrating/native-node/docker-image.md).
