Deploying the Native Node from Docker Image
The Wallarm Native Node, which operates independently of NGINX, is designed for deployment with some connectors. You can run the Native Node from the official Docker image on your containerized services.
Use cases
Deploy the Native Node when you are setting up a Wallarm connector for MuleSoft, Cloudflare, Amazon CloudFront, Broadcom Layer7 API Gateway, or Fastly and require a self-hosted node.
The Docker image for the Native Node is ideal if you are already using container orchestration platforms like AWS ECS or other Docker-based environments. The Wallarm node runs as a Docker container within your service, enabling security filtering and traffic inspection for your API management platform.
Requirements
- Docker installed on your host system
- Inbound access to your containerized environment from your API management platform
- Outbound access from your containerized environment to:
  - https://hub.docker.com/r/wallarm to download the Docker images required for the deployment
  - https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud
  - IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers
- A trusted SSL/TLS certificate is required for the load balancer in front of the ECS instance with the Native Node
- In addition to the above, you should have the Administrator role assigned in Wallarm Console
Limitations
- Self-signed SSL certificates are not supported for securing the load balancer.
- Custom blocking page and blocking code configurations are not yet supported.
- Rate limiting by the Wallarm rule is not supported.
- Multitenancy is not supported yet.
Deployment
1. Pull the Docker image
2. Prepare the configuration file
Create the wallarm-node-conf.yaml file with the following minimal configuration for the Native Node:
All configuration parameters (they are identical for both the Docker image and the Native Node all-in-one installer)
3. Prepare Wallarm token
To install the node, you will need a token for registering the node in the Wallarm Cloud. To prepare a token:
- Open Wallarm Console → Settings → API tokens in the US Cloud or EU Cloud.
- Find or create an API token with the Deploy source role.
- Copy this token.
4. Run the Docker container
To run the Docker image, use the following commands. Mount the wallarm-node-conf.yaml file to the container.
Environment variable | Description | Required |
---|---|---|
WALLARM_API_TOKEN | API token with the Deploy role. | Yes |
WALLARM_LABELS | Sets the group label for node instance grouping, for example: WALLARM_LABELS="group=<GROUP>" places the node instance into the <GROUP> instance group (an existing group, or a newly created one if it does not exist). | Yes |
WALLARM_API_HOST | Wallarm API server: api.wallarm.com. | No |
- The -p option maps host and container ports:
  - The first value (80) is the host's port, exposed to external traffic.
  - The second value (5050) is the container's port, which should match the connector.address setting in the wallarm-node-conf.yaml file.
- The configuration file must be mounted as /opt/wallarm/etc/wallarm/go-node.yaml inside the container.
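A pre-flight check for the run step above, as an added example that is not part of the Wallarm documentation: it confirms that the port in connector.address matches the container side of -p and passes the token to Docker by variable name only. The image reference is a placeholder, and the YAML layout assumed for connector.address (an indented address: "<host>:<port>" under a top-level connector: key) and all sample values are assumptions.

```shell
#!/bin/sh
# Added example (not Wallarm's code): pre-flight checks before step 4.
IMAGE="${IMAGE:-<NATIVE_NODE_IMAGE>}"  # placeholder: the image pulled in step 1
CONTAINER_CONF=/opt/wallarm/etc/wallarm/go-node.yaml  # mount target from the page

# Print the port of connector.address from a node config file.
# Assumed layout: top-level "connector:" with an indented "address: <host>:<port>".
connector_port() {
  awk '
    /^connector:/ { in_c = 1; next }
    /^[^ \t#]/    { in_c = 0 }        # another top-level key ends the block
    in_c && /^[ \t]+address:/ {
      sub(/#.*/, "")                  # drop a trailing comment
      sub(/[^0-9]*$/, "")             # drop closing quote and whitespace
      sub(/^.*[^0-9]/, "")            # keep only the trailing digits
      print; exit
    }' "$1"
}

# Check the inputs; on success print the docker run command to execute.
# Usage: preflight <absolute-path-to-conf> <host-port> <container-port>
preflight() {
  conf=$1; host_port=$2; ctr_port=$3
  [ -n "${WALLARM_API_TOKEN:-}" ] || { echo "WALLARM_API_TOKEN is not set" >&2; return 1; }
  [ -n "${WALLARM_LABELS:-}" ] || { echo "WALLARM_LABELS is not set" >&2; return 1; }
  case $conf in /*) ;; *) echo "use an absolute path for the bind mount" >&2; return 1 ;; esac
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
  cfg_port=$(connector_port "$conf")
  if [ "$cfg_port" != "$ctr_port" ]; then
    echo "connector.address port '$cfg_port' != container port '$ctr_port'" >&2
    return 1
  fi
  # "-e NAME" without a value copies NAME from this shell's environment, so the
  # token is not written into the command line or shell history.
  echo "docker run -d -p $host_port:$ctr_port -e WALLARM_API_TOKEN -e WALLARM_LABELS" \
    "${WALLARM_API_HOST:+-e WALLARM_API_HOST }-v $conf:$CONTAINER_CONF $IMAGE"
}

# Demo on a constructed config and constructed credentials (sample values only).
demo() (
  dir=$(mktemp -d)
  printf 'connector:\n  address: ":5050"\n' > "$dir/wallarm-node-conf.yaml"
  export WALLARM_API_TOKEN=constructed-token WALLARM_LABELS='group=demo'
  preflight "$dir/wallarm-node-conf.yaml" 80 5050
  rm -rf "$dir"
)
demo
```

The printed command still has to be run from a shell in which WALLARM_API_TOKEN and WALLARM_LABELS are exported, since Docker reads their values from the environment at that point.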
5. Apply Wallarm code to an API management service
After deploying the node, the next step is to apply the Wallarm code to your API management platform or service in order to route traffic to the deployed node.
- Contact sales@wallarm.com to obtain the Wallarm code bundle for your connector.
- Follow the platform-specific instructions to apply the bundle on your API management platform:
Verifying the node operation
To verify the node is detecting traffic, you can check the logs:
- The Native Node logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default, with additional output available in stdout.
- Standard logs of the filtering node such as whether the data is sent to the Wallarm Cloud, detected attacks, etc. are located in the directory /opt/wallarm/var/log/wallarm.

For additional debugging, set the log.level parameter to debug.
Upgrade
To upgrade the node, follow the instructions.