For Edge Public Cloud management (both UI and APIs), Apigee does not use a web application firewall (WAF). Apigee uses our own product, Edge, to manage and secure the calls to the management interface of Edge Public Cloud. Apigee does not place a WAF in front of the management UI/API or in front of API proxies. Some Apigee customers use a third-party WAF in front of their API proxies in Edge Public Cloud, but this is the exception, not the norm.
Edge itself is a tool in the security practitioner's toolbox to defend and protect the APIs being proxied by Apigee. To protect APIs, Apigee provides several policies out of the box, such as rate limiting and spike arrest, along with other policies that can be custom-developed for specific use cases. For API calls, Apigee Edge protects your APIs at a deeper level than a common WAF because of our deep understanding of API traffic and calls. For this reason, Apigee does not use or recommend a WAF in front of API proxies.
For PCI compliance with section 6.6, a WAF may be used for annual vulnerability assessments. Because Apigee believes that Edge provides features above and beyond those of a WAF, we consider Apigee itself to be a WAF for APIs. In addition, we perform annual vulnerability assessments.