Managed Fastly CDN
Back to home
On this page
Instead of starting your own Fastly subscription and managing your CDN yourself, you can take advantage of a Fastly CDN provided by Upsun. These CDNs are exclusively set up and managed by Upsun.
To modify any settings for a managed Fastly CDN, open a support ticket. To add a managed Fastly CDN to your project, contact sales.
Note
Upsun does not write nor debug any custom VCL on Managed Fastly CDN services.
Monitor CDN metrics
You can access a summary of your monthly traffic usage under the “Traffic this month” section at the Project level inside Console. This will help you monitor your monthly bandwidth and requests consumption.
In this summary, you will find specific details about:
-
Origin Bandwidth: Data transferred from origin servers (in TB).
-
Origin Requests: Requests served by origin servers (in millions of requests).
-
CDN Bandwidth & CDN Requests: Shown if you have Fastly CDN enabled.
This data is updated daily and will reflect your traffic usage throughout the billing period.
Set up traffic alerts
You can also set up consumption alerts for your resource usage. Click the Alert button in the “Traffic this month” block within Console to configure usage thresholds. For more information, head to the Pricing docs page.
How Managed Fastly works 
Upsun’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features.
The Fastly CDN must be provisioned and managed by Upsun. Features such as the Upsun Web Application Firewall (WAF), edge rate limiting, and image optimization depend on this managed integration and cannot be used with a customer-managed Fastly account.
Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge.
Feature dependencies
- The Upsun WAF requires the Upsun Managed Fastly CDN.
- Customers cannot attach the WAF to an existing third-party Fastly service.
- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace.
Domain control validation
When you request for a new domain to be added to your Fastly service,
Upsun support provides you with a CNAME record for domain control validation.
To add this CNAME record to your domain settings,
see how to configure your DNS provider.
Transport Layer Security (TLS) certificates
By default, two TLS certificates are included: an apex and a wildcard one. This allows for encryption of all traffic between your users and your app.
If you use a Fastly CDN provided by Upsun, you can provide your own third-party TLS certificates for an additional fee.
To do so, if you don’t have one, set up a mount that isn’t accessible to the web. Use an environment with access limited to Upsun support and trusted users. Transfer each certificate, its unencrypted private key, and the intermediate certificate to the mount. To notify Upsun that a certificate is to be added to your CDN configuration, open a support ticket.
If you need an Extended Validation TLS certificate, you can get it from any TLS provider. To add it to your CDN configuration, open a support ticket.
Note that when you add your own third-party TLS certificates, you are responsible for renewing them in due time. Failure to do so may result in outages and compromised security for your site.
Retrieve your Fastly API token
The API token for your managed Fastly CDN is stored in the FASTLY_API_TOKEN or the FASTLY_KEY environment variables.
This variable is usually set in the /master/settings/variables folder of your project,
and you can access it from a shell
or directly in your app.
Dynamic ACL and rate limiting
For details about updating an access control list (ACL) and applying rate limiting, check out the Working with Upsun rate-limiting implementation article in the Upsun Community.
Edge-level rate limiting
Upsun provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window.
Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns.
What Edge-level rate limiting can do
- Protect sensitive endpoints such as
/login,/admin, or checkout paths - Limit request floods from a single IP or IP range
- Reduce application load during traffic spikes
- Enable Upsun Support to better handle attacks or high-traffic events by throttling traffic at the edge
Edge-level rate limiting is available as a standalone add-on (without the WAF).
Configuration and defaults
There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via Upsun Support.
Rules can be scoped by:
- Request path
- Request type
- IP address or network
- Custom thresholds and actions (block, allow, log)
Limitations
Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not:
- Identify bots automatically
- Present CAPTCHA or JavaScript challenges
- Provide AI-driven mitigation
For advanced bot and scraper protection, Upsun offers separate third-party integrations.