Managed Fastly CDN
Tier availability
This feature is available for Upsun Fixed Elite and Enterprise customers. Compare the Upsun Fixed tiers on our pricing page, or contact our Sales team for more information.
Instead of starting your own Fastly subscription and managing your CDN yourself, you can take advantage of a Fastly CDN provided by Upsun Fixed. For example, Dedicated projects include a managed Fastly CDN by default. These CDNs are exclusively set up and managed by Upsun Fixed.
To modify any settings for a managed Fastly CDN, open a support ticket. To add a managed Fastly CDN to your project, contact sales.
Note
Upsun Fixed does not write or debug any custom VCL on Managed Fastly CDN services.
Monitor CDN metrics
You can access a summary of your monthly traffic usage under the “Traffic this month” section at the Project level inside Console. This helps you monitor your monthly bandwidth and request consumption.
In this summary, you will find specific details about:
- Origin Bandwidth: Data transferred from origin servers (in TB).
- Origin Requests: Requests served by origin servers (in millions of requests).
- CDN Bandwidth & CDN Requests: Shown if you have Fastly CDN enabled.
This data is updated daily and will reflect your traffic usage throughout the billing period.
Set up traffic alerts
You can also set up consumption alerts for your resource usage. Click the Alert button in the “Traffic this month” block within Console to configure usage thresholds. For more information, head to the Pricing docs page.
How Managed Fastly works
Upsun Fixed’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features.
The Fastly CDN must be provisioned and managed by Upsun Fixed. Features such as the Upsun Fixed Web Application Firewall (WAF), edge rate limiting, and image optimisation depend on this managed integration and cannot be used with a customer-managed Fastly account.
Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge.
Feature dependencies
- The Upsun Fixed WAF requires the Upsun Fixed Managed Fastly CDN.
- Customers cannot attach the WAF to an existing third-party Fastly service.
- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace.
Domain control validation
When you request that a new domain be added to your Fastly service,
Upsun Fixed support provides you with a CNAME record for domain control validation.
To add this CNAME record to your domain settings,
see how to configure your DNS provider.
Transport Layer Security (TLS) certificates
By default, Enterprise and Elite plans include two TLS certificates, an apex and a wildcard one. This allows for encryption of all traffic between your users and your app.
If you use a Fastly CDN provided by Upsun Fixed, you can provide your own third-party TLS certificates for an additional fee.
To do so, set up a mount that isn’t accessible to the web, if you don’t already have one. Use an environment with access limited to Upsun Fixed support and trusted users. Transfer each certificate, its unencrypted private key, and the intermediate certificate to the mount. To notify Upsun Fixed that a certificate is to be added to your CDN configuration, open a support ticket.
If you need an Extended Validation TLS certificate, you can get it from any TLS provider. To add it to your CDN configuration, open a support ticket.
Note that when you add your own third-party TLS certificates, you are responsible for renewing them in due time. Failure to do so may result in outages and compromised security for your site.
Retrieve your Fastly API token
The API token for your managed Fastly CDN is stored in either the FASTLY_API_TOKEN or the FASTLY_KEY environment variable.
This variable is usually set in the /master/settings/variables folder of your project,
and you can access it from a shell
or directly in your app.
Note
Dedicated (gen2) projects may not have the FASTLY_* environment variable(s) set.
In this case, the Fastly API token is stored in a text file called fastly_tokens.txt on the server,
typically located at /mnt/shared/fastly_tokens.txt.
Dynamic ACL and rate limiting
For details about updating an access control list (ACL) and applying rate limiting, check out the Working with Upsun Fixed rate-limiting implementation article in the Upsun Community.
Edge-level rate limiting
Upsun Fixed provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window.
Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns.
What Edge-level rate limiting can do
- Protect sensitive endpoints such as /login, /admin, or checkout paths
- Limit request floods from a single IP or IP range
- Reduce application load during traffic spikes
- Enable Upsun Support to better handle attacks or high-traffic events by throttling traffic at the edge
Edge-level rate limiting is:
- Included with all Upsun Fastly Next-Gen WAF tiers
- Available as a standalone add-on (without the WAF)
Configuration and defaults
There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via Upsun Fixed Support.
Rules can be scoped by:
- Request path
- Request type
- IP address or network
- Custom thresholds and actions (block, allow, log)
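As an added example (not Upsun Fixed or Fastly code), the Python below replays access-log entries against one candidate rule, scoped by path, request type and network, so you can see each client's busiest window and how many requests a threshold would catch before you ask Support to configure it. The fixed-window counting model, the `evaluate_rule` function and its parameters, and the sample log are assumptions made for illustration; the page does not describe how requests are counted at the edge.

```python
import ipaddress
from collections import defaultdict

# Constructed sample entries (epoch seconds, client IP, method, path); not real traffic.
SAMPLE_LOG = (
    [(t, "203.0.113.10", "POST", "/login") for t in (0, 5, 10, 15, 20, 25, 30, 65)]
    + [
        (2, "198.51.100.7", "POST", "/login"),
        (3, "198.51.100.7", "GET", "/login"),
        (12, "203.0.113.10", "GET", "/products"),
        (40, "198.51.100.7", "POST", "/login"),
    ]
)


def evaluate_rule(entries, path_prefix, method, network, threshold, window):
    """Replay entries against one hypothetical rule.

    Assumed model: a fixed window of `window` seconds, counted per client IP.
    Returns {ip: {"peak": busiest window count, "over": requests above threshold}}.
    """
    net = ipaddress.ip_network(network)
    per_window = defaultdict(int)  # (ip, window index) -> matching requests
    for ts, ip, meth, path in entries:
        if meth != method or not path.startswith(path_prefix):
            continue  # outside the rule's path / request-type scope
        if ipaddress.ip_address(ip) not in net:
            continue  # outside the rule's IP / network scope
        per_window[(ip, ts // window)] += 1

    result = {}
    for (ip, _), count in per_window.items():
        stats = result.setdefault(ip, {"peak": 0, "over": 0})
        stats["peak"] = max(stats["peak"], count)
        stats["over"] += max(0, count - threshold)
    return result


if __name__ == "__main__":
    # Hypothetical rule: POST requests to /login, any IPv4 client, 5 per 60 s.
    rule = ("/login", "POST", "0.0.0.0/0", 5, 60)
    for ip, stats in evaluate_rule(SAMPLE_LOG, *rule).items():
        print(f"{ip}: peak={stats['peak']}/window, over threshold={stats['over']}")
```

A threshold set above the peak seen for legitimate clients and below the peak seen for the noisy ones is a reasonable starting value to propose; running the rule with a log action first shows the effect before anything is blocked.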
Limitations
Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not:
- Identify bots automatically
- Present CAPTCHA or JavaScript challenges
- Provide AI-driven mitigation
For advanced bot and scraper protection, Upsun Fixed offers separate third-party integrations.