Fastly services overview
Fastly provides the following services to optimize and secure content delivery operations for Adobe Commerce on cloud infrastructure projects. These services are included with Adobe Commerce on cloud infrastructure at no additional cost.
- Content Delivery Network (CDN)—Varnish-based service that caches your site pages, assets, CSS, and more in backend data centers you set up. As customers access your site and stores, the requests hit Fastly to load cached pages faster. The CDN service provides the following features:
  - Cache management—Cache your site pages, assets, CSS, and more in backend data centers that you set up to reduce bandwidth load and costs
  - Use Fastly custom VCL snippets (Varnish 2.1 compliant) to modify how caching responds to requests
  - Set up GeoIP service support
  - Customize Fastly timeout settings to prevent 503 responses on bulk operation requests
  - Create custom error response pages
- Security—After you enable Fastly services for Adobe Commerce sites, additional security features are available to protect your sites and network:
  - Web Application Firewall (WAF)—Managed web application firewall service that provides PCI-compliant protection to block malicious traffic before it can damage your production Adobe Commerce on cloud infrastructure sites and network. The WAF service is available on Pro and Starter Production environments only.
  - Distributed Denial of Service (DDoS) protection—Built-in DDoS protection against common attacks like Ping of Death, Smurf attacks, and other ICMP-based flood attacks.
  - SSL/TLS certificates—The Fastly service requires an SSL/TLS certificate to serve secure traffic over HTTPS.
    Adobe Commerce provides a domain-validated Let's Encrypt SSL/TLS certificate for each Staging and Production environment. Adobe Commerce completes domain validation and certificate provisioning during the Fastly setup process.
- Origin cloaking—Prevents traffic from bypassing the Fastly WAF and hides the IP addresses of your origin servers to protect them from direct access and DDoS attacks.
  Origin cloaking is enabled by default on Adobe Commerce on cloud infrastructure Pro Production projects. To enable origin cloaking on Adobe Commerce on cloud infrastructure Starter Production projects, submit an Adobe Commerce Support ticket. If you have traffic that does not require caching, you can customize the Fastly service configuration to allow requests to bypass the Fastly cache.
- Image optimization—Offloads image processing and resizing load to the Fastly service so that servers can process orders and conversions more efficiently.
- Fastly CDN and WAF logs—For Adobe Commerce on cloud infrastructure Pro projects, you can use the New Relic Logs service to review and analyze Fastly CDN and WAF log data.
Fastly CDN module for Magento 2
Fastly services for Adobe Commerce on cloud infrastructure use the Fastly CDN module for Magento 2 installed in the following environments: Pro Staging and Production, Starter Production (master branch).
On initial provisioning or upgrade of your Adobe Commerce project, Adobe installs the latest version of the Fastly CDN module in your Staging and Production environments. When Fastly releases module updates, you receive notifications in the Admin for your environments. Adobe recommends that you update your environments to use the latest release. See Upgrade Fastly.
Fastly service account and credentials
Adobe Commerce on cloud infrastructure projects are not given a dedicated Fastly account. The Fastly service is managed in a centralized account registered to Adobe, and the management dashboard is only accessible to the Cloud Support team.
Instead, each Staging and Production environment has unique Fastly credentials (API token and service ID) to configure and manage Fastly services from the Commerce Admin. The Fastly API is available for advanced management of the Fastly service; requests to the API must be submitted with these credentials.
During project provisioning, Adobe adds your project to the Fastly service account for Adobe Commerce on cloud infrastructure and adds the Fastly credentials to the configuration for the Staging and Production environments. See Get Fastly credentials.
Change Fastly API token
Submit an Adobe Commerce Support ticket to change the Fastly API token credential. When you receive the new token, update your Staging or Production environment to use the new token.
To change the Fastly API token credential:
- Submit an Adobe Commerce Support ticket requesting new Fastly API credentials.
  Include your Adobe Commerce on cloud infrastructure project ID and the environments that require a new credential.
- After you receive the new API token, update the API token value in the Fastly credentials configuration in the Admin or from the Cloud Console environment variables.
- After you update the credential, submit an Adobe Commerce Support ticket to delete the old API token.
Multiple Fastly accounts and assigned domains
Fastly only allows you to assign an apex domain and associated subdomains to one Fastly service and account. If you have an existing Fastly account that links the same apex and subdomains used for your Adobe Commerce site, you have the following options:
- Remove the apex and subdomains from the existing account before requesting Fastly service credentials for your Adobe Commerce on cloud infrastructure project environments. See the Fastly documentation.
  Use this option to link the apex domain and all subdomains to the Fastly service account for Adobe Commerce on cloud infrastructure.
- Submit an Adobe Commerce Support ticket to request domain delegation so that apex and subdomains can be linked to different accounts.
  Use this option if you have an apex domain that has multiple subdomains for Adobe Commerce and non-Adobe Commerce sites, and you want to link these subdomains to different Fastly accounts.
Request domain delegation
Scenario 1:
The apex domain (testweb.com and www.testweb.com) is linked to an existing Fastly account. You have an Adobe Commerce on cloud infrastructure project configured with the following subdomains: mcstaging.testweb.com and mcprod.testweb.com. You do not want to move the apex domain to the Fastly service account for Adobe Commerce on cloud infrastructure.
Submit a Support ticket requesting that the subdomains be delegated from the existing Fastly account to the Fastly account for Adobe Commerce on cloud infrastructure. Include your Adobe Commerce project ID in the ticket.
After the delegation is complete, your project subdomains can be added to the Fastly service account for Adobe Commerce on cloud infrastructure. See Get Fastly credentials.
Scenario 2:
The apex domain (testweb.com and www.testweb.com) is linked to the Adobe Commerce on cloud infrastructure Fastly service account. You want to manage Fastly services for the service.testweb.com and product-updates.testweb.com subdomains from a different Fastly account.
Submit an Adobe Commerce Support ticket requesting that the subdomains be delegated from the Adobe Commerce on cloud infrastructure Fastly service account to the Fastly account. Include the service ID for the Fastly account in the ticket.
DDoS protection
DDoS protection is built in to the Fastly CDN service. Once you have enabled Fastly services for your Adobe Commerce sites, Fastly filters all web and admin traffic to detect and block potential attacks.
- For attacks targeting layer 3 or 4, the Fastly service filters out traffic based on port and protocol, inspecting only HTTP or HTTPS requests. ICMP, UDP, and other network-initiated attacks are dropped at the Fastly network edge. This includes reflection and amplification attacks, which use UDP services like SSDP or NTP. By providing this level of protection, Fastly effectively blocks multiple common attacks like Ping of Death, Smurf attacks, and other ICMP-based floods.
  Fastly manages TCP level attacks at the cache layer. This strategy provides the necessary scale and context per client to deal with a SYN flood attack and its many variants, including TCP stack, resource attacks, and TLS attacks within Fastly systems.
- Fastly also provides protection against Layer 7 attacks. If your store is experiencing performance issues and you suspect a Layer 7 DDoS attack, submit an Adobe Commerce Support ticket. Adobe can create and apply custom rules to the Fastly service to inspect for and filter out malicious requests based on header, payload, or a combination of attributes that identify the attack traffic. See Checking for DDoS attacks and How to block malicious traffic in the Adobe Commerce Help Center.
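Custom Layer 7 rules depend on knowing which header or request attributes identify the attack traffic, so it helps to work that out from your access logs before you open the Support ticket. The following is an added example, not Adobe or Fastly code: it tallies which client IP, user agent, or path dominates a set of log lines. The Combined Log Format, the sample lines, and the 50% threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format (assumed): ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # Drop the query string so randomized parameters still group together.
            rec["path"] = rec["path"].split("?", 1)[0]
            yield rec

def dominant_attributes(lines, fields=("ip", "ua", "path"), threshold=0.5):
    """Return {field: (value, share)} for values present in more than
    `threshold` of all parsed requests."""
    records = list(parse(lines))
    result = {}
    for field in fields if records else ():
        value, count = Counter(r[field] for r in records).most_common(1)[0]
        share = count / len(records)
        if share > threshold:
            result[field] = (value, round(share, 2))
    return result

# Constructed sample: six requests sharing one user agent and path but using
# different source IPs and query strings, two ordinary requests, one bad line.
SAMPLE = [
    f'203.0.113.{i} - - [01/Jan/2024:10:00:0{i} +0000] '
    f'"GET /catalogsearch/result/?q=x{i} HTTP/1.1" 200 512 "-" "flood-client/1.0"'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /checkout/cart/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "POST /customer/account/login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'truncated line',
]

if __name__ == "__main__":
    for field, (value, share) in dominant_attributes(SAMPLE).items():
        print(f"{field}: {value!r} in {share:.0%} of requests")
```

In the sample no single IP dominates, so the user agent and path are the attributes worth reporting in the ticket.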