Fastly

To maintain PCI compliance for Adobe Commerce sites deployed on the Cloud platform, you must set up Fastly on your Starter master, Pro Production, and Pro Staging environments. If you are using Adobe Commerce in a headless deployment, we highly recommend that you use Fastly to cache GraphQL responses. See Caching with Fastly in the GraphQL Developer Guide.

Fastly provides the following services to optimize and secure content delivery operations for your Adobe Commerce on cloud infrastructure projects. These services are included with your Adobe Commerce on cloud infrastructure subscription at no additional cost.

  • Content delivery network (CDN)—Varnish-based service that caches your site pages, assets, CSS, and more in backend data centers you set up. As customers access your site and stores, the requests hit Fastly to load cached pages faster. The CDN service provides the following features:

  • Security—After you set up your Adobe Commerce on cloud infrastructure project to use the Fastly CDN, additional security features are available to protect your sites and network.
    • DDoS protection—Built-in protection against common attacks such as Ping of Death and Smurf attacks, as well as other ICMP-based floods.

    • Web Application Firewall—Managed web application firewall service that provides PCI-compliant protection to block malicious traffic before it can damage your production Adobe Commerce on cloud infrastructure sites and network. The WAF service is available on Pro and Starter Production environments only.

    • SSL/TLS certificates–The Fastly service requires an SSL/TLS certificate to serve secure traffic over HTTPS. Adobe Commerce provides a domain-validated Let’s Encrypt SSL/TLS certificate for each Staging and Production environment. Adobe Commerce completes domain validation and certificate provisioning during the Fastly setup process. See TLS and Fastly.

    • Origin cloaking–Adobe can enable Origin Cloaking for all Adobe Commerce on cloud infrastructure projects. This option hides the IP addresses of your origin servers to protect them from direct access. When this feature is enabled, all traffic to your Cloud infrastructure must route through the Fastly CDN or another secure channel. Any traffic sent directly to the origin servers is blocked. If you have traffic that does not require caching, you can customize the Fastly service configuration to allow requests to bypass the Fastly cache.

  • Image optimization—Offloads image processing and resizing load to the Fastly service, freeing servers to process orders and conversions efficiently. See Fastly image optimization.

  • Fastly CDN and WAF logs–For Adobe Commerce on cloud infrastructure Pro projects, you can use the New Relic Logs service to review and analyze Fastly CDN and WAF log data. See New Relic.

Fastly CDN module for Magento 2

Fastly services for Adobe Commerce on cloud infrastructure use the Fastly CDN module for Magento 2 installed in the following environments: Pro Staging and Production, Starter Production (master branch).

On initial provisioning or upgrade of your Adobe Commerce on cloud infrastructure project, we install the latest version of the Fastly CDN module in your Staging and Production environments. When Fastly releases module updates, you receive notifications in the Admin UI for your environments. We recommend that you update your environments to use the latest release. See Upgrade Fastly.

Fastly service account and credentials

Adobe Commerce on cloud infrastructure projects do not require a dedicated Fastly account or account owner. Instead, each Staging and Production environment has unique Fastly credentials (API token and service ID) to configure and manage Fastly services from the Admin UI. You also need the credentials to submit Fastly API requests.

During project provisioning, Adobe adds your project to the Fastly service account for Adobe Commerce on cloud infrastructure and adds the Fastly credentials to the configuration for the Staging and Production environments. See Get Fastly credentials.

Change Fastly API token

If you need to change the Fastly API token credential, you must submit an Adobe Commerce support ticket to request a new token, and then update your Staging or Production environment with the new value.

To change the Fastly API token credential:

  1. Submit an Adobe Commerce support ticket requesting the new token.

    Include your Adobe Commerce on cloud infrastructure project ID and the environments that require a new credential.

  2. After you receive the new API token, update the API token value in the Fastly credentials configuration in the Admin UI or from the Project Web UI environment configuration variables.

  3. Test the new credential.

  4. After you have updated the credentials, submit a support ticket to delete the old API token.
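
One way to script steps 3 and 4 is shown below. This is an added example, not Adobe or Fastly code: it sends a read-only request for the service to the Fastly API with the Fastly-Key header and reports whether each token is accepted. The variable names FASTLY_SERVICE_ID, NEW_FASTLY_TOKEN, and OLD_FASTLY_TOKEN, and the treatment of HTTP 401 or 403 as a rejected token, are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Adobe or Fastly code): check a rotated Fastly API token.
# FASTLY_SERVICE_ID, NEW_FASTLY_TOKEN and OLD_FASTLY_TOKEN are assumed names.

# Print the HTTP status of a read-only request for the service, or 000 if the
# request never completed. The token is passed to curl on stdin (-K -) so it
# does not show up in the process list.
fastly_status() {            # usage: fastly_status <token> <service_id>
  printf 'header = "Fastly-Key: %s"\n' "$1" |
    curl -K - -s -o /dev/null -w '%{http_code}' --max-time 15 \
         "https://api.fastly.com/service/$2" || true
}

# Map (role, status) to a verdict.
# Return 0 = expected state, 1 = action needed, 2 = inconclusive
# (network error, wrong service ID, rate limiting, and so on).
token_verdict() {            # usage: token_verdict <new|old> <http_status>
  case "$1:$2" in
    new:200)         echo "PASS new token accepted";           return 0 ;;
    new:401|new:403) echo "FAIL new token rejected";           return 1 ;;
    old:401|old:403) echo "PASS old token no longer accepted"; return 0 ;;
    old:200)         echo "FAIL old token still accepted";     return 1 ;;
    *)               echo "UNKNOWN status '$2' for $1 token";  return 2 ;;
  esac
}

# Step 3: the new token must work. Step 4: once the deletion ticket is closed,
# the old token (if supplied) must have stopped working.
check_rotation() {
  _rc=0
  _s=$(fastly_status "$NEW_FASTLY_TOKEN" "$FASTLY_SERVICE_ID")
  token_verdict new "$_s" || _rc=$?
  if [ -n "${OLD_FASTLY_TOKEN:-}" ]; then
    _s=$(fastly_status "$OLD_FASTLY_TOKEN" "$FASTLY_SERVICE_ID")
    token_verdict old "$_s" || _rc=$?
  fi
  return "$_rc"
}

# Usage, after exporting the three variables in the current shell:
#   check_rotation
```

Run the check once after updating the environment and again after the old token is deleted; leave OLD_FASTLY_TOKEN unset for the first run.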

Multiple Fastly accounts and assigned domains

Fastly only allows you to assign an apex domain and associated subdomains to one Fastly service and account. If you have an existing Fastly account that links the same apex and subdomains used for your Adobe Commerce on cloud infrastructure, you have the following options:

  • Remove the apex and subdomains from the existing account before requesting Fastly service credentials for your Adobe Commerce on cloud infrastructure project environments. See Working with Domains in the Fastly documentation.

    Use this option to link the apex domain and all subdomains to the Fastly service account for Adobe Commerce on cloud infrastructure.

  • Submit a support ticket to request domain delegation so that apex and subdomains can be linked to different accounts.

    Use this option if your apex domain has multiple subdomains for Adobe Commerce and non-Adobe Commerce sites that you want to link to different Fastly accounts.

Request domain delegation

Scenario 1:

The apex domain (testweb.com and www.testweb.com) is linked to an existing Fastly account. You have an Adobe Commerce on cloud infrastructure project configured with the following subdomains: mcstaging.testweb.com and mcprod.testweb.com. You do not want to move the apex domain to the Fastly service account for Adobe Commerce on cloud infrastructure.

Submit a Fastly support ticket requesting that the subdomains be delegated from the existing Fastly account to the Fastly account for Adobe Commerce on cloud infrastructure. Include your Adobe Commerce project ID in the ticket.

After the delegation is complete, your project subdomains can be added to the Fastly service account for Adobe Commerce on cloud infrastructure. See Get Fastly credentials.

Scenario 2:

The apex domain (testweb.com and www.testweb.com) is linked to the Adobe Commerce on cloud infrastructure Fastly service account. You want to manage Fastly services for the service.testweb.com and product-updates.testweb.com subdomains from a different Fastly account.

Submit an Adobe Commerce support ticket requesting that the subdomains be delegated from the Adobe Commerce on cloud infrastructure Fastly service account to the other Fastly account. Include the service ID for that Fastly account in the ticket.

DDoS protection

DDoS protection is built in to the Fastly CDN service. After you enable and configure the Fastly service for your Adobe Commerce on cloud infrastructure sites, Fastly filters all web and admin traffic to your site to detect and block potential attacks:

  • For attacks targeting layer 3 or 4, the Fastly service filters out traffic based on port and protocol, inspecting only HTTP or HTTPS requests. ICMP, UDP, and other network-borne attacks are dropped at our network edge. This includes reflection and amplification attacks, which use UDP services like SSDP or NTP. By providing this level of protection, we effectively block multiple common attacks such as Ping of Death and Smurf attacks, as well as other ICMP-based floods. Fastly manages the TCP level attacks at the cache layer, addressing the necessary scale and context per client to deal with SYN flood and its many variants, including TCP stack, resource attacks, and TLS attacks within the Fastly systems.

  • Fastly also provides protection against Layer 7 attacks. If your store is experiencing performance issues and you suspect a Layer 7 DDoS attack, submit an Adobe Commerce support ticket. Adobe can create and apply custom rules to the Fastly service to inspect for and filter out malicious requests based on header, payload, or a combination of attributes that identify the attack traffic. See Checking for DDoS attacks and How to block malicious traffic in the Adobe Commerce Help Center.