They share a name, but play different roles. Here is how Fastly’s delivery and security layers work together in your Upsun environment. When aiming for global reach, the Fastly Content Delivery Network (CDN) is essential: It caches content at the edge to slash application load times. But speed needs a partner: the Fastly Next-Gen Web Application Firewall (WAF), which protects your origin from threats.

The Airport Analogy: Two Desks, One Terminal

The Fastly CDN and Fastly WAF aren’t separate stops on a journey; they’re two different jobs handled by the same server at the network’s edge. In airport terms, think of them as two specialized desks inside the same terminal:
  • The Fastly CDN is the terminal: Its job is to get passengers (requests) to their gates as quickly as possible using moving walkways and clear signage (routing).
  • The Fastly WAF is the security checkpoint: Before a passenger reaches the gate, the security checkpoint (WAF) inspects them for threats (like SQL injection or malicious bots) and stops them before they reach the “secure area” (your Upsun application code, database, and files running on Upsun servers).

The Division of Labor

They work in tandem, but you manage them differently within the Upsun ecosystem:
| Feature | Fastly CDN (Self-Service) | Fastly WAF (Specialized) |
| --- | --- | --- |
| Primary goal | Performance and delivery | Security and threat mitigation |
| Where to manage | Directly in the Upsun console | Upsun Support or a dedicated WAF dashboard |
| Common tasks | Purging cache, managing IP allowlists (ACLs), Edge Dictionaries | Configuring security rules, tuning false positives |

Where They Meet: Visibility and Insights

Even though you don’t configure WAF rules in the Upsun console, the CDN integration is your window into WAF performance. The CDN Insights tab logs every request the WAF blocks. This correlation is vital for troubleshooting:
  • Identify Attacks: If you see a spike in “403 Forbidden” errors in your CDN logs, the WAF is successfully defending you.
  • Debug Blocks: If a legitimate user is blocked, the CDN’s granular logs help you identify which rule was triggered so you can ask Support to tune it.

Get Started

To get both services running on your project:
1. Activate the Fastly CDN.
  1. Install the Fastly plugin directly within the Upsun console.
  2. On the Integrations or Fastly CDN tab that was added after the previous step, connect your service by using your Fastly Service ID and API Token (which you can find by running upsun ssh "printenv | grep FASTLY" in your terminal).
    For details about using Edge Dictionaries to manage dynamic configuration, see Fastly CDN in the Upsun product docs.
2. Enable the WAF. Because WAF rules are highly specialized, enablement is a managed process:
  1. Choose your offer: Upsun offers Basic (managed by Upsun Support) or Basic Configurable (adds a dedicated security dashboard). For details, see Fastly WAF in the Upsun product docs.
  2. Contact our sales team to add the chosen offer to your Upsun plan. They will handle the initial onboarding and rule configuration to ensure your application is protected without blocking legitimate traffic.

Summary: Better Together

Ultimately, the Fastly CDN and WAF on Upsun provide a unified front:
  • The CDN ensures legitimate users get a fast experience and provides the dashboard where you monitor overall traffic health.
  • The WAF ensures malicious requests never touch your infrastructure, keeping your Upsun resources dedicated to serving real customers.
By using the Upsun console as your visibility bridge, you can confidently run applications that are fast, secure, and globally scalable.
Last modified on April 14, 2026