About Edge Rate Limiting

The Fastly Edge Rate Limiting web interface is designed to help you control the rate of requests sent to your origin servers. The feature allows you to count client requests and optionally penalize clients for exceeding rate limits you set. You can also access Edge Rate Limiting functionality in VCL.

Prerequisites

To use this feature you must purchase a Professional or Premier Platform subscription for the Fastly Next-Gen WAF (powered by Signal Sciences) and have a paid account for full-site delivery.

Limitations and caveats

Rate limits set by a rate limiting policy happen per Fastly site and counts are not shared across Fastly sites.

Edge Rate Limiting is compatible with Fastly’s origin shield feature and both can be used together. If you have shielding enabled, rate limits will be counted twice, once at the edge and once at the origin shield. This has different implications for where protection is occurring and how the client is identified.

Edge Rate Limiting feature is not intended to compute rates with high precision. The accuracy you can expect depends on the selected time window over which rates are calculated. Estimated percentage error boundaries under nominal conditions are as follows:

  • (+/-) ~50% for the 1 second time window
  • (+/-) ~25% for the 10 second time window
  • (+/-) ~10% for the 60 second time window

For example, if you are using a 10 second time window and a rate limit of 100 RPS, you may see up to 25% more RPS (125 requests per second) to your origin before the attack is detected by Edge Rate Limiting. Similarly, Edge Rate Limiting may report that a rate limit has tripped when the actual rate is 75% of the intended rate (75 requests per second).

About the Edge rate limiting dashboard

To access the Edge rate limiting dashboard, log in to the Fastly web interface and click the Secure link. Click the Edge rate limiting link. The Edge rate limiting dashboard displays a summary of all rate limiting policies currently in effect across your services. Each summary includes the following details:

  • Service: the name of the service
  • Policy name: the name of the rate limiting policy
  • Requests per second: the maximum number of requests per second within the detection window counted before enacting the rate limiting policy
  • Detection window: the duration of the rate limiting window
  • Action: the action taken once the rate limit is exceeded, either Block or Log only

Security products note

No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products do not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.

Back to Top