Last updated 2023-02-13
Fastly can automatically detect and, in real time, route around transient connection problems that occur when fetching content from your origin servers or when delivering content to end users from Fastly's Edge Cloud. Fastly uses different, automated techniques depending on where we observe a connection problem. This page describes two capabilities that Precision Path uses to automatically improve fetching and delivery of content to your users: origin connection rerouting and edge connection rerouting.
It's critical for Fastly to maintain high performance and reliable access to your origin services to fetch new or updated content when needed. The inability to do so, even temporarily, can result in 5xx HTTP server errors being returned to end users, regardless of how resilient and performant connections may be. Based on historical observations of our worldwide network, we estimate a significant portion of 5xx errors served to end users are due to the impact of transient internet performance issues (commonly called internet weather) on the connections between Fastly's point of presence (POP) locations and our customers' origin services. Origin rerouting is designed to address this.
Our origin connection rerouting capability monitors Fastly's connections to your origin services for signs of internet weather and, if any are detected, automatically attempts to route around them so they don't impact your services. The vast majority of the time you won't notice changes to those connections in your Fastly services because there will be no issues to route around. However, when the default route from one of our POPs across the internet to your origins experiences a severe enough problem, the rerouting mechanism will automatically test other available routes to your origin and, if any successful alternatives are found, will select the most viable alternative route with which to re-establish the connection. All of this will happen before TCP timeouts occur on the end user connection, thereby avoiding 5xx errors being returned to end users.
Precision Path's origin connection rerouting only works for origin connections using TLS. If your Fastly service has not been configured to use a TLS connection between Fastly and your origin server, you can enable TLS by following the instructions in our guide on working with hosts.
No special requirements are necessary to take advantage of Fastly's origin connection rerouting. This capability is enabled by default for all Fastly services using TLS for origin and shielding connections.
Many Fastly customers protect their origin services from security threats by implementing either a firewall service or IP address access control lists (ACLs). While this is a good security practice, you could be inadvertently blocking a subset of Fastly IP addresses from accessing your origins if these configurations aren't updated regularly.
To successfully implement origin connection rerouting on your Fastly services, ensure you aren't blocking any Fastly IP addresses. Fastly provides an API for you to obtain a complete list of the IPv4 and IPv6 address ranges owned by Fastly. Any firewalls or ACLs protecting your origin services should be updated to ensure all these IP address ranges are allowed to connect to your origins.
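One way to check an origin allowlist against the published ranges, as an added example that is not Fastly's own code. It assumes the API response is JSON with an `addresses` list (IPv4) and an `ipv6_addresses` list; the ranges and the allowlist below are constructed from documentation address space.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the public IP list response.
PUBLISHED_JSON = """
{"addresses": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25"],
 "ipv6_addresses": ["2001:db8:100::/40"]}
"""

# Constructed origin firewall allowlist: split entries, one half-covered
# range, one wider-than-published entry, and no IPv6 at all.
ALLOWLIST = ["192.0.2.0/25", "192.0.2.128/25",
             "198.51.100.0/25", "203.0.113.0/24"]


def load_published(doc):
    """Parse both address families from the published list."""
    data = json.loads(doc)
    cidrs = data["addresses"] + data["ipv6_addresses"]
    return [ipaddress.ip_network(c) for c in cidrs]


def uncovered(published, allowlist):
    """Return the parts of the published ranges that no allowlist entry permits."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    gaps = []
    for pub in published:
        remaining = [pub]
        for rule in (a for a in allowed if a.version == pub.version):
            nxt = []
            for net in remaining:
                if net.subnet_of(rule):
                    continue                      # fully permitted
                if rule.subnet_of(net):
                    nxt.extend(net.address_exclude(rule))  # partly permitted
                else:
                    nxt.append(net)               # CIDRs are nested or disjoint
            remaining = nxt
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return [str(n) for n in sorted(gaps, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    for gap in uncovered(load_published(PUBLISHED_JSON), ALLOWLIST):
        print("blocked at origin:", gap)
```

Any range it reports is address space from which a rerouted origin connection would be refused by the firewall.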
Fastly's real-time log streaming feature can be used to monitor for origin connection rerouting events that may occur on your Fastly services. The following VCL variables can be used to monitor origin connection rerouting activity:
beresp.used_alternate_path_to_origin - This boolean value indicates whether or not the request to origin was made over an alternate route selected by the origin connection rerouting mechanism. Counting the number of true values for this variable over any given time period in your logs will indicate how many times this origin rerouting mechanism has been triggered.
beresp.backend.src_ip - This variable indicates which Fastly source IP was used to make the request to origin. For most connections, this will be one of the Fastly server IP addresses most frequently used for default routes across the internet. If the origin rerouting mechanism was triggered by a problem with the original connection attempt over the default route, then this value will show an alternate Fastly server IP address from a pool of IPs reserved for alternate routes between that POP and your origin.
beresp.backend.alternate_ips - This variable lists all the possible source IP addresses available to the origin rerouting mechanism for the Fastly server handling this origin connection. This information can be used to identify the set of valid Fastly IP addresses from which you may see connection attempts to your origin from this Fastly server.
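A sketch of how streamed logs carrying these three variables can be summarized, as an added example that is not Fastly's own code. The log format is customer-defined, so the JSON layout, the `pop` field, the comma-separated form of `alternate_ips` and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed log lines; field names mirror the VCL variables above.
LOG_LINES = [
    '{"pop":"AMS","used_alternate_path_to_origin":false,'
    '"src_ip":"192.0.2.10","alternate_ips":"192.0.2.200,198.51.100.130"}',
    '{"pop":"AMS","used_alternate_path_to_origin":true,'
    '"src_ip":"192.0.2.200","alternate_ips":"192.0.2.200,198.51.100.130"}',
    '{"pop":"LHR","used_alternate_path_to_origin":true,'
    '"src_ip":"192.0.2.201","alternate_ips":"192.0.2.201,198.51.100.130"}',
    '{"pop":"AMS","used_alternate_path_to_origin":true,'
    '"src_ip":"192.0.2.200","alternate_ips":"192.0.2.200,198.51.100.130"}',
]

# Constructed origin firewall allowlist to audit against the logged IPs.
ORIGIN_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/25"]


def analyze(lines, allowlist):
    """Count reroutes per POP and list logged Fastly IPs the origin would refuse."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    reroutes = Counter()
    refused = set()
    for line in lines:
        rec = json.loads(line)
        if rec["used_alternate_path_to_origin"]:
            reroutes[rec["pop"]] += 1
        # Both the IP actually used and every alternate must be reachable.
        seen = [rec["src_ip"]] + rec["alternate_ips"].split(",")
        for text in (s.strip() for s in seen if s.strip()):
            ip = ipaddress.ip_address(text)
            if not any(ip.version == n.version and ip in n for n in allowed):
                refused.add(str(ip))
    return dict(reroutes), sorted(refused)


if __name__ == "__main__":
    counts, refused = analyze(LOG_LINES, ORIGIN_ALLOWLIST)
    print("reroutes per POP:", counts)
    print("alternate-path IPs not in allowlist:", refused)
```

An address that appears only in `alternate_ips` and is missing from the allowlist is a route the rerouting mechanism could try but the origin would reject.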
When delivering content from Fastly to your end users, Fastly tracks the health of every TCP connection. When we observe connection-impacting degradation (e.g., congestion), we automatically switch delivery to a new network path to route around the issue. This automatic mitigation is enabled by default on all of our POPs and applies to all Fastly traffic. No additional configuration is required.
No special requirements are necessary to take advantage of Fastly's edge connection rerouting. All traffic delivered from Fastly's POPs is assessed for connection issues and the fast path failover feature is applied only when necessary.
For more information on Precision Path or its individual features, contact support.