Using Fastly with apex domains
Last updated 2021-07-22
Some customers use only their second-level or apex domain (e.g.,
example.com rather than
www.example.com) as their canonical domain. Due to limitations in the DNS specification, we don't recommend placing a CNAME record at the apex domain or using the CNAME Flattening features offered by some DNS providers (e.g., ALIAS or ANAME).
Instead, we offer anycast IP addresses for content that must be hosted on a second-level or apex domain. Our anycast options allow you to add A (IPv4) or AAAA (IPv6) records that point your apex domain at Fastly, prioritizing either performance or cost, depending on the option you choose.
Because anycast addressing methods don't offer Fastly as much flexibility in routing requests, our anycast options may not be as performant as our CNAME-based system. We recommend using our CNAME-based system for as much content as possible, particularly for large resources or streaming video.
Our guide on generating redirects at the edge discusses how you can redirect all traffic for apex domains to WWW subdomains.
Fastly offers the following anycast options to all paid customers.
Global anycast option
Fastly offers anycast IP addresses that allow you to use our entire global network to route requests to the nearest Fastly POP (from a network perspective), without regard to the billing region in which that POP resides.
Choose this option to prioritize traffic routing performance and to avoid restricting traffic to specific POPs. We'll provide you with a list of anycast IP addresses, which you then enter into your DNS records.
Billing Zone anycast options
Billing Zone anycast options are part of a limited availability release. For more information, see our product and feature lifecycle descriptions.
Fastly offers anycast IP addresses that allow you to prioritize where requests get routed based on the cost of its travel through groups of specific billing regions called "zones."
Choose one of these options to prioritize cost savings over routing performance:
- Maximum Billing Zone (MBZ) 100: This option includes only the Fastly POPs located in the North America and Europe billing regions.
- Maximum Billing Zone (MBZ) 200: This option includes all Fastly POPs in MBZ 100 as well as those in the billing regions of Asia, Australia and New Zealand, and South America. It does not include POPs in the South Korea, India, and Africa billing regions.
Availability versus routing accuracy
Fastly prioritizes service availability over routing accuracy. Fastly will not offer invoice credits for traffic delivered from Fastly POPs outside of intended billing zones when that traffic is intentionally diverted to preserve the integrity or performance of Fastly services, for scheduled maintenance, or when the traffic routing changes are outside of Fastly’s control.
Because most anycast routing on the public internet is outside of our direct control, we cannot guarantee traffic routed to us will never arrive at POPs in higher billing zones. When routing changes on the public internet shift your traffic to higher priced Fastly POPs, however, we will make our best effort to investigate the cause and work with all parties involved to correct any problems discovered.
In addition to factors outside of our control, Fastly performs traffic engineering on a regular basis to ensure the availability of all Fastly services during incidents and scheduled maintenance to our network. When necessary, we may temporarily choose to route traffic to POPs outside of the chosen Billing Zones.
If you observe traffic being served from Fastly POPs outside of the intended Maximum Billing Zone, then before opening a support ticket:
- Check the Fastly Service Status page. Verify that there are no events that would explain the temporary rerouting of your traffic.
- Check the DNS records for your impacted domain names. Only the Fastly provided Billing Zone anycast IP addresses should be present in the DNS records of your impacted domain names.
If neither of the above issues explain your observed Fastly POP routing issue, open a support ticket within 30 days of the Fastly invoice date that reflects the billed traffic in question by emailing email@example.com.
Finding anycast IP addresses
When you choose a Billing Zone anycast option, we'll provide you with the list of anycast IP addresses for you to enter into your DNS records. Fastly will use these addresses to serve traffic only from the POPs included in the zones listed above, even if those POPs are unlikely to give the best performance for any given request.
When you have TLS configured
If TLS is configured for your Fastly service, you can obtain your global anycast IP addresses in the Fastly web interface by following these steps:
- Log in to the Fastly web interface and click the Configure link.
- Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS enabled.
Click the More details link for the domain you would like to route to Fastly via the global anycast option. The domain’s details page appears.
The A Records section contains the global anycast IP addresses for you to enter into your DNS records of this domain.
When you don’t have TLS configured
If you don’t have TLS configured for the domain you would like to use with the global anycast option or would like to use one of the new Billing Zone anycast options, you can request your anycast IP addresses by contacting firstname.lastname@example.org. We'll provide you with the anycast IP addresses appropriate for the option you choose so you can enter those addresses into your DNS records. Be sure to enter all of them to ensure maximum availability and reliability. We don’t charge extra for these options, however, you must be using one of Fastly's paid plans (with or without a contract) to take advantage of them.
Fastly's billing regions can be found on our pricing page. We announce changes to these regions via our network status page.
Apex domain problems and their workarounds
The DNS instructions in RFC1034 (section 3.6.2) state that, if a CNAME record is present at a node, no other data should be present. This ensures the data for a canonical name and its aliases cannot be different. Because an apex domain requires NS records and usually other records like MX to make it work, setting a CNAME at the apex would break the "no other data should be present" rule.
In general, the problem with apex domains happens when they fail to redirect to their www equivalents (
example.com points nowhere instead of pointing to
www.example.com). Two workaround options exist:
- only use Fastly for API or AJAX calls, images, and other static assets (e.g., serve
example.comyourself and CNAME to Fastly for assets at
- redirect from the apex domain to the version proxied by Fastly (e.g., redirect any requests for
Neither workaround, however, is ideal.
To use TLS with an apex domain, explicitly add it to a certificate using one of our TLS products. For wildcard entries on our shared certificates, add an apex domain as a separate SAN entry.