Fastly platform guide
Fastly Origin Shielding: Safe Configuration, Verification, and Rollout
Origin shielding concentrates cache-miss traffic through a selected Fastly POP. It can reduce duplicate origin fetches, but it changes the request path, cache interpretation, failure modes, and cost model.
Without shielding, each Fastly POP can independently fetch an object that is absent from its local cache. With shielding, a local edge miss goes to a designated shield POP first. If the shield has the object, it answers the edge POP without an origin request; only a shield miss reaches the origin. This creates a second shared cache layer and concentrates origin-bound traffic through one POP.
That topology is useful for cacheable, globally requested content and for controlling origin connection pressure. It is not access control, does not stop direct-origin traffic, and is not a universal latency improvement. An edge hit remains the shortest path. A local miss that travels to a shield adds an internal hop, and a poorly located shield can make the miss path worse. Measure the outcome for your routes and user regions rather than treating the feature as a default.
Shielding is an origin-load and cache-topology control
Keep origin firewalling, authentication, rate limits, health checks, and capacity planning in place. Shielding can reduce duplicate requests to an origin; it does not authorize clients or make an unavailable origin healthy.
Prerequisites and scope
Before changing the service, have an active Fastly service with a known-good version, a documented backend inventory, permission to clone and activate versions, access to origin and Fastly logs, and a representative test domain. Identify each backend's physical or cloud region, DNS name, TLS certificate name, expected Host header, cache policy, health-check path, and capacity limit.
Choose an initial scope of one cacheable, read-heavy backend and a small set of paths. Exclude authenticated pages, writes, payment or inventory flows, and intentionally uncached PASS traffic from the first experiment. Those requests can still transit a shield when forwarded to a backend, but they do not receive the same shared-cache benefit and can increase internal traffic.
Record a baseline for at least one normal traffic cycle: origin request rate and egress, origin connection count and p95 latency, Fastly cache status distribution, edge and origin errors, client p95/p99 latency by region, and delivery bandwidth. Define a rollback threshold before editing configuration.
1. Select a shield region per origin
Use the Fastly POP API or Fastly control panel to obtain valid shield identifiers. The human POP name and the shield identifier are not necessarily the same. For example, Fastly's shielding documentation distinguishes Amsterdam's POP name from its amsterdam-nl shield identifier.
Select the shield primarily by proximity and network quality to the backend, not by the average location of visitors. A shield near the origin can reduce the expensive origin leg and make a shared cache more effective. Then test the complete path from important user regions. A globally distributed audience with a single origin often benefits from one shield near that origin; geographically separate origins should normally have independently chosen shields.
Use this decision table before selecting a location:
| Question | Evidence to collect | Decision impact |
|---|---|---|
| Where does this backend actually serve from? | Cloud region, anycast behavior, origin logs, network traces | Choose a shield close to the backend, not a corporate office. |
| Is the response cacheable and reused across regions? | Cache headers, cache key, request distribution, object popularity | High cross-region reuse favors a shield; private or unique responses do not. |
| Is the backend regional or route-selected? | Backend map, failover design, health checks | Assign and test a shield per backend, not one blanket setting. |
| What happens if the shield cannot be reached? | Failure test and origin capacity plan | The request can bypass the shield and reach the origin directly. |
| Are user regions latency sensitive on a miss? | RUM and synthetic p95/p99 by region | Reject a shield choice that harms critical miss-path latency. |
Fastly documentation recommends selecting a data center close to the backend and notes that each backend can have its own shield. Do not select a shield based solely on a map. Test DNS resolution, TLS handshake, first byte, and sustained origin throughput through the intended path.
2. Clone the active version and assign the shield
Make this change in a new service version. In the Fastly control panel, select the service, choose Edit configuration, and clone the active version. Open Origins, choose the backend, and select the shield location in the Shielding menu. Save the backend change. Repeat for every backend in scope, using the selected location for that backend rather than copying one location blindly.
For API or CLI-managed configuration, set the backend object's shield property to the shield identifier. The Fastly CLI example follows this shape:
fastly backend create \
--name=app_origin \
--address=origin.example.net \
--shield=amsterdam-nl \
--service-id="$FASTLY_SERVICE_ID" \
--version=latest
Use the command only as a pattern for a new backend in the intended editable version. Production automation should also set its required TLS, timeout, health-check, host-override, and connection settings. Updating only shield on an existing backend is usually safer than recreating it, because an omitted setting can change backend behavior.
If you change the request Host header before it reaches the shield, add the modified hostname to the service's domain list. Fastly uses the incoming host to identify the service at the shield; an unknown altered host can produce a 500. Prefer the backend override_host setting for the final origin hop instead of changing Host early in custom logic.
Validate the cloned version and review the diff. Confirm that the selected backend still has the expected address, TLS certificate validation, SNI, health check, timeout budget, conditions, logging endpoints, and cache policy. Keep the active version untouched and immediately activatable as rollback.
3. Understand the cache-miss path before enabling it
For an object with a correct shared cache key, the request paths are:
- Edge HIT: the edge POP returns its cached object. Shielding and the origin are not involved.
- Edge MISS, shield HIT: the edge POP forwards to the shield. The shield returns its cached object, which can populate the edge POP. The origin receives no request.
- Edge MISS, shield MISS: the edge POP forwards to the shield, and the shield fetches from the origin. The response can be cached at both layers according to the cache policy.
- PASS or uncacheable backend request: the request still uses the shield path when it is forwarded to the backend, but it does not gain a reusable cache hit. Evaluate this traffic separately.
This is why shielding can reduce origin load without increasing every visitor's edge cache hit. It also explains why Fastly's global cache-hit ratio may appear lower than expected: an edge miss and shield hit count as both a miss and a hit, while an origin fetch through the shield can register two misses. Use raw request, hit, miss, shield, and origin metrics rather than one aggregate ratio as the sole success criterion.
Ensure the cache key does not mix users, entitlements, locale variants, or security-sensitive headers. Do not use the shield to paper over an unsafe Vary policy. If you change cache directives, prefer explicit Surrogate-Control for Fastly-facing freshness and Cache-Control for browser-facing freshness when those requirements differ.
4. Test safely on a non-production domain
Activate the cloned configuration first on a development or staging service, or use a representative isolated domain and origin. Warm a set of known public objects with repeated requests, then issue requests from more than one external region. Keep test objects separate from customer-specific content and use a short, documented TTL so the test is easy to invalidate.
Use curl -I or your HTTP test runner to capture headers and preserve output with the timestamp, test region, URL, response status, Age, cache-related headers, request ID, and deployment version. Fastly's exact debug headers and cache-status presentation depend on service configuration, so treat header names as diagnostic signals, not an application contract. Do not expose temporary debugging headers to all users.
At the origin, log a safe correlation ID plus the path template, status, latency, request source, and selected upstream identity. Run this sequence:
- Request a cold, public object from region A and confirm one expected origin fetch.
- Request the same object from region B after region A has populated the shield; confirm the expected response and look for a shield cache service rather than another origin fetch.
- Repeat after the TTL expires and during a controlled purge to observe miss coalescing behavior and origin capacity.
- Test an uncacheable route and a private route to ensure neither becomes shared-cache content.
- Temporarily make the staging origin slow or unhealthy and confirm the configured timeout, user-visible error behavior, alert, and rollback decision.
Local Compute testing can simulate shielding sites in fastly.toml, but it cannot prove Fastly's global routing, real cache topology, or inter-POP latency. Use it for logic tests; use a live isolated service for path and cache verification.
5. Observe headers, logs, and origin load
Add a dashboard that compares the baseline and rollout period by route, backend, and user region:
- edge hits, edge misses, shield hits, shield misses, and origin request rate
- Fastly and origin
4xx/5xxresponses, backend timeouts, and health-check state - client and backend p50/p95/p99 latency, split by hit and miss where possible
- origin connections, CPU, queueing, egress, and upstream rate-limit events
- Fastly request and bandwidth usage, including inter-POP traffic implications
Correlate Fastly logs and origin logs with a request or trace ID. Capture cache outcome, POP or region where permitted, backend name, version, origin duration, and a safe failure reason. Do not log cookies, authorization headers, signed query strings, or private response bodies.
Verify the expected behavior with evidence, not only a dashboard average. A successful trial shows fewer duplicate origin requests for the same cacheable object, stable or improved origin saturation, no unexpected cache leakage, and acceptable user-region latency. A shield hit avoids an origin fetch but may still be slower than a local edge hit; compare each path separately.
6. Roll out gradually and roll back quickly
Activate shielding for one backend or route group first. Observe it through a complete peak period, cache expiration cycle, and a routine origin deployment if possible. Expand only when the origin-load reduction and user latency results meet the agreed thresholds. If a configuration-management system supports environments, promote the reviewed version through them; do not make unexplained manual production edits between stages.
Rollback is simple only if prepared:
- Keep the current active version number and prior known-good version in the change record.
- If errors, latency, cache safety, or origin behavior exceed a stop condition, activate the earlier version without the shield assignment.
- Verify active-version state, synthetic requests, origin traffic, and cache-related logs after propagation.
- Preserve the failed version, logs, request samples with sensitive values removed, and metrics for root-cause analysis.
Do not try to solve an origin incident by enabling shielding blindly. If the origin is overloaded, shielding may reduce duplicate cache misses, but it cannot satisfy uncacheable workload or restore an unhealthy dependency. First apply the service's overload, failover, and stale-content policy where those are safe.
Redundancy, security, and configuration caveats
Shielding has important operational tradeoffs:
- Shield reachability: if a configured shield POP is inaccessible for a request, Fastly can send that request directly from the edge POP to the origin. Origin controls and capacity must tolerate this bypass path.
- Origin security: shielding is not an allowlist or firewall. Keep direct-origin access restricted with private networking or Fastly-source controls plus edge-to-origin authentication. Test the direct-origin path independently.
- Multiple origins: configure and assess shielding per backend. With automatic load balancing, Fastly documents that the configuration has constraints around using multiple shields; review the current product documentation before combining the two.
- Host handling: Fastly identifies the service using the host on the internal request. Preserve a service-recognized host until the final origin hop or use
override_hoston the backend. - Custom VCL and Compute: VCL executes at both the edge and shield when shielding is active. Compute shielding is explicit in the SDK and can execute twice. Make routing, header changes, metrics, and side effects idempotent and aware of execution context.
- Client address: at the shield, the immediate client can be another Fastly POP. Use Fastly's documented client-IP forwarding behavior only after defining the proxy trust boundary; do not treat an arbitrary forwarded header as authenticated identity.
- Cost and capacity: inter-POP traffic contributes requests and bandwidth. Measure the added Fastly traffic against origin egress and capacity savings.
Operational checklist
Before production activation, confirm each backend has a justified shield identifier; domains and host override work across the internal hop; TLS and health checks are intact; cache keys isolate private content; the origin can tolerate shield bypass; headers and logs prove the expected cache-miss path; dashboards separate edge, shield, and origin outcomes; and an unshielded known-good version is ready to activate.
Fastly primary references
- Shielding configuration guide
- Shielding concepts, effects, and advanced scenarios
- Backend API reference
- Fastly service version API reference
fastly.tomllocal-server reference- Testing and debugging on the Compute platform
Validate the cache path before it reaches production
Optimi can help assess Fastly cache topology, origin capacity, and observability so shielding delivers a measurable operational benefit.
Discuss origin delivery design