Upsun Fastly Rate-Limiting: How it works & how to tune it

For Upsun customers who have subscribed to our Rate-Limiting product this page explains how our Fastly-based rate limiting works in your service, and shows you how to adjust the limits or bypass rate limiting for trusted IPs using the Fastly CLI.

Interested in rate limiting at Upsun?
If you'd like to explore rate-limiting strategies, implementation support, or enterprise options, our team is here to help. Reach out to Upsun Sales or your CSM/AM to start a conversation.

Prerequisites

1. Install and Configure CDN Console Plugin

2. Fastly Service ID and Fastly API Token (These can be found by connecting to your environment via SSH and issuing the following):

   # env | grep -i fastly

What our VCL does (at a glance)

• We maintain two independent limiters:
  • Bot limiter keyed on the client IP, primarily for known bots or “bot-like” paths.
  • User limiter keyed on the client IP, for regular site traffic.
• When a client exceeds the configured threshold, we restart the request and return HTTP 429 “Too many requests” via a small error handler.
• Exclusions:
  • Requests to customer chosen paths skip the penalty-box check and the user limiter.
  • The user limiter also skips common static asset extensions.
• A penalty box (10 minutes by default) temporarily blocks clients that burst far above the threshold.
• You can bypass rate limiting altogether by adding IPs to the rate_limit_bypass ACL.
• Changes to excluded paths must be requested via a support ticket.

Default knobs you can change (recommended starting point)

These live in the Rate_Limit_Settings dictionary (key → value):

• BotLimit → default 30 (requests/minute/IP)
• UserLimit → default 100 (requests/minute/IP)

Dictionary items are versionless: changing them takes effect immediately (no clone/activate).

What counts toward each limiter

• Bot limiter runs for:
  • Traffic identified as client.class.bot
  • Paths like /cost-estimates, /search, /health

• User limiter runs for GET and POST (except the excluded paths / you choose and static file extensions: jpg, jpeg, png, gif, svg, svgz, css, js, map, ico, bmp, eot, woff, woff2, otf, ttf).

   

Tuning the limits (BotLimit / UserLimit)

Adjusting limiter thresholds 

1. Edit the Rate_Limit_Settings Dictionary
   

2. Adjust Bot_Limit or User_Limit as needed

   

No deploy needed for dictionary/ACL edits — they’re versionless and apply to the active service immediately.

Recommended starting points

• Bot-heavy sites: BotLimit = 20–50, UserLimit = 80–150
• Raise gradually while watching error rates and origin load.
• If customers report 429s unexpectedly, increase UserLimit first.

Bypassing rate limiting for trusted IPs

Add trusted IPs (offices, health checks, partners) to the rate_limit_bypass ACL.

1. Edit the rate_limit_bypass ACL

   

 2. Add IP/CIDR range and Save

No deploy needed for dictionary/ACL edits — they’re versionless and apply to the active service immediately.

What end users see when limited

Clients that exceed the limit receive HTTP 429 with a short “Too many requests” message.

Notes & gotchas

• Before enabling or tightening your Rate Limiter, audit your office VPNs and third-party external connections. Many organizations route all employee traffic through a single outbound NAT gateway or VPN. To the Rate Limiter, hundreds of unique internal users will appear as one single IP address.

  • The Risk: If you set a limit of 100 requests per minute, a single busy office or a fleet of automated internal tools could accidentally trigger a sitewide block for all your colleagues.

  • The Fix: Identify your corporate VPN/Office CIDR ranges and ensure they are appropriately accounted for or allow-listed (rate_limit_bypass) in your configuration before go-live.

• The upsun_origin_bypass ACL is a predefined list of Upsun’s origin outbound IP addresses. This is enabled by default so that:

  • Multi-app projects can communicate with each other without hitting limits.

  • Internal platform services that rely on other Upsun projects are not inadvertently throttled.

• If you dramatically lower your limits in one deployment, you risk blocking legitimate, high-velocity traffic.

  • Pro-tip: Start with "loose" limits to observe patterns, then tighten them incrementally based on real-world logs.

• Changes to excluded paths or specific file extensions (e.g., exempting certain API routes or static assets) currently require opening a support ticket. Plan your deployment timeline accordingly .

© Platform.sh — Fastly rate‑limiting reference