How to Update a Dynamic ACL and Dictionary Using the Fastly CLI
Fastly’s dynamic ACLs and edge dictionaries let you manage access controls and config values in real-time — no version cloning or activation required. Whether you're adding an IP to an allow-list or adjusting a rate-limit, the Fastly CLI makes it fast and scriptable.
In this post, you'll learn how to:
- ✅ Add, list, or remove IPs in a dynamic ACL (
rate_limit_bypass) - 🔑 Add or update key-value pairs in a dynamic dictionary (
Rate_Limit_Settings) - 📄 List items in a dynamic dictionary
All from the command line using the Fastly CLI.
⚙️ Prerequisites
Before you begin, make sure you have:
- Installed the Fastly CLI → Install instructions
- Logged in to your Fastly account:
fastly login
- Your Fastly Service ID
Tip: You can find this in your environment variables inside the Platform.sh Console — look forFASTLY_SERVICE_ID. - Names of your configuration objects:
- ACL:
rate_limit_bypass - Dictionary:
Rate_Limit_Settings
- ACL:
🔹 Working with the rate_limit_bypass ACL
The rate_limit_bypass ACL is used to exclude specific IP addresses from rate limiting. Add any IPs that should not be rate limited (such as internal teams or monitoring services) to this ACL.
List All ACLs:
fastly acl list --service-id <SERVICE_ID>
Look for the ACL named rate_limit_bypass and note its id.
List IPs in the ACL:
fastly acl-entry list \ --service-id <SERVICE_ID> \ --acl-id <ACL_ID>
Add an IP to the ACL:
fastly acl-entry create \ --service-id <SERVICE_ID> \ --acl-id <ACL_ID> \ --ip 203.0.113.42 \ --negated false \ --comment "Office IP"
✅ No version activation required — changes are live instantly.
Remove an IP from the ACL:
First, list the entries and find the entry_id for the IP you want to remove. Then run:
fastly acl-entry delete \ --service-id <SERVICE_ID> \ --acl-id <ACL_ID> \ --entry-id <ENTRY_ID>
🔸 Working with the Rate_Limit_Settings Dictionary
The Rate_Limit_Settings dictionary stores configuration values used in rate-limiting logic — such as thresholds or flags.
The main value is typically the allowed requests per minute per IP.
List All Dictionaries:
fastly dictionary list --service-id <SERVICE_ID>
Find the one named Rate_Limit_Settings and copy its dictionary_id.
List All Key-Value Pairs:
fastly dictionary-entry list \ --service-id <SERVICE_ID> \ --dictionary-id <DICTIONARY_ID>
Add or Update a Dictionary Value:
Example: Set the Limit to 50 requests per minute:
fastly dictionary-entry upsert \ --service-id <SERVICE_ID> \ --dictionary-id <DICTIONARY_ID> \ --key "Limit" \ --value "50"
This creates the key if it doesn't exist, or updates it if it does — no activation needed.
⚠️ HTTP Error Code 429: "Too Many Requests"
If you receive an HTTP Error Code 429 with the message "Too Many Requests", it means that your IP has been rate-limited for this service.. This typically occurs when an IP address exceeds the configured requests per minute threshold in the Rate_Limit_Settings dictionary.
To resolve this, you can either:
- Increase the request limit in the dictionary (if appropriate for your use case)
-
Ensure the IP address is bypassed from rate limiting by adding it to the
rate_limit_bypassACL
By making the necessary adjustments, you can avoid hitting this rate limit in the future.
✅ Summary
With the Fastly CLI and dynamic config objects, you can:
- Instantly update ACLs (
rate_limit_bypass) to bypass rate-limiting for trusted IPs - Adjust request limits per IP via the
Rate_Limit_Settingsdictionary - Make real-time updates with no version activation
💬 Interested in rate limiting at Upsun?
If you'd like to explore rate-limiting strategies, implementation support, or enterprise options, our team is here to help. Reach out to Upsun Sales or your CSM/AM to start a conversation.
Comments
Please sign in to leave a comment.