Acquia Cloud Edge, powered by Cloudflare, provides a global content delivery network (CDN), DDoS protection and a web application firewall (WAF) for Acquia Cloud Enterprise and Site Factory customers.
Plan for a successful launch with Acquia Cloud Edge by following these 6 best practices to ensure your setup is both secure and performant.
1. Initial DNS Setup
After purchasing Acquia Cloud Edge, you will begin your onboarding with Acquia Ready, who will assist you with getting your domain set up for use on Cloud Edge.
The first step is to decide how you’d like to route traffic through Cloud Edge. You have two options here: Full DNS setup or a Partial (CNAME) setup.
There are pros and cons to both, depending on your ability to move your current DNS nameservers to those provided by Cloudflare.
For fast, secure, global authoritative DNS, you should use the Full DNS setup, by moving your nameservers to the ones provided by Acquia Cloud Edge. An additional benefit of the Edge authoritative DNS is that you can accelerate and/or protect your bare domain as well as any subdomains.
If you are unable to use the Full DNS configuration, you will need to use the Partial CNAME setup. With this approach, you will want to take into consideration the following constraint:
- The Cloud Edge performance, DDoS mitigation, and WAF benefits are only available for delegated subdomains, such as www.example.com. The root domain, such as example.com, cannot be protected or accelerated via Cloud Edge, because the DNS RFCs do not permit a CNAME record at the zone apex: the root domain must resolve through A records.
2. SSL Configuration
By default, Cloud Edge provisions a single SAN certificate per domain, covering the bare domain and third-level wildcard domains. This certificate is automatically renewed and deployed each year as part of your Cloud Edge subscription. However, if you want more flexibility, you can choose to upload your own custom, dedicated SSL certificate instead, which will be presented to your visitors passing through Cloud Edge. This allows you to use extended validation (EV) certificates if desired. Depending on your internal security policies, this can be the same certificate you have installed at origin in your Acquia Cloud production environment, or it can be a separate certificate.
With a valid, vendor-issued SSL certificate installed at origin in your Acquia Cloud production environment, we recommend the Full (Strict) SSL mode, so that the origin certificate is validated on every connection from the Edge and origin traffic to Acquia Cloud is protected against a man-in-the-middle attack.
3. Drupal Caching Configuration
If you have purchased Cloud Edge CDN, you will automatically gain the benefits of static file caching once your site is activated and passing through the CDN. Cloud Edge will respect the Cache-Control headers set by your Drupal application for static assets. Drupal's default .htaccess file sets a two-week cache period for static assets, so you can expect the static files to be stored on Cloud Edge CDN servers around the world for that long as well.
You can also use Page Rules to cache static HTML responses. If you need guidance setting these up, your Acquia Ready team is available to help you get the most performance benefit from your Cloud Edge CDN subscription during your onboarding process.
4. WAF and Security Configuration
If you have purchased Cloud Edge Protect, you will receive DDoS mitigation and WAF benefits once your site is activated and passing through the Edge network.
To ensure DDoS mitigation and WAF benefits are available for the root domain and all of its subdomains, you should use the Full DNS setup by moving your nameservers to the ones provided by Acquia Cloud Edge.
With the Full DNS setup, you are ensuring that all attack traffic that would otherwise directly hit your server is automatically routed to Acquia Cloud Edge Protect’s global Anycast network of data centers. Once attack traffic is shifted, we are able to leverage the global capacity of our Edge network, as well as the compute resources of thousands of servers, to absorb the flood of attack traffic at our network edge. This means that Acquia Cloud Edge Protect is able to prevent even a single packet of attack traffic from reaching a site protected by Acquia Cloud Edge Protect.
If you have specific areas of your Drupal site that need more or less threat protection, Page Rules are an excellent way to challenge visitors using a custom security level based on the path requested.
5. Cache Purging
While Acquia Cloud Edge provides a very simple and easy-to-use web interface for manually purging CDN cache, you may want to consider proactive purging.
If you are using Drupal 7, there is a contrib module available called Acquia Purge Cloudflare. That module hooks into the Acquia Purge module to synchronize purge URLs between Drupal, the Varnish layer in Acquia Cloud, and Acquia Cloud Edge.
6. Testing
After you’ve set up Acquia Cloud Edge, you should test its capabilities around the world before going live to ensure your Drupal application is ready for launch using Cloud Edge.
The goals of testing Acquia Cloud Edge are the following:
- Validate your origin DNS settings to Acquia Cloud are correct.
- Validate SSL Full (Strict) mode is working properly without error.
- Validate traffic is hitting a PoP close to the visitor's location using webpagetest.org.
- (If using Cloud Edge CDN + China Network) Validate your ICP license and plan for renewal.
- Validate the requests are hitting Cloud Edge cache.
- (Optional) Validate your proactive purging strategy.
Additionally, we recommend that you test all business-critical functionality on your Drupal application to ensure all existing functionality is working as expected through Cloud Edge.
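As an added example (not Acquia's or Cloudflare's own tooling), the script below automates three of the checklist items for a static asset: that the response carries the two-week Cache-Control Drupal's .htaccess sets, that it was served from the Edge cache, and which PoP answered. It assumes Cloudflare's CF-Cache-Status and CF-RAY response headers; the sample headers are constructed, and the live HEAD request runs only when a URL is passed on the command line.

```python
"""Launch checks for a Drupal site behind Acquia Cloud Edge (added example)."""
import re
import ssl
import urllib.request

# Drupal's default .htaccess serves static files with a two-week expiry.
TWO_WEEKS = 14 * 24 * 3600  # 1209600 seconds


def max_age(headers):
    """Return the max-age value from a lower-cased header dict, or None."""
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    return int(m.group(1)) if m else None


def check_static_asset(headers):
    """Evaluate checklist items against one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    age = max_age(h)
    ray = h.get("cf-ray", "")
    return {
        "two_week_cache": age is not None and age >= TWO_WEEKS,
        # CF-Cache-Status (Cloudflare header): HIT means the edge served it.
        "served_from_edge_cache": h.get("cf-cache-status", "").upper() == "HIT",
        # CF-RAY (Cloudflare header) is "<request id>-<IATA code of the PoP>".
        "pop": ray.rsplit("-", 1)[-1] if "-" in ray else None,
    }


def fetch_headers(url):
    """Live check with strict certificate verification: a handshake error here
    means the chain presented by the edge is not one browsers will trust."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return dict(resp.headers)


# Constructed sample: a correctly cached Drupal CSS aggregate.
SAMPLE_HIT = {
    "Cache-Control": "max-age=1209600, public",
    "CF-Cache-Status": "HIT",
    "CF-RAY": "0123456789abcdef-AMS",
}
# Constructed sample: a response that bypassed the cache and lost its TTL.
SAMPLE_MISS = {"Cache-Control": "no-cache, private", "CF-Cache-Status": "DYNAMIC"}

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_static_asset(fetch_headers(url) if url else SAMPLE_HIT))
```

Run it against a CSS or JS path on each delegated hostname; a `two_week_cache` of False points at a Cache-Control header being stripped or overridden between Drupal and the Edge.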
If all goes well, you should now be ready to launch your Drupal site using Acquia Cloud Edge!