diff --git a/sites/platform/src/administration/organizations.md b/sites/platform/src/administration/organizations.md index 9b8b303b6c..677c090b49 100644 --- a/sites/platform/src/administration/organizations.md +++ b/sites/platform/src/administration/organizations.md @@ -61,7 +61,22 @@ title=Using the Console {{< /codetabs >}} -## Create a new organization +## Create a Fixed organization + +**This option is available only to {{% vendor/name %}} customers under current contracts.** + +For all other customers, all new organization types are Flex organizations, which you can create yourself by using the Console or CLI as described in [Create a Flex organization](#create-flex-organization) below. + +To create a Fixed organization, please open a [support ticket](/learn/overview/get-support.md), and indicate the following information in your ticket: + +- Indicate that you are requesting the creation of a Fixed organization. +- **Category:** Access +- **Priority:** Low / Normal (as required) +- **Description:** Make sure to include the **organization name** you would like. + +Our Support team will verify your eligibility for a Fixed organization. Once approved, a Fixed organization will be created on your behalf. Support will notify you when the organization is ready, and your ticket will be closed. + +## Create a Flex organization {#create-flex-organization} You can create new organizations with different payment methods and billing addresses and organize your projects as you want. @@ -168,8 +183,6 @@ Ideal for workloads that evolve over time or have dynamic resource requirements. {{< /note >}} -### What can you do? -When creating a new organization, users will be able to select the organization type from a drop-down option based on their preference. Once the organization is created, users can manage their organizations like they do today. ### Feature differences 
@@ -248,6 +261,7 @@ When creating a new organization, users will be able to select the organization | PCI DSS Level 1-compatible | Yes | Yes | | HIPAA | Enterprise and Elite only in specific regions | Coming soon | + ### Fixed and Flex FAQs #### What happens to my URL? diff --git a/sites/upsun/src/add-services/elasticsearch.md b/sites/upsun/src/add-services/elasticsearch.md index 9507b7d753..76faa66be8 100644 --- a/sites/upsun/src/add-services/elasticsearch.md +++ b/sites/upsun/src/add-services/elasticsearch.md @@ -13,11 +13,6 @@ See the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsea ## Supported versions -{{% note title="Premium Service" theme="info" %}} -Elasticsearch versions 7.11 or later are no longer included in any {{< vendor/name >}} plan. -You need to add it separately at an additional cost. -To add Elasticsearch, [contact Sales]({{< vendor/urlraw "sales" >}}). -{{% /note %}} You can select the major and minor version. @@ -25,6 +20,14 @@ Patch versions are applied periodically for bug fixes and the like. When you dep {{< image-versions image="elasticsearch" status="supported" environment="grid" >}} +### Enterprise edition + +{{% note title="Premium Service" theme="info" %}} +Elasticsearch versions 7.11 or later are no longer included in any {{< vendor/name >}} plan. +You need to add it separately at an additional cost. +To add Elasticsearch, [contact Sales]({{< vendor/urlraw "sales" >}}). +{{% /note %}} + ## Deprecated versions The following versions are still available in your projects for free, diff --git a/sites/upsun/src/add-services/mongodb.md b/sites/upsun/src/add-services/mongodb.md index 80efaad067..a440e531c7 100644 --- a/sites/upsun/src/add-services/mongodb.md +++ b/sites/upsun/src/add-services/mongodb.md 
@@ -21,6 +21,14 @@ When you deploy your app, you always get the latest available patches. {{< image-versions image="mongodb-enterprise" status="deprecated" environment="grid" >}} +### Enterprise edition + +{{% note title="Premium Service" theme="info" %}} +MongoDB Enterprise isn’t included in any {{< vendor/name >}} plan. +You need to add it separately at an additional cost. +To add MongoDB Enterprise, [contact Sales](https://upsun.com/contact-us/). +{{% /note %}} + ### Legacy edition Previous non-Enterprise versions are available in your projects (and are listed below), diff --git a/sites/upsun/src/domains/cdn/managed-fastly.md b/sites/upsun/src/domains/cdn/managed-fastly.md new file mode 100644 index 0000000000..cac279f13a --- /dev/null +++ b/sites/upsun/src/domains/cdn/managed-fastly.md 
@@ -0,0 +1,142 @@ +--- +title: "Managed Fastly CDN" +sidebarTitle: "Managed Fastly CDN" +weight: 2 +description: Bring your content closer to users with a Fastly CDN fully managed by {{% vendor/name %}}. +keywords: + - mTLS +--- + +Instead of starting your own Fastly subscription and [managing your CDN yourself](/domains/cdn/fastly.md), +you can take advantage of a Fastly CDN provided by {{% vendor/name %}}. +These CDNs are exclusively set up and managed by {{% vendor/name %}}. + +To modify any settings for a managed Fastly CDN, open a [support ticket](/learn/overview/get-support.md). +To add a managed Fastly CDN to your project, [contact sales](https://upsun.com/contact-us/). + +{{< note theme="Info" >}} +{{% vendor/name %}} does not write nor debug any custom VCL on Managed Fastly CDN services. +{{< /note >}} + +{{< note theme="note" title="Monitor CDN metrics">}} + +You can access a summary of your monthly traffic usage under the "Traffic this month" section at the Project level inside [Console](https://console.upsun.com/). This will help you monitor your monthly bandwidth and requests consumption. + +In this summary, you will find specific details about: + +- **Origin Bandwidth:** Data transferred from origin servers (in TB). + +- **Origin Requests:** Requests served by origin servers (in millions of requests). + +- **CDN Bandwidth & CDN Requests:** Shown if you have Fastly CDN enabled. + +This data is updated daily and will reflect your traffic usage throughout the billing period. + +{{< /note >}} + +{{< note theme="info" title="Set up traffic alerts">}} + +You can also set up consumption alerts for your resource usage. Click the Alert button in the "Traffic this month" block within [Console](https://console.upsun.com/) to configure usage thresholds. For more information, head to the [Pricing docs page](/administration/pricing.html#monthly-traffic-alerts). 
+ +{{< /note >}} + +## How Managed Fastly works + +{{% vendor/name %}}’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features. + +The Fastly CDN must be provisioned and managed by {{% vendor/name %}}. Features such as the {{% vendor/name %}} Web Application Firewall (WAF), edge rate limiting, and image optimization depend on this managed integration and cannot be used with a customer-managed Fastly account. + +Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge. + +{{< note theme="info" title="Feature dependencies">}} + +- The {{% vendor/name %}} WAF requires the {{% vendor/name %}} Managed Fastly CDN. +- Customers cannot attach the WAF to an existing third-party Fastly service. +- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace. + +{{< /note >}} + +### Domain control validation + +When you request for a new domain to be added to your Fastly service, +{{% vendor/name %}} [support](/learn/overview/get-support.md) provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification). +To add this `CNAME` record to your domain settings, +see how to [configure your DNS provider](/domains/steps/_index.md#2-configure-your-dns-provider). + +### Transport Layer Security (TLS) certificates + +By default, two [TLS certificates](/glossary/_index.md#transport-layer-security-tls) are included: an apex and a wildcard one. +This allows for encryption of all traffic between your users and your app. + +If you use a Fastly CDN provided by {{% vendor/name %}}, +you can provide your own third-party TLS certificates for an additional fee. 
+ +To do so, if you don't have one, +set up a [mount](/create-apps/image-properties/mounts.md) that isn't accessible to the web. +Use an environment with access limited to {{% vendor/name %}} support and trusted users. +[Transfer](/development/file-transfer.md) each certificate, its unencrypted private key, +and the intermediate certificate to the mount. +To notify {{% vendor/name %}} that a certificate is to be added to your CDN configuration, +open a [support ticket](/learn/overview/get-support.md). + +If you need an Extended Validation TLS certificate, +you can get it from any TLS provider. +To add it to your CDN configuration, open a [support ticket](/learn/overview/get-support.md). + +Note that when you add your own third-party TLS certificates, +you are responsible for renewing them in due time. +Failure to do so may result in outages and compromised security for your site. + +### Retrieve your Fastly API token + +The API token for your managed Fastly CDN is stored in the `FASTLY_API_TOKEN` or the `FASTLY_KEY` environment variables. + +This variable is usually set in the `/master/settings/variables` folder of your project, +and you can access it [from a shell](/development/variables/use-variables.md#access-variables-in-a-shell) +or directly [in your app](/development/variables/use-variables.md#access-variables-in-your-app). + + +## Dynamic ACL and rate limiting + +For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community. + +## Edge-level rate limiting + +{{% vendor/name %}} provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window. 
+ +Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns. + +### What Edge-level rate limiting can do + +- Protect sensitive endpoints such as `/login`, `/admin`, or checkout paths +- Limit request floods from a single IP or IP range +- Reduce application load during traffic spikes +- Enable {{% vendor/company_name %}} Support to better handle attacks or high-traffic events by throttling traffic at the edge + +Edge-level rate limiting is available as a standalone add-on (without the WAF). + + +### Configuration and defaults + +There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via {{% vendor/name %}} [Support](/learn/overview/get-support.md). + +Rules can be scoped by: + +- Request path +- Request type +- IP address or network +- Custom thresholds and actions (block, allow, log) + +### Limitations + +Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not: + +- Identify bots automatically +- Present CAPTCHA or JavaScript challenges +- Provide AI-driven mitigation + +For advanced bot and scraper protection, {{% vendor/name %}} offers separate third-party integrations. \ No newline at end of file diff --git a/sites/upsun/src/security/fasty-waf.md b/sites/upsun/src/security/fasty-waf.md new file mode 100644 index 0000000000..742aec77bf --- /dev/null +++ b/sites/upsun/src/security/fasty-waf.md 
@@ -0,0 +1,142 @@ +--- +title: Fastly WAF +description: "Find out about the offers you can choose from to subscribe to the Fastly Next-Gen Web Application Firewall (WAF) through {{% vendor/name %}}." +weight: 2 +banner: + type: tiered-feature +--- + +On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md), +you can subscribe to the Fastly Next-Gen Web Application Firewall (Next-Gen WAF) to further protect your app from security threats. + +## Available offers + +If you want to subscribe to the Fastly Next-Gen WAF through {{% vendor/name %}}, +you can choose from two offers: + +- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}}. +- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided. + +To view a list of all the features included in each offer, see the following table. + +{{< note theme="info" >}} + +Links to the official [Fastly Next-Gen WAF documentation](https://docs.fastly.com/products/fastly-next-gen-waf) are provided for reference only. +The offers described on this page have been designed specifically for {{% vendor/name %}} customers. +Included features may present limitations compared to those advertised by Fastly to their direct customers. 
+ +{{< /note >}} + +| Capability | Basic offer | Basic configurable offer | +|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|-----------------------------------| +| Available modes | Block mode only | Block, not blocking, off modes | +| [Default attack signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/using-system-signals/#attacks) | Yes | Yes | +| [Default anomaly signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/using-system-signals/#anomalies) | Yes | Yes | +| [Virtual patching](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-templated-rules/#virtual-patching-rules) | No | Yes, in block mode only | +| [Default dashboards](https://docs.fastly.com/signalsciences/using-signal-sciences/web-interface/about-the-site-overview-page/) | No | During quarterly business reviews | +| [Custom response codes](https://docs.fastly.com/signalsciences/using-signal-sciences/custom-response-codes/) | No | No | +| [Custom signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/working-with-custom-signals/) | No | No | +| [Standard API & ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-templated-rules/) | No | No | + +To subscribe to a Fastly Next-Gen WAF offer through {{% vendor/name %}}, +[contact Sales](https://upsun.com/contact-us/). + +## Next-Gen WAF Tier Comparison + +#### Basic + +- Block-only mode +- Default attack and anomaly signals enabled +- No virtual patching +- No default dashboards +- No custom signals, response codes, or API/ATO signals + +This tier is best suited for baseline protection with minimal configuration requirements. 
+ +#### Basic Configurable + +- Block, not blocking, and off modes +- Default attack and anomaly signals enabled +- Virtual patching available in block mode +- Default dashboards reviewed during quarterly business reviews +- No custom signals, response codes, or API/ATO signals + +This tier is best for customers needing custom rules, CVE protection, per-project visibility, or log integration. + +## How the Fastly Next-Gen WAF Works + +The Fastly Next-Gen WAF evaluates incoming requests using a combination of signals, conditions, actions, and thresholds. + +### Signals + +Signals classify and tag requests based on observed patterns, such as: + +- SQL injection attempts +- Cross-site scripting payloads +- Repeated 404 requests +- Known attack signatures + +Signals are informational and are not inherently “good” or “bad”. + +### Conditions + +Conditions define where and when a rule applies. Examples include: + +- Specific URL paths +- Request methods +- Geographic origin +- Presence of certain signals + +### Actions + +Actions define what happens when a rule matches (allow/log apply to the configurable offer): + +- Block the request +- Allow the request +- Log the request for analysis + +{{< note theme="info" >}} + +The Basic Next-Gen WAF offer operates in block-only mode. + +{{< /note >}} + +### Thresholds + +Thresholds define volume-based triggers. For example, block if more than `N` suspicious requests occur from the same IP within a defined time window to distinguish normal user behaviour from automated probing or attacks. + +### Virtual Patching + +Virtual patches are temporary WAF rules provided by Fastly to block known CVEs at the edge. They: + +- Protect against specific, identified vulnerabilities +- Buy time while application dependencies are patched +- Do not replace proper application updates + +{{< note theme="info" >}} + +Virtual patching is available only in the Basic Configurable Next-Gen WAF tier. 
+ +{{< /note >}} + +## Scope and Limitations + +The Fastly Next-Gen WAF mitigates many common web-based attacks, including parts of the OWASP Top 10. However, it does not replace application-level security. The WAF does not automatically protect against: + +- Weak authentication or password policies +- Insecure application design +- Business-logic flaws +- All bot or scraper traffic +- All DDoS attack types + +Some attacks are mitigated at the CDN network layer, while others require identifiable patterns that can be enforced via WAF or rate-limiting rules. + +{{< note theme="info" title="No automatic challenges">}} + +{{% vendor/name %}}’s Fastly Next-Gen WAF does not provide automatic CAPTCHA or JavaScript challenges. Traffic is evaluated using rule-based signals, thresholds, and actions configured during onboarding or [via Support](/learn/overview/get-support.md). + +{{< /note >}} + +## Configuration and enablement + +Fastly Next-Gen WAF features are not self-service. Enablement and configuration occur during customer onboarding, or via a [Support request](/learn/overview/get-support.md) after purchase.
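Review bot: In sites/platform/src/administration/organizations.md (hunk @@ -61,7 +61,22), renaming `## Create a new organization` to `## Create a Flex organization {#create-flex-organization}` removes the anchor generated from the old heading text, so existing links to that section will stop resolving. Check for inbound links, or keep the old anchor as an alias. In the new Fixed section, the list intro already says "indicate the following information" and the first bullet repeats "Indicate that you are requesting the creation of a Fixed organization", while the other three bullets are ticket fields. Folding that request into the **Description** bullet would make the list uniform. "all new organization types are Flex organizations" would also read better as "all new organizations are Flex organizations".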
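Review bot: In organizations.md (hunk @@ -248,6 +261,7), the only change is an empty line added between the end of the compliance table and `### Fixed and Flex FAQs`. It looks unintentional and is unrelated to the rest of the patch, so I would drop it.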
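Review bot: In sites/upsun/src/add-services/elasticsearch.md, the new `### Enterprise edition` heading does not match the note it now introduces: the note body talks about "Elasticsearch versions 7.11 or later" being a premium service and never mentions an Enterprise edition. Either name the heading after what the note says (for example, premium versions) or add a sentence that ties versions 7.11 and later to the edition name. Moving the note below the `image-versions` list also means readers see the supported versions before they learn these cost extra. If that is intended, a short pointer under `## Supported versions` would help.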
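Review bot: In sites/upsun/src/add-services/mongodb.md, the new `### Enterprise edition` heading is inserted after the `image-versions image="mongodb-enterprise" status="deprecated"` line, so at least that Enterprise version list sits above the heading that is meant to introduce the edition, directly before `### Legacy edition`. Consider placing the heading and note ahead of the Enterprise version lists. The sales link is also hard-coded as `https://upsun.com/contact-us/`, whereas the Elasticsearch note in this same patch uses `{{< vendor/urlraw "sales" >}}`. Using the shortcode here keeps the two notes consistent. Minor: "isn’t" uses a typographic apostrophe.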
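Review bot: In the new sites/upsun/src/domains/cdn/managed-fastly.md, the TLS section tells customers to transfer each certificate with "its unencrypted private key" to a mount but never says what happens to the key afterwards. Please add a step to delete the key material from the mount once Support confirms the certificate is installed, and say who is expected to do it. In "Retrieve your Fastly API token", the text names two variables (`FASTLY_API_TOKEN` or `FASTLY_KEY`) and then continues with "This variable", and it does not say the token should be treated as a secret. Clarifying which variable applies when, and noting that it should be kept out of logs and build output, would help. Smaller points: the first note uses `theme="Info"` where every other note uses lowercase `info`; the pricing link ends in `pricing.html` while the other internal links use `.md`; the rate-limiting article is described as being "in the Upsun Community" but the URL points to `support.platform.sh`; "optimisation" and "optimization" both appear in the same section; and the file has no newline at end of file.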
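Review bot: In the new sites/upsun/src/security/fasty-waf.md, the Basic Configurable summary ends with "best for customers needing custom rules, CVE protection, per-project visibility, or log integration", which contradicts the bullet just above it ("No custom signals, response codes, or API/ATO signals") and the table rows that list custom signals and custom response codes as "No" for both offers. Please reword that sentence to match what the tier actually includes (virtual patching, non-blocking modes, dashboards in quarterly reviews). The filename is also spelled `fasty-waf.md` rather than `fastly-waf.md`, which becomes the page path, so it is worth fixing before merge. Style: `## Next-Gen WAF Tier Comparison` is followed directly by `#### Basic`, skipping a heading level; the offer is written both as "Basic configurable" and "Basic Configurable"; and the mode is called "not blocking" in the table and bullets, where a single consistent term would read better. The tier comparison bullets also restate the table row for row, so one of the two could be dropped.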