DocumentationCommerceCommerce on Cloud Guide

Custom VCL for allowing requests

Last update: May 14, 2026

CREATED FOR:

  • Admin
  • Developer

You can use a Fastly Edge ACL list with a custom VCL code snippet to filter incoming requests and allow access by IP address. The ACL list specifies the IP addresses to allow.

Create an allowlist to limit access to your Staging environment so that only requests from specified IP addresses for internal developers and approved external services are permitted. You can also create an allowlist to secure access to the Admin on Staging and Production environments.

The following example shows how to use a custom VCL snippet with a Fastly Access Control List (ACL) to secure access to the Admin for an Adobe Commerce on cloud infrastructure project environment. When you add the custom VCL snippet to the Cloud environment, Fastly allows only requests from IP addresses included in the ACL.

TIP
For Staging and integration environments that should not be publicly accessible, use the HTTP access control option available in the Cloud Console to manage access to the entire site by IP address.

Prerequisites:

  • Seu ambiente deve ser configurado para usar o Fastly CDN. Consulte Configurar serviços do Fastly.

  • Verifique se você está executando a versão mais recente do módulo CDN Fastly para o Magento 2. Consulte Atualizar o Módulo Fastly.

  • Verifique a configuração do ambiente para o serviço Fastly. Consulte Verificar cache rápido.

  • Você deve ter credenciais de Administrador para acessar os ambientes de Preparo e Produção.

  • List of client IP addresses to include on the allowlist

Create Edge ACL for allowing client IP addresses

Edge ACLs create IP address lists for managing access to your site. In this example, you create an Edge ACL and add the list of client IP addresses allowed to access the Admin for your project environment.

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Edge ACL.

  4. Create the ACL container:

    • Click Add ACL.

    • On the ACL Container page, enter an ACL nameallowlist.

    • Select Activate after the change to deploy your changes to the version of the Fastly service configuration that you are editing.

    • Click Upload to attach the ACL to your Fastly service configuration.

  5. Add the list of IP addresses allowed to access the Admin:

    • Click the Settings icon for the allowlist ACL.

    • Add and save the IP Value for each client IP address.

    • Click Cancel to return to the system configuration page.

  6. Click Save Config.

  7. Refresh the cache according to the notification at the top of the page.

Create the custom VCL snippet to secure Admin access

The following custom VCL snippet code (JSON format) shows the logic to filter requests to the Admin and allow access if the client IP address matches an address in the allowlist ACL.

{
  "name": "allowlist",
  "dynamic": "0",
  "type": "recv",
  "priority": "5",
  "content": "if ((req.url ~ \"^/admin\") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 \"Forbidden\"; }"
}

Before creating a custom snippet from this example, review the values to determine whether you need to make any changes. Then enter each value into the respective fields, such as type into the Type field, content into the Content field.

  • name — Name for the VCL snippet. For this example, allowlist.

  • priority — Determines when the VCL snippet runs. The priority is 5 to immediately run and check whether an Admin requests are coming from an allowed IP address. The snippet runs before any of the default Magento VCL snippets (magentomodule_*) assigned a priority of 50. Set the priority for each custom snippet higher or lower than 50 depending on when you want your snippet to run. Snippets with lower priority numbers run first.

  • type — Specifies a location to insert the snippet in the versioned VCL code. This VCL is a recv snippet type which adds the snippet code to the vcl_recv subroutine below the default Fastly VCL code and above any objects.

  • content — The snippet of VCL code to run. In this example, the code filters requests to the Admin and allows access if the client IP address matches an address in the allowlist ACL. If the address does not match, the request is blocked with a 403 Forbidden error.

    If the URL for your Admin was changed, replace the sample value /admin with the URL for your environment. For example, /company-admin.

In the code sample, the condition !req.http.Fastly-FF is important when using Origin Shielding. Do not remove or edit this code.

After reviewing and updating the code for your environment, use either of the following methods to add the custom VCL snippet to your Fastly service configuration:

Add the custom VCL snippet

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. Click Create Custom Snippet.

  5. Add the VCL snippet values:

    • Nameallowlist

    • Typerecv

    • Priority5

    • Add the VCL snippet content:

      code language-conf 
      if ((req.url ~ "^/admin") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 "Forbidden";}

  6. Click Create to generate the VCL snippet file with the name pattern type_priority_name.vcl, for example recv_5_allowlist.vcl

  7. After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section to add the file to the Fastly service configuration.

  8. After the upload completes, refresh the cache according to the notification at the top of the page.

Fastly validates the updated version of the VCL code during the upload process. If the validation fails, edit the custom VCL snippet to fix the issue. Then, upload the VCL again.

Modificar o trecho de VCL personalizado

  1. Faça logon no Administrador.

  2. Clique em Lojas > Configurações > Configuração > Avançadas > Sistema.

  3. Expanda Cache de Página Inteira > Configuração Rápida > Trechos de VCL Personalizados.

    Gerenciar trechos de VCL personalizados

  4. Na coluna Ação, clique no ícone de configurações ao lado do trecho a ser editado.

  5. Depois que a página for recarregada, clique em Carregar VCL para Fastly na seção Configuração Fastly.

  6. Depois que o upload for concluído, atualize o cache de acordo com a notificação na parte superior da página.

WARNING
A opção Custom VCL snippets UI mostra apenas os trechos adicionados pelo Administrador do Adobe Commerce. Se você adicionar trechos usando a API Fastly, use a API para gerenciá-los.

Excluir o trecho de VCL personalizado

  1. Faça logon no Administrador.

  2. Clique em Lojas > Configurações > Configuração > Avançadas > Sistema.

  3. Expanda Cache de Página Inteira > Configuração Rápida > Trechos de VCL Personalizados.

    Gerenciar trechos de VCL personalizados

  4. Na coluna Ação, clique no ícone de lixeira ao lado do trecho a ser excluído.

  5. Na próxima janela modal, clique em DELETE e ative uma nova versão.

WARNING
A opção Custom VCL snippets UI mostra apenas os trechos adicionados pelo Administrador do Adobe Commerce. Se você adicionar trechos usando a API Fastly, use a API para gerenciá-los.
recommendation-more-help
commerce-on-cloud-help-cloud-guide