Understanding a managed CNAME setup

In a managed CNAME setup, you get an Acquia-managed domain that acts as the DNS target for your hostnames. This domain takes the form [codebase].acquiaedge.net where [codebase] is the name of the codebase for your application protected by Acquia Edge. You can use any hostnames specified as the Fully-Qualified Domain Name for any domains served by your application.


Managed CNAME setups are available only to new customers who started with Acquia Edge after January 1, 2021. To reference setups for pre-existing deployments, see Getting started with Acquia Edge Powered by Cloudflare.

Benefits of a managed CNAME setup

  • Proxy of “bare”/apex domains: DNS RFCs prohibit the use of a CNAME at the zone apex. Managed CNAME setups provide a dedicated IP pair that you can use to protect your bare domains. To retrieve these addresses, run a DNS query against [codebase].acquiaedge.net for the specific domain that Acquia supplied to you for your application.

  • Simplified support for “vanity” domains and redirects: You can manage any hostnames for your application in a single configuration, even if they do not share a parent in the DNS namespace.

DNS settings with a managed CNAME setup

The DNS tab is not used to manage any hostnames that you can use with Acquia Edge. You will see several Acquia-defined records resolving to your application.


Do not modify any records defined on the DNS tab unless the elastic IP addresses for your application change.

Adding custom hostnames

Custom hostnames are third-party hostnames that CNAME to your domain to receive performance and security benefits of Acquia Edge powered by Cloudflare.

  1. Confirm that the Fallback Origin status on SSL/TLS - Custom Hostnames is ACTIVE so that the system starts populating custom hostnames into your Cloudflare account.

    Fallback Origin acts as the default origin server for your hostnames, such as fallback.yoursite.acquiaedge.net. Fallback Origin is a proxied DNS record in your zone.


    If Fallback Origin is not set, contact your Account Manager or Acquia Support to have it set.

  2. Click Add Custom Hostname.

    The system displays the Add Custom Hostname section.

  3. In Custom Hostname, enter the domain for which you are creating the custom hostname.

  4. In Minimum TLS version, select TLS 1.2.


    The minimum TLS version is defined based on the hostname.

  5. In Certificate type, select Provided by Cloudflare.

    You can also use a custom certificate by selecting Custom certificate. Your custom certificate does not auto-renew so you are responsible for managing it. Acquia Edge only accepts the following types of publicly-trusted certificates:

    • SHA256WithRSA

    • SHA1WithRSA

    • ECDSAWithSHA256

    If you attempt to upload a self-signed certificate or a certificate of another type, it is rejected.

  6. In SSL certificate authority, select Google Trust Services or Let’s Encrypt.

    Acquia recommends you to use Google Trust Services or Let’s Encrypt instead of DigiCert. These certificates only last upto 90 days. However, they can be auto-renewed. For information about how to configure them to auto-renew, see Setting your SSL Certificates to Auto-Renew.

  7. In Certificate validation method, select TXT Validation.

    Acquia recommends you to select TXT Validation for initial setup. However, you can also select HTML Validation.

  8. Select the Enable wildcard checkbox.

    Acquia does not recommend Wildcard certificates as they cannot be renewed automatically. The Google Trust Services and Let’s Encrypt certificates match hostnames that you have entered.

  9. In Custom origin server, select Default origin server.

    Acquia recommends you to select Default origin server because in most cases your pair of Acquia dedicated load balancers is shared across your Acquia hosting environments. However, you can also select Custom origin server and specify its value.

  10. Click Add Custom Hostname.

Pre-validating certificates

If you use the TXT validation method, your certificates are issued before modifying DNS for any hostnames.

Acquia does not recommend you to use email validation unless you are a publicly listed administrator or webmaster in WHOIS for your domains.

After you create the custom hostname with TXT validation, Cloudflare generates two TXT records that must be added to your Authoritative DNS configuration.

  1. Add the TXT records through your Authoritative DNS provider.

  2. Verify that the Certificate status and Hostname status columns on the Custom Hostnames page display the status as Active.


Ensure that the TTL on your DNS records is as low as 5 minutes, so that this change propagates faster. It takes Cloudflare longer to validate your TXT Records depending on how long ago they were created.


The Edge Certificates section of the SSL/TLS tab is not used to view or manage any certificates for your domain in a managed CNAME setup.

Launching a domain with Cloudflare for SaaS

Prior to launch, Acquia recommends testing all DNS and SSL configurations.

To launch a domain using Cloudflare for SaaS (Managed CNAME for Acquia Edge), complete the following steps:

  1. Plan your CNAME records for launch.

    In this step, you do not update your DNS, but instead confirm that you have the correct CNAME records for your DNS update on your scheduled launch date.

    1. For each hostname, create a record in your authoritative DNS resolving to the acquiaedge.net domain for your application

      For example, for the hostname www.example.com with the codebase mysite:

      Type: CNAME
      Name: www.example.com
      Target: mysite.acquiaedge.net
    2. For any bare domains, you can use a record resolving the IP addresses returned when performing a DNS lookup against the [codebase].acquiaedge.net domain corresponding to your application.

      Type: A
      Name: example.com
  2. Sign in to your DNS provider.

  3. Add the planned records for your desired domain to your authoritative DNS provider.

  4. Verify whether the traffic is going through Acquia Edge.

Setting your SSL Certificates to Auto-Renew

After activating your hostnames you will want to ensure your Let’s Encrypt or Google Trust Services certificates will auto-renew. You can do this by changing the Validation method from TXT to HTTP post-activation. Wildcard certificates cannot be set to auto-renew. (HTTP Validation is not possible with wildcard certificates.) Note: Make sure the domain is pointing to CF. Usually it will have the CNAME record attached or it is pointing to a Cloudflare IP Address

  1. Select an activated Custom Hostname and click Edit.

  2. Change the Certificate validation method to HTTP Validation.

  3. Click Save.