---
title: "Custom Varnish configuration"
date: "2024-02-14T06:18:38+00:00"
summary: "Customize Varnish configurations on Cloud Platform Enterprise for enhanced caching and access control. Learn deployment processes, testing procedures, and ACL implementation for improved website performance."
image:
type: "page"
url: "/acquia-cloud-platform/custom-varnish-configuration"
id: "b7ac46a9-a6b5-48f1-b9ab-4c8d94e4a86d"
---

This document contains information about custom Varnish configuration for Cloud Platform Enterprise applications.

Note

Custom Varnish configurations are available only to Cloud Platform Enterprise subscriptions with [dedicated load balancers](/acquia-cloud-platform/manage-apps/infrastructure) and Site Factory customers with Technical Account Manager (TAM). CDNs do not support custom Varnish configurations.

Cloud Platform installs Varnish Cache, a caching reverse proxy, in front of all Cloud Platform load balancing infrastructure. To modify the behavior of Varnish, you must create a custom Varnish configuration using Varnish’s domain-specific programming language, [VCL](https://varnish-cache.org/docs/5.1/reference/vcl.html). For more information about how Varnish caching benefits your website, visit [Using Varnish](/acquia-cloud-platform/performance/varnish).

To deploy a custom Varnish configuration, [create a Support ticket](/service-offerings/support#contact-acquia-support). Acquia will provide you with a test balancer for one week to test your new custom VCL. However, creating and testing the custom VCL is your responsibility.

Cloud Platform Enterprise customers must [create a Support ticket](/service-offerings/support#contact-acquia-support) to request a copy of the customer-modifiable VCL, based on their contractual NDA. Acquia does not disclose the configuration of the Nginx infrastructure, as the configuration is both proprietary and subject to change without notice. Acquia Support does not provide support for specific VCL customizations.

Allowed Varnish configuration use case
--------------------------------------

The following is the only permitted use case for custom Varnish configurations in Cloud Platform:

*   _Varnish Access Control Lists (vACL)_: Allow or deny access to a website by IP address or range. Excluding based on paths is prohibited. For more information, visit [Customized ACLs on Cloud Platform](#cloud-custom-acl-reqs).

Custom Varnish configuration schedule
-------------------------------------

Acquia deploys custom Varnish configurations on a weekly schedule.

To deploy your custom Varnish configuration:

1.  [Create a Support ticket](/service-offerings/support#contact-acquia-support) to determine if one of the allowed VCL modifications is an appropriate solution for your needs.
2.  Request a copy of your current VCL from Acquia.
3.  Supply Acquia with the list of environments in front of which you want to place the test load balancer.
4.  Choose to either supply a new VCL file, or request to reinstate the default Acquia VCL, by Monday at 12:00 PM Eastern Standard Time (EST) ([convert to UTC](http://www.worldtimebuddy.com/utc-to-est-converter)).
    
    *   If you choose to supply a new VCL file, you must supply the entire VCL file, and not only the lines you want to change.
    *   If you choose to reinstate the default Acquia VCL, explicitly state this request in your Support ticket. You do not need to submit a VCL file in this case.
        
        Note
        
        VCL files on Cloud Platform must be less than 128 KB in size.
        
    
    Acquia deploys a test load balancer with the new VCL no later than 17:00 Eastern (North America) Time on Tuesday.
    
5.  Test that the new features work as expected.
    
    To test the VCL on the test load balancer, [modify the hosts file on your local machine](/acquia-cloud-platform/help/92616-using-etchosts-file-custom-domains-during-development "Using an /etc/hosts file for custom domains during development") to point to the IP address of the test load balancer.
    
6.  If you encounter any issues requiring a revised VCL, submit a revised VCL no later than 09:00 Eastern (North America) Time on Wednesday for Acquia to apply the revised VCL to the test load balancer.
7.  Complete any testing and confirm your approval no later than 15:00 Eastern (North America) Time on Wednesday.
    
    Note
    
    *   Acquia performs code reviews between 15:00 Eastern (North America) Time on Wednesday and 15:00 Eastern (North America) Time on Thursday.
    *   Acquia releases VCL files during non-peak periods. For more information, see [Acquia release schedule](#release-schedule).
    
8.  Specify your preferred window in the Support ticket for the custom VCL update.
    
    After you test and approve the custom VCL, Acquia adds it to the tasks scheduled for that maintenance window.
    

### Acquia release schedule

VCL updates restart Varnish and clear Varnish cache. To minimize disruption, Acquia releases VCL files during non-peak periods, according to the following schedule:

| Region | Data centers | Time |
| --- | --- | --- |
| Asia-Pacific and Japan \* | AP-southeast-2, AP-southeast-1, AP-northeast-1 | 19:00–20:00 UTC Thursday |
| Europe and Africa | EU-central-1, EU-west-1 | 04:00–05:00 UTC Friday |
| Americas | SA-east-1, US-east-1, CA-central-1, US-west-2 | 07:00–08:00 UTC Friday |

_\* Default window_

Customized ACLs on Cloud Platform
---------------------------------

Custom Varnish Access Control Lists (vACLs) provided as part of a custom VCL must have the following structure:

*   Multiple allowlist and denylist rules may be created for each application.
*   Individual rules may be applied to multiple domain names on multiple environments.
*   Access control rules must be organized by domain name, and must not reuse domain name references.
*   All IPv4 addresses must be requested from the customer.

Note

If a CDN is present, an Access Control List in a cVCL is not applied to cached traffic at the CDN level. If you have a CDN, ensure that you apply access restrictions through the CDN.

To configure an ACL:

1.  In the VCL file, locate the following section:
    
        ########################################################### <-- keep this line
        ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
        ########################################################### <-- keep this line
        # acl customername {                                        <-- uncomment + edit
        #   "10.10.9.1";     /* Website developer Annie.       */   <-- uncomment + edit
        #   "10.10.9.2";     /* Joe at Operations.             */   <-- uncomment + edit
        #   "10.10.10.0"/24; /* Entire team of editors.        */   <-- uncomment + edit
        #   ! "10.10.11.1";  /* Except Chris.                  */   <-- uncomment + edit
        # }                                                         <-- uncomment
        ########################################################### <-- keep this line
    
2.  Uncomment the editable lines:
    
        ########################################################### <-- keep this line
        ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
        ########################################################### <-- keep this line
        acl customername {
          "10.10.9.1";     /* Website developer Annie.       */
          "10.10.9.2";     /* Joe at Operations.             */
          "10.10.10.0"/24; /* Entire team of editors.        */
          ! "10.10.11.1";  /* Except Chris.                  */
        }
        ########################################################### <-- keep this line
    
3.  Change the name of the ACL:
    
        acl MyCustomer {
    
4.  Replace the template IP addresses with the IPv4 addresses that you want to allow:
    
        "233.163.58.255";     /* Office HQ                */
        "17.57.71.1";         /* European partner agency  */
        "238.243.52.0"/24;    /* Address range CI tooling */
    
5.  In the VCL file, locate the enforcement section:
    
        #########################################################        <-- keep this line
        ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######        <-- keep this line
        #########################################################        <-- keep this line
        # if (!req.http.X-Acquia-Request &&                              <-- uncomment
        #     std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&  <-- uncomment
        #     std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && <-- uncomment
        #     std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { <-- edit acl name
        #     return (synth(404, "Not Found"));                          <-- uncomment
        # }                                                              <-- uncomment
        #########################################################        <-- keep this line
    
6.  Uncomment the code section:
    
        #########################################################        <-- keep this line
        ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######        <-- keep this line
        #########################################################        <-- keep this line
        if (!req.http.X-Acquia-Request &&
            std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&
            std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal &&
            std.ip(req.http.client-ip, "127.0.0.2") !~ customername) {
            return (synth(404, "Not Found"));
        }
        #########################################################        <-- keep this line
    
7.  In the `std.ip(req.http.client-ip, "127.0.0.2") !~ customername) {` line, replace the text `customername` with the ACL name that you defined earlier.
8.  Save the VCL file.
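
A pre-submission check for the ACL steps above, as an added example that is not Acquia tooling: it verifies the size limit, that every ACL entry parses as an IPv4 address or range, and that the enforcement block references an ACL the file defines. The name `lint_vcl`, reading "128 KB" as 131072 bytes, and rejecting non-IPv4 entries are assumptions of this example; `acquia_acls` and `aws_internal` come from the page's template and are assumed to be defined by the platform.

```python
import ipaddress
import re

MAX_VCL_BYTES = 128 * 1024  # assumption: the page's "128 KB" read as 131072 bytes
# ACLs the page's enforcement block references but the customer does not define.
PLATFORM_ACLS = {"acquia_acls", "aws_internal"}
ACL_BLOCK = re.compile(r"^[ \t]*acl\s+(\w+)\s*\{(.*?)\}", re.S | re.M)
ACL_ENTRY = re.compile(r'"([^"]+)"(?:\s*/\s*(\d+))?\s*;')

def lint_vcl(text):
    """Return a list of problems in a customer VCL; an empty list means it passed."""
    problems = []
    if len(text.encode("utf-8")) >= MAX_VCL_BYTES:
        problems.append("file is not under 128 KB")
    # Ignore '#' comment lines (the untouched template) and /* ... */ remarks.
    active = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    active = re.sub(r"/\*.*?\*/", "", active, flags=re.S)
    defined = set()
    for name, body in ACL_BLOCK.findall(active):
        defined.add(name)
        for host, prefix in ACL_ENTRY.findall(body):
            try:
                ipaddress.IPv4Network(f"{host}/{prefix or 32}", strict=False)
            except ValueError:
                problems.append(f"acl {name}: {host!r} is not an IPv4 address or range")
    for ref in re.findall(r"!~\s*(\w+)", active):
        if ref not in defined | PLATFORM_ACLS:
            problems.append(f"enforcement check references undefined acl '{ref}'")
    return problems

# Constructed sample: ACL renamed (step 3) but step 7 skipped; one IPv6 entry.
SAMPLE_VCL = '''
# acl customername {                <-- uncomment + edit
acl MyCustomer {
  "10.10.9.1";       /* Office HQ */
  "10.10.10.0"/24;   /* Editors   */
  ! "10.10.11.1";    /* Except Chris. */
  "2001:db8::1";     /* IPv6 documentation address */
}
if (!req.http.X-Acquia-Request &&
    std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&
    std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal &&
    std.ip(req.http.client-ip, "127.0.0.2") !~ customername) {
    return (synth(404, "Not Found"));
}
'''

if __name__ == "__main__":
    print("\n".join(lint_vcl(SAMPLE_VCL)) or "OK")
```

Run it against the complete VCL file you intend to submit, since Acquia requires the entire file and not only the changed lines.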

Using Custom Varnish Configuration file with Acquia Purge
---------------------------------------------------------

If your Cloud Next application uses a Custom Varnish Configuration (cVCL) file to restrict access based on IP addresses, you might experience issues with the [Acquia Purge](https://www.drupal.org/project/acquia_purge) module. This occurs because purge requests originate from Web EIP addresses in Cloud Next. By default, such requests are blocked if you do not explicitly allowlist the Web EIPs in your cVCL.

_Workaround:_

*   Contact Acquia Support to enable Web EIPs.
    
*   Update your custom VCL to allowlist the Web EIP addresses.
    

Database backups following the VCL access list update
-----------------------------------------------------

After adding an access control list to your [Varnish configuration file](#), you may not be able to download database backups through the Cloud user interface. This happens because, in limiting access to your sites, the access control list also limits access to your Acquia default domain (such as example.prod.acquia-sites.com), which is required for database downloads to function.

To perform database backups:

1.  In the access control list of your VCL, add the IP addresses that can download backups.
2.  Perform database downloads through the Cloud API.

Related topics
--------------

*   [Varnish 5.1 Documentation](https://varnish-cache.org/docs/5.1/)
*   [Varnish headers](/acquia-cloud-platform/performance/varnish/headers)
*   [Using Varnish](/acquia-cloud-platform/performance/varnish)
*   [Introduction to Varnish](/acquia-cloud-platform/help/92646-introduction-varnish "Introduction to Varnish")
*   [Simplified VCL for Varnish](/acquia-cloud-platform/help/92916-simplified-vcl-varnish "Simplified VCL for Varnish")
*   Using an `/etc/hosts` file for [custom domains during development](/acquia-cloud-platform/help/92616-using-etchosts-file-custom-domains-during-development "Using an /etc/hosts file for custom domains during development")