Industry: Software

Location: Fulton, MD

Customer since: July 2013

Favorite Features

Instant Purge
Custom VCL
Surrogate keys

Why Fastly

Cater to Developers

About Sonatype

Sonatype is the leader in software supply chain automation, with a long history of significant contributions to the open source community. Major contributors to the Apache Maven project and distributors of the open source Nexus Repository Manager, Sonatype also operates the largest repository (known as Central or Maven Central) for Java software components — analogous to npm for JavaScript, RubyGems for Ruby, PyPI for Python, etc. This repository is where open source software developers publish libraries and modules, and where developers expect to retrieve them in order to build applications. Sonatype served over 30 billion requests for such components in 2015, and continues to add thousands of new or updated components daily.

Why Fastly

Sonatype’s solutions are critical infrastructure that developers use every day. Fastly helps provide a reliable, secure experience for Sonatype's more than 10 million users worldwide as they continue to scale, more than doubling total monthly releases, tripling bandwidth and quadrupling total request traffic.

“Fastly allows us to get into the guts of our CDN; we can quickly configure things the way we need to configure them. With other providers, configuration was totally opaque — we’d have to go through customer support to get rules changed, and that’s pretty unwieldy and not very effective. Fastly has its own API, giving us ultimate flexibility.” — Jason Swank, Technical Operations Lead

“Knock on wood, but in the more than three years we have leveraged Fastly, we’ve delivered a huge global user base 100% uptime, coincident with exceptional network performance. In short, it just works… really, really well.” — Mike Hansen, SVP Product Development and Engineering

Support during growth

The exploding growth in both the production and usage of open source software has led to corresponding scale requirements in network delivery, along with the availability requirements that come with being part of the world’s critical development infrastructure. Fastly gives Sonatype the ability to cache millions of open source components while offering the flexibility to update content instantly, ensuring those components are always available. As a result, they’ve been able to readily support the enormous and rapid growth that continues year after year.


“We’ve had zero issues with Fastly’s service. Download requests from the Central Repository have increased by 3x and request traffic by 4x, all without skipping a beat. Fastly has helped us get there.” — Jason Swank, Technical Operations Lead

100% uptime

Maven Central is a free service, sometimes making it difficult for Sonatype to gather user feedback. Developers see the service as a utility, but maintaining reliability is key to ensuring that users don’t go elsewhere.

“Fastly helps us provide extremely reliable service for developers. Being able to readily meet the expectations of 100% uptime for a free service is just awesome.” — Mike Hansen, SVP Product Development and Engineering

Varnish: transparent & open source

One of the reasons Sonatype chose Fastly is that it’s built on Varnish, the open source web accelerator. This offers the benefits of open source, which include an extensive, knowledgeable community and documentation.

“One big benefit to using Varnish is it allows us to run our own instances, letting us test things out very easily. With our previous provider, we had to wait for an engineer to make rules changes for us, so it was painful dealing with that feedback cycle.” — Jason Swank, Technical Operations Lead

Diagnosing problems in real time

Because Maven Central is used by developers around the world, it’s critical that Sonatype can look into their site health to ensure successful builds. This was challenging with their previous CDN, which didn’t offer visibility into their environment. Fastly offers real-time analytics that give Sonatype insight into events as they occur, allowing them to identify and fix security issues quickly. Sonatype streams logs to S3 endpoints to gather information and make changes as necessary.

“Being able to monitor and diagnose problems instantly was a huge selling point for Fastly. Now we can stream live syslog data, addressing problems as they happen. This is especially beneficial for security issues; by gathering together information gleaned from streaming logs, we can determine both the popularity and vulnerability of certain components. If there is a vulnerability, we can easily identify and fix it.” — Jason Swank, Technical Operations Lead

Real-time log streaming is also key to Sonatype’s commercial products, which include security mitigation, license mitigations, and popularity information.

“We have a pretty significant infrastructure around crunching data for our commercial products, and Fastly helps us streamline this process en route to our customers.” — Jason Swank, Technical Operations Lead

Surgical purging with surrogate keys

When a component changes in Sonatype’s repository, they need to effectively remove and update all related assets, including documentation, across their site. By using surrogate keys, they can tag a certain component, ensuring that all outdated versions are removed from their repository at once. This gives them precise purging while also saving time — instead of having to go through their site URL by URL, they can immediately purge all items associated with that tag.

“When there’s a new component, it’s not just releasing a new version — there’s a number of upstream things affected. When deployments happen we’re purging on a pretty regular basis. Surrogate keys let us be selective about what we’re purging, letting us update content in a very precise, surgical way.” — Jason Swank, Technical Operations Lead

Quickly implementing TLS

Sonatype users wanted increased security; they were concerned that unencrypted HTTP traffic could be tampered with, potentially compromising the applications they were building. Developers wanted Sonatype to offer Transport Layer Security (TLS) from the CDN, and Fastly worked quickly to get it implemented.

“Fastly really stepped up and implemented TLS really quickly. The onboarding process was so fast — we had everything sorted within a day or two.” — Jason Swank, Technical Operations Lead


Before they had a CDN in place, Sonatype could not really consider offering TLS because the amount of traffic they were seeing would have put a very intensive load on their origin. Their first CDN provider could not perform TLS certificate validation and was thus potentially susceptible to man-in-the-middle (MITM) attacks. With Fastly, they can validate certificates all the way through, decreasing load on origin while ensuring security for their users.