---
title: Core concepts
summary: >-
  Start with the basics and learn how Fastly lets you take advantage of the
  modern internet.
url: https://www.fastly.com/documentation/guides/concepts
---

Regardless of whether you are using [Compute](https://www.fastly.com/documentation/guides/compute) or [VCL](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl), your Fastly services need **domains** (to receive traffic), **backends** (to forward traffic onward), **TLS** (to secure connections between Fastly and end users), and **DNS** (to point your domains to Fastly).

## Setting up a backend

Backends are servers you can make requests to _from_ Fastly, usually your own servers, and are typically defined as part of your service configuration. To create a backend:

### Web interface

1. Log in to [manage.fastly.com](https://manage.fastly.com) and select the appropriate service. You can use the search box to search by ID, name, or domain.
2. Click **Edit configuration** and then select the option to clone the active version.
3. Click **Origins**.
4. If you don't see the Hosts field, click **Create a host**.
5. In the **Hosts** field, enter the hostname or IP address of your origin server.
6. Click **Add** to add your host.
7. _(Optional)_ Click the pencil icon next to the host to edit more detailed settings:
   - In **Name**, enter a derivative of the hostname (`example_com`) or the purpose of the backend (`primary_content`), using only lowercase alphanumeric characters and underscores.
   - In **Override host**, enter the same hostname as the backend's hostname.

### CLI

Use <kbd>fastly backend create</kbd> in the [Fastly CLI](https://www.fastly.com/documentation/reference/tools/cli):

````term
$ fastly backend create --version=latest --autoclone --name=example_com --address=example.com
SUCCESS: Created backend example_com (service 21eRnruIBLL4BwkKdUU11Y version 3)

### API

Use the [Backends API](/reference/api/services/backend):
```term
$ curl -i  -X POST "https://api.fastly.com/service/SU1Z0isxPaozGVKXdv0eY/version/1/backend" -H "Fastly-Key: YOUR_FASTLY_TOKEN" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "address=example.com&name=example_com&override_host=example.com&ssl_sni_hostname=example.com&ssl_cert_hostname=example.com"
````

### Vcl

In VCL services, backends can be created [using VCL code](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/working-with-custom-vcl) in custom VCL files or 'init' [VCL snippets](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/vcl-snippets/using-vcl-snippets):

```vcl
backend example_com {
  .dynamic = true;
  .share_key = "YOUR_SERVICE_ID";
  .host = "example.com";
  .port = "443";
  .ssl = true;
  .ssl_cert_hostname = "example.com";
  .ssl_check_cert = always;
  .ssl_sni_hostname = "example.com";
  .host_header = "example.com";
  .always_use_host_header = true;
}
```

For full details refer to the [`backend`](https://www.fastly.com/documentation/reference/vcl/declarations/backend) declaration in the VCL reference.

Compute services also support defining backends dynamically (at runtime). For more details and other things to consider when creating backends refer to [integrating with backend technologies](https://www.fastly.com/documentation/guides/integrations/non-fastly-services/developer-guide-backends).

## Setting up a domain

Domains [point traffic to your Fastly services](https://www.fastly.com/documentation/guides/concepts/routing-traffic-to-fastly/). To allow clients to connect to Fastly using your domain, Fastly must be able to establish a secure connection on your behalf. We have many TLS service options available (for full details consult [routing traffic to Fastly](https://www.fastly.com/documentation/guides/concepts/routing-traffic-to-fastly)), but if you are happy to use a default TLS configuration and have Fastly issue certificates on your behalf, create a TLS subscription for your domain.

To do this, clone the active version of your service, add the domain, and activate the new version. Next, add a TLS subscription for that domain to your account. Finally, configure your DNS provider or domain registrar to verify your domain ownership.

### Web interface

1. Log in to [manage.fastly.com](https://manage.fastly.com) and select the appropriate service. You can use the search box to search by ID, name, or domain.
2. Click **Edit configuration** and then select the option to clone the active version.
3. If you already have domains, click **Create domain**.
4. Enter a hostname or IP address.
5. Click **Add**.
6. From the **Activate** menu, select **Activate on Production**  to save and activate the new version of your service.
7. Click **Secure** in the top navigation bar.
8. Click **Manage certificates**. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
9. Click **Get started** if it is available. Otherwise, click the **Secure another domain** button and select **Use certificates Fastly obtains for you**.
10. In **Domain**, enter the domain name and click **Add**. If your account has access to multiple certification authorities or TLS configurations, [learn more about your options](https://www.fastly.com/documentation/guides/concepts/routing-traffic-to-fastly).
11. Click **Submit**.
12. Note the CNAME record required for verification.

### CLI

Run these commands while in the root directory of your project:

```term
# Add the domain to a new draft version of your service
$ fastly domain create --name=fastly.com --version=latest --autoclone
SUCCESS: Created domain fastly.com (service PS1Z4isxPaoZGVKVdv0eY version 3)

# Activate the new version
$ fastly service-version activate --version=latest
SUCCESS: Activated service PS1Z4isxPaoZGVKVdv0eY version 3

# Create a TLS subscription for the domain in your Fastly account
$ fastly tls-subscription create --domain=fastly.com
SUCCESS: Created TLS Subscription 'XfHLv310UUpJoEbsaJtY1Q' (Authority: lets-encrypt, Common Name: fastly.com)

# Display the subscription's challenge activation record
$ fastly tls-subscription describe --id='XfHLv310UUpJoEbsaJtY1Q' --include tls_authorizations --json
{
  "Authorizations": [{
    "Challenges": [
      {
        "RecordName": "_acme-challenge.fastly.com",
        "RecordType": "CNAME",
        "Values": [ "lxpqwv66ixn7e3bn4r.fastly-validations.com" ]
      }
    ]}
  ],
  "CertificateAuthority": "lets-encrypt",
  "Configuration": { "ID": "3TIFxmdUnUx6hOVYMHhlPg", "Type": "" },
  "Domains": [{ "ID": "fastly.com" }],
  "ID": "XfHLv310UUpJoEbsaJtY1Q",
  "State": "pending"
}
```

  The final command will produce a JSON object. The CNAME for the **verification challenge** is the record starting with `_acme-challenge`. Also note down the **TLS Configuration ID**, which is under `Configuration.ID`.

You now have the ACME challenge `CNAME` record required to prove that you own the domain. Log in to your DNS provider or domain registrar and configure the required record. For example:

- Record type: `CNAME`
- Subdomain: `_acme-challenge`
- Target host: `lxpqwv66ixn7e3bn4r.fastly-validations.com`

Fastly will periodically check for these records to be published. When verification is complete, the status of the subscription will change from "Pending verification" to "Activated".

Once the domain is activated, you can retrieve the DNS records that point traffic on your domain to Fastly:

### Web interface

1. Log in to [manage.fastly.com](https://manage.fastly.com).
2. Click **Secure** in the top navigation bar.
3. Click **Manage certificates**.
4. Find the domain you want and click **View details**.
5. Note the CNAME, A, and AAAA records.

### CLI

Using the **TLS configuration ID** that you noted down from the previous step:

```term
$ fastly tls-config describe --id="XLqo5lsrEb2FcYlE4Etpq2" --include dns_records --json
{
  "ID": "XLqo5lsrEb2FcYlE4Etpq2",
  "DNSRecords": [
    { "ID": "151.101.2.132", "RecordType": "A", "Region": "global" },
    { "ID": "151.101.66.132", "RecordType": "A", "Region": "global" },
    { "ID": "151.101.130.132", "RecordType": "A", "Region": "global" },
    { "ID": "151.101.194.132", "RecordType": "A", "Region": "global" },
    { "ID": "j.sni.global.fastly.net", "RecordType": "CNAME", "Region": "global" }
  ],
  "HTTPProtocols": [ "http/1.1", "http/2" ],
  "TLSProtocols": [ "1.2", "1.3" ]
}
```

  Note the CNAME, A and AAAA records.

Back in your DNS provider or domain registrar, add the DNS records to point your domain to Fastly.

- If the domain is a _subdomain_, such as `www.example.com` or `my-website.herokuapp.com`, use the **CNAME** records.
- If the domain is an _apex_, such as `example.com` or `example.co.uk`, use the **A** and **AAAA** records.

> **HINT:** Use subdomains if possible. We can do more resilient, faster routing if you use a CNAME with a subdomain instead of using an apex domain. [Find out more about routing traffic to Fastly](https://www.fastly.com/documentation/guides/concepts/routing-traffic-to-fastly/).

Once these records are configured, you should be able to visit your Fastly-hosted website by entering your new domain into the browser (you may need to wait some time for the DNS records to propagate across the Internet).

## Advanced concepts

Read more about all Fastly's features and technical principles:

- [Caching content with Fastly](https://www.fastly.com/documentation/guides/concepts/cache/)
- [Delivering compressed content through Fastly](https://www.fastly.com/documentation/guides/concepts/compression/)
- [Fastly-generated errors](https://www.fastly.com/documentation/guides/concepts/errors/)
- [Health checks](https://www.fastly.com/documentation/guides/concepts/healthcheck/)
- [IP-based geolocation and intelligence](https://www.fastly.com/documentation/guides/concepts/geolocation/)
- [Load balancing](https://www.fastly.com/documentation/guides/concepts/load-balancing/)
- [Points of presence](https://www.fastly.com/documentation/guides/concepts/pop/)
- [Rate limiting](https://www.fastly.com/documentation/guides/concepts/rate-limiting/)
- [Real time push messaging](https://www.fastly.com/documentation/guides/concepts/real-time-messaging/)
- [Redundancy and failover](https://www.fastly.com/documentation/guides/concepts/failover/)
- [Routing traffic to Fastly](https://www.fastly.com/documentation/guides/concepts/routing-traffic-to-fastly/)
- [Selecting a service type](https://www.fastly.com/documentation/guides/concepts/services/) - Explore the concept of Fastly services and the differences between VCL-powered delivery services and WebAssembly-powered Compute services.
- [Shielding](https://www.fastly.com/documentation/guides/concepts/shielding/)

Content served through Fastly is cached based on [freshness rules](https://www.fastly.com/documentation/guides/concepts/cache/cache-freshness) you define in `Cache-Control` headers or in the configuration of your Fastly service. Within each [Point of Presence (POP)](https://www.fastly.com/documentation/guides/concepts/pop), many servers act together in a [cluster](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/clustering-in-vcl) to provide a single large, efficient pool of cache storage.

Fastly POPs operate independently of each other and forward requests to your origin server if a request cannot be satisfied in that POP. Similar requests arriving at the same time in the same POP are [collapsed](https://www.fastly.com/documentation/guides/concepts/cache/request-collapsing) and only one is forwarded. However, using [shielding](https://www.fastly.com/documentation/guides/concepts/shielding/) you can opt to focus all origin requests from across the Fastly network to a single Fastly POP, greatly reducing origin traffic, especially if your customers are spread globally.

Our [purging](https://www.fastly.com/documentation/guides/concepts/cache/purging) system allows objects previously cached by Fastly to be marked [stale](https://www.fastly.com/documentation/guides/concepts/cache/stale) or invalidated entirely. Globally purging an object takes around 150ms.