Bukalapak accelerates migration and fortifies security with Fastly edge cloud platform

The challenge

Bukalapak faced significant operational friction with its legacy security vendor. The platform’s fragmented tooling and limited integration options made it difficult for the team to align security management with their DevOps and Infrastructure-as-Code (IaC) workflows. Configuration settings often required manual adjustments in the user interface rather than being fully automated through Terraform, slowing deployments and disrupting Bukalapak’s continuous integration and delivery (CI/CD) pipeline.

“The team also struggled with poor visibility into security events and a slow, cumbersome console that hindered quick investigation and response,” said Sugandi Tio, VP of Engineering. These challenges became increasingly burdensome as Bukalapak scaled to manage hundreds of domains and custom security rules across teams.

During migration planning, additional technical obstacles, such as oversized HTTP headers caused by the legacy provider’s tracking and session cookies, posed further risks to uptime and performance. Bukalapak needed a more flexible, developer-friendly edge platform that could streamline automation, improve visibility, and strengthen security without impacting user experience across Indonesia.

“Our legacy provider could protect us, but it wasn't designed for the kind of scale, speed and automation we required,” says Tio.

The solution

Effortless and Smooth Migration

Bukalapak chose Fastly’s edge cloud platform for its high-performance CDN, Terraform automation, next-generation Web Application Firewall (WAF), and robust observability tools. Migrating from its legacy provider gave Bukalapak greater operational control and stronger security. Bukalapak built a reusable Terraform repository skeleton for Fastly that standardized service creation and allowed teams to deploy sites by changing variables rather than rewriting configurations.

Unmatched Configurability with Fastly CDN and VCL

With Fastly’s highly configurable CDN platform, Bukalapak’s engineers gained fine-level control over their caching and request handling using the Fastly unified dashboard and Fastly Varnish Configuration Language (VCL). “The main factor is technical flexibility, with Fastly VCL affording us greater control to fine-tune caching and optimize delivery with greater precision,” says Tio.

Next-Level Outcomes with Next-Gen WAF

Bukalapak used Fastly’s ability to test services by pointing DNS in a staging/test environment before a production switch. This pre-cutover testing reduced risk. Fastly’s Next-Gen WAF and network intelligence gave Bukalapak richer dashboards and clearer attack telemetry than the prior vendor.

The improved signal correlation and detection, which were integrated into the team’s Grafana dashboards, made it easier to triage incidents and understand bot and IP-based traffic anomalies. Fastly also surfaced suspected bots and malicious IP categories, enabling Bukalapak to tune blocking and reduce false positives.

During the migration, Bukalapak encountered oversized request headers caused by duplicate tracking cookies from the legacy vendor. Engineers used VCL rules in Fastly to remove the offending cookies at the edge – a permanent fix that eliminated the proxy errors at cutover.

Results and Benefits

After the cutover, Bukalapak saw no measurable performance loss; users continued to enjoy the same experience, while the engineering team gained better control over caching. “We were also impressed by the fact that user experience did not wane because we are based out of Jakarta, Indonesia and Fastly’s point of presence (POP) is in Singapore,” said Sugandi, VP of Engineering.

The ability to test by pointing DNS to Fastly before production switch significantly reduced cutover risk and allowed the Bukalapak team to validate rules, origins and redirects in an environment that closely matched production.

Meanwhile, the reusable Terraform reduced per-site migration effort dramatically. “Building the initial repository took roughly a month; subsequent site migrations typically took around a week,” explains Tio.

Terraform integration and the ability to codify conditions and rules also removed a large amount of repetitive, manual console work. That freed the security and operations teams to focus on tuning rules and higher-value tasks.

In addition, Fastly’s WAF and threat intelligence gave Bukalapak much better visibility into attacks. “Fastly reported blocking approximately 1 million requests in a seven-day period during early monitoring, showing that the WAF was actively protecting traffic and reducing unwanted load,” says Tio.

Key takeaway

Bukalapak used Fastly to convert a risky, manual migration into an automated, testable process that delivered both operational speed and stronger attack visibility.
By standardizing deployment with a Terraform skeleton, taking advantage of Fastly’s flexibility, and using the Next-Gen WAF for richer telemetry, Bukalapak accelerated onboarding and improved security without impacting user experience.

plans to keep expanding its Terraform-driven automation and collaborate with Fastly on improving default behaviours and Terraform provider ergonomics.

“The team also intends to deepen use of Fastly’s bot detection and advanced WAF features, and to continue improving dashboards and alerting so business and security stakeholders have timely, actionable insights,” comments Tio. “Fastly helped us balance both security and developer agility while keeping performance steady during migration.”