From 61cf8a26a9716e46f4d198d49499bf6d51984d41 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 21 Apr 2026 15:24:51 +0200 Subject: [PATCH] feat(edge-services): update doc following root & wildcard domain support --- pages/edge-services/concepts.mdx | 33 +++++++-- pages/edge-services/faq.mdx | 12 +++- .../how-to/configure-custom-domain.mdx | 62 +++++++++------- .../how-to/create-pipeline-bucket.mdx | 2 +- pages/edge-services/quickstart.mdx | 37 +++++----- .../reference-content/cname-record.mdx | 71 ++++++++++++++----- .../reference-content/ssl-tls-certificate.mdx | 14 +++- .../understanding-multi-backend.mdx | 14 +++- .../troubleshooting/cname-errors.mdx | 25 ++++--- 9 files changed, 182 insertions(+), 88 deletions(-) diff --git a/pages/edge-services/concepts.mdx b/pages/edge-services/concepts.mdx index ec8c418ef1..40ea0a697d 100644 --- a/pages/edge-services/concepts.mdx +++ b/pages/edge-services/concepts.mdx @@ -17,20 +17,24 @@ Note that if an object has a caching directive, the caching directive always tak ## Certificate -The SSL/TLS certificate for your subdomain to enable Edge Services to serve content over HTTPS, if you have customized your [Edge Services endpoint](#endpoint). You can choose between uploading your own certificate held in Scaleway Secret Manager, or letting Edge Services generate a fully-managed Let's Encrypt certificate. +The SSL/TLS certificate for your custom domain to enable Edge Services to serve content over HTTPS, if you have customized your [Edge Services endpoint](#endpoint). You can choose between uploading your own certificate held in Scaleway Secret Manager, or letting Edge Services generate a fully-managed Let's Encrypt certificate. + +If you have enabled [wildcard subdomain support](#wildcard-subdomain-support), you must provide a wildcard certificate (Common Name: `*.yourdomain.com`). The Let's Encrypt managed option is not available in this case. ## CNAME record -The CNAME record pointing your subdomain to the Edge Services endpoint, if you have customized your [Edge Services endpoint](#endpoint). This is necessary to ensure that traffic for your customized subdomain is correctly directed towards the Edge Services endpoint by DNS servers. +A CNAME record pointing a **subdomain** to the Edge Services endpoint, if you have customized your [Edge Services endpoint](#endpoint) with a subdomain. This is necessary to ensure that traffic for your customized subdomain is correctly directed towards the Edge Services endpoint by DNS servers. + +Note that a CNAME record cannot be created at the root (apex) of a domain. If you are using a **root domain**, you must use an ALIAS record or Flattened CNAME instead. -Refer to [CNAME records for Edge Services](/edge-services/reference-content/cname-record/) for more information. +Refer to [DNS records for Edge Services](/edge-services/reference-content/cname-record/) for more information. ## Edge Services Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides: - A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](#origin) - A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity -- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice. +- A customizable and secure [endpoint](#endpoint) for accessing content via Edge Services, which can be set to a domain or subdomain of your choice. Read the [Edge Services Quickstart](/edge-services/quickstart/) to get started. @@ -38,7 +42,7 @@ Read the [Edge Services Quickstart](/edge-services/quickstart/) to get started. The endpoint from which a given Edge Services pipeline can be accessed, e.g. `https://pipeline-id.svc.edge.scw.cloud`. When a client requests content from the Edge Services endpoint, it is served by Edge Services and its cache, rather than from the origin (Object Storage bucket or Load Balancer backend servers) directly. Edge Services automatically manages redirection from HTTP to HTTPS. -The endpoint can be customized with a user-defined subdomain, allowing you to replace the standardized endpoint with the subdomain of a domain you already own, e.g. `http://my-own-domain.com`. An associated [certificate](#certificate), and [CNAME record](#cname-record) will be required, in this case. +The endpoint can be customized with a user-defined domain or subdomain, allowing you to replace the standardized endpoint with a domain you already own, e.g. `mycompany.com` or `blog.mycompany.com`. An associated [certificate](#certificate) and DNS record ([CNAME](#cname-record) for subdomains, or ALIAS/Flattened CNAME for root domains) will be required in this case. You can also optionally enable [wildcard subdomain support](#wildcard-subdomain-support). ## Exclusions @@ -57,6 +61,14 @@ In the case of a Load Balancer origin, the specific host for which Edge Services The origin host must be associated with the origin Load Balancer / its backend servers, and only one host may be set per pipeline. If your Load Balancer is in front of multiple hosts, you can create a separate Edge Services pipeline for each. Each host will therefore get its own Edge Services endpoint and cache. +## HOST routing condition + +A filter available when creating routing rules in a multi-backend Edge Services pipeline. The HOST condition checks the hostname of the incoming request and compares it against a given regular expression (e.g. `api[0-9]\.mycompany\.com`). Requests whose hostname matches the expression are routed to the associated backend. + +If not defined, the rule matches regardless of the request hostname. The HOST condition can be combined with [PATH and method filters](/edge-services/reference-content/understanding-multi-backend/) or used on its own. + +While the HOST condition can be set regardless of the [wildcard subdomain support](#wildcard-subdomain-support) setting, it is particularly useful when wildcard support is enabled, since in that scenario multiple different subdomains can reach the same pipeline and be routed to different backends based on the host. + ## Origin Load Balancer The Load Balancer defined by the user as origin for a given Edge Services pipeline. The pipeline connects to this Load Balancer, on the specified frontend port to request content. @@ -69,10 +81,19 @@ In the context of an Edge Services [Web Application Firewall](#waf), the paranoi -An Edge Services pipeline consists of an [origin](#origin), which Edge Services can protect from threats with a [Web Application Firewall](#web-application-firewall), and for which it also requests and [caches](#cache) content. Each pipeline also has an [endpoint](#endpoint) from which content is accessed and served via Edge Services. The pipeline's endpoint can be customized with a user-defined [subdomain](/domains-and-dns/concepts/#subdomain) and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. +An Edge Services pipeline consists of an [origin](#origin), which Edge Services can protect from threats with a [Web Application Firewall](#web-application-firewall), and for which it also requests and [caches](#cache) content. Each pipeline also has an [endpoint](#endpoint) from which content is accessed and served via Edge Services. The pipeline's endpoint can be customized with a user-defined domain or subdomain and associated [certificate](#certificate) so that Edge Services can serve content over HTTPS. You can create an Edge Services pipeline for each of your Object Storage buckets or Load Balancer origins. Note that caching and WAF can be enabled and disabled at will, so are optional parts of the pipeline, as is the customization of the endpoint. WAF is only available for Load Balancer origins, not Object Storage buckets. +## Wildcard subdomain support + +An optional setting available when [configuring a custom domain](/edge-services/how-to/configure-custom-domain/) for an Edge Services pipeline. When enabled, Edge Services exposes both the configured domain itself and any subdomain of it via this pipeline. For example, if the configured domain is `mycompany.com`, Edge Services will also serve traffic for `www.mycompany.com`, `api.mycompany.com`, and any other subdomain. + +When wildcard subdomain support is enabled: +- A [wildcard certificate](#certificate) is required (Common Name: `*.yourdomain.com`). The managed Let's Encrypt option is not available. +- No other Edge Services pipeline should be configured for any specific subdomain of the same domain, as this would result in unpredictable routing behavior. +- This setting applies to the custom domain only, not to the default Edge Services endpoint. + ## Protocol The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sending requests to an origin Load Balancer. HTTPS is recommended, but you should choose the protocol that corresponds with your Load Balancer setup. diff --git a/pages/edge-services/faq.mdx b/pages/edge-services/faq.mdx index 0078ccafa1..0f0cccc915 100644 --- a/pages/edge-services/faq.mdx +++ b/pages/edge-services/faq.mdx @@ -16,7 +16,7 @@ Edge Services is a feature for Scaleway Load Balancers and Object Storage bucket - A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin), and - A [Web Application Firewall](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity, and -- A customizable and secure endpoint for accessing content via Edge Services, which can be set to a subdomain of your choice and secured with an SSL/TLS certificate. +- A customizable and secure endpoint for accessing content via Edge Services, which can be set to a root domain or subdomain of your choice and secured with an SSL/TLS certificate. @@ -50,7 +50,15 @@ WAF can be configured via the console for Load Balancer pipelines only. To confi ### If I customize my Edge Services endpoint with my own domain, can it serve content over HTTPS? -Yes, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that subdomain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/). +Yes, if you choose to [customize your Edge Services endpoint with your own domain](/edge-services/how-to/configure-custom-domain/), you are prompted to generate or upload an SSL/TLS certificate for that domain so that Edge Services can serve content over HTTPS. This certificate can either be a Let's Encrypt certificate generated and managed by Scaleway, or you can import your own certificate. If you import your own certificate, it will be stored in Scaleway Secret Manager, and [billed accordingly](https://www.scaleway.com/en/pricing/security-and-account/). + +Note that if you enable [wildcard subdomain support](/edge-services/concepts/#wildcard-subdomain-support), the managed Let's Encrypt option is not available. You must provide a wildcard certificate (Common Name: `*.yourdomain.com`). + +### Can I expose multiple subdomains via a single pipeline? + +Yes. When [configuring a custom domain](/edge-services/how-to/configure-custom-domain/), you can enable **wildcard subdomain support**. With this option, Edge Services will serve traffic for both the configured domain itself and any subdomain of it via the same pipeline. For example, configuring `mycompany.com` with wildcard support enabled means Edge Services also handles `www.mycompany.com`, `api.mycompany.com`, and so on. + +Wildcard subdomain support requires a wildcard SSL/TLS certificate, and the managed Let's Encrypt option is not available. You should also ensure that no other Edge Services pipeline exists for any specific subdomain of the same domain, as this would lead to unpredictable routing behavior. ### Can I use WAF and caching simultaneously? diff --git a/pages/edge-services/how-to/configure-custom-domain.mdx b/pages/edge-services/how-to/configure-custom-domain.mdx index f682941473..23db516306 100644 --- a/pages/edge-services/how-to/configure-custom-domain.mdx +++ b/pages/edge-services/how-to/configure-custom-domain.mdx @@ -1,6 +1,6 @@ --- title: How to configure a custom domain for Edge Services -description: Learn how to configure an Edge Services endpoint with a custom subdomain. Access your Object Storage bucket or Load Balancer origin via your own domain name instead of the standardized endpoint. +description: Learn how to configure an Edge Services endpoint with a custom domain or subdomain. Access your Object Storage bucket or Load Balancer backend via your own domain name instead of the standardized endpoint. dates: validation: 2025-10-27 posted: 2024-07-24 @@ -14,11 +14,9 @@ import image5 from './assets/scaleway-edge-services-lb-dashboard.webp' import image6 from './assets/scaleway-edge-services-lb-dashboard.webp' -If you already own a domain, you can customize an Edge Services pipeline endpoint with a subdomain of your choice. This means you can access your Object Storage bucket or Load Balancer origin through Edge Services via your own subdomain, rather than the standardized Edge Services endpoint. +If you already own a domain, you can customize an Edge Services pipeline endpoint with a domain or subdomain of your choice. This means you can access your Object Storage bucket or Load Balancer backend through Edge Services via your own domain, rather than the standardized Edge Services endpoint. -For example, if you own `beautiful-domain.com`, you can customize the endpoint to be `whatever-i-want.beautiful-domain.com`. You must also add an SSL/TLS certificate so that Edge Services can securely serve your content via HTTPS. - -You cannot customize your endpoint with a primary domain directly (e.g. `beautiful-domain.com`), only with a subdomain of it. +For example, if you own `beautiful-domain.com`, you can customize the endpoint to be `beautiful-domain.com` itself, or a subdomain such as `whatever-i-want.beautiful-domain.com`. You must also add an SSL/TLS certificate so that Edge Services can securely serve your content via HTTPS. ## How to configure a custom domain @@ -30,16 +28,11 @@ The procedure for adding a customized endpoint is as follows: 2. In the **Endpoint** panel, click **Configure domain**. The following screen displays: - + -3. Set a subdomain from which your Object Storage bucket or Load Balancer origin will be accessible via its Edge Services pipeline. You must already own the primary domain. For example, if you own `beautiful-domain.com`, choose any subdomain you like and enter `my-chosen-subdomain.beautiful-domain.com` into the box. - - - It is **not** possible to use only a root domain (aka primary domain or apex domain), you must use a subdomain. This is because CNAME records, essential to point your domain to your Edge Services endpoint, cannot by definition be created for root domains, only for subdomains. - For example, - ✅ Use: `blog.mywebsite.com` - ❌ Don't use: `mywebsite.com`. - +3. Enter the domain from which your Object Storage bucket or Load Balancer backend will be accessible via its Edge Services pipeline. You must already own the domain. You can enter either: + - A **root domain** (apex domain), e.g. `beautiful-domain.com` + - A **subdomain**, e.g. `my-chosen-subdomain.beautiful-domain.com` 4. This step depends on whether the domain used in the previous step is managed with [Scaleway Domains and DNS](/domains-and-dns/), or an external domain provider. Choose the appropriate tab below. @@ -50,17 +43,25 @@ The procedure for adding a customized endpoint is as follows: - You [registered the domain](/domains-and-dns/how-to/register-internal-domain/) with Domains and DNS, or - You [transferred an externally-registered domain](/domains-and-dns/how-to/transfer-external-domain/) to Domains and DNS - If either of the above is true, Scaleway will auto-detect that the domain is managed by Domains and DNS, and a message will display confirming that you do not need to create a CNAME record. We will auto-generate the appropriate CNAME record in your domain's [DNS records](/domains-and-dns/how-to/manage-dns-records/), to point your subdomain to the Edge Services endpoint. This record is generated when you click `Customize domain` in step 6. + If you are using a **subdomain** and either of the above is true, Scaleway will auto-detect that the domain is managed by Domains and DNS, and a message will display confirming that you do not need to create a DNS record. We will auto-generate the appropriate CNAME record in your domain's [DNS records](/domains-and-dns/how-to/manage-dns-records/), to point your subdomain to the Edge Services endpoint. This record is generated when you click `Customize domain` in step 6. + + You should not attempt to modify or delete the auto-generated CNAME record, which will be visible among your [DNS records](/domains-and-dns/how-to/manage-dns-records/) in the Scaleway console. - You should not attempt to modify or delete the CNAME record, which will be visible among your [DNS records](/domains-and-dns/how-to/manage-dns-records/) in the Scaleway console. + + If you are using a **root domain**, Scaleway will not auto-manage the DNS record for you, even if the domain is managed with Domains and DNS. You must create the DNS record yourself. Because CNAME records cannot be created at the root of a domain, you must use an **ALIAS** record (also called a Flattened CNAME, depending on your provider). See the [DNS records for Edge Services](/edge-services/reference-content/cname-record/) documentation for more details. + - Scaleway cannot itself create the appropriate CNAME record to point your subdomain to Edge Services if your domain is managed by an external provider. You must create the CNAME record yourself. + Scaleway cannot itself create the appropriate DNS record to point your domain to Edge Services if your domain is managed by an external provider. You must create the record yourself. - Log in to your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services pipeline endpoint displayed in the Scaleway console. For help setting up CNAME records and troubleshooting any problems, [check out our dedicated documentation](/edge-services/reference-content/cname-record/). + Log in to your domain provider, and locate the DNS settings for your domain: + - If you are using a **subdomain**, create a **CNAME** record pointing your subdomain to the Edge Services pipeline endpoint displayed in the Scaleway console. + - If you are using a **root domain**, a CNAME record cannot be used at the apex of a domain. Depending on your DNS provider, you should create an **ALIAS** record or use **CNAME Flattening** instead. - Back in the Scaleway console, click the `Verify CNAME` button to check whether your CNAME record has been correctly configured. Edge Services will carry out a check, and if it is successful the following message displays: + For full details on DNS record types and troubleshooting any problems, [check out our dedicated documentation](/edge-services/reference-content/cname-record/). + + Back in the Scaleway console, click the `Verify DNS record` button to check whether your DNS record has been correctly configured. Edge Services will carry out a check, and if it is successful the following message displays: @@ -68,8 +69,17 @@ The procedure for adding a customized endpoint is as follows: -5. Provide an SSL/TLS certificate for your subdomain so that Edge Services can serve traffic for it over HTTPS. You have three options for this: - - Generate a free Let's Encrypt certificate, managed by Scaleway, including automatic renewals. +5. Optionally, enable **Wildcard subdomain support**. When enabled, Edge Services will expose both the configured domain itself and any subdomain of it via this pipeline, e.g. `beautiful-domain.com`, `www.beautiful-domain.com`, `api.beautiful-domain.com`, and so on. + + + Enabling wildcard subdomain support has the following requirements and implications: + - **Let's Encrypt certificates cannot be used.** You must provide your own wildcard certificate (Common Name: `*.beautiful-domain.com`). If a non-wildcard certificate is detected, Edge Services will display the error: _The Certificate is not a wildcard certificate and cannot match subdomains_. + - **No other pipeline should exist for any subdomain of this domain.** Since a wildcard pipeline already covers all subdomains, having another pipeline for a specific subdomain (e.g. `www.beautiful-domain.com`) would result in unpredictable behavior, with requests being randomly caught by either pipeline. + - **This setting applies to the custom domain only**, not to the default Edge Services endpoint. + + +6. Provide an SSL/TLS certificate for your domain so that Edge Services can serve traffic for it over HTTPS. You have three options for this: + - Generate a free Let's Encrypt certificate, managed by Scaleway, including automatic renewals. Note that this option is **not available** when wildcard subdomain support is enabled. - Select an existing certificate that you have stored in [Scaleway Secret Manager](/secret-manager/quickstart/). - Manually import a certificate into Scaleway Secret Manager: - Enter a name for your certificate (alphanumeric characters only) @@ -81,9 +91,9 @@ The procedure for adding a customized endpoint is as follows: For help with SSL/TLS certificates for Edge Services, and/or dealing with any errors you encounter importing a certificate into Secret Manager, see our [dedicated documentation](/edge-services/reference-content/ssl-tls-certificate/). -6. Click **Customize domain** to finish. +7. Click **Customize domain** to finish. -Your customized domain is set up, and you are returned to the Edge Services dashboard. The customized domain displays in the Endpoint panel. When you access your Object Storage or Load Balancer origin through this domain, its content will be served via Edge Services. +Your customized domain is set up, and you are returned to the Edge Services dashboard. The customized domain displays in the Endpoint panel. When you access your Object Storage or Load Balancer backend through this domain, its content will be served via Edge Services. If you chose to generate a managed Let's Encrypt certificate, allow a few minutes for the certificate to finish creating. When the process is complete and the certificate is ready, you will see a green status light for **SSL/TLS certificate** on your endpoint dashboard. @@ -102,7 +112,7 @@ After customizing your domain, you can edit it (or its certificate) at any time 2. In the **Endpoint** panel, click **Edit**. The **Edit Domain** screen displays. -3. Edit the subdomain as desired - do not forget to also set up a new CNAME record, if necessary. +3. Edit the domain as desired - do not forget to also update your DNS record, if necessary. 4. Edit your certificate options as required - choose to generate a managed Let's Encrypt certificate, managed by Scaleway including automatic renewals, or select a different certificate from Secret Manager, or manually import a new certificate for your custom domain. @@ -118,8 +128,8 @@ Even though the original Edge Services endpoint (e.g. `https://pipeline-id.svc.e 2. In the **Endpoint** panel, click **Reset**. - A screen displays, warning you that this will reset the pipeline's domain back to the default Edge Services endpoint. Edge Services will consider your customized subdomain as unknown. You should also remember to: - - Delete your CNAME record from your domain provider, unless your domain is managed with Scaleway Domains and DNS, in which case we take care of deletion for you. + A screen displays, warning you that this will reset the pipeline's domain back to the default Edge Services endpoint. Edge Services will consider your customized domain as unknown. You should also remember to: + - Delete your DNS record from your domain provider. If your domain is a subdomain managed with Scaleway Domains and DNS, we take care of this deletion for you. For root domains, or domains managed by an external provider, you must delete the record yourself. - Delete any SSL/TLS certificates you imported into Secret Manager (if no longer required elsewhere, so that you are no longer billed for it). If you generated a managed Let's Encrypt certificate however, Scaleway takes care of the deletion for you. 3. Click **Reset domain** to finish. \ No newline at end of file diff --git a/pages/edge-services/how-to/create-pipeline-bucket.mdx b/pages/edge-services/how-to/create-pipeline-bucket.mdx index 477a797016..d14bf06f1a 100644 --- a/pages/edge-services/how-to/create-pipeline-bucket.mdx +++ b/pages/edge-services/how-to/create-pipeline-bucket.mdx @@ -67,4 +67,4 @@ Once you have created an Edge Services pipeline for your bucket, you can access | `https://bucket-name.s3.nl-ams.scw.cloud` | The **Bucket settings** tab | Edge Services is bypassed when the bucket is accessed via this endpoint | | `https://pipeline-id.svc.edge.scw.cloud` | The **Edge Services** tab | Edge Services serves bucket content when this endpoint is used | -The two endpoints shown above are available as standard. However, with Edge Services, you can also choose to configure a **custom domain** from which your bucket can be accessed. Read more about this in [How to configure a custom domain](/edge-services/how-to/configure-custom-domain/). \ No newline at end of file +The two endpoints shown above are available as standard. However, with Edge Services, you can also choose to configure a **custom domain** (root domain or subdomain) from which your bucket can be accessed. Read more about this in [How to configure a custom domain](/edge-services/how-to/configure-custom-domain/). \ No newline at end of file diff --git a/pages/edge-services/quickstart.mdx b/pages/edge-services/quickstart.mdx index 7d7d1cea3f..9d89ef6efe 100644 --- a/pages/edge-services/quickstart.mdx +++ b/pages/edge-services/quickstart.mdx @@ -19,7 +19,7 @@ import image6 from './assets/scaleway-cname-success.webp' Edge Services is an additional feature for Scaleway Load Balancers and Object Storage buckets. It provides: - A [caching service](/edge-services/how-to/configure-cache/) to improve performance by reducing load on your [origin](/edge-services/concepts/#origin) - A [Web Application Firewall (WAF)](/edge-services/how-to/configure-waf/) to protect your origin from threats and malicious activity -- A customizable and secure [endpoint](/edge-services/concepts/#endpoint) for accessing content via Edge Services, which can be set to a subdomain of your choice +- A customizable and secure [endpoint](/edge-services/concepts/#endpoint) for accessing content via Edge Services, which can be set to a root domain or subdomain of your choice To use Edge Services, you must take out a subscription plan, which then enables you to create a certain number of Edge Services pipelines towards your Load Balancer origins or Object Storage buckets. @@ -113,7 +113,7 @@ You can create [pipelines](/edge-services/concepts/#pipeline) for either Object ## How to configure a custom domain -If you already own a domain, you can customize an Edge Services pipeline endpoint with a subdomain of your choice, e.g. `subdomain.mydomain.com`. This means you can access your Object Storage bucket or Load Balancer origin through Edge Services via your own subdomain rather than the standardized Edge Services endpoint. +If you already own a domain, you can customize an Edge Services pipeline endpoint with a domain or subdomain of your choice. This means you can access your Object Storage bucket or Load Balancer backend through Edge Services via your own domain rather than the standardized Edge Services endpoint. 1. In the Scaleway console, navigate to the Edge Services dashboard for the Object Storage bucket or Load Balancer pipeline whose domain you want to customize: @@ -121,16 +121,9 @@ If you already own a domain, you can customize an Edge Services pipeline endpoin 2. In the **Endpoint** panel, click **Configure domain**. The following screen displays: - + -3. Set a subdomain from which your Object Storage bucket or Load Balancer origin will be accessible via its Edge Services pipeline. You must already own the primary domain. For example, if you own `beautiful-domain.com`, choose any subdomain you like and enter `my-chosen-subdomain.beautiful-domain.com` into the box. - - - It is **not** possible to use only a root domain (aka primary domain or apex domain), you must use a subdomain. This is because CNAME records, essential to point your domain to your Edge Services endpoint, cannot by definition be created for root domains, only for subdomains. - For example, - ✅ Use: `blog.mywebsite.com` - ❌ Don't use: `mywebsite.com`. - +3. Enter the domain from which your Object Storage bucket or Load Balancer backend will be accessible via its Edge Services pipeline. You must already own the domain. You can use either a root domain (e.g. `beautiful-domain.com`) or a subdomain (e.g. `my-chosen-subdomain.beautiful-domain.com`). 4. This step depends on whether the domain used in the previous step is managed with [Scaleway Domains and DNS](/domains-and-dns/), or an external domain provider. Choose the appropriate tab below. @@ -141,17 +134,19 @@ If you already own a domain, you can customize an Edge Services pipeline endpoin - You [registered the domain](/domains-and-dns/how-to/register-internal-domain/) with Domains and DNS, or - You [transferred an externally-registered domain](/domains-and-dns/how-to/transfer-external-domain/) to Domains and DNS - If either of the above is true, Scaleway will auto-detect that the domain is managed by Domains and DNS, and a message will display confirming that you do not need to create a CNAME record. We will auto-generate the appropriate CNAME record in your domain's [DNS records](/domains-and-dns/how-to/manage-dns-records/), to point your subdomain to the Edge Services endpoint. This record is generated when you click `Customize domain` in step 6. + If you are using a **subdomain** and either of the above is true, Scaleway will auto-detect that the domain is managed by Domains and DNS, and a message will display confirming that you do not need to create a DNS record. We will auto-generate the appropriate CNAME record in your domain's [DNS records](/domains-and-dns/how-to/manage-dns-records/), to point your subdomain to the Edge Services endpoint. This record is generated when you click `Customize domain` in step 6. - You should not attempt to modify or delete the CNAME record, which will be visible among your [DNS records](/domains-and-dns/how-to/manage-dns-records/) in the Scaleway console. + You should not attempt to modify or delete the auto-generated CNAME record, which will be visible among your [DNS records](/domains-and-dns/how-to/manage-dns-records/) in the Scaleway console. + + If you are using a **root domain**, you must create the DNS record yourself (an ALIAS record or Flattened CNAME, depending on your provider), even if your domain is managed with Scaleway Domains and DNS. - Scaleway cannot itself create the appropriate CNAME record to point your subdomain to Edge Services if your domain is managed by an external provider. You must create the CNAME record yourself. + Scaleway cannot itself create the appropriate DNS record to point your domain to Edge Services if your domain is managed by an external provider. You must create the record yourself. - Log in to your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services pipeline endpoint displayed in the Scaleway console. For help setting up CNAME records and troubleshooting any problems, [check out our dedicated documentation](/edge-services/reference-content/cname-record/). + Log in to your domain provider, and locate the DNS settings for your domain. For a **subdomain**, create a CNAME record pointing it to the Edge Services pipeline endpoint. For a **root domain**, create an ALIAS record or use CNAME Flattening. For full details, [check out our dedicated documentation](/edge-services/reference-content/cname-record/). - Back in the Scaleway console, click the `Verify CNAME` button to check whether your CNAME record has been correctly configured. Edge Services will carry out a check, and if it is successful the following message displays: + Back in the Scaleway console, click the `Verify DNS record` button to check whether your record has been correctly configured. Edge Services will carry out a check, and if it is successful the following message displays: @@ -159,8 +154,8 @@ If you already own a domain, you can customize an Edge Services pipeline endpoin -5. Provide an SSL/TLS certificate for your subdomain so that Edge Services can serve traffic for it over HTTPS. You have three options for this: - - Generate a free Let's Encrypt certificate, managed by Scaleway, including automatic renewals. +5. Provide an SSL/TLS certificate for your domain so that Edge Services can serve traffic for it over HTTPS. You have three options for this: + - Generate a free Let's Encrypt certificate, managed by Scaleway, including automatic renewals. Note that this option is not available if you enable wildcard subdomain support in the next step. - Select an existing certificate that you have stored in [Scaleway Secret Manager](/secret-manager/quickstart/). - Manually import a certificate into Scaleway Secret Manager: - Enter a name for your certificate (alphanumeric characters only) @@ -174,6 +169,10 @@ If you already own a domain, you can customize an Edge Services pipeline endpoin 6. Click **Customize domain** to finish. + +You can also enable **wildcard subdomain support** when configuring your domain, allowing Edge Services to expose the configured domain and all its subdomains via this pipeline. This requires a wildcard SSL/TLS certificate. See the [full documentation](/edge-services/how-to/configure-custom-domain/) for details. + + Your customized domain is set up, and you are returned to the Edge Services dashboard. The customized domain displays in the Endpoint panel. When you access your Object Storage or Load Balancer origin through this domain, its content will be served via Edge Services. ## How to configure caching and WAF @@ -198,7 +197,7 @@ Enabling a cache and/or a **W**eb **A**pplication **F**irewall on your Edge Serv If you customized your pipeline's domain, remember to: - - Delete any CNAME records created for this pipeline from your domain provider, unless your domain is managed with Scaleway Domains and DNS, in which case we take care of deletion for you. + - Delete the DNS record created for this pipeline from your domain provider. If your domain is a subdomain managed with Scaleway Domains and DNS, we take care of this for you. For root domains, or domains managed by an external provider, you must delete the record yourself. - Delete any SSL/TLS certificates you imported into Secret Manager for this pipeline (if no longer required elsewhere), so that you are no longer billed for them. If you generated a managed Let's Encrypt certificate however, Scaleway takes care of the deletion for you. diff --git a/pages/edge-services/reference-content/cname-record.mdx b/pages/edge-services/reference-content/cname-record.mdx index a290ccefca..4823f190d4 100644 --- a/pages/edge-services/reference-content/cname-record.mdx +++ b/pages/edge-services/reference-content/cname-record.mdx @@ -1,16 +1,25 @@ --- -title: CNAME records and DNS for Edge Services -description: Learn how to set up and manage CNAME records for Scaleway Edge Services pipelines. Follow our detailed guide to configure your custom domain and enhance your cloud accessibility. -tags: edge-services pipeline cname dns +title: DNS records for Edge Services +description: Learn how to set up and manage DNS records for Scaleway Edge Services pipelines, including CNAME records for subdomains and ALIAS records for root domains. Follow our detailed guide to configure your custom domain. +tags: edge-services pipeline cname alias dns dates: validation: 2025-08-11 --- import image from './assets/scaleway-edge-services-configure-domain.webp' -This document contains information to help you successfully create a CNAME record for your customized [Edge Services](/edge-services/) domain, and troubleshoot any potential DNS problems. +This document contains information to help you successfully create the appropriate DNS record for your customized [Edge Services](/edge-services/) domain, and troubleshoot any potential DNS problems. -## What is a CNAME record? +## What type of DNS record do I need? + +The type of DNS record required depends on whether you are using a **subdomain** or a **root domain** (apex domain) for your Edge Services endpoint. + +| Domain type | Example | Record type to use | +|---|---|---| +| Subdomain | `blog.mywebsite.com` | CNAME | +| Root domain (apex) | `mywebsite.com` | ALIAS or Flattened CNAME | + +### CNAME records (for subdomains) A **C**anonical **Name** (CNAME) record is a type of [DNS record](/domains-and-dns/concepts/#dns-record). Generally, DNS records hold information for translating a domain or subdomain to an IP address, mail server or other domain/subdomain. They are crucial in directing internet traffic to the correct servers. More specifically, CNAME records map one domain name (an alias) to another (the canonical name). @@ -20,24 +29,36 @@ A CNAME record may look like the following: |----------------------------|-------------------------------| | `videos.example.com` | `otherdomain.com` | -In this case, when a DNS server sees this record for `videos.example.com` it will know not to direct traffic to `videos.example.com`'s own IP address, but to that of `otherdomain.com`. It will find `othercomain.com`'s IP address via its [A record](/domains-and-dns/reference-content/understanding-dns-records/#a-record). +In this case, when a DNS server sees this record for `videos.example.com` it will know not to direct traffic to `videos.example.com`'s own IP address, but to that of `otherdomain.com`. It will find `otherdomain.com`'s IP address via its [A record](/domains-and-dns/reference-content/understanding-dns-records/#a-record). When the client actually connects to `otherdomain.com`'s IP address, the web server can see that the requested URL was `videos.example.com`, and deliver the relevant content. -## When and why do I need to create a CNAME record for Edge Services? +### ALIAS records and Flattened CNAME (for root domains) + +By definition, a CNAME record cannot be created at the root (apex) of a domain. This is because the root domain must have an SOA record and NS records, and DNS standards do not allow other record types to coexist with those at the zone apex. + +For root domains, DNS providers offer alternative solutions that achieve the same effect as a CNAME: + +- **ALIAS record**: Supported by providers such as [Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html), DNSimple, and others. An ALIAS record at the root domain resolves to the IP address(es) of the target hostname, similarly to a CNAME. +- **CNAME Flattening**: Supported by Cloudflare and some other providers. When a CNAME is created at the root, the provider automatically "flattens" it to the resolved IP address(es), making it functionally equivalent to an A record. + +Check your DNS provider's documentation to find out which option is available to you. + +## When and why do I need to create a DNS record for Edge Services? -When you create an Edge Services pipeline to an [origin](/edge-services/concepts/#origin) (Object Storage bucket or Load Balancer), initially the origin content is served through the standard Edge Services endpoint, e.g. `pipeline-id.svc.edge.scw.cloud`. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about CNAME records. +When you create an Edge Services pipeline to a [backend](/edge-services/concepts/#origin) (Object Storage bucket or Load Balancer), initially the backend content is served through the standard Edge Services endpoint, e.g. `pipeline-id.svc.edge.scw.cloud`. If you do not want to customize the standard Edge Services endpoint, you do not need to worry about DNS records. -However, if you choose to [customize your Edge Services endpoint with your own subdomain](/edge-services/how-to/configure-custom-domain/), a CNAME record must be created to point your subdomain to the Edge Services endpoint. +However, if you choose to [customize your Edge Services endpoint with your own domain](/edge-services/how-to/configure-custom-domain/), a DNS record must be created to point your domain to the Edge Services endpoint. - - If your domain is managed with [Scaleway Domains and DNS](/domains-and-dns/quickstart/), we take care of auto-generating the appropriate CNAME record for you, as well as deleting it if and when you deactivate Edge Services. There is no action for you to take. You should not attempt to modify or delete the CNAME record (which will be visible among your Domains and DNS records in the console). - - If your domain is managed by an external provider, Scaleway is unable to create the appropriate CNAME record for you. You will be prompted, as part of the process for customizing your Edge Services domain, to create this record yourself with your domain provider. + - **Subdomain with Scaleway Domains and DNS**: If your domain is managed with [Scaleway Domains and DNS](/domains-and-dns/quickstart/), we take care of auto-generating the appropriate CNAME record for you, as well as deleting it if and when you deactivate Edge Services. There is no action for you to take. You should not attempt to modify or delete the CNAME record (which will be visible among your Domains and DNS records in the console). + - **Root domain with Scaleway Domains and DNS**: Even if your domain is managed with Scaleway Domains and DNS, we do not auto-manage DNS records for root domains. You must create the ALIAS or Flattened CNAME record yourself. + - **External provider (subdomain or root domain)**: Scaleway is unable to create the appropriate DNS record for you. You will be prompted, as part of the process for customizing your Edge Services domain, to create this record yourself with your domain provider. - + -## How to create a CNAME record +## How to create a DNS record for a subdomain -Log into your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services endpoint for your bucket or Load Balancer origin. This endpoint can be retrieved from the Scaleway console. +Log into your domain provider, and locate the DNS settings for your domain. Create a new CNAME record pointing your subdomain to the Edge Services endpoint for your bucket or Load Balancer backend. This endpoint can be retrieved from the Scaleway console. The interface used by different domain providers varies, but creating your CNAME record may look like one of the following examples: @@ -61,8 +82,24 @@ The interface used by different domain providers varies, but creating your CNAME The trailing dot at the end of the target endpoint (`pipeline-id.svc.edge.scw.cloud.`) is implicitly added by some domain and DNS providers, and must be explicitly added for others. Check with yours whether the dot is necessary. -You may also see a `TTL` field, which stands for **T**ime **T**o **L**ive. This tells the DNS resolver how long it can cache this record, before it must re-check the origin source in case something has changed. TTL is measured in seconds, and the default value is usually 12 hours (43200 seconds) or 24 hours (86400 seconds). +## How to create a DNS record for a root domain + +Log into your domain provider, and locate the DNS settings for your domain. Create an **ALIAS** record (or enable **CNAME Flattening**, depending on your provider) at the root of your domain, pointing to the Edge Services pipeline endpoint. This endpoint can be retrieved from the Scaleway console. + +The record will typically look like the following: + +| Host record | Record type | Points to | +|-------------|---------------------|----------------------------------------| +| `@` | `ALIAS` (or `ANAME`)| `pipeline-id.svc.edge.scw.cloud.` | + +If your DNS provider supports Cloudflare-style CNAME Flattening, you may instead create a CNAME record at `@`, and the provider will automatically flatten it. + + +If you are unsure which option your DNS provider supports, search their documentation for "ALIAS record", "ANAME record", or "CNAME Flattening at the apex". + + +You may also see a `TTL` field, which stands for **T**ime **T**o **L**ive. This tells the DNS resolver how long it can cache this record, before it must re-check the origin source in case something has changed. TTL is measured in seconds, and the default value is usually 12 hours (43200 seconds) or 24 hours (86400 seconds). - ## Troubleshooting DNS and subdomain errors +## Troubleshooting DNS errors -See our [dedicated documentation](/edge-services/troubleshooting/cname-errors/) for help resolving any error message you may get related to your CNAME record. \ No newline at end of file +See our [dedicated documentation](/edge-services/troubleshooting/cname-errors/) for help resolving any error message you may get related to your DNS record. \ No newline at end of file diff --git a/pages/edge-services/reference-content/ssl-tls-certificate.mdx b/pages/edge-services/reference-content/ssl-tls-certificate.mdx index 75f96820c3..f48bee0dda 100644 --- a/pages/edge-services/reference-content/ssl-tls-certificate.mdx +++ b/pages/edge-services/reference-content/ssl-tls-certificate.mdx @@ -70,10 +70,20 @@ Types of validation: Types of domain coverage: -- ✅ **Single domain certificate**. Secures a single domain or subdomain. Note that the certificate must be for `your-sub.domain.com`, where the subdomain corresponds to the [subdomain for Edge Services](/edge-services/how-to/configure-custom-domain/). A single domain certificate simply for `yourdomain.com` would not be acceptable, as it would not cover the subdomain for Edge Services. -- ✅ **Wildcard certificate**. Secures multiple subdomains for a domain, using a wildcard `*` symbol. The **Common Name** of the certificate should look like `*.yourdomain.com`. +- ✅ **Single domain certificate**. Secures a single domain or subdomain. The certificate must match the exact domain configured for Edge Services (e.g. `your-sub.domain.com` or `domain.com`). Note that if you have enabled [wildcard subdomain support](/edge-services/how-to/configure-custom-domain/), a single domain certificate is **not sufficient** — you must use a wildcard certificate. +- ✅ **Wildcard certificate**. Secures multiple subdomains for a domain, using a wildcard `*` symbol. The **Common Name** of the certificate should look like `*.yourdomain.com`. This is **required** when wildcard subdomain support is enabled on your Edge Services pipeline. - ✅ **Multi-domain (MD) / Subject Alternative Name (SAN) / Unified Communications Certificate (UCC) certificate**. Secures multiple explicitly-defined fully qualified domain names (`www.yourfirstdomain.com`, `sub.yourfirstdomain.com`, `yourfirstdomain.com`, `yourseconddomain.com`, `sub.yourseconddomain.com` etc.) +### Wildcard subdomain support and certificate requirements + +If you enable **wildcard subdomain support** on your Edge Services pipeline, the following constraints apply to your certificate: + +- **Let's Encrypt certificates (managed by Scaleway) cannot be used.** This option will be unavailable in the console when wildcard support is enabled. +- You must provide a **wildcard certificate**, with a Common Name of `*.yourdomain.com`. A certificate for `yourdomain.com` alone is not sufficient to cover its subdomains. +- If a non-wildcard certificate is detected when wildcard subdomain support is enabled, Edge Services will display the error: _The Certificate is not a wildcard certificate and cannot match subdomains_. + +For help obtaining a wildcard certificate, consult your preferred Certificate Authority or refer to the certbot documentation for a manual DNS challenge, which supports wildcard certificates. + ### PEM format certificate chain Edge Services requires that you import your certificate as a PEM-formatted certificate chain, which includes the private key. PEM format is Base64 encoded ASCII, and by definition includes lines stating `-----BEGIN x-----` and `-----END x-----`. diff --git a/pages/edge-services/reference-content/understanding-multi-backend.mdx b/pages/edge-services/reference-content/understanding-multi-backend.mdx index e9701d870a..b331274df6 100644 --- a/pages/edge-services/reference-content/understanding-multi-backend.mdx +++ b/pages/edge-services/reference-content/understanding-multi-backend.mdx @@ -16,7 +16,7 @@ import routeRulesList from './assets/scaleway-route-rules-list.webp' Routing and multi-backend for Edge Services pipelines is currently in Public Beta, and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). This feature will be coming soon to the Scaleway console. -Edge Services' new **routing** feature allows you to add **multiple backends** (previously termed **origins**) to a single pipeline, and route traffic towards them using path and method-based rules. This new setup also facilitates **separate WAF policies per backend**, so you can choose which backends need a firewall and configure different levels of protection for each. +Edge Services' **routing** feature allows you to add **multiple backends** (previously termed **origins**) to a single pipeline, and route traffic towards them using path, method, and host-based rules. This new setup also facilitates **separate WAF policies per backend**, so you can choose which backends need a firewall and configure different levels of protection for each. ## Multi-backend pipelines @@ -46,7 +46,17 @@ When creating a pipeline, you must designate a **default backend**, which receiv You can choose to add no further backends, if you only require a single-backend pipeline. In this case, you do not need to create any routing rules. -If you add more backends, you must create **route rules** in order for them to receive traffic. These rules set conditions for when requests should be routed to a specific backend, based on **URL path** and/or **HTTP method**. When creating a route rule, you can also choose whether it should send matching traffic directly to the specified backend, or to a WAF policy first, for firewall protection. +If you add more backends, you must create **route rules** in order for them to receive traffic. These rules set conditions for when requests should be routed to a specific backend, based on one or more of the following filters: + +- **PATH**: A regular expression matched against the request URL path (e.g. `^/api/.*`). +- **METHOD**: One or more HTTP methods (e.g. `GET`, `POST`). +- **HOST**: A regular expression matched against the request hostname (e.g. `api[0-9]\.mycompany\.com`). If not defined, the rule matches regardless of the hostname. + +Each filter is optional and can be used independently or in combination. When creating a route rule, you can also choose whether it should send matching traffic directly to the specified backend, or to a WAF policy first, for firewall protection. + + +The HOST filter is particularly useful when [wildcard subdomain support](/edge-services/concepts/#wildcard-subdomain-support) is enabled on the pipeline. Because multiple different subdomains can reach the same pipeline in that configuration, the HOST filter lets you route traffic to different backends based on the subdomain — for example, routing `www.mycompany.com` to a serverless container, `api.mycompany.com` to a Load Balancer, and `assets.mycompany.com` to an Object Storage bucket. + {/* */} diff --git a/pages/edge-services/troubleshooting/cname-errors.mdx b/pages/edge-services/troubleshooting/cname-errors.mdx index 3600af33d5..3a1beb8d4e 100644 --- a/pages/edge-services/troubleshooting/cname-errors.mdx +++ b/pages/edge-services/troubleshooting/cname-errors.mdx @@ -1,7 +1,7 @@ --- -title: I am experiencing problems with my Edge Services CNAME record -description: Troubleshoot issues that may arise when adding an CNAME record so that Scaleway Edge Services can serve content over HTTPS for your custom domain. -tags: edge-services custom domain cname record dns +title: I am experiencing problems with my Edge Services DNS record +description: Troubleshoot issues that may arise when adding a DNS record so that Scaleway Edge Services can serve content over HTTPS for your custom domain. +tags: edge-services custom domain cname alias record dns dates: validation: 2025-09-22 posted: 2025-03-14 @@ -10,11 +10,11 @@ import image from './assets/scaleway-edge-services-cname-error.webp' import image2 from './assets/scaleway-edge-services-dashboard-error.webp' -When setting up your customized subdomain with Edge Services, you have the option to carry out a verification check on the CNAME record (if your domain is managed with an external provider). Edge Services will query the subdomain and check that it resolves correctly to the Edge Services endpoint. If there is a problem, you will see an error message: +When setting up your customized domain with Edge Services, you have the option to carry out a verification check on the DNS record (if your domain is managed with an external provider). Edge Services will query the domain and check that it resolves correctly to the Edge Services endpoint. If there is a problem, you will see an error message: -An error message may also display at a later point from your Edge Services dashboard if a problem is detected at any point with your CNAME record or subdomain: +An error message may also display at a later point from your Edge Services dashboard if a problem is detected at any point with your DNS record or domain: @@ -22,13 +22,12 @@ The table below helps you resolve these errors: | Error message | Solution | |-------------------------------------------|---------------------------------------------------------------------| -| No CNAME record found | Make sure you have created a valid DNS record of type **CNAME** (not **A**, **AAAA** or another type), where your subdomain points to the Edge Services endpoint. | -| Incorrect CNAME | Make sure your CNAME record points to the Edge Services endpoint in the format `pipeline-id.svc.edge.scw.cloud.`, and that you have replaced `pipeline-id` with the ID of your bucket or Load Balancer's Edge Services pipeline. | -| Domain does not exist | You must own the domain name you are attempting to configure. If you do not already own the domain name, you cannot create a subdomain or CNAME record for it. Register the domain name, for example using our [Domains and DNS](/domains-and-dns/how-to/register-internal-domain/) product, then create a CNAME record for the subdomain. Otherwise, ensure you did not make a typo when entering the domain name into the Scaleway console. | -| scw.cloud is forbidden | You cannot use subdomains of the `scw.cloud` domain, as the domain is owned and managed by Scaleway and you cannot create DNS records for it. Use your own domain and subdomain. | +| No CNAME record found | If you are using a **subdomain**, make sure you have created a valid DNS record of type **CNAME** (not **A**, **AAAA** or another type), where your subdomain points to the Edge Services endpoint. If you are using a **root domain**, a CNAME record is not valid at the apex — create an **ALIAS** record or enable **CNAME Flattening** instead. See the [DNS records for Edge Services](/edge-services/reference-content/cname-record/) documentation for details. | +| Incorrect CNAME | Make sure your DNS record points to the Edge Services endpoint in the format `pipeline-id.svc.edge.scw.cloud.`, and that you have replaced `pipeline-id` with the ID of your bucket or Load Balancer's Edge Services pipeline. | +| Domain does not exist | You must own the domain name you are attempting to configure. If you do not already own the domain name, you cannot create a DNS record for it. Register the domain name, for example using our [Domains and DNS](/domains-and-dns/how-to/register-internal-domain/) product, then create the appropriate DNS record. Otherwise, ensure you did not make a typo when entering the domain name into the Scaleway console. | +| scw.cloud is forbidden | You cannot use subdomains of the `scw.cloud` domain, as the domain is owned and managed by Scaleway and you cannot create DNS records for it. Use your own domain. | | Invalid Top Level Domain | Make sure the Top-Level Domain (e.g. `.com`, `.fr`) you entered is correct. | -| Root domain not allowed | You cannot use a root domain alone to customize Edge Services (e.g. `example.com`. Make sure you use a subdomain (e.g. `blog.example.com`)) | | -| Subdomain must be a correctly-formatted, fully-qualified subdomain name | Make sure the subdomain name you entered is [correctly formatted](https://en.wikipedia.org/wiki/Domain_name#Domain_name_syntax), e.g. `foo.example.fr`. | -| Record already exists for this FQDN in your DNS zone | Choose a different subdomain, or delete the existing DNS record. | +| Domain must be a correctly-formatted, fully-qualified domain name | Make sure the domain name you entered is [correctly formatted](https://en.wikipedia.org/wiki/Domain_name#Domain_name_syntax), e.g. `foo.example.fr` or `example.fr`. | +| Record already exists for this FQDN in your DNS zone | Choose a different domain or subdomain, or delete the existing DNS record. | -Note that if your domain is managed by Scaleway Domains and DNS and you therefore have an auto-created CNAME record, you should **not** attempt to delete it or modify it in any way. Scaleway will take care of deleting the CNAME record if and when you deactivate Edge Services. +Note that if you are using a **subdomain** managed by Scaleway Domains and DNS and therefore have an auto-created CNAME record, you should **not** attempt to delete it or modify it in any way. Scaleway will take care of deleting the CNAME record if and when you deactivate Edge Services. For **root domains**, even if managed by Scaleway Domains and DNS, you are responsible for creating and deleting the DNS record yourself.