bunny.net — Overview¶
OWNER: karel
ALSO_USED_BY: stef (DNS/certs)
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: bunnynet Terraform provider (BunnyWay/bunnynet) latest
Overview¶
bunny.net is GE's CDN, WAF, DDoS protection, edge storage, and DNS provider.
European company with 119+ global PoPs and 150+ Tbps network capacity.
All client-facing traffic routes through bunny.net before hitting UpCloud origins.
Managed via Terraform using the official BunnyWay/bunnynet provider.
Product Suite in GE¶
| Product | GE Use | Page |
|---|---|---|
| CDN (Pull Zones) | Static asset delivery, origin shielding | wiki/docs/stack/bunnynet/cdn.md |
| Bunny Shield (WAF) | Web application firewall, bot detection | wiki/docs/stack/bunnynet/security.md |
| DDoS Protection | Volumetric + application-layer mitigation | wiki/docs/stack/bunnynet/security.md |
| Edge Storage | Static file storage with global replication | wiki/docs/stack/bunnynet/edge.md |
| Edge Scripting | Compute@edge, request routing | wiki/docs/stack/bunnynet/edge.md |
| Bunny DNS | Authoritative DNS with scripting | wiki/docs/stack/bunnynet/edge.md |
Why bunny.net¶
GE chose bunny.net for:
- European company — aligns with EU data sovereignty requirements
- Transparent pricing — no surprise bills, per-GB with volume discounts
- Integrated security — WAF + DDoS + bot detection in one platform
- Terraform provider — infrastructure-as-code via BunnyWay/bunnynet provider
- Edge compute — JavaScript/WASM at the edge, no separate platform needed
- No egress fees on Edge Storage — critical for cost control
Terraform Provider¶
terraform {
required_providers {
bunnynet = {
source = "BunnyWay/bunnynet"
version = "~> 0.5" # Check registry for latest
}
}
}
provider "bunnynet" {
api_key = var.bunnynet_api_key # From Vault
}
CHECK: API key comes from Vault, never hardcoded
CHECK: provider version pinned with pessimistic constraint
CHECK: .terraform.lock.hcl committed to git
IF: managing bunny.net resources
THEN: use Terraform — no manual dashboard changes for managed resources
Architecture: Traffic Flow¶
All public traffic hits bunny.net first.
bunny.net terminates TLS, applies WAF rules, serves cached content.
Cache misses are forwarded to UpCloud Managed Load Balancer (Zones 2+3)
or directly to k3s Traefik (Zone 1 dev).
GE-Specific Conventions¶
- One pull zone per client project (isolation)
- Shared pull zone for GE internal assets (wiki, admin UI)
- Bunny Shield enabled on ALL pull zones — no exceptions
- Origin Shield enabled to reduce origin load
- Cache purge via Terraform or API, never manual dashboard
- TLS certificates managed via bunny.net (free automatic SSL)
- Custom hostnames configured per client domain
Pricing¶
bunny.net pricing is per-GB with volume tiers:
| Product | Price | Notes |
|---|---|---|
| CDN (EU + NA) | ~$0.01/GB | Volume discounts available |
| Bunny Shield Basic | Free | Included with CDN |
| Bunny Shield Advanced | $9.50/month | AI WAF, advanced rules |
| Edge Storage | ~$0.005/GB/month | No egress fees |
| Edge Scripting | Usage-based | Per-request pricing |
| DNS | Free | Included with account |
CHECK: Bunny Shield Advanced is enabled for all production pull zones
CHECK: basic tier is acceptable for dev/staging
Cross-References¶
READ_ALSO: wiki/docs/stack/bunnynet/cdn.md
READ_ALSO: wiki/docs/stack/bunnynet/security.md
READ_ALSO: wiki/docs/stack/bunnynet/edge.md
READ_ALSO: wiki/docs/stack/bunnynet/pitfalls.md
READ_ALSO: wiki/docs/stack/bunnynet/checklist.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/index.md
READ_ALSO: wiki/docs/stack/kubernetes/networking.md