
bunny.net — Pitfalls

OWNER: karel
ALSO_USED_BY: stef (DNS/certs)
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: bunnynet Terraform provider (BunnyWay/bunnynet) latest


Overview

Known failure modes and sharp edges when using bunny.net CDN, Shield,
Edge Storage, and DNS in GE. Every item here has caused real issues
or near-misses. This page grows as agents discover new pitfalls.


Cache Invalidation Timing

Severity: HIGH

Cache purge is not instant. After a purge API call, content may still
be served from edge PoPs for up to 30 seconds. With Origin Shield enabled,
the shield cache adds another layer of delay.

IF: purged content still serving after 30 seconds
THEN: wait up to 60 seconds for Origin Shield cache to expire
THEN: verify purge was successful via API response code (200)

ANTI_PATTERN: purging and immediately verifying from a single PoP
FIX: wait 60 seconds, then verify from multiple locations

ANTI_PATTERN: purging the entire pull zone for a single changed file
FIX: purge specific URLs — full purge causes origin traffic spike

IF: time-critical content update (security patch, legal takedown)
THEN: purge specific URL + update origin simultaneously
THEN: set short max-age temporarily until fully propagated

ADDED_FROM: client-content-update-2026-02, stale content served for 2 minutes


Origin Overload After Purge

Severity: HIGH

Purging a large pull zone causes all 119+ PoPs to request fresh content
from origin simultaneously. This can overwhelm the origin server.

IF: full pull zone purge is necessary
THEN: ensure origin can handle the traffic spike
THEN: prefer off-peak hours for large purges
THEN: enable Origin Shield to mitigate this: only the shield fetches from origin, not every PoP

CHECK: Origin Shield is enabled before any full purge
CHECK: origin server has headroom for 10x normal traffic during purge

ANTI_PATTERN: scheduled full purges every hour "just in case"
FIX: use proper cache headers and purge only when content actually changes

ADDED_FROM: origin-overload-2026-02, UpCloud LB saturated after full purge
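Added example covering the two purge sections above (single-URL purge with a 60-second verification loop, and a guarded full purge that refuses to run without Origin Shield). This is page-local illustration, not bunny.net or GE tooling. It assumes the bunny.net API shape noted in the header comment (purge endpoints, AccessKey header, the EnableOriginShield JSON field) and that the edge serves the origin's own ETag, so ETag equality is used as the freshness signal; BUNNY_API_KEY is a placeholder.

```shell
#!/usr/bin/env bash
# Added example for this page, not bunny.net's own tooling.
# Assumptions (check against the current bunny.net API docs before relying on them):
#   - POST https://api.bunny.net/purge?url=<url> purges one URL, auth via an "AccessKey" header
#   - POST https://api.bunny.net/pullzone/<id>/purgeCache purges a whole pull zone
#   - GET  https://api.bunny.net/pullzone/<id> returns JSON containing "EnableOriginShield"
#   - the edge serves the origin's own ETag for an object, so ETag equality proves freshness
set -u

API="https://api.bunny.net"
: "${BUNNY_API_KEY:=REPLACE_WITH_ACCOUNT_API_KEY}"   # placeholder; export the real key instead

# Print one header's value from a raw response-header blob on stdin (case-insensitive, CRLF-safe).
header_value() {
  awk -v name="$1" '
    { line = $0; sub(/\r$/, "", line) }
    tolower(substr(line, 1, length(name) + 1)) == (tolower(name) ":") {
      value = substr(line, length(name) + 2)
      sub(/^[ \t]+/, "", value); print value; exit
    }'
}

# Has the purge taken effect? Edge headers on stdin must carry the origin's ETag.
# Prints "fresh" or "stale".
purge_status() {
  local expected="$1" edge_etag
  edge_etag="$(header_value ETag)"
  if [ -n "$edge_etag" ] && [ "$edge_etag" = "$expected" ]; then echo fresh; else echo stale; fi
}

# Preflight for a FULL purge: pull zone JSON on stdin, returns 0 only if Origin Shield is on,
# so that only the shield (not all 119+ PoPs) hits the origin afterwards.
shield_enabled() {
  tr -d ' \r\n' | grep -q '"EnableOriginShield":true'
}

# Purge one URL; prints the HTTP status of the API call (the page expects 200).
purge_url() {
  curl -s -o /dev/null -w '%{http_code}' -X POST -G --data-urlencode "url=$1" \
    -H "AccessKey: $BUNNY_API_KEY" "$API/purge"
}

# Poll the edge for up to 60 s (the page's Origin Shield upper bound) until it serves
# the origin's current ETag. Returns 1 if still stale at the deadline.
wait_for_fresh() {
  local url="$1" expected="$2" deadline
  deadline=$(( $(date +%s) + 60 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if [ "$(curl -sI "$url" | purge_status "$expected")" = fresh ]; then
      echo "fresh: $url"; return 0
    fi
    sleep 5
  done
  echo "still stale after 60 s: $url (check Origin Shield and the rule chain)"; return 1
}

# Recommended path: purge the specific URL, confirm the API said 200, then verify.
purge_and_verify() {
  local url="$1" origin_url="$2" expected code
  expected="$(curl -sI "$origin_url" | header_value ETag)"
  [ -n "$expected" ] || { echo "origin sends no ETag; compare Last-Modified instead"; return 1; }
  code="$(purge_url "$url")"
  [ "$code" = 200 ] || { echo "purge API returned $code"; return 1; }
  wait_for_fresh "$url" "$expected"
}

# Full purge only after the shield preflight passes.
full_purge_guarded() {
  local zone_id="$1"
  if curl -s -H "AccessKey: $BUNNY_API_KEY" "$API/pullzone/$zone_id" | shield_enabled; then
    curl -s -o /dev/null -w '%{http_code}\n' -X POST -H "AccessKey: $BUNNY_API_KEY" \
      "$API/pullzone/$zone_id/purgeCache"
  else
    echo "refusing full purge: Origin Shield is not enabled on zone $zone_id"; return 1
  fi
}
```

Source the file and call `purge_and_verify https://app.example.com/a.css https://origin.example.com/a.css` for a changed file, or `full_purge_guarded <zone_id>` when a full purge really is needed. Running `purge_and_verify` from more than one host covers the page's "verify from multiple locations" step; a single host only sees the PoP it is routed to.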


SSL Certificate Propagation

Severity: MEDIUM

Free automatic SSL certificates (via Let's Encrypt) require DNS validation.
After adding a custom hostname, certificate provisioning takes 5-15 minutes.
During this window, HTTPS requests fail.

IF: HTTPS fails on newly added hostname
THEN: wait 15 minutes for certificate provisioning
THEN: verify DNS CNAME is correctly pointed to {pullzone}.b-cdn.net

IF: certificate does not provision after 15 minutes
THEN: check DNS propagation
RUN: dig CNAME app.example.com
THEN: verify the CNAME target matches the pull zone hostname

IF: using CAA records on the domain
THEN: add letsencrypt.org to CAA allowed issuers
THEN: CAA record must be present BEFORE requesting the certificate

ANTI_PATTERN: adding hostname and immediately testing HTTPS
FIX: allow 15 minutes for certificate provisioning, test HTTP first

ADDED_FROM: ssl-provisioning-delay-2026-03, client reported "not secure" warning
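Added example for the two DNS checks in this section (CNAME target and CAA issuer), written for this page rather than taken from bunny.net or GE tooling. It assumes `dig` is installed and, as the page states, that the custom hostname must CNAME to `{pullzone}.b-cdn.net`. The CAA walk goes up the parent labels because CAA lookups climb the tree, so a record on `example.com` still governs `app.example.com`.

```shell
#!/usr/bin/env bash
# Added example for this page, not bunny.net tooling. Assumes "dig" is available and that
# the custom hostname must CNAME to <pullzone>.b-cdn.net.
set -u

# Does the CNAME answer (dig +short output on stdin) point at the expected pull zone?
# Prints "ok", "wrong-target:<seen>", or "no-cname"; non-zero status on anything but ok.
cname_check() {
  local pullzone="$1" target
  target="$(head -n 1 | sed 's/\.$//' | tr 'A-Z' 'a-z')"
  if [ -z "$target" ]; then
    echo no-cname; return 1
  elif [ "$target" = "${pullzone}.b-cdn.net" ]; then
    echo ok; return 0
  else
    echo "wrong-target:$target"; return 1
  fi
}

# Do the CAA records (dig +short CAA output on stdin) permit Let's Encrypt?
# No CAA records at all means any CA may issue; a non-empty set must name letsencrypt.org.
caa_check() {
  local records
  records="$(cat)"
  if [ -z "$records" ]; then
    echo no-caa; return 0
  elif printf '%s\n' "$records" | grep -Eq '^[0-9]+ issue(wild)? "letsencrypt\.org'; then
    echo ok; return 0
  else
    echo caa-blocks-letsencrypt; return 1
  fi
}

# Collect CAA records for the hostname and every parent domain (stops before the TLD).
caa_records() {
  local name="$1"
  while [ "$name" != "${name#*.}" ]; do
    dig +short CAA "$name"
    name="${name#*.}"
  done
}

# Run both checks for a hostname that was just added to a pull zone.
check_hostname() {
  local host="$1" pullzone="$2" cname caa rc=0
  cname="$(dig +short CNAME "$host" | cname_check "$pullzone")" || rc=1
  caa="$(caa_records "$host" | caa_check)" || rc=1
  printf 'CNAME: %s\nCAA:   %s\n' "$cname" "$caa"
  return "$rc"
}
```

Run `check_hostname app.example.com myzone` before waiting out the 15-minute provisioning window; a `wrong-target` or `caa-blocks-letsencrypt` result explains a certificate that never appears and should be fixed before the next issuance attempt.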


Pricing Gotchas

Severity: MEDIUM

Shield Advanced Billing

Bunny Shield Advanced is billed per pull zone per month ($9.50/zone).
With 20+ client projects, this adds up. Budget accordingly.

CHECK: Shield Advanced only on production pull zones
CHECK: dev/staging pull zones use Shield Basic (free)

Edge Scripting Costs

Edge Scripting is billed per request. High-traffic scripts can
generate unexpected costs.

IF: edge script handles every request
THEN: estimate monthly cost: daily_requests * 30 * per_request_price
THEN: consider using Edge Rules (free) instead for simple logic

Storage Zone Replication

Each replication region incurs additional storage cost.
Replicated data is charged per region.

CHECK: only replicate to regions where clients have actual users
CHECK: EU-only clients need EU region only — no replication

ADDED_FROM: billing-review-2026-03, 4x storage cost from unnecessary replication


Edge Rule Conflicts

Severity: MEDIUM

Edge Rules execute in order. A broad rule early in the list can
override or conflict with more specific rules later.

IF: edge rule seems to have no effect
THEN: check rule execution order
THEN: verify no earlier rule is matching the same traffic

CHECK: most specific rules are ordered FIRST
CHECK: catch-all rules are LAST

ANTI_PATTERN: adding new rules at the end without checking existing rules
FIX: review the full rule chain before adding


Origin Host Header

Severity: HIGH

If add_host_header is not set on the pull zone, bunny.net forwards
the CDN hostname (e.g., xyz.b-cdn.net) as the Host header to origin.
This causes 404s or routing errors on origins that use virtual hosts.

CHECK: add_host_header matches the origin's expected hostname
IF: origin returns 404 for valid paths
THEN: check the Host header being sent to origin
THEN: set add_host_header to the origin's hostname

ADDED_FROM: origin-404-2026-02, missing host header caused all requests to 404
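Added diagnostic for the "check the Host header being sent to origin" step. It is written for this page, not taken from bunny.net tooling, and probes the origin directly twice: once with the CDN hostname as Host (what the origin sees without add_host_header) and once with the hostname the origin expects. The classification logic is separate from the network calls so it can be checked on its own.

```shell
#!/usr/bin/env bash
# Added example for this page, not bunny.net tooling. Probes an origin directly to show
# whether it depends on the Host header (virtual hosting) and therefore needs add_host_header.
set -u

# HTTP status for a direct-to-origin request carrying an explicit Host header.
probe() {
  local origin_url="$1" host="$2"
  curl -s -o /dev/null -w '%{http_code}' -H "Host: $host" "$origin_url"
}

# Classify the origin from the two probe results:
#   $1 = status with the CDN hostname as Host, $2 = status with the expected hostname.
# Prints "needs-host-header", "host-independent", or "origin-broken".
classify_origin() {
  local with_cdn_host="$1" with_expected_host="$2"
  if [ "$with_expected_host" != 200 ]; then
    echo origin-broken        # even the right Host fails: the problem is not the header
  elif [ "$with_cdn_host" = 200 ]; then
    echo host-independent     # origin ignores Host; add_host_header is optional here
  else
    echo needs-host-header    # virtual-host origin: set add_host_header to its hostname
  fi
}

# Usage: diagnose_host_header http://203.0.113.10/ xyz.b-cdn.net app.example.com
diagnose_host_header() {
  local origin_url="$1" cdn_host="$2" expected_host="$3" a b
  a="$(probe "$origin_url" "$cdn_host")"
  b="$(probe "$origin_url" "$expected_host")"
  printf 'Host: %s -> %s\nHost: %s -> %s\n' "$cdn_host" "$a" "$expected_host" "$b"
  classify_origin "$a" "$b"
}
```

A `needs-host-header` result on a zone whose add_host_header is unset reproduces the incident in origin-404-2026-02. For an HTTPS origin, probe with `curl --resolve app.example.com:443:203.0.113.10 https://app.example.com/` instead of a raw IP so that SNI and the certificate match; a plain `-H Host:` override against an IP URL will fail the TLS handshake before the Host header matters.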


Stale-While-Revalidate Misconfiguration

Severity: LOW

bunny.net supports stale-while-revalidate, but if the origin is slow to respond,
stale content can be served for much longer than expected.

IF: content updates are not visible despite origin having new content
THEN: check if stale-while-revalidate is set too high
THEN: reduce to 60 seconds maximum for dynamic content


Terraform State Drift

Severity: MEDIUM

Changes made in the bunny.net dashboard are not reflected in Terraform state.
Running terraform apply after dashboard changes can revert those changes.

ANTI_PATTERN: making changes in the bunny.net dashboard for Terraform-managed resources
FIX: all changes via Terraform — dashboard is read-only for managed resources

IF: emergency dashboard change was necessary
THEN: update Terraform config to match the dashboard change immediately
THEN: run terraform plan to verify no drift


Cross-References

READ_ALSO: wiki/docs/stack/bunnynet/index.md
READ_ALSO: wiki/docs/stack/bunnynet/cdn.md
READ_ALSO: wiki/docs/stack/bunnynet/security.md
READ_ALSO: wiki/docs/stack/bunnynet/edge.md
READ_ALSO: wiki/docs/stack/bunnynet/checklist.md