Search
varnish-controller7    concepts    vclgroups
Varnish Controller 7 Changelog Version 7 Known Issues Upgrading Previous Versions Versioning License Features System Overview Demo Concepts Agent Router RoutingRules Git Tag Files Domain Certificates Roles VCLGroup ACME API Logs Private/Shared Config/ConfigSets Authentication System Admin Regular Users Identity Provider Sessions Examples Authorization Organization Account Permission Examples CLI CLI Examples CLI Manual User Interface API API examples Invalidations Integrations Varnish Statistics Installation Quickstart NATS PostgreSQL Brainz API-GW Agents Routers Containers Identity Provider VCLI Graphical User Interface Mapped Ports Routing Plugins gRPC Examples Deploying VCL files Change a VCL file Purging multiple paths Banning paths Using Labels Certificates HTTP Routing Routing Decisions Private Agents Debugging Multiple Regions OIDC - Microsoft Entra (Azure AD) Drain Traffic Config/ConfigSet Organizations

VCLGroup

A VCLGroup is a container of configuration that defines what and how to deploy VCL files and how to route requests via the request router. Each VCLGroup is deployed independently with its own file versions. This allows precise control, efficient deployments, and rollbacks that affect only the targeted VCLGroup.

The VCLGroup can no longer be assigned files directly via creation or modification. The files used by a VCLGroup are only applied once they have been validated and successfully compiled via deployment of the VCLGroup. Hence, the VCLGroup only contains configuration for how to deploy it. Routingrules, domains and deployment type remains the same.

A VCLGroup configuration consists of:

  • Domains - One or more domains that should be handled by Varnish and the Router.
  • TagSets - Set of tags that defines to which agents (varnish servers) the VCLGroup should be deployed to.
  • Root - True/False and defines the type of deployment (see Deployment Types).
  • TrackLatest - If automatic deployments of new file versions should be done (both git and regular files).
  • RoutingRules - The optional routingrules that defines the behavior of the request router for the domains.
  • GitConfig - Optional specification how to deploy from a git repository.

Note that RoutingRules is optional and are only used if the VCLGroup should be used with the Request Router. Same goes with the GitConfig that is only used if the VCLGroup should be managed by Git.

Domains

The domains specified in the VCLGroup will be the ones handled by Varnish if the VCLGroup is deployed as a shared deployment (default). The VCL files deployed for this VCLGroup will then get all requests for these domains. These domains are also used for request routing when the Request Router is in use. Similarly, during invalidation via the Controller, these domains are targeted for invalidation.

Tag-Sets

Tag-Sets define where a VCLGroup should be deployed (previously called deployments). A tag-set is an array of tags, and multiple tag-sets can be specified. For deployment, all tags in a tag-set must match the tags on an agent. If agents have different tag combinations, multiple tag-sets are needed to match and deploy the VCLGroup to all desired agents.

Example:

VCLGroup.TagSets: [x,y], [x,z]

Agent1: [x,z]
Agent2: [x,y,q]
Agent3: [x,y]

The TagSet consists of 2 set of tags, [x,y] and [x,z]. The first set [x,y] will match agents Agent2 and Agent3. The second set [x,z] will match Agent1. So both sets will therefore match all agents in the example and the VCLGroup will be deployed to all of them.

Deployment Types

Root Deployment

A root deployment is a deployment of only one VCLGroup toward an agent, that is, one VCL loaded into Varnish. The deployed VCLGroup will be responsible for domain routing. This is basically deploying one single VCL into Varnish.

When deploying a VCLGroup as a root deployment, the agent will not accept any other deployments to that agent. This means that any other VCLGroups that potentially could be deployed to the same agent will not validate successfully.

Shared/Cloud Deployment

The default way of deploying a VCLGroup is a none-root deployment, also known as shared/cloud deployment. This type of deployment shares a Varnish between multiple VCLGroups with different domains. The domain routing is handled automatically and for each request, the host is matched to the corresponding domain and routed to the correct VCLGroups VCL.

Track Latest

The track latest feature makes the VCLGroup automatically compile/validate and deploy the latest version of any given file. This also applies to Git managed VCLGroups. The Controller will automatically check for a new version or a new git commit and then validate on one random matching server, to make sure that the files compile correctly. Then deploy the latest versions. If it fails, the status can be seen in the Deploy Status for a VCLGroup. If it fails, the old deployed files will still be deployed.

Note that if this is enabled for a VCLGroup, as soon as a new commit or a new file version is created, it will directly try to deploy it.

RoutingRules

Routingrules is used to define how to route to the domains of the VCLGroup. See Routing Rules. Also take a look at the examples for request routing found here.

VCL Files

A VCLGroup is deployed with one or more files. These are deployed onto the Varnish servers via the Controller agent. The files are then loaded into varnish for the given VCLGroup.

Main VCL

This file must be valid VCL. The MainVCL handles all requests for the VCLGroup and is compiled and loaded into the Varnish server.

Includes

Includes can be empty. But if the MainVCL is using include statements, these included files need to be added to the Includes field of the VCLGroup. Any other files used by the VCL can also be added to the Includes field.

Varnish Enterprise,vmod_utils supports a function called lookup_file() that can be used to find files in the vcl_path. The Controller agent will load the VCL with a VCLGroup unique path set in the parameter vcl_path. Hence, using the lookup_file(), this path can be found and used to find files that has been included via the “includes” of the VCLGroup. This can be useful for reading some ACL files or other none-VCL files.

Deploy a VCLGroup

A VCLGroup can be deployed using a deploy-configuration that consists of:

  • MainVCL - The main VCL file to use
  • Includes - the included files to deploy, either used by the MainVCL or any other file that should be placed on the servers.
  • Deploy Method - All, Random or Agents (on which servers to validate the deployment)
  • Agents - List of agent IDs if Deploy Method is set of agents. These agents will be used to verify the deployment, they must have matching tags.
  • Root - If the VCLGroup should be root deployed.
  • Detached - Detaches the deployment and allows status checks using deploy-status for the VCLGroup. Without this flag, the request waits (blocks) until the deployment completes or fails.
  • GitSHA - For Git deployments, which Git SHA (commit/tag) to use for the deployment. With GitSHA specified, there is no need to specify includes or main VCL.

A deployment is applied to a VCLGroup only if it validates and compiles successfully. If the Random method is used (default), a random matching agent is selected to compile the VCL files. If All is used, all matching agents will compile the VCL files. This runs in parallel but may take longer depending on agent server load. If Agents is specified with a list of agents, compilation occurs only on those agents, provided the VCLGroup matches their tags.

Example of a deploying with detached:

# Deploy an existing VG with ID 1 (will return immediately)
vcli vg deploy 1 --vcl 1 -d

# Check compile status
vcli vg status 1

# Check deployment state on agents (available when the compile succeeded)
vcli vg state 1

# Verify/Compile on a given set of agents (specified with IDs)
# This will NOT deploy, only compile given files.
# --vcl: MainVCL with ID 1 and version 2
# --includes: File with ID 2 (latest versions) and file with ID 3 and version 1
# --validate: on agents with ID 1,2,3 (only matching agents will be used of the given ones)
vcli vg compile 1 --vcl 1:2 --includes 2,3:1 --validate agents=1,2,3

# Same as above but only compile on a random matching agent (default)
vcli vg compile 1 --vcl 1:2 --includes 2,3:1 --validate random

# Same as above but compile on ALL matching agents
vcli vg compile 1 --vcl 1:2 --includes 2,3:1 --validate all

# Compile can be exchanged with deploy, where an actual deploy will be made
# if the validation/compilation succeeds.
vcli vg deploy 1 --vcl 1:2 --includes 2,3:1 --validate agents=1,2,3
vcli vg deploy 1 --vcl 1:2 --includes 2,3:1 --validate random
vcli vg deploy 1 --vcl 1:2 --includes 2,3:1 --validate all

A successful deployment of a VCLGroup sets the deployed files as the MainVCL and Includes for that VCLGroup. These are updated only through a deploy or rollback and cannot be manually modified.

If a VCLGroups is undeployed and deployed again, it will use the same files as previously deployed.

# Undeploy a deployed VCLGroup
vcli vg undeploy 1

# Redeploy the VCLGroup with last deployed files.
# A compilation/validation will be made beforehand on a random matching agent.
vcli vg deploy 1

Reload

Reloading a VCLGroup triggers re-compilation of its VCL files on all agents where it is deployed. This can be used to refresh things like DNS lookups defined in the VCL files.

Agent states

Agent states of a VCLGroup show the current status for each agent it can be deployed to. To view deployment details for a specific Varnish server, check the agent states of the VCLGroup.This displays the deployment status for that server and any errors that may have occurred.

Rollback

Rollback of a VCLGroup only applies to the files that has been deployed for the VCLGroup. Every time a VCLGroup is successfully deployed a deploy log entry will be created for the VCLGroup that specifies which files and versions that are currently deployed. The rollback will basically take the previous deploy log entry and apply these files back to the VCLGroup. The Controller will before re-applying the previous deployment verify that it can still be deployed and will compile/validate the files on a random matching server before deploying to all matching servers. A rollback will also create a deploy log entry with the deployed files.

Deploy Logs

A deploy log contains the MainVCL and includes that where used when the VCLGroup was successfully deployed. It also contains a created timestamp to show when the deploy log was created (hence, when the deployment were successfully performed). Deploy logs are tied to a certain VCLGroup.

A rollback can be performed on any deploy log entry for the VCLGroup. When performing a rollback the ID of the deploy log entry can be specified to rollback to that specific deploy log entry.

Examples

# List deploy log entries for a VCLGroup with ID 1
vcli vg deploylogs 1

# Rollback a deployed VCLGroup with ID 1 to the previous deployed files.
vcli vg rollback 1

# Rollback a deployed VCLGroup with ID 1 to the deploy log entry with ID 2
vcli vg rollback 1 -l 2

# Remove a old deploy log entry with ID's 1, 2 and 3 for VCLGroup 1
vcli vg deploylogs 1 -d 1,2,3
Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
Packages
Docker
News
Varnish Controller 7.0.0
Varnish Enterprise vulnerability in MSE4 when handling range requests
HTTP/1 client-side desync vulnerability
Varnish Controller 6.6.8
Container images updated to Debian bookworm
News archive
Cookie Settings Privacy Policy Contact Us Press Branding
®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203