About locations
A location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or your company headquarters. A location allows you to implement Zero Trust architecture by segmenting your network into multiple microperimeters. Locations are secured with āSIAā policy. For more information on policies, see About policies.
Organizations can also configure a dynamic DNS domain name for a location. For more information, see Dynamic DNS.
āSIAā includes a default location for unidentified IP addresses. This location applies to roaming users or users who are usually remote and make DNS requests from unexpected IP addresses. The Unidentified IPs location is not configured with any IP address or CIDRs. You also cannot edit this location.
From the Locations page, you can add, edit, and delete locations. You can also select whether to allow or block traffic from the Unidentified IPs location.
When creating a location, remember:
-
You need to provide the public IP address of your AD or other local DNS server that is used to communicate with āSIAā.
-
You cannot assign a location IP address to other āSIAā locations in your network.
-
You cannot configure a location with an IP address that is claimed or used by another organization. If you believe your organization owns an IP address that you cannot configure as a location, contact āAkamaiā Support.
-
For a location, āSIAā currently supports a maximum CIDR block of /16 for IPv4 and /48 for IPv6.
-
A location configuration requires a policy assignment. If you do not assign a policy to the location, the location is automatically assigned to the default policy. You can assign the same policy to multiple locations or you can create different policies for locations in your network.
-
You can associate a sub-location to a location configuration. For more information, see Sub-locations.
When you create, modify, or delete a location or sub-location, you need to deploy these updates to the āSIAā network. Changes to location settings, as well as other configuration settings such as policies or custom lists, are captured in the Pending Changes window for you to review. After you click the deploy button, the deploy operation typically completes in 20-30 seconds.
An enterprise can add a maximum of 7,000 CIDR entries for locations or sub-locations. If your organization needs to add more CIDR entries, contact your āAkamaiā representative.
Sub-locations
āSecure Internet Access Enterpriseā also allows you to define sub-locations. Sub-locations are associated with locations. A sub-location represents a segment in your network that's routed to the Internet with the same IP address as the parent location. You can assign a different policy to a location and its sub-locations, allowing you to define granular access to segments of your network.
When creating a sub-location, note that:
-
You can configure sub-locations with IPv4 in the private address space (RFC 1918) and with IPv6 as long as they use site-local (fec0::/10) and unique local addresses (fc00::/7).
-
Internal IP masking when creating sub-locations is enabled by default. You can configure sub-locations with a subnet thatās up to /28 for IPv4 or /56 for IPv6. You can disable this option to configure addresses with a subnet thatās up to /32 for IPv4 or /128 for IPv6.
-
Multiple sub-locations can use the same IP address as long as they are associated with different locations.
-
You can deploy a sub-location in a separate deployment from the parent location.
-
If a sub-location consumes too many resources, for example, as a result of too many connections, a rate limit is triggered on the sub-location. The rate limit may also be triggered on the parent location and other associated sub-locations to avoid latency issues or service interruption. To resolve this issue, you can configure the sub-location as a location with a new public IP address. This ensures that the rate limit is applied only to the new location and it's not applied to the original location or the other sub-locations.
-
If you do not assign a policy to a sub-location, the policy of the parent location is automatically assigned.
-
If there is a conflict between the policy that's assigned to a location and sub-location, the policy action for the location takes precedence only when it applies the bypass or block action to a domain.
-
You cannot assign a sub-location while you're configuring or managing a policy. You can only assign a policy to a sub-location while creating or managing a sub-location on the Locations page.
-
If your organization uses HTTP Forwarder, make sure you enable the proxy in all policies that are associated with the sub-location and the location. Without enabling the proxy, the forwarder directs traffic from the sub-location to the origin.
Dynamic DNS
Dynamic DNS (DDNS) providers allow organizations to register IP addresses that change dynamically with a persistent DNS hostname. Some organizations cannot use static IP addresses from their Internet service provider (ISP) and instead rely on IP addresses that are assigned dynamically and change from time to time.
If your Internet connection uses dynamic IP addresses, you can use a dynamic DNS provider to assign a permanent DNS hostname for a location. When the IP address changes, your router can then communicate with the dynamic DNS provider and update that hostname with the associated dynamic IP addresses.
By configuring a location with a hostname that's registered with the dynamic DNS provider, āSIAā can detect when the IP address assigned to your location is changed by the ISP.
The Location page alerts administrators when a location is assigned a domain that no longer resolves to a valid IP address. Administrators can also see if there is a problem with resolution when creating or modifying a location with dynamic DNS. Errors occur when no response is detected from the IP address or a domain resolves to a private or reserved IP address.
To see which locations generate invalid DNS errors, administrators can download a spreadsheet with these locations and configure a user to receive an email notification for system issues. On the Locations page, administrators can download a spreadsheet that contains locations with invalid DNS entries. You can use this spreadsheet to identify the location configurations that require immediate attention. If an āSIAā user or administrator is configured to receive email notifications for system issues, the user or administrator receives a notification that lists locations with invalid DNS entries.
To resolve these issues, administrators can update the location configuration or they can correct the dynamic DNS entries registered with the dynamic DNS provider.
Considerations
āSIAā resolves dynamic IP addresses every 24 hours. While most ISPs allocate IP addresses for a long period of time, there may be a window of time when the IP address changes before āSIAā discovers it. If this occurs, the default policy applies. Until the new IP address is discovered, events and network traffic are reported under the Unidentified IPs location.
Make sure your dynamic DNS hostname resolves to an IP address that is not specified in another āSIAā location.
Updated about 1 month ago