To understand this API and the data it exchanges, familiarize yourself with these concepts:

  • Policy domains. Policy domains are administrative partitions within IP Protect. Partitioning enables Policy Domain A to have a different configuration and a different set of administrators than Policy Domain B. Currently, the Akamai services team creates policy domains for you. When Akamai creates a policy domain, values are also set for the number of virtual IP addresses available for use, and the number of ports you can configure on those addresses.

  • Virtual IP addresses. When you subscribe to IP Protect, Akamai assigns a set of virtual IP addresses that you match to your internal web servers. For example, you might map the virtual IP address 192.168.1.1 to your internal IP address 10.0.0.1. By modifying DNS records, you then direct incoming Internet traffic to the VIP address 192.168.1.1 instead of your internal address. The virtual IP address receives the incoming traffic and routes that traffic through an Akamai scrubbing center. The scrubbing center removes any DDoS packets and then forwards the sanitized traffic to your internal servers by using an Akamai Management IP address. That's the good news. The even better news? This routing and rerouting adds an average of just six milliseconds to a web transaction.

    Note that compliance and security concerns require you to keep virtual IP addresses for the length of your contract. There's no way to return unused or unneeded virtual IP addresses without engaging your Akamai account team.

  • Back-end IPs. IP addresses of the servers and subnets on your internal network. Administrators match each Akamai virtual IP address to one of your back-end IP addresses, using either the IP Protect API or Control Center. Each server or subnet requiring protection on your network is mapped to a virtual IP address.

  • Management IP addresses. Addresses that forward processed traffic from an Akamai scrubbing center to your internal network. As much as possible, configure your firewalls to accept incoming transmissions only from the Akamai Management IP addresses.

  • Ports. Ports open for network connections. You can specify port assignments using any of these methods:

    • Individually. For example: 443.
    • As a comma-delimited string of ports: 80, 443, 867.
    • As a range of ports: 80-150.
    • As a combination of individual ports and ranges of ports: 80, 100-120, 443, 600-800.

    The preceding examples allow both TCP and UDP traffic. You can limit a port to accepting only TCP or UDP traffic by using syntax similar to this:

      TCP/90, UDP/900
    

    IP Protect also works with these non-ported protocols:

    • GRE. Generic Routing Encapsulation.
    • ESP. Encapsulating Security Protocol.
    • ICMP. Internet Control Messaging Protocol for IPv4 addresses. Use ICMPv6 for IPv6 addresses.
    • AH. Authentication Header.

    To use any of the non-ported protocols, include the protocol identifier preceded by IP/. For example, this syntax enables the use of the ICMP protocol:

      IP/ICMP
    
  • Configuration. Detailed information about a policy domain, including the domain's subnets and virtual IP addresses.

  • Health status. Health status for a back-end IP, based on the percentage of active locations for the IP address. IP Protect calculates health status by using these criteria:

    Percentage of Active Locations      Health Status
    Greater than or equal to 70%        Healthy
    30% to 69%                          Possible connectivity issues
    1% to 29%                           Connectivity issues
    0%                                  Down
    Location percentage not available   Unknown
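
The port syntax described under Ports above, as an added example (not part of Akamai's documentation or API): a local pre-check that expands a port string into explicit per-protocol rules, so you can review exactly what a change would open before submitting it. It assumes that the TCP/ and UDP/ prefixes may also precede a range, that entries are case-sensitive, and that valid ports are 1-65535; the function names are hypothetical.

```python
import re

# Non-ported protocol identifiers listed on the page.
NON_PORTED = {"GRE", "ESP", "ICMP", "ICMPv6", "AH"}
# Optional TCP/ or UDP/ prefix, a port, and an optional "-high" range end.
# Assumption: a prefix may precede a range as well as a single port.
_ENTRY = re.compile(r"(?:(TCP|UDP)/)?(\d{1,5})(?:-(\d{1,5}))?")


def parse_port_spec(spec):
    """Expand a port string into a sorted list of (protocol, low, high) rules.

    Non-ported protocols (IP/GRE, IP/ICMP, ...) are returned as (name, 0, 0).
    Raises ValueError on any entry that does not fit the documented forms.
    """
    rules = set()
    for entry in (part.strip() for part in spec.split(",")):
        if entry.startswith("IP/"):
            name = entry[3:]
            if name not in NON_PORTED:
                raise ValueError(f"unknown non-ported protocol: {entry!r}")
            rules.add((name, 0, 0))
            continue
        match = _ENTRY.fullmatch(entry)
        if match is None:
            raise ValueError(f"malformed entry: {entry!r}")
        proto = match.group(1)
        low = int(match.group(2))
        high = int(match.group(3) or match.group(2))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range or reversed: {entry!r}")
        # Per the page, an entry with no TCP/ or UDP/ prefix allows both.
        for p in ([proto] if proto else ["TCP", "UDP"]):
            rules.add((p, low, high))
    return sorted(rules)


def exposed_ports(rules, protocol):
    """Count distinct port numbers opened for one ported protocol (overlaps merged)."""
    ports = set()
    for proto, low, high in rules:
        if proto == protocol and low:
            ports.update(range(low, high + 1))
    return len(ports)


if __name__ == "__main__":
    # Constructed sample combining the forms shown on the page.
    for rule in parse_port_spec("80, 100-120, 443, TCP/90, UDP/900, IP/ICMP"):
        print(rule)
```

A large count from exposed_ports is a prompt to check whether a range is wider than the back-end service needs.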