Create an ACL rule set
NetStorage allows access from all IP addresses by default. Create an Access Control List (ACL) rule set to allow or block access to a storage group. Do this with a list of IP addresses or geographic regions ("Geos") based on their IP.
An ACL serves as an added layer of security for non-secure access methods (FTP), in that it helps prevent "man-in-the-middle password sniffing."
ACL rule sets apply only to FTP and SSH-supported protocols, and not the HTTP Usage API.
Add an ACL Rule Set
You can access the interface by navigating from within Control Center:
- Open the application. Go to ☰ ⇒ ORIGIN SERVICES ⇒ NetStorage.
- If necessary, access the ACL Rule Sets entity.
- Click + Add New Rule Set to access a wizard.
Here's a short summary. You can find more details below.
- Rule Set Details. Here, you define a name, description, and access control group for the rule set.
- Rule Set IPs. IP addresses or CIDR blocks entered here will be allowed or denied access to the applicable storage groups.
- Rule Set GEOs. Geographic regions ("GEOs") entered here will be allowed or denied access to the applicable storage groups.
- Upload Accounts. Assign the rule set to an upload account.
- Finally, you need to review the summary. All of the settings you've applied to the rule set are displayed, and you use this window to save them.
Remember that propagation takes time to complete
Changes require propagation to the NetStorage network, and this can take from 60 – 120 minutes to complete. Any changes you make are not accessible until this propagation completes.
Rule Set Details
- Access Control Group. These groups (ACGs) define specific access for the active user account. This includes things such as alerts, CP codes and origin domains. If your user account has been set up with access to multiple ACGs, ensure the one that offers access to the appropriate upload account CP code is selected.
- Rule Set Name. Input the desired name for the ACL rule set. It is recommended that you use a unique, easy-to-remember value to allow for easy recognition throughout this interface.
- Rule Set Description. (Optional) Input a description for this ACL rule set, if desired.
Rule Set IPs
- Deny IPs. IP addresses entered here will be denied access to the applicable Storage Group. (ACL Rule Sets are associated with a specific upload account which controls access to the Storage Group.) Input an individual address and click outside the field or press Enter. Click this field again and repeat this process to add additional entries. If desired, click the associated "Bad IP Reports" link to access a separate UI that lists IP Addresses that have unsuccessfully attempted to access the target Storage Group.
- Allow IPs. IP addresses/CIDR blocks entered here will be allowed access to the applicable Storage Group. (ACL Rule Sets are associated with a specific Upload Account which controls access to the Storage Group.) Input an individual address and click outside the field or press Enter. Click this field again and repeat this process to add additional entries. If desired, click the associated Good IP Reports link to access a separate UI that lists IP Addresses that have successfully accessed the target Storage Group.
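Before typing entries into the Deny IPs and Allow IPs fields, it helps to check that each one parses as an address or CIDR block and that the two lists do not overlap. The script below is an added example, not Akamai's code; it assumes a deny-first evaluation order and that a non-empty Allow IPs list restricts access to those addresses, neither of which this page states.

```python
# Added example (not Akamai's code): sanity-check candidate ACL rule set entries
# before entering them in the NetStorage UI. Evaluation order (deny wins, then a
# non-empty allow list restricts) is an assumption, not documented behaviour.
import ipaddress


def parse_entries(entries):
    """Parse each entry as an address or CIDR block; collect bad entries instead of raising."""
    nets, errors = [], []
    for raw in entries:
        try:
            nets.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            errors.append(raw)
    return nets, errors


def conflicts(allow_nets, deny_nets):
    """Return (allow, deny) pairs that overlap: an address could match both lists."""
    return [(a, d) for a in allow_nets for d in deny_nets
            if a.version == d.version and a.overlaps(d)]


def decide(addr, allow_nets, deny_nets):
    """Assumed policy: deny list first; with no allow list, default open (as the page says)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in deny_nets):
        return "deny"
    if not allow_nets:
        return "allow"
    return "allow" if any(ip in n for n in allow_nets) else "deny"


# Constructed sample rule set (documentation address ranges).
ALLOW = ["203.0.113.0/24", "2001:db8::/32"]
DENY = ["203.0.113.77", "198.51.100.0/24", "not-an-ip"]


def check_rule_set(allow=ALLOW, deny=DENY):
    """Report unparseable entries, allow/deny overlaps, and sample decisions."""
    allow_nets, allow_err = parse_entries(allow)
    deny_nets, deny_err = parse_entries(deny)
    return {
        "invalid": allow_err + deny_err,
        "overlaps": [(str(a), str(d)) for a, d in conflicts(allow_nets, deny_nets)],
        "decisions": {ip: decide(ip, allow_nets, deny_nets)
                      for ip in ("203.0.113.5", "203.0.113.77", "198.51.100.9", "192.0.2.1")},
    }
```

An overlap is not necessarily a mistake (a single denied host inside an allowed block is a common pattern), but it is worth confirming the intent before the 60 to 120 minute propagation window.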
Rule Set GEOs
- Allow/Deny GEOs. Use this functionality to determine if various geographic regions ("GEOs") should be allowed or denied access to the applicable Storage Group. If desired, click "Good GEO Reports" to access a separate UI that lists GEOs that have successfully ("Good") accessed the target Storage Group, or have unsuccessfully attempted access ("Bad").
- Location Type. Select the desired GEO location type, an entire Country or an individual Region (currently, the Region selection only supports states within the United States).
- List of Locations. Click this field to reveal a list of locations for selection (based on what is set in the Location Type drop-down).
Upload Accounts
Locate an applicable upload account and click to select it. This should be an account that has been configured with the desired access methods, and has been associated with an upload directory in the desired storage group. Multiple accounts can be selected.
The Summary window
Review the settings applied. If desired, you can click the specific window's numbered entry in the left panel to return to it, or click Previous. When you're satisfied with all settings, click Create.
Associate an ACL Rule Set with an upload account
ACL rule sets are applied to an upload account, either during its creation, or when editing an existing one. (You use options in the Advanced Settings content panel.)
The ACL rule sets functionality for an upload account
How to associate a rule set
- Click Select Rule Sets.
- In the drop-down that is revealed, select the applicable rule set.
- To remove a rule set, click the entry's X icon.
View an existing ACL Rule Set
Perform these steps to view an existing ACL Rule Set (but not make edits to it):
- Access the ACL Rule Sets entity.
- To filter results to the specific rule set, input its ACL Rule Set Name in the Filter field.
- Click the entry in the table to open it in Detail View.
Edit or delete an ACL rule set
- Access the ACL Rule Sets entity.
- To filter results to the specific rule set, input its ACL Rule Set Name in the Filter field.
- Click the edit or delete icon in the Actions column.
Remember that an ACL rule set can be applied to more than one upload account, thereby protecting more than one storage group. It's recommended that you view the existing ACL rule set before editing or deleting it.
What you should see
Deleting an ACL Rule Set will automatically remove it from all upload accounts that have it applied.
Remove an ACL rule set from an upload account
If you have added an ACL rule set to a specific upload account and you need to remove it, this is done by editing the account to access the Advanced Settings content panel. Locate the target set in the Select Rule Sets field and click the entry's X icon.
The ACL rule set will remain in your library for use. It will also maintain its associations with any other upload accounts.
Origin Firewall Rules and Notifications
Edge server IP addresses periodically refresh for routine maintenance. With Firewall Rules Notification, you can manage who receives email notifications about the planned changes. Akamai provides six to eight weeks of advance notice before activating the IP addresses.
It’s important that you update your company’s firewall to accept traffic from new IP addresses, or remove access to decommissioned ones. Keeping your firewall rules current ensures that requests served through the IPs listed in our CIDR blocks reach your origin.
You can get the latest CIDR block information and IP addresses from the Firewall Rules Notification documentation and API.