Migrate from Site Shield to Origin IP ACL

Origin IP Access Control List offers a convenient and scalable way to manage ​Akamai​ IPs on your origin firewall, including IPv6 addresses. It also supports all ​Akamai​ Media Delivery products. If you’re already using Site Shield, but wish to take advantage of Origin IP ACL capabilities, you need to perform a few steps to migrate to the new solution.


OIPACL and SureRoute

If your Akamai account team has specifically advised you to disable SureRoute or you are using SureRoute with a Custom Map, you shouldn’t use OIPACL.

How to

  1. Add these addresses to your origin server’s firewall for access. At this point, you should still keep your Site Shield CIDR blocks in the allow list.
  2. In Property Manager, edit your property to add the Origin IP Access Control List behavior to the applicable rule. Make sure the behavior’s Enable option is set to On. See Set up Origin IP ACL for specific details.
  3. In Property Manager, edit the property that uses the Site Shield map you want to replace with OIPACL:
    1. Delete the Site Shield behavior from your rule tree.
    2. If applicable, add the Tiered Distribution behavior for cacheable content to ensure best caching performance.
  4. Save and activate the property.

You can use OIPACL for a subset of the traffic to your property using match criteria, for example Hostname or Path, while still continuing to use Site Shield for the rest of the traffic. In that case, keep the Site Shield CIDR blocks on your origin server.

If none of your properties uses the Site Shield map any more, you can remove the Site Shield CIDR blocks from your origin server’s firewall. Contact your account representative for help deleting the map that’s no longer in use.

If you have more than one Site Shield map configured, repeat these steps for each map instance.

Caveats and known issues

  • OIPACL CIDR blocks contain much larger IP space than Site Shield.
  • While the CIDRs aren't exclusive to one customer in either OIPACL or Site Shield, OIPACL CIDR blocks are shared across a larger set of customers.
  • If you're using Site Shield Private regions or maps with custom handling, reach out to your account team to verify whether you can migrate to OIPACL.