Guide
TrainingSupportCommunity

Migrate from Site Shield to Origin IP ACL

Suggest Edits

Origin IP Access Control List offers a convenient and scalable way to manage ​Akamai​ IPs on your origin firewall, including IPv6 addresses. It also supports all ​Akamai​ delivery products. If you’re already using Site Shield, but wish to take advantage of Origin IP ACL capabilities, you need to perform a few steps to migrate to the new solution.

🚧

Origin IP Access Control List and SureRoute

If your ​Akamai Technologies, Inc.​ account team has specifically advised you to disable SureRoute or you are using SureRoute with a Custom Map, you shouldn’t use Origin IP Access Control List.

How to

  1. Add these addresses to your origin server’s firewall for access. At this point, you should still keep your Site Shield CIDR blocks in the allow list.
  2. In Property Manager, edit your property to add the Origin IP Access Control List behavior to the applicable rule. Make sure the behavior is enabled. See Set up Origin IP ACL for specific details.
  3. In Property Manager, edit the property that uses the Site Shield map you want to replace with OIPACL:
    1. Delete the Site Shield behavior from your rule tree.
    2. If applicable, add the Tiered Distribution behavior for cacheable content to ensure best caching performance.
  4. Save and activate the property.

You can use Origin IP Access Control List for a subset of the traffic to your property using match criteria, for example Hostname or Path, while still continuing to use Site Shield for the rest of the traffic. In that case, keep the Site Shield CIDR blocks on your origin server.

If your properties no longer use the Site Shield map, you can remove the Site Shield CIDR blocks from your origin server’s firewall. Talk to your account team if you need help deleting a map that’s no longer in use.

If you have more than one Site Shield map configured, repeat these steps for each map instance.

Caveats and known issues

  • Origin IP Access Control List CIDR blocks contain a much larger IP space than Site Shield.
  • While the CIDRs aren't exclusive to one customer in either Origin IP Access Control List or Site Shield, Origin IP Access Control List CIDR blocks are shared across a larger set of customers.
  • If you're using Site Shield private regions or maps with custom handling, reach out to your account team to verify whether you can migrate toOrigin IP Access Control List.

Updated 2 months ago