Caveats and recommendations
Consider these points before you add Origin IP ACL:
- Origin IP ACL isn't a substitute for authentication. To further enhance your origin security, use it in combination with other Akamai protection methods. If it fits with your origin setup, you can use Cloud Access Manager in your delivery workflow. You can also add protections like signature header authentication or mutual authentication. Talk to your Akamai account team for help with these.
- The list of IP addresses for this feature almost never changes. You can use the Firewall Rules Notification tool in Akamai Control Center to subscribe and get notifications if it does.
- Enable IPv6 support for a custom origin. Turn on IPv6 Origin Support in the Origin Server behavior. This will reduce the probability of malicious scanning finding the origin IPs.
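When a Firewall Rules Notification arrives, the origin firewall has to be reconciled with the newly published list, including IPv6 ranges if IPv6 Origin Support is turned on. The Python below is an added example, not Akamai code: the function names are hypothetical and every CIDR is a constructed documentation range, not a real Akamai address.

```python
import ipaddress

def parse_cidrs(lines):
    """Normalize CIDR strings into network objects; skip blanks and '#' comments."""
    nets = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates entries with host bits set (192.0.2.7/24)
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def _sorted(nets):
    # IPv4 and IPv6 networks cannot be compared directly, so sort on a tuple
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=order)]

def diff_allowlist(firewall_lines, published_lines):
    """Compare the CIDRs the origin firewall allows with the published list."""
    current = parse_cidrs(firewall_lines)
    published = parse_cidrs(published_lines)
    return {
        "add": _sorted(published - current),      # ranges the firewall must start allowing
        "remove": _sorted(current - published),   # stale ranges that widen exposure
        # address families in the published list that the firewall has no rule for
        "missing_families": sorted({n.version for n in published}
                                   - {n.version for n in current}),
    }

def is_allowed(source_ip, cidr_lines):
    """True if source_ip falls inside any allowlisted CIDR of the same family."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n
               for n in parse_cidrs(cidr_lines))

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges)
FIREWALL = ["192.0.2.0/24", "198.51.100.0/25  # stale entry"]
PUBLISHED = ["192.0.2.7/24", "203.0.113.0/24", "2001:db8:100::/48"]

if __name__ == "__main__":
    for action, values in diff_allowlist(FIREWALL, PUBLISHED).items():
        print(action, values)
```

A non-empty `missing_families` result is the case to watch after enabling IPv6 Origin Support: the firewall would otherwise drop IPv6 requests from the edge.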
Incompatible products
Origin IP ACL can't be used with certain Akamai products and services.
Product/Service | Details |
---|---|
NetStorage | Origin IP ACL only applies to custom or third-party origin servers. NetStorage exists within the Akamai network, so this protection isn't necessary. |
China CDN support | If your origin server is located in China, don't include the Origin IP Access Control List behavior. As an alternative, you could use the SiteShield service. |
Image and Video Manager | This service can cause conflicts when one of its behaviors is included in a rule tree that also uses Origin IP ACL. Talk to your Akamai account team about a potential workaround. |
Bot Manager | This service can conflict with Origin IP ACL. Talk to your Akamai account team about a potential workaround. |
Page Integrity Manager | This service can conflict with Origin IP ACL. Talk to your Akamai account team about a potential workaround. |
Resource Optimizer | This is a feature that's available with Adaptive Acceleration for Ion. If you have it enabled in your property, talk to your Akamai account team about a potential workaround. |
Application Load Balancer Cloudlet | This service can conflict with Origin IP ACL. Talk to your Akamai account team about a potential workaround. |
SalesForce Cloudlet | This service can conflict with Origin IP ACL. Talk to your Akamai account team about a potential workaround. |
Protocol Downgrade (Legacy) | Also referred to as Protocol Downgrade v1, this legacy behavior is not supported for use with Origin IP ACL. |