Caveats and recommendations

Consider these points before you add Origin IP ACL:

  • Origin IP ACL isn't a substitute for authentication. To further enhance your origin security, use it in combination with other ​Akamai​ protection methods. If it fits with your origin setup, you can use Cloud Access Manager in your delivery workflow. You can also add protections like signature header authentication or mutual authentication. Talk to your ​Akamai​ account team for help with these.
  • The list of IP addresses for this feature almost never changes. You can use the Firewall Rules Notification tool in ​​Akamai Control Center​ to subscribe and get notifications if it does.
  • Enable IPv6 support for a custom origin. Turn on IPv6 Origin Support in the Origin Server behavior. This will reduce the probability of malicious scanning finding the origin IPs.

Incompatible products

Origin IP ACL can't be used with certain ​Akamai​ products and services.

Product/ServiceDetails
NetStorageOrigin IP ACL only applies to custom or third-party origin servers. NetStorage exists within the ​Akamai​ network, so this protection isn't necessary.
China CDN supportIf your origin server is located in China, don't include the Origin IP Access Control List behavior. As an alternative, you could use the SiteShield service.
Image and Video ManagerThis service can cause conflicts when one of its behaviors is included in a rule tree that also uses Origin IP ACL. Talk to your ​Akamai​ account team about a potential workaround.
Bot ManagerThis service can conflict with Origin IP ACL. Talk to your ​Akamai​ account team about a potential workaround.
Page Integrity ManagerThis service can conflict with Origin IP ACL. Talk to your ​Akamai​ account team about a potential workaround.
Resource OptimizerThis is a feature that's available with Adaptive Acceleration for Ion. If you have it enabled in your property, talk to your ​Akamai​ account team about a potential workaround.
Application Load Balancer CloudletThis service can conflict with Origin IP ACL. Talk to your ​Akamai​ account team about a potential workaround.
SalesForce CloudletThis service can conflict with Origin IP ACL. Talk to your ​Akamai​ account team about a potential workaround.
Protocol Downgrade (Legacy)Also referred to as Protocol Downgrade v1, this legacy behavior is not supported for use with Origin IP ACL.