Origin IP Access Control List

An Origin IP access control list provides an additional layer of security for your origin by restricting traffic to it.

How it works

We maintain a small and stable list of IP addresses that you use in policy rules in your origin server's firewall. These addresses are expressed as classless inter-domain routing (CIDR) blocks. CIDR is an IP addressing scheme that improves the allocation of IP addresses: a single IP address followed by a prefix length designates a whole range of unique IP addresses.

Implementation

  1. Edit your origin's firewall settings to allow access to these addresses:

IPv4

23.32.0.0/11
23.192.0.0/11
2.16.0.0/13
104.64.0.0/10
184.24.0.0/13
23.0.0.0/12
95.100.0.0/15
92.122.0.0/15
172.232.0.0/13
184.50.0.0/15
88.221.0.0/16
23.64.0.0/14
72.246.0.0/15
96.16.0.0/15
96.6.0.0/15
69.192.0.0/16
23.72.0.0/13
173.222.0.0/15
118.214.0.0/16
184.84.0.0/14

IPv6

2a02:26f0::/32
2600:1400::/24
2405:9600::/32

  2. Set the Enable slider in the Origin IP Access Control List behavior to On.

As your property processes requests, connection attempts to your origin from the Akamai edge network come from one of these IP addresses. This lets you control access to your origin: you can set up a firewall policy on your origin that only allows requests from these addresses.
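One way to confirm that such a firewall policy is actually enforced is to audit the origin's own access log for peers outside the list. The following is an added example, not Akamai's code: it uses the CIDR blocks listed on this page, assumes the peer address is the first field of each log line, and runs over constructed sample log lines.

```python
import ipaddress

# CIDR blocks copied from the list on this page.
EDGE_CIDRS = """
23.32.0.0/11 23.192.0.0/11 2.16.0.0/13 104.64.0.0/10 184.24.0.0/13
23.0.0.0/12 95.100.0.0/15 92.122.0.0/15 172.232.0.0/13 184.50.0.0/15
88.221.0.0/16 23.64.0.0/14 72.246.0.0/15 96.16.0.0/15 96.6.0.0/15
69.192.0.0/16 23.72.0.0/13 173.222.0.0/15 118.214.0.0/16 184.84.0.0/14
2a02:26f0::/32 2600:1400::/24 2405:9600::/32
""".split()
# ip_network() is strict by default, so a typo that sets host bits fails loudly.
NETS = [ipaddress.ip_network(c) for c in EDGE_CIDRS]

def from_edge(addr: str) -> bool:
    """True if addr falls inside one of the listed edge ranges."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack listeners often log IPv4 peers as ::ffff:a.b.c.d; unwrap first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in NETS)

def audit(log_lines):
    """Return (line_no, peer) for every request that did not come from the edge.
    A peer field that cannot be parsed is reported as well."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        peer = line.split(" ", 1)[0]
        try:
            ok = from_edge(peer)
        except ValueError:
            ok = False
        if not ok:
            findings.append((no, peer))
    return findings

# Constructed access-log lines (peer address first, as in Common Log Format).
SAMPLE_LOG = [
    '23.40.1.5 - - [10/Oct/2024:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 1043',
    '::ffff:96.7.10.2 - - [10/Oct/2024:13:56:02 +0000] "GET /api/items HTTP/1.1" 200 512',
    '2a02:26f0:1::7 - - [10/Oct/2024:13:56:10 +0000] "POST /api/orders HTTP/1.1" 201 88',
    '2001:db8::1 - - [10/Oct/2024:13:56:31 +0000] "GET /admin HTTP/1.1" 403 0',
    'unknown - - [10/Oct/2024:13:57:00 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for no, peer in audit(SAMPLE_LOG):
        print(f"line {no}: {peer} is outside the edge allowlist")
```

Any finding means the request reached the origin without passing through the listed edge ranges, so the firewall rule is missing, too broad, or bypassed by another listener.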

Tips and best practices

  • The list of IP addresses we maintain for this feature almost never changes. You can use the Firewall Rules Notification tool in Akamai Control Center to subscribe and get notifications.

  • Origin IP Access Control List works similarly to our SiteShield feature. However, neither is a substitute for authentication. To further enhance your origin security, use them in combination with authentication methods such as authentication tokens. Other types of authentication are also possible, depending on your origin infrastructure. Talk to your Akamai account team for details on other protections.

  • If your property supports IPv6, turn on IPv6 Origin Support in the Origin Server behavior. This will reduce the probability of malicious scanning finding the origin IPs.

  • This is a recommended feature for API Acceleration properties. You can also download text and comma-separated files containing the IP addresses from your API Acceleration property.

    1. Log in to Akamai Control Center using an account that has access to API Acceleration.
    2. Access its Download Center repository.
    3. Open Origin IP Access Control List addresses.
    4. Select the appropriate .txt or .xlsx (comma-separated) file you'd like to download.
