Site Shield Stable CIDRs overview

You must perform routine maintenance when using Site Shield, such as updating your origin firewall ACLs and acknowledging those CIDR changes via the Akamai Control Center Site Shield application. Not performing these regular maintenance tasks could lead to performance issues, impacting user experience on your website protected by Site Shield. Such routine tasks could become operationally challenging, especially when you manage many origin firewalls and/or Site Shield maps. To overcome this, we’ve introduced the concept of Stable CIDRs in Site Shield.

When you enable stable CIDRs for a specific map, the Site Shield management application will always return larger Akamai-owned CIDR blocks that fully encompass the /24 and /25 CIDRs that comprise your map today. Changes to the map, such as removing decommissioned Akamai service locations or adding capacity, are all done within these larger, mostly static, CIDR blocks. This reduces the operational challenges of frequently keeping the map updated and limits the changes required on your origin firewalls.

If you don’t want to use Stable CIDRs, you must continue updating your firewall ACLs and acknowledging those changes in the Akamai Control Center at intervals of 30, 60, or 90 days, depending on how the map is configured. This is referred to as operating in the original mode.

To make the map static, the Stable CIDRs feature uses Supernet IP blocks, i.e., larger CIDR blocks such as /13, /11, etc. These IP ranges are owned by Akamai. Once you subscribe to stable CIDRs, your Site Shield map will use these larger IP blocks, which must be allowlisted in your origin firewall(s). Enabling the Supernet Blocks does not increase the current bandwidth limits inherent to Site Shield maps.

Caveats and considerations

Before you enable Site Shield, consider that:

  • Site Shield isn't a substitute for authentication. To further enhance your origin security, use it with other Akamai protection methods. If it fits your origin setup, you can use Cloud Access Manager in your delivery workflow. You can also add protections like signature header authentication or mutual authentication. Contact your Akamai account team for help.
  • You should stay current with IP address lists. Changes to the lists of IP address blocks are announced through a notification sent to the Site Shield application in your portal.
  • The Stable CIDRs feature uses large CIDR blocks such as /13, /10, etc. that come from a pool of CIDR ranges shared with multiple services or products, including, but not limited to, Origin IP ACL, Global Traffic Management (GTM), Application Load Balancer (ALB), and Secure Internet Access. If you choose to use this feature, we recommend using origin authentication measures such as signature header authentication or mutual authentication to minimize the risk to your origin that arises from the shared nature of such large blocks between different services on the platform.
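
The following added example (not Akamai code) audits an origin firewall allowlist against a Site Shield map: it confirms each /24 or /25 map CIDR falls inside an allowlisted supernet, and counts how many addresses the supernets admit compared with what the map needs, which is the shared-block exposure noted in the last caveat. All CIDRs are constructed from private address space, not real Akamai ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: private ranges standing in for real map/supernet CIDRs.
MAP_CIDRS = ["10.8.4.0/24", "10.9.128.0/25", "10.40.16.0/24", "10.64.7.0/24"]
FIREWALL_ALLOWLIST = ["10.8.0.0/13", "10.32.0.0/11"]


def audit_allowlist(map_cidrs, allowlist_cidrs):
    """Return ({map_cidr: covering_supernet}, [map CIDRs with no covering entry])."""
    allow = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    covered, uncovered = {}, []
    for cidr in map_cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare like with like.
        parent = next(
            (a for a in allow if a.version == net.version and net.subnet_of(a)),
            None,
        )
        if parent is None:
            uncovered.append(cidr)  # origin firewall would drop traffic from here
        else:
            covered[cidr] = str(parent)
    return covered, uncovered


def address_count(cidrs):
    """Count distinct addresses in a CIDR list, merging overlaps per IP version."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    total = 0
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


if __name__ == "__main__":
    covered, uncovered = audit_allowlist(MAP_CIDRS, FIREWALL_ALLOWLIST)
    for cidr, parent in covered.items():
        print(f"OK       {cidr} is inside allowlisted {parent}")
    for cidr in uncovered:
        print(f"MISSING  {cidr} has no covering allowlist entry")
    needed = address_count(MAP_CIDRS)
    allowed = address_count(FIREWALL_ALLOWLIST)
    print(f"map needs {needed} addresses; allowlist admits {allowed} "
          f"({allowed / needed:.0f}x)")
```

The ratio in the last line shows why a supernet allowlist should be paired with origin authentication: the firewall admits far more source addresses than the map itself uses.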

Don't miss out on updates

While this feature's list of IP addresses rarely changes, you should closely monitor and act on the notifications. It's the one definitive way to keep your map updated with the latest CIDR list.