Site Shield Stable CIDRs overview
You must perform routine maintenance when using Site Shield, such as updating your origin firewall ACLs and acknowledging those CIDR changes via the Akamai Control Center Site Shield application. Not performing these regular maintenance tasks could lead to performance issues, impacting user experience on your website protected by Site Shield. Such routine tasks could become operationally challenging, especially when you manage many origin firewalls and/or Site Shield maps. To overcome this, we’ve introduced the concept of Stable CIDRs in Site Shield.
When you enable stable CIDRs for a specific map, the Site Shield management application will always return larger Akamai-owned CIDR blocks that fully encompass the /24 and /25 CIDRs that comprise your map today. Changes to the map, such as removing decommissioned Akamai service locations or adding capacity, are all done within these larger, mostly static, CIDR blocks. This reduces the operational challenges of frequently keeping the map updated and limits the changes required on your origin firewalls.
If you don’t want to use Stable CIDRs, you must continue updating your firewall ACLs and acknowledging those changes in the Akamai Control Center at intervals of 30, 60, or 90 days, depending on how the map is configured. This is referred to as operating in the original mode.
To make the map static, the Stable CIDRs feature uses Supernet IP blocks, i.e. larger CIDR blocks such as /13, /11, etc. These IP ranges are owned by Akamai. Once you subscribe to stable CIDRs, your Site Shield map will use such larger IP blocks, which must be allowlisted in your origin firewall(s). Enabling the Supernet Blocks does not increase the current bandwidth limits inherent in Site Shield maps.
Caveats and considerations
If you enabled the Stable CIDRs feature for your Site Shield map, entries in the Removed column are still in use only if they overlap with one of the proposed CIDRs. Update the Added and Removed CIDR entries on your origin firewall at the same time. Additionally, to ensure a safe rollback, delete the addresses in the Removed section from the allowlist 7 days after acknowledging the map proposal.
This is a different behavior from Site Shield maps without the Stable CIDRs feature, where entries in the Removed column are immediately no longer in service and are safe to delete from your firewall at any time.
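One way to check an origin allowlist against a Stable CIDRs map proposal, as an added example that is not Akamai's code. The function names, the plain-list inputs (assumed to be copied from the proposal's Added and Removed columns), and the RFC 1918 sample addresses are all constructed for illustration.

```python
import ipaddress
from datetime import date, timedelta

ROLLBACK_WINDOW = timedelta(days=7)  # from the page: wait 7 days after acknowledging

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def uncovered(firewall_allowlist, required):
    """Return the CIDRs in `required` that the allowlist does not fully cover."""
    nets = _nets(firewall_allowlist)
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IPv4/IPv6 input
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(r) for r in _nets(required)
            if not any(r.version == m.version and r.subnet_of(m) for m in merged)]

def plan_update(firewall_allowlist, added, removed, acknowledged_on):
    """Plan the allowlist change for one acknowledged map proposal."""
    # Proposed map = current entries minus Removed, plus Added
    # (assumes CIDR strings are written identically in every list).
    proposed = [c for c in firewall_allowlist if c not in removed]
    proposed += [c for c in added if c not in proposed]
    proposed_nets = _nets(proposed)
    # Removed entries that overlap a proposed CIDR are still in use (page caveat).
    overlapping = [r for r in removed
                   if any(ipaddress.ip_network(r).overlaps(p) for p in proposed_nets)]
    # Keep Removed entries for now so a rollback stays possible.
    allow_now = list(dict.fromkeys(firewall_allowlist + added))
    return {
        "allow_now": allow_now,
        "gaps_before": uncovered(firewall_allowlist, proposed),
        "gaps_after": uncovered(allow_now, proposed),
        "removed_overlapping_proposed": overlapping,
        "delete_removed_on_or_after": acknowledged_on + ROLLBACK_WINDOW,
    }

# Constructed sample: a map of /24 and /25 entries moving to /13 supernets.
FIREWALL = ["10.8.1.0/24", "10.9.2.128/25", "10.200.3.0/24", "10.64.5.0/24"]
ADDED = ["10.8.0.0/13", "10.200.0.0/13"]
REMOVED = ["10.8.1.0/24", "10.9.2.128/25", "10.200.3.0/24", "10.64.5.0/24"]

if __name__ == "__main__":
    for key, value in plan_update(FIREWALL, ADDED, REMOVED, date(2024, 3, 1)).items():
        print(f"{key}: {value}")
```

A non-empty `gaps_after` means some proposed CIDR would still be blocked at the origin after the change.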
Before you enable Site Shield, consider that:
- Site Shield isn't a substitute for authentication. Always implement allowlist protections alongside solutions that let requests from the Akamai network authenticate to your origin. Read best practices for using Site Shield in combination with connection and application authentication. If need be, contact your Akamai account team for help.
- You should stay current with IP address lists. Changes to the lists of IP address blocks are announced through a notification sent to the Site Shield application in your portal.
- The Stable CIDRs feature uses large CIDR blocks such as /13, /10, etc. that come from a pool of CIDR ranges shared with multiple services or products, including, but not limited to, Origin IP ACL, Global Traffic Management (GTM), Application Load Balancer (ALB), and Secure Internet Access. If you choose to use this feature, we recommend using origin authentication measures such as signature header authentication or mutual authentication to minimize the risk to your origin that arises from the shared nature of such large blocks between different services on the platform.
Don't miss out on updates
While this feature's list of IP addresses rarely changes, you should closely monitor and act on the notifications. It's the one definitive way to keep your map updated with the latest CIDR list.