You can add the list of Edge Security Acceleration (ESA) point of presence (POP) IP addresses to your origin firewall settings. This enables only traffic routed through verified IP addresses to reach your origin and thereby safeguard your business.
Feature description
To shield your origin against malicious attacks or unauthorized access from external IP addresses, you can configure firewall rules to maintain an IP address whitelist. This way, only requests from trusted IP addresses can reach your origin.
After you enable origin protection, ESA lists the IPv4 and IPv6 addresses of all POPs. You must add these IP addresses to the whitelist in your origin firewall settings.
Usage notes
If you pause ESA for your website, you must manually modify the firewall rules of your origin to ensure successful subsequent access to the origin.
If your origin is deployed on an Elastic Compute Service (ECS) instance, you can modify the inbound rules in the security group to allow requests from only IP addresses in the whitelist to be routed to your origin. For more information, see Modify a security group rule.
Enable origin protection
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose
On the Origin Protection page, click Configure.
In the Origin Protection section, turn on the Status switch. In the message that appears, select I understand the risks and click Enable.
In the Origin Protection section, click OK. The feature status then changes to Enabled, and the system displays the IP addresses of all ESA POPs.
Copy the IP addresses in the IP Addresses section to the whitelist settings of your origin server.
Update the IP address list for origin protection
Any updates to the POP IP address list will be sent to you by internal messages and emails. You can then adjust the firewall and security group settings accordingly, ensuring that ESA POPs can access your origin as expected.
Procedure
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose
In the Origin Protection section, add all IP addresses in the IP Addresses section to your origin whitelist. Then, click Review.
In the Review Latest IP List panel, click I Have Applied and Confirm to Enable the Latest IP List. In the message that appears, click OK.
Disable origin protection
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose
In the Origin Protection section, click Configure, turn off the Status switch. In the message that appears, select I understand the risks and click OK.
In the Origin Protection section, click OK. The feature status changes to Disabled.
Feature availability
The following table describes the availability of origin protection in different plans.
Entrance | Pro | Premium | Enterprise | |
Available or not | No | No | Yes | Yes |