All Products
Search

This Product

    Edge Security Acceleration:Origin protection

    Document Center

    Edge Security Acceleration:Origin protection

    Last Updated:Apr 17, 2025

    You can add the list of Edge Security Acceleration (ESA) point of presence (POP) IP addresses to your origin firewall settings. This enables only traffic routed through verified IP addresses to reach your origin and thereby safeguard your business.

    What is origin protection

    To shield your origin against malicious attacks or unauthorized access from external IP addresses, you can configure firewall rules to maintain an IP address whitelist. This way, only requests from trusted IP addresses can reach your origin.

    After you enable origin protection, ESA lists the IPv4 and IPv6 addresses of all POPs. You must add these IP addresses to the whitelist in your origin firewall settings.

    Before you begin

    • If you pause ESA for your website, you must manually modify the firewall rules of your origin to ensure successful subsequent access to the origin.

    • If your origin is deployed on an Elastic Compute Service (ECS) instance, you can modify the inbound rules in the security group to allow requests from only IP addresses in the whitelist to be routed to your origin. For more information, see Modify a security group rule.

    Enable origin protection

    1. In the ESA console, choose Websites and click the website name you want to manage.

    2. In the left-side navigation pane, choose Security > Origin Protection.

    3. On the Origin Protection page, click Configure.

      image

    4. In the Origin Protection section, turn on the Status switch. In the message that appears, select I understand the risks and click Enable.

      image

    5. In the Origin Protection section, click OK. The system displays the IP addresses of all ESA POPs. Copy the IP addresses in the IP Addresses section to the whitelist settings of your origin server. image

    Update the IP address list for origin protection

    Note

    Any updates to the POP IP address list will be sent to you by internal messages and emails. You can then adjust the firewall and security group settings accordingly, ensuring that ESA POPs can access your origin as expected.

    Procedure

    1. In the ESA console, choose Websites and click the website name you want to manage.

    2. In the left-side navigation pane, choose Security > Origin Protection.

    3. In the Origin Protection section, add all IP addresses in the IP Addresses section to your origin whitelist. Then, click Review.

      image

    4. In the Review Latest IP List panel, click I Have Applied and Confirm to Enable the Latest IP List. In the message that appears, click OK.

      Note

      Before you update the IP address list, the existing IP addresses are still being protected. To ensure timely protection, we recommend that you update the IP address list regularly to get the latest ESA POPs.

      image

    Disable origin protection

    Note

    To prevent service interruption, you must delete the IP address whitelist from your origin firewall settings and then disable origin protection.

    1. In the ESA console, choose Websites and click the website name you want to manage.

    2. In the left-side navigation pane, choose Security > Origin Protection.

    3. In the Origin Protection section, click Configure, turn off the Status switch. In the message that appears, select I understand the risks and click OK.

      image

    4. In the Origin Protection section, click OK. The feature status changes to Disabled.

    Availability

    The origin protection feature is supported only in the Premium and Enterprise plans.