This document describes how to obtain and update EdgeOne's IP address range so that you can configure origin server firewall rules that only allow traffic reaching the origin server through these fixed IP addresses, thereby implementing origin protection.
Obtaining Origin IP Address Range
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Security > Origin Protection.
3. On the Origin Protection page, click Use Now, carefully read the Origin Protection Enablement Conditions of Use, and click Confirm to Enable after confirming the content of the "Special Agreement" is acceptable.
4. Click Enable for origin protection status, select the site acceleration/Layer 4 proxy resource to be protected, and click Submit.
5. After origin protection is successfully enabled, you can see the current origin-pull IP list used by these resources. Apply it to your origin server firewall rules.
Warning:
1. EdgeOne may update the origin IP range from time to time to enhance network stability and reliability, improve security, handle expansion needs, or respond to compliance requirements. EdgeOne will notify you 14 days, 7 days, 3 days, and 1 day before the change via Message Center, SMS, or email. To ensure you receive the change notification, verify that you have selected EdgeOne product service notifications in the Tencent Cloud Message Center Console and configured the correct Message Recipient. For setup details, refer to message subscription management.
2. Upon receiving Tencent's "Origin IP Address Range Change Notification", complete the update of the origin IP address range within 14 calendar days, following the steps in Updating Origin IP Address Range. For example, if EdgeOne sends the "Origin IP Address Range Change Notification" at 12:00:00 (GMT+8) on January 1, 2025, you need to complete the update of the origin IP address range by 12:00:00 (GMT+8) on January 15, 2025.
3. If you fail to complete the above operations within the agreed time limit, Tencent is authorized to take actions including but not limited to [forcibly updating the origin-pull IP range to the latest version]. Please understand and recognize that any adverse consequences arising therefrom, such as [origin-pull failure] or [live business unavailability], will be borne by you. This situation is not covered under the service availability assurance of the EdgeOne Service Level Agreement.
4. If you cannot complete the update in time, it is advisable to adopt the origin-pull mutual authentication solution to ensure your origin server security. If you need to use this solution, contact us.
Updating Origin IP Address Range
Note:
The IP range for origin servers is updated every 3-6 months on average.
Upon receiving the notification about the origin IP range change, follow the steps below to view the updated origin IP range and complete the update within 14 calendar days to prevent service disruption caused by origin-pull failure.
1. Log in to the EdgeOne console, enter Service Overview in the left menu bar, and, under Website Security Acceleration, click the site that the Message Center message or email identifies as needing the change.
2. On the site details page, click Security > Origin Protection.
3. Click Go to update.
4. After applying the latest origin IP range to the origin server firewall, click I have updated to the latest origin IP range.
5. After confirming the update, the console shows "Origin IP ACL CIDRs is the latest version" to indicate the update is complete.
Automating Updates through API
If you want an automation script to obtain EdgeOne's latest origin IP range periodically, so that a late manual update does not cause a service interruption, you can use the API provided by EdgeOne to implement the following process:
1. Periodically call the API: Call the DescribeOriginACL API at a low frequency; once every three days is recommended.
2. Check update flag: In the returned data, pay close attention to the NextOriginACL field. If this field is not null, new origin IP ranges are available for update.
    "NextOriginACL": {
        "Version": "mlc-1.0.1-20250422",
        "PlannedActiveTime": "2014-12-30T10:00:00Z",
        "EntireAddresses": {
            "IPv4": [
                "11.11.11.11/24",
                "22.22.22.22/24"
            ],
            "IPv6": [
                "2001:980:7002:6::/64"
            ]
        },
        "AddedAddresses": {
            "IPv4": [
                "22.22.22.22/24"
            ],
            "IPv6": []
        },
        "RemovedAddresses": {
            "IPv4": [],
            "IPv6": []
        },
        "NoChangeAddresses": {
            "IPv4": [
                "11.11.11.11/24"
            ],
            "IPv6": [
                "2001:980:7002:6::/64"
            ]
        }
    }
3. Synchronize configuration: After the script detects an update, it should automatically synchronize the new IP range to your origin server firewall or security group policy.
4. Confirm update: After synchronization, call the ConfirmOriginACLUpdate API so that the system stops pushing related change notifications.
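The check and synchronize steps above can be sketched as follows. This is an added example, not EdgeOne's own code: it works on an already-fetched DescribeOriginACL response (the sample below is constructed from the fragment on this page), and the `MIN_PREFIX` guard, the consistency check, and deferring removals until PlannedActiveTime are assumptions of this example rather than documented EdgeOne behavior.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample: the NextOriginACL fragment from this page, wrapped in braces.
SAMPLE = json.loads("""{"NextOriginACL": {
  "Version": "mlc-1.0.1-20250422",
  "PlannedActiveTime": "2014-12-30T10:00:00Z",
  "EntireAddresses": {"IPv4": ["11.11.11.11/24", "22.22.22.22/24"],
                      "IPv6": ["2001:980:7002:6::/64"]},
  "AddedAddresses": {"IPv4": ["22.22.22.22/24"], "IPv6": []},
  "RemovedAddresses": {"IPv4": [], "IPv6": []},
  "NoChangeAddresses": {"IPv4": ["11.11.11.11/24"],
                        "IPv6": ["2001:980:7002:6::/64"]}}}""")

MIN_PREFIX = {4: 8, 6: 16}  # assumed guard: never allowlist anything broader


def nets(block):
    """Parse one *Addresses object into a set of normalized networks."""
    out = set()
    for family in ("IPv4", "IPv6"):
        for cidr in block.get(family) or []:
            # strict=False masks host bits: 11.11.11.11/24 -> 11.11.11.0/24
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < MIN_PREFIX[net.version]:
                raise ValueError(f"refusing overly broad range {net}")
            out.add(net)
    return out


def plan_update(response, now=None):
    """Return None if no update is pending, else a staged firewall plan."""
    nxt = response.get("NextOriginACL")
    if not nxt:
        return None
    entire, added = nets(nxt["EntireAddresses"]), nets(nxt["AddedAddresses"])
    removed, kept = nets(nxt["RemovedAddresses"]), nets(nxt["NoChangeAddresses"])
    # Cross-check the diff fields against the full list before touching rules.
    if entire != added | kept or removed & entire:
        raise ValueError("inconsistent NextOriginACL diff")
    active = datetime.fromisoformat(nxt["PlannedActiveTime"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return {
        "version": nxt["Version"],
        "add": sorted(str(n) for n in added),  # allow new ranges right away
        "remove": sorted(str(n) for n in removed) if now >= active else [],
        "final": sorted(str(n) for n in entire),
    }
```

A `None` result means nothing is pending; a raised `ValueError` should stop the run and alert an operator instead of changing firewall rules.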
Special Note
If the origin-pull IP range change operation is not carried out within the agreed deadline, EdgeOne will forcibly update the origin-pull IP range to the latest version according to the Origin Protection Enablement Conditions of Use. You will bear adverse consequences such as [origin-pull failure] and [live business unavailability] arising therefrom. This situation is not within the scope of service availability assurance in the EdgeOne Service Level Agreement.