Dedicated egress IP address
Learn how to set up and use dedicated egress IP address, which allows outbound connections from AEM to originate from a dedicated IP.
What is dedicated egress IP address?
Dedicated egress IP address allows requests from AEM as a Cloud Service to use a dedicated IP address, allowing the external services to filter incoming requests by this IP address. Like flexible egress ports, dedicated egress IP lets you egress on non-standard ports.
A Cloud Manager Program can only have a single network infrastructure type. Ensure dedicated egress IP address is the most appropriate type of network infrastructure for your AEM as a Cloud Service before executing the following commands.
Prerequisites
The following are required when setting up dedicated egress IP address using Cloud Manager APIs:
-
Cloud Manager API with Cloud Manager Business Owner permissions
-
Access to Cloud Manager API authentication credentials
- Organization ID (aka IMS Org ID)
- Client ID (aka API Key)
- Access Token (aka Bearer Token)
-
The Cloud Manager Program ID
-
The Cloud Manager Environment IDs
For more details review how to setup, configure, and obtain Cloud Manger API credentials,to use them to make a Cloud Manager API call.
This tutorial uses curl to make the Cloud Manager API configurations. The provided curl commands assume a Linux/macOS syntax. If using the Windows command prompt, replace the \ line-break character with ^.
Enable dedicated egress IP address on the program
Start by enabling and configuring the dedicated egress IP address on AEM as a Cloud Service.
Dedicated egress IP address can be enabled using Cloud Manager. The following steps outline how to enable dedicated egress IP address on AEM as a Cloud Service using the Cloud Manager.
-
Log in to the Adobe Experience Manager Cloud Manager as a Cloud Manager Business Owner.
-
Navigate to the desired Program.
-
In the left menu, navigate to Services > Network Infrastructures.
-
Select the Add network infrastructure button.
-
In the Add network infrastructure dialog, select the Dedicated egress IP address option, and select the Region to create the dedicated egress IP address.
-
Select Save to confirm the addition of the dedicated egress IP address.
-
Wait for the network infrastructure to be created and marked as Ready. This process can take up to 1 hour.
With the Dedicated egress IP address created, you can now configure it using the Cloud Manager APIs as described below.
Dedicated egress IP address can be enabled using Cloud Manager APIs. The following steps outline how to enable Dedicated egress IP address on AEM as a Cloud Service using the Cloud Manager API.
-
First, determine the region in which the Advanced Networking is needed, by using the Cloud Manager API listRegions operation. The
region nameis required to make subsequent Cloud Manager API calls. Typically, the region the Production environment resides in is used.Find your AEM as a Cloud Service environment’s region in Cloud Manager under the environment’s details. The region name displayed in Cloud Manager can be mapped to the region code used in the Cloud Manager API.
listRegions HTTP request
code language-shell $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/regions \ -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \ -H 'x-api-key: <CLIENT_ID>' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'Content-Type: application/json' -
Enable dedicated egress IP address for a Cloud Manager Program using the Cloud Manager API createNetworkInfrastructure operation. Use the appropriate
regioncode obtained from the Cloud Manager APIlistRegionsoperation.createNetworkInfrastructure HTTP request
code language-shell $ curl -X POST https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructures \ -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \ -H 'x-api-key: <CLIENT_ID>' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "kind": "dedicatedEgressIp", "region": "va7" }'Wait 15 minutes for the Cloud Manager Program to provision the network infrastructure.
-
Check that the program has finished dedicated egress IP address configuration using the Cloud Manager API getNetworkInfrastructure operation, using the
idreturned from thecreateNetworkInfrastructureHTTP request in the previous step.getNetworkInfrastructure HTTP request
code language-shell $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructure/{networkInfrastructureId} \ -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \ -H 'x-api-key: <CLIENT_ID>' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'Content-Type: application/json'Verify that the HTTP response contains a status of ready. If not yet ready, recheck the status every few minutes.
With the Dedicated egress IP address created, you can now configure it using the Cloud Manager APIs as described below.
Configure dedicated egress IP address proxies per environment
-
Configure the dedicated egress IP address configuration on each AEM as a Cloud Service environment using the Cloud Manager API enableEnvironmentAdvancedNetworkingConfiguration operation.
enableEnvironmentAdvancedNetworkingConfiguration HTTP request
code language-shell $ curl -X PUT https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \ -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \ -H 'x-api-key: <CLIENT_ID>' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'Content-Type: application/json' \ -d @./dedicated-egress-ip-address.jsonDefine the JSON parameters in a
dedicated-egress-ip-address.jsonand provided to curl via... -d @./dedicated-egress-ip-address.json.Download the example dedicated-egress-ip-address.json. This file is only an example. Configure your file as required based on the optional/required fields documented at enableEnvironmentAdvancedNetworkingConfiguration.
code language-json { "nonProxyHosts": [ "example.net", "*.example.org", ], "portForwards": [ { "name": "mysql.example.com", "portDest": 3306, "portOrig": 30001 }, { "name": "smtp.sendgrid.net", "portDest": 465, "portOrig": 30002 } ] }Dedicated egress IP address configuration’s HTTP signature only differs from flexible egress port in that it also supports the optional
nonProxyHostsconfiguration.nonProxyHostsdeclares a set of hosts for which port 80 or 443 should be routed through the default shared IP address ranges rather than the dedicated egress IP.nonProxyHostsmay be useful as traffic egressing through shared IPs is optimized automatically by Adobe.For each
portForwardsmapping, the advanced networking defines the following forwarding rule:table 0-row-5 1-row-5 Proxy host Proxy port External host External port AEM_PROXY_HOSTportForwards.portOrig→ portForwards.nameportForwards.portDest -
For each environment, validate the egress rules are in effect using the Cloud Manager API getEnvironmentAdvancedNetworkingConfiguration operation.
getEnvironmentAdvancedNetworkingConfiguration HTTP request
code language-shell $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \ -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \ -H 'x-api-key: <CLIENT_ID>' \ -H 'Authorization: <YOUR_TOKEN>' \ -H 'Content-Type: application/json' -
Dedicated egress IP address configurations can be updated using the Cloud Manager API enableEnvironmentAdvancedNetworkingConfiguration operation. Remember
enableEnvironmentAdvancedNetworkingConfigurationis aPUToperation, so all rules must be provided with every invocation of this operation. -
Obtain the dedicated egress IP address by using a DNS Resolver (such as DNSChecker.org) on the host:
p{programId}.external.adobeaemcloud.com, or by runningdigfrom the command line.code language-shell $ dig +short p{programId}.external.adobeaemcloud.comThe hostname cannot be
pinged, as it is an egress and not and ingress.Note that the dedicated egress IP address is shared by all AEM as a Cloud Service environments in the program.
-
Now, you can use the dedicated egress IP address in your custom AEM code and configuration. Often when using dedicated egress IP address, the external services AEM as a Cloud Service connects to are configured to only allow traffic from this dedicated IP address.
Connecting to external services over dedicated egress IP address
With the dedicated egress IP address enabled, AEM code and configuration can use the dedicated egress IP to make calls to external services. There are two flavors of external calls that AEM treats differently:
- HTTP/HTTPS calls to external services
- Includes HTTP/HTTPS calls made to services running on ports other than the standard 80 or 443 ports.
- non-HTTP/HTTPS calls to external services
- Includes any non-HTTP calls, such as connections with Mail servers, SQL databases, or services that run on other non-HTTP/HTTPS protocols.
HTTP/HTTPS requests from AEM on standard ports (80/443) are allowed by default but they do not use the dedicated egress IP address if not configured appropriately as described below.
HTTP/HTTPS
When creating HTTP/HTTPS connections from AEM, when using dedicated egress IP address, HTTP/HTTPS connections are automatically proxied out of AEM using the dedicated egress IP address. No additional code or configuration is required to support HTTP/HTTPS connections.
Code examples
Java™ code example making HTTP/HTTPS connection from AEM as a Cloud Service to an external service using HTTP/HTTPS protocol.
Non-HTTP/HTTPS connections to external services
When creating non-HTTP/HTTPS connections (ex. SQL, SMTP, and so on) from AEM, the connection must be made through a special host name provided by AEM.
AEM_PROXY_HOSTSystem.getenv("AEM_PROXY_HOST")$[env:AEM_PROXY_HOST]Connections to external services are then called through the AEM_PROXY_HOST and the mapped port (portForwards.portOrig), which AEM then routes to the mapped external hostname (portForwards.name) and port (portForwards.portDest).
AEM_PROXY_HOSTportForwards.portOrigportForwards.nameportForwards.portDestCode examples
SQL connection using JDBC DataSourcePool
Java™ code example connecting to external SQL databases by configuring AEM's JDBC datasource pool.
SQL connection using Java™ APIs
Java™ code example connecting to external SQL databases using Java™'s SQL APIs.
