Learn how to connect AEM as a Cloud Service with your VPN to create secure communication channels between AEM and internal services.
Virtual Private Network (VPN) allows an AEM as a Cloud Service customer to connect the AEM environments within a Cloud Manager Program to an existing, supported VPN. This allows secure, and controlled connections between AEM as a Cloud Service and services within the customer’s network.
A Cloud Manager Program can only have a single network infrastructure type. Ensure that Virtual Private Network is the most appropriate type of network infrastructure for your AEM as a Cloud Service before executing the following commands.
Please note, connecting the build environment from Cloud Manager to a VPN is not supported. If you must access binary artifacts from a private repository, you must set up a secure and password-protected repository with a URL that is available on the public internet as described here.
The following are required when setting up Virtual Private Network:
For more details, watch the following walkthrough on how to set up, configure, and obtain Cloud Manager API credentials, and how to use them to make a Cloud Manager API call.
This tutorial uses curl to make the Cloud Manager API configurations. The provided curl commands assume a Linux/macOS syntax. If using the Windows command prompt, replace the \ line-break character with ^.
Start by enabling the Virtual Private Network on AEM as a Cloud Service.
First, determine the region in which the Advanced Networking will be set up by using the Cloud Manager API listRegions operation. The region name will be required to make subsequent Cloud Manager API calls. Typically, the region the Production environment resides in is used.
listRegions HTTP request
$ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/regions \
-H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
-H 'x-api-key: <CLIENT_ID>' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json'
Enable Virtual Private Network for a Cloud Manager Program using the Cloud Manager API createNetworkInfrastructure operation. Use the appropriate region code obtained from the Cloud Manager API listRegions operation.
createNetworkInfrastructure HTTP request
$ curl -X POST https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructures \
-H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
-H 'x-api-key: <CLIENT_ID>' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d @./vpn-create.json
Define the JSON parameters in a vpn-create.json file and provide it to curl via ... -d @./vpn-create.json. This file carries the IPsec pre-shared key (sharedKey), so keep it out of source control and out of shell history and build logs.
Download the example vpn-create.json
{
"kind": "vpn",
"region": "va7",
"addressSpace": [
"10.104.182.64/26"
],
"dns": {
"resolvers": [
"10.151.201.22",
"10.151.202.22",
"10.154.155.22"
],
"domains": [
"wknd.site",
"wknd.com"
]
},
"connections": [{
"name": "connection-1",
"gateway": {
"address": "195.231.212.78",
"addressSpace": [
"10.151.0.0/16",
"10.152.0.0/16",
"10.153.0.0/16",
"10.154.0.0/16",
"10.142.0.0/16",
"10.143.0.0/16",
"10.124.128.0/17"
]
},
"sharedKey": "<secret_shared_key>",
"ipsecPolicy": {
"dhGroup": "ECP256",
"ikeEncryption": "AES256",
"ikeIntegrity": "SHA256",
"ipsecEncryption": "AES256",
"ipsecIntegrity": "SHA256",
"pfsGroup": "ECP256",
"saDatasize": 102400000,
"saLifetime": 3600
}
}]
}
Wait 45-60 minutes for the Cloud Manager Program to provision the network infrastructure.
Check that the environment has finished Virtual Private Network configuration using the Cloud Manager API getNetworkInfrastructure operation, using the id returned from the createNetworkInfrastructure HTTP request in the previous step.
getNetworkInfrastructure HTTP request
$ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructure/{networkInfrastructureId} \
-H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
-H 'x-api-key: <CLIENT_ID>' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json'
Verify that the HTTP response contains a status of ready. If it is not yet ready, recheck the status every few minutes.
Enable and configure the Virtual Private Network configuration on each AEM as a Cloud Service environment using the Cloud Manager API enableEnvironmentAdvancedNetworkingConfiguration operation.
enableEnvironmentAdvancedNetworkingConfiguration HTTP request
$ curl -X PUT https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \
-H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
-H 'x-api-key: <CLIENT_ID>' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json' \
-d @./vpn-configure.json
Define the JSON parameters in a vpn-configure.json file and provide it to curl via ... -d @./vpn-configure.json.
Download the example vpn-configure.json
{
"nonProxyHosts": [
"example.net",
"*.example.org"
],
"portForwards": [
{
"name": "mysql.example.com",
"portDest": 3306,
"portOrig": 30001
},
{
"name": "smtp.sendgrid.com",
"portDest": 465,
"portOrig": 30002
}
]
}
nonProxyHosts declares a set of hosts for which port 80 or 443 traffic should be routed through the default shared IP address ranges rather than the dedicated egress IP. nonProxyHosts may be useful as traffic egressing through shared IPs may be further optimized automatically by Adobe.
For each portForwards mapping, the advanced networking defines the following forwarding rule:

Proxy host | Proxy port | | External host | External port
---|---|---|---|---
AEM_PROXY_HOST | portForwards.portOrig | → | portForwards.name | portForwards.portDest

If your AEM deployment only requires HTTP/HTTPS connections to external services, leave the portForwards array empty, as these rules are only required for non-HTTP/HTTPS requests.
For each environment, validate that the VPN routing rules are in effect using the Cloud Manager API’s getEnvironmentAdvancedNetworkingConfiguration operation.
getEnvironmentAdvancedNetworkingConfiguration HTTP request
$ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \
-H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
-H 'x-api-key: <CLIENT_ID>' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-H 'Content-Type: application/json'
Virtual Private Network proxy configurations can be updated using the Cloud Manager API’s enableEnvironmentAdvancedNetworkingConfiguration operation. Remember that enableEnvironmentAdvancedNetworkingConfiguration is a PUT operation, so all rules must be provided with every invocation of this operation; a call that omits an existing portForwards entry removes it.
Now you can use the Virtual Private Network egress configuration in your custom AEM code and configuration.
With the Virtual Private Network enabled, AEM code and configuration can use it to make calls to external services via the VPN. There are two flavors of external calls that AEM treats differently:
HTTP/HTTPS requests from AEM on standard ports (80/443) are allowed by default and need no extra configuration or considerations.
When creating HTTP/HTTPS connections to non-standard ports (not-80/443) from AEM, the connection must be made through special host and ports, provided via placeholders.
AEM provides two sets of special Java™ system variables that map to AEM’s HTTP/HTTPS proxies.
Variable name | Use | Java™ code | OSGi configuration | Apache web server mod_proxy configuration
---|---|---|---|---
AEM_HTTP_PROXY_HOST | Proxy host for HTTP connections | System.getenv("AEM_HTTP_PROXY_HOST") | $[env:AEM_HTTP_PROXY_HOST] | ${AEM_HTTP_PROXY_HOST}
AEM_HTTP_PROXY_PORT | Proxy port for HTTP connections | System.getenv("AEM_HTTP_PROXY_PORT") | $[env:AEM_HTTP_PROXY_PORT] | ${AEM_HTTP_PROXY_PORT}
AEM_HTTPS_PROXY_HOST | Proxy host for HTTPS connections | System.getenv("AEM_HTTPS_PROXY_HOST") | $[env:AEM_HTTPS_PROXY_HOST] | ${AEM_HTTPS_PROXY_HOST}
AEM_HTTPS_PROXY_PORT | Proxy port for HTTPS connections | System.getenv("AEM_HTTPS_PROXY_PORT") | $[env:AEM_HTTPS_PROXY_PORT] | ${AEM_HTTPS_PROXY_PORT}
Requests to HTTP/HTTPS external services on non-standard ports should be made by configuring the Java™ HTTP client’s proxy settings with AEM’s proxy host/port values. When making HTTP/HTTPS calls to external services on non-standard ports, no corresponding portForwards entry needs to be defined using the Cloud Manager API’s enableEnvironmentAdvancedNetworkingConfiguration operation, as the port forwarding “rules” are defined “in code”.
See AEM as a Cloud Service’s Virtual Private Network documentation for the full set of routing rules.
Figure: Java™ code example making an HTTP/HTTPS connection from AEM as a Cloud Service to an external service on non-standard HTTP/HTTPS ports.
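The figure is not reproduced on this page. As an added example (not the page's own code or Adobe's), the OSGi component below calls an internal HTTPS service on a non-standard port through the AEM_HTTPS_PROXY_HOST/AEM_HTTPS_PROXY_PORT proxy using Apache HttpClient 4.x. The package name, component name and API_URL are assumptions; the environment variable names are the ones from the table above.

```java
// Added example, not from the original page. Package, component and API_URL are assumed.
package com.example.aem.egress;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.osgi.service.component.annotations.Component;

@Component(service = ExternalApiClient.class)
public class ExternalApiClient {

    // Assumed: an internal service reachable over the VPN on a non-standard HTTPS port.
    private static final String API_URL = "https://api.internal.example.com:8443/v1/status";

    /**
     * Builds an HttpClient that routes through AEM's HTTP or HTTPS proxy for the given scheme.
     * On AEM as a Cloud Service the AEM_HTTP(S)_PROXY_HOST/PORT variables are set by the
     * platform; on the local AEM SDK they are absent, so the client connects directly.
     */
    static CloseableHttpClient proxiedClient(String scheme) {
        String prefix = "https".equalsIgnoreCase(scheme) ? "AEM_HTTPS_PROXY_" : "AEM_HTTP_PROXY_";
        String host = System.getenv(prefix + "HOST");
        String port = System.getenv(prefix + "PORT");
        if (host == null || host.isEmpty() || port == null || port.isEmpty()) {
            return HttpClients.createDefault();
        }
        HttpHost proxy = new HttpHost(host, Integer.parseInt(port));
        return HttpClients.custom().setProxy(proxy).build();
    }

    /** Fetches the status document from the external service and returns its body. */
    public String fetchStatus() throws IOException {
        try (CloseableHttpClient client = proxiedClient("https");
             CloseableHttpResponse response = client.execute(new HttpGet(API_URL))) {
            int code = response.getStatusLine().getStatusCode();
            if (code != 200) {
                throw new IOException("Unexpected HTTP status " + code + " from " + API_URL);
            }
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        }
    }
}
```

HttpClient tunnels HTTPS through the proxy with a CONNECT request, so the TLS session is negotiated with api.internal.example.com itself and the certificate is validated against that name, not against the proxy host.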
When creating non-HTTP/HTTPS connections (ex. SQL, SMTP, and so on) from AEM, the connection must be made through a special host name provided by AEM.
Variable name | Use | Java™ code | OSGi configuration
---|---|---|---
AEM_PROXY_HOST | Proxy host for non-HTTP/HTTPS connections | System.getenv("AEM_PROXY_HOST") | $[env:AEM_PROXY_HOST]
Connections to external services are then made through AEM_PROXY_HOST and the mapped port (portForwards.portOrig), which AEM then routes to the mapped external hostname (portForwards.name) and port (portForwards.portDest).
Proxy host | Proxy port | | External host | External port
---|---|---|---|---
AEM_PROXY_HOST | portForwards.portOrig | → | portForwards.name | portForwards.portDest
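As an added example (not the page's own code or Adobe's), the class below opens a JDBC connection to the MySQL server behind the VPN using the mysql.example.com:3306 → portOrig 30001 mapping from the vpn-configure.json above. The package name, database name and query are assumptions; the host, ports and environment variable come from this page.

```java
// Added example, not from the original page. Package, database and query are assumed.
package com.example.aem.egress;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class VpnDatabaseClient {

    // Values taken from the vpn-configure.json portForwards entry on this page.
    private static final String EXTERNAL_HOST = "mysql.example.com";
    private static final int EXTERNAL_PORT = 3306;   // portForwards.portDest
    private static final int PORT_ORIG = 30001;      // portForwards.portOrig

    /**
     * Resolves the JDBC URL. On AEM as a Cloud Service the driver connects to
     * AEM_PROXY_HOST:portOrig and AEM forwards the connection to the external host and port.
     * On the local AEM SDK, where AEM_PROXY_HOST is unset, the driver connects directly.
     */
    static String jdbcUrl(String proxyHost, String database) {
        boolean viaProxy = proxyHost != null && !proxyHost.isEmpty();
        String host = viaProxy ? proxyHost : EXTERNAL_HOST;
        int port = viaProxy ? PORT_ORIG : EXTERNAL_PORT;
        // sslMode=REQUIRED encrypts the MySQL session; use VERIFY_CA to additionally
        // check the server certificate against a trusted CA (Connector/J option names).
        return String.format("jdbc:mysql://%s:%d/%s?sslMode=REQUIRED", host, port, database);
    }

    /** Counts rows in the assumed "orders" table; credentials are passed in, never hard-coded. */
    public int countOrders(String user, String password) throws SQLException {
        String url = jdbcUrl(System.getenv("AEM_PROXY_HOST"), "wknd");
        try (Connection conn = DriverManager.getConnection(url, user, password);
             PreparedStatement ps = conn.prepareStatement("SELECT COUNT(*) FROM orders");
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }
}
```

The same pattern applies to the smtp.sendgrid.com:465 → 30002 mapping: the mail client is pointed at AEM_PROXY_HOST:30002, and the portForwards entry, not the code, decides where that traffic leaves the VPN.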
The Virtual Private Network configuration can also be used to limit access to AEM as a Cloud Service environments to VPN traffic.
Figure: Configure an IP allowlist such that only VPN traffic can access AEM.
Figure: Require VPN access for specific paths on AEM Publish.