Outbound Requests Not Using Dedicated Egress IP in AEMaaCS
In AEMaaCS, outbound HTTP and HTTPS requests are expected to use a configured dedicated egress IP address when integrating with third‑party systems that enforce IP whitelisting. In some environments, requests intermittently originate from other public IP addresses, resulting in access issues with external APIs. To fix this, verify proxy usage, review custom connection logic, compare third‑party logs, and confirm that outbound calls consistently use the dedicated egress IP.
Description description
Environment
- Product: AEM as a Cloud Service - Sites
- Constraints: Dedicated egress IP is configured, Advanced networking is enabled
Issue/Symptoms
- Outbound HTTP/HTTPS requests sometimes originate from the expected dedicated egress IP and other times from different public IP addresses.
- Third‑party services that use strict whitelisting rules reject any request that doesn’t originate from the dedicated egress IP.
- The issue persists regardless of request method or Java version.
- No recent changes were made to code or proxy configuration on affected environments.
Resolution resolution
-
In Cloud Manager, open the environment details for the affected AEMaaCS environment and review the networking/advanced networking section to confirm that Advanced Networking and a dedicated egress IP are enabled.
-
Ensure that outbound HTTP/HTTPS connections use the platform system proxy configured for AEMaaCS:
- For
Apache HttpClient, verify that system properties are used so proxy settings are applied automatically. - For Java 11+ HTTP clients, confirm that default clients respect system proxy settings unless explicitly overridden.
- For
-
Review all custom outbound-connection code to ensure it doesn’t bypass system proxy settings.
-
If you use connection pooling for outbound HTTP clients, confirm in your AEM codebase that it is implemented according to Adobe’s HTTP client guidelines for AEMaaCS so high connection volume doesn’t cause failed connections.
-
Validate with third-party server logs which source IP addresses are being received for each request and compare them against your configured dedicated egress IP.
-
If requests still originate from unexpected public IPs, escalate internally for an infrastructure review of server‑side networking.
-
After making any updates, retest outbound API calls and monitor third‑party logs to confirm consistent use of the dedicated egress IP.
-
Verify that all successful requests now originate only from the configured dedicated egress IP.
Notes:
- Request outcomes vary based on the source IP used at runtime, which impacts scheduled integrations or batch jobs that rely on whitelisted access.
- The behavior occurs across multiple environments without correlation to request methods or specific code changes.
- Some observed public IPs belong to external network providers and not AEM traffic; include only traffic routed through AEM advanced networking in your analysis.