Fix CDN routing and header issues in AEMaaCS

Custom CDN configurations in AEMaaCS fail due to incorrect origin settings, missing required headers, or misconfigured routing rules. AEM always routes traffic through Adobe-managed Fastly, which requires correct hostname targeting and specific headers to accept requests. Misconfiguration results in routing failures, SSL mismatches, and errors such as 421 or unknown domain. Fix origin configuration, header forwarding, and cdn.yaml routing to resolve the issue and restore proper request flow.

Description description

Environment

  • Adobe Experience Manager as a Cloud Service (AEMaaCS)
  • AEM Managed Services
  • Adobe Developer App Builder

Issue/Symptoms

  • Requests to AEM fail with Fastly 421or unknown domain errors.
  • Customer CDN cannot reach publish endpoint.
  • Routing failures or SSL mismatch occur.
  • Caching inconsistencies appear.
  • Header-based authentication fails when required headers are removed or overwritten.

Root cause

AEM as a Cloud Service routes all traffic through Fastly before reaching the publish tier. Requests from a customer CDN must include required headers such as Host, SNI, and X-AEM-Edge-Key while targeting the correct publish hostname. Missing or incorrect configuration results in Fastly rejecting or misrouting requests.

Resolution resolution

To resolve this issue, follow these steps:

  1. Identify the publish hostname from Cloud Manager Environments and verify it by loading the URL directly in a browser where it returns a 403 or similar response. Configure the CDN or WAF origin to point to the exact publish hostname and set the Host header, SNI, protocol HTTPS, and port 443 so that the SSL handshake succeeds.
  2. Forward required headers from the CDN to Fastly by configuring X-AEM-Edge-Key, X-Forwarded-Host, X-Forwarded-Proto, and optionally X-Forwarded-Forso Fastly recognizes the request as trusted, then verify header forwarding using logs and curl testing.
  3. If custom routing is required, commit the cdn.yaml file in the Cloud Manager Git repository under /config and add origin selector rules, then run the Config Pipeline to ensure successful deployment.
  4. Configure geo header injection using cdn.yaml request-transformation rules to map existing Adobe geo headers such as x-aem-client-country and x-aem-client-continent to custom headers like X-Forwarded-Country and X-Forwarded-Region, and verify the transformation through header inspection.
  5. Validate DNS flow by pointing the public domain to the customer CDN and ensuring the CDN targets Fastly and then AEM, avoiding direct DNS mapping to Fastly for custom domains.
  6. Confirm that Fastly always sits between the customer CDN and AEM and cannot be removed or bypassed, then perform end-to-end validation by accessing the site through the public domain and verifying routing, headers, and caching behavior using browser developer tools.
recommendation-more-help
experience-cloud-kcs-help-kbarticles