Fix 403 errors with AEM IP allow lists

IP allow lists in AEM as a Cloud Service restrict access to specified IP addresses. Requests originating from IP addresses that are not included in the allow list return a 403 Not Allowed error. This issue can occur because of missing IP entries, default deny-all configurations, or unsupported forwarded headers. To resolve the issue, review and update the IP allow list configuration with the correct IP addresses.

Description description

Environment

  • Adobe Experience Manager as a Cloud Service (AEMaaCS)
  • AEM Assets Essentials
  • AEM Managed Services

Issue/Symptoms

  • Requests return 403 Not allowed errors
  • Services are inaccessible from certain networks
  • Editor tools fail to load content
  • Traffic routed through external networks does not reach the application

Root cause

Access control is enforced at the edge using the actual connecting IP address. Any request from an IP not explicitly listed is blocked. Forwarded headers are not trusted, and default deny-all configurations can block all access until updated.

Resolution resolution

To resolve this issue, follow these steps:

  1. Review the environment configuration and identify any applied IP allow list.
  2. Check for a default deny-all configuration and remove it if not required.
  3. Create a new allow list and add the required IP addresses or ranges.
  4. Apply the allow list to the appropriate services.
  5. Include any required service IP ranges used by integrated tools.
  6. Validate access from allowed and non-allowed networks to confirm behavior.
  7. Test both default and mapped domains to ensure consistent enforcement.
  8. Ensure that requests cannot bypass restrictions using forwarded headers.
recommendation-more-help
experience-cloud-kcs-help-kbarticles