Documentation

Configuring and validating a dedicated egress IP in AEM as a Cloud Service

Last update: Fri Jun 19 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

Dedicated Egress IP configuration in AEM as a Cloud Service confuses customers because creation happens at the program level, but the IP isn’t active for outbound traffic until it’s explicitly enabled per environment. The dedicated IP never appears in the Cloud Manager UI; it’s retrieved through a DNS lookup against the program’s external hostname. Provisioning delays and Cloud Manager quota errors add to the confusion. Creating the network infrastructure, enabling it on each environment, resolving the IP via DNS, and confirming outbound traffic uses that IP completes a working allowlist configuration.

Description description

Issue: Dedicated egress IP can’t be located or doesn’t route outbound traffic in AEM as a Cloud Service

Description

When configuring Dedicated Egress IP addresses in Cloud Manager, customers can’t locate the correct configuration UI, experience unexpected UI behavior, or are unsure how to retrieve the final egress IP to allowlist for external systems. Cloud Manager displays errors such as An error occurred while triggering network creation, Only one network infrastructure per program is allowed, or NETWORK_INFRASTRUCTURES_EXCEEDS_LIMIT. Customers also need to validate which IP address AEM uses for outbound calls (HTTP/HTTPS or SMTP), especially for firewall or WAF allowlisting. The issue arises when the feature isn’t fully provisioned or isn’t yet enabled at the environment level, or when program-level infrastructure creation is confused with environment-level enablement.

Environment:

  • Adobe Experience Manager as a Cloud Service (AEMaaCS)
  • AEM Assets Essentials
  • Cloud Manager (Advanced Networking)

Issue/Symptoms:

  • Cloud Manager displays errors such as An error occurred while triggering network creation or Only one network infrastructure per program is allowed.
  • The Dedicated Egress IP address can’t be found in the UI, and the IP isn’t displayed anywhere in Cloud Manager.
  • Outbound connections to third-party systems are blocked due to unrecognized source IPs, causing 403/503 errors or WAF denials.
  • Dedicated Egress IP infrastructure appears created, but outbound traffic isn’t using the expected source IP.

Root cause:

AEM as a Cloud Service uses Cloud Manager to provision advanced networking features. Dedicated Egress IP creation occurs at the program level, but the IP isn’t active for outbound traffic until it’s explicitly enabled per environment. The dedicated IP doesn’t appear in the UI; instead, it must be resolved via a DNS lookup. Misinterpretation of these steps, combined with Cloud Manager UI differences and provisioning delays of up to one to two hours, leads to confusion or failed outbound allowlisting. Some Cloud Manager errors occur when attempting to create multiple infrastructures in one program or when quotas are exceeded.

How to confirm

  1. Verify the provisioning status. Log in to Cloud Manager, select your program, open the Environments tab, and choose Network Infrastructure in the left sidebar. A record for Dedicated egress IP address appears with a status of ready or provisioning.

  2. Retrieve the dedicated egress IP with a local DNS lookup, replacing {programId} with your program ID:

    code language-none 
    dig +short p{programId}.external.adobeaemcloud.com

The command returns a single public IP address. If the record returns empty, provisioning isn’t yet complete.

Resolution resolution

  1. Create the Dedicated Egress IP infrastructure. In Cloud Manager, go to Environments > Network Infrastructure > Add Network Infrastructure, select Dedicated egress IP address, choose a region, and click Save. A new entry appears and its status changes to ready within roughly 15 to 60 minutes. If Cloud Manager returns An error occurred while triggering network creation or NETWORK_INFRASTRUCTURES_EXCEEDS_LIMIT, resolve permissions or remove an existing infrastructure, since only one network infrastructure per program is allowed.

  2. Enable the Dedicated Egress IP at the environment level. Go to Environments, select the specific environment (Dev/Stage/Prod), open Advanced Networking, enable the network infrastructure, and click Save. Under Network Infrastructure, confirm the Environments column shows the environment as enabled. If it doesn’t update, confirm you pressed Save inside the environment-level dialog.

  3. Retrieve the dedicated egress IP and confirm it. Run the DNS lookup and confirm the returned IP matches the value seen in logs or via a remote echo service:

    code language-none 
    dig +short p{programId}.external.adobeaemcloud.com

  4. Validate that outbound traffic uses the dedicated egress IP. From AEM code or an HTTP client using system proxy properties, call an echo service or your target system, then confirm the destination logs the same IP returned by the dig command. Ensure the client code uses system proxy settings, such as HttpClientBuilder.useSystemProperties().

  5. Configure SMTP or other non-HTTP/HTTPS traffic if needed. For SMTP or custom ports, submit a portForwards JSON definition in Cloud Manager. Confirm third-party logs show requests arriving from the dedicated IP. If connections fail, validate the port forwarding definitions and retry after the infrastructure reaches a ready state.

Validation

  1. Run the DNS lookup and confirm it returns the expected IP:

    code language-none 
    dig +short p{programId}.external.adobeaemcloud.com

  2. Perform a test HTTP call from AEM to an echo service and confirm the returned IP matches the dedicated egress IP.

  3. Confirm third-party systems (SMTP, WAF, CRM, and similar) now register inbound traffic from the dedicated IP.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f