DocumentationAEMAEM TutorialsAEM as a Cloud Service Tutorials

Virtual Private Network (VPN)

Last update: Mon Nov 18 2024 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Intermediate
  • Developer

Learn how to connect AEM as a Cloud Service with your VPN to create secure communication channels between AEM and internal services.

What is Virtual Private Network?

Virtual Private Network (VPN) allows an AEM as a Cloud Service customer to connect the AEM environments within a Cloud Manager Program to an existing, supported VPN. VPN allows secure and controlled connections between AEM as a Cloud Service and services within the customer’s network.

A Cloud Manager Program can only have a single network infrastructure type. Ensure that Virtual Private Network is the most appropriate type of network infrastructure for your AEM as a Cloud Service before executing the following commands.

NOTE
Please note, connecting the build environment from Cloud Manager to a VPN is not supported. If you must access binary artifacts from a private repository, you must set up a secure and password-protected repository with a URL that is available on the public internet as described here.
Related Articles
Read the AEM as a Cloud Service advanced network configuration documentation for more details on Virtual Private Network.

Prerequisites

The following are required when setting up a Virtual Private Network using Cloud Manager APIs:

For more details review how to setup, configure, and obtain Cloud Manger API credentials,to use them to make a Cloud Manager API call.

This tutorial uses curl to make the Cloud Manager API configurations. The provided curl commands assume a Linux/macOS syntax. If using the Windows command prompt, replace the \ line-break character with ^.

Enable Virtual Private Network per program

Start by enabling the Virtual Private Network on AEM as a Cloud Service.

Cloud Manager

Flexible port egress can be enabled using Cloud Manager. The following steps outline how to enable flexible port egress on AEM as a Cloud Service using the Cloud Manager.

  1. Log in to the Adobe Experience Manager Cloud Manager as a Cloud Manager Business Owner.

  2. Navigate to the desired Program.

  3. In the left menu, navigate to Services > Network Infrastructures.

  4. Select the Add network infrastructure button.

    Add network infrastructure

  5. In the Add network infrastructure dialog, select the Virtual private network option. Fill out the fields and select Continue. Work with your organization’s network administrator to obtain the correct values.

    Add VPN

  6. Create at least one VPN connection. Give the connection a meaningful name and select the Add connection button.

    Add VPN connection

  7. Configure the VPN connection. Work with your organization’s network administrator to obtain the correct values. Select Save to confirm the addition of the connection.

    Configure VPN connection

  8. If multiple VPN connections are required, as more connections as needed. When all VPN connections are added, select Continue.

    Configure VPN connection

  9. Select Save to confirm the addition of the VPN and all configured connections.

    Confirm VPN creation

  10. Wait for the network infrastructure to be created and marked as Ready. This process can take up to 1 hour.

    VPN creation status

With the VPN created, you can now configure it using the Cloud Manager APIs as described below.

Cloud Manager APIs

Virtual Private Network can be enabled using Cloud Manager APIs. The following steps outline how to enable VPN on AEM as a Cloud Service using the Cloud Manager API.

  1. First, determine the region in which the Advanced Networking is needed by using the Cloud Manager API listRegions operation. The region name is required to make subsequent Cloud Manager API calls. Typically, the region the Production environment resides in is used.

    Find your AEM as a Cloud Service environment’s region in Cloud Manager under the environment’s details. The region name displayed in Cloud Manager can be mapped to the region code used in the Cloud Manager API.

    listRegions HTTP request

    code language-shell 
    $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/regions \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json'

  2. Enable Virtual Private Network for a Cloud Manager Program using Cloud Manager APIs createNetworkInfrastructure operation. Use the appropriate region code obtained from the Cloud Manager API listRegions operation.

    createNetworkInfrastructure HTTP request

    code language-shell 
    $ curl -X POST https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructures \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json'
    -d @./vpn-create.json

    Define the JSON parameters in a vpn-create.json and provided to curl via ... -d @./vpn-create.json.

    Download the example vpn-create.json. This file is only an example. Configure your file as required based on the optional/required fields documented at enableEnvironmentAdvancedNetworkingConfiguration.

    code language-json 
    {
    "kind": "vpn",
    "region": "va7",
    "addressSpace": [
        "10.104.182.64/26"
    ],
    "dns": {
        "resolvers": [
            "10.151.201.22",
            "10.151.202.22",
            "10.154.155.22"
        ],
        "domains": [
            "wknd.site",
            "wknd.com"
        ]
    },
    "connections": [{
        "name": "connection-1",
        "gateway": {
            "address": "195.231.212.78",
            "addressSpace": [
                "10.151.0.0/16",
                "10.152.0.0/16",
                "10.153.0.0/16",
                "10.154.0.0/16",
                "10.142.0.0/16",
                "10.143.0.0/16",
                "10.124.128.0/17"
            ]
        },
        "sharedKey": "<secret_shared_key>",
        "ipsecPolicy": {
            "dhGroup": "ECP256",
            "ikeEncryption": "AES256",
            "ikeIntegrity": "SHA256",
            "ipsecEncryption": "AES256",
            "ipsecIntegrity": "SHA256",
            "pfsGroup": "ECP256",
            "saDatasize": 102400000,
            "saLifetime": 3600
        }
    }]
}

    Wait 45-60 minutes for the Cloud Manager Program to provision the network infrastructure.

  3. Check that the environment has finished Virtual Private Network configuration using the Cloud Manager API getNetworkInfrastructure operation, using the id returned from the createNetworkInfrastructure HTTP request in the previous step.

    getNetworkInfrastructure HTTP request

    code language-shell 
    $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructure/{networkInfrastructureId} \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: <YOUR_BEARER_TOKEN>' \
    -H 'Content-Type: application/json'

    Verify that the HTTP response contains a status of ready. If not yet ready, recheck the status every few minutes.

With the VPN created, you can now configure it using the Cloud Manager APIs as described below.

Configure Virtual Private Network proxies per environment

  1. Enable and configure the Virtual Private Network configuration on each AEM as a Cloud Service environment using the Cloud Manager API enableEnvironmentAdvancedNetworkingConfiguration operation.

    enableEnvironmentAdvancedNetworkingConfiguration HTTP request

    code language-shell 
    $ curl -X PUT https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json' \
    -d @./vpn-configure.json

    Define the JSON parameters in a vpn-configure.json and provided to curl via ... -d @./vpn-configure.json.

    Download the example vpn-configure.json

    code language-json 
    {
    "nonProxyHosts": [
        "example.net",
        "*.example.org"
    ],
    "portForwards": [
        {
            "name": "mysql.example.com",
            "portDest": 3306,
            "portOrig": 30001
        },
        {
            "name": "smtp.sendgrid.com",
            "portDest": 465,
            "portOrig": 30002
        }
    ]
}

    nonProxyHosts declares a set of hosts for which port 80 or 443 should be routed through the default shared IP address ranges rather than the dedicated egress IP. nonProxyHosts may be useful as traffic egressing through shared IPs is optimized automatically by Adobe.

    For each portForwards mapping, the advanced networking defines the following forwarding rule:

    table 0-row-5 1-row-5
    Proxy host Proxy port External host External port
    AEM_PROXY_HOST portForwards.portOrig portForwards.name portForwards.portDest

    If your AEM deployment only requires HTTP/HTTPS connections to external service, leave the portForwards array empty, as these rules are only required for non-HTTP/HTTPS requests.

  2. For each environment, validate the VPN routing rules are in effect using the Cloud Manager API’s getEnvironmentAdvancedNetworkingConfiguration operation.

    getEnvironmentAdvancedNetworkingConfiguration HTTP request

    code language-shell 
    $ curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/environment/{environmentId}/advancedNetworking \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json'

  3. Virtual private network proxy configurations can be updated using the Cloud Manager API’s enableEnvironmentAdvancedNetworkingConfiguration operation. Remember enableEnvironmentAdvancedNetworkingConfiguration is a PUT operation, so all rules must be provided with every invocation of this operation.

  4. Now, you can use the Virtual Private Network egress configuration in your custom AEM code and configuration.

Connecting to external services over the Virtual Private Network

With the Virtual Private Network enabled, AEM code and configuration can use them to make calls to external services via the VPN. There are two flavors of external calls that AEM treats differently:

  1. HTTP/HTTPS calls to external services
    • Includes HTTP/HTTPS calls made to services running on ports other than the standard 80 or 443 ports.
  2. non-HTTP/HTTPS calls to external services
    • Includes any non-HTTP calls, such as connections with Mail servers, SQL databases, or services that run on other non-HTTP/HTTPS protocols.

HTTP/HTTPS requests from AEM on standard ports (80/443) are allowed by default but do not use the VPN connection if not configured appropriately as described below.

HTTP/HTTPS

When creating HTTP/HTTPS connections from AEM, when using VPN, HTTP/HTTPS connections are automatically proxied out of AEM. No additional code or configuration is required to support HTTP/HTTPS connections.

TIP
See AEM as a Cloud Service’s Virtual Private Network documentation for the full set of routing rules.

Code examples

HTTP/HTTPS

HTTP/HTTPS

Java™ code example making HTTP/HTTPS connection from AEM as a Cloud Service to an external service using the HTTP/HTTPS protocol.

Non-HTTP/HTTPS connections code examples

When creating non-HTTP/HTTPS connections (ex. SQL, SMTP, and so on) from AEM, the connection must be made through a special host name provided by AEM.

Variable name
Use
Java™ code
OSGi configuration
AEM_PROXY_HOST
Proxy host for non-HTTP/HTTPS connections
System.getenv("AEM_PROXY_HOST")
$[env:AEM_PROXY_HOST]

Connections to external services are then called through the AEM_PROXY_HOST and the mapped port (portForwards.portOrig), which AEM then routes to the mapped external hostname (portForwards.name) and port (portForwards.portDest).

Proxy host
Proxy port
External host
External port
AEM_PROXY_HOST
portForwards.portOrig
portForwards.name
portForwards.portDest

Code examples

SQL connection using JDBC DataSourcePool

SQL connection using JDBC DataSourcePool

Java™ code example connecting to external SQL databases by configuring AEM's JDBC datasource pool.

SQL connection using Java APIs

SQL connection using Java™ APIs

Java™ code example connecting to external SQL databases using Java™'s SQL APIs.

Virtual Private Network (VPN)

E-mail service

OSGi configuration example using AEM to connect to external e-mail services.

Limit access to AEM as a Cloud Service via VPN

The Virtual Private Network configuration limits access to AEM as a Cloud Service environments to a VPN.

Configuration examples

Applying an IP allow list

Applying an IP allowlist

Configure an IP allowlist such that only VPN traffic can access AEM.

Path-based VPN access restrictions to AEM Publish

Path-based VPN access restrictions to AEM Publish

Require VPN access for specific paths on AEM Publish.

recommendation-more-help
4859a77c-7971-4ac9-8f5c-4260823c6f69