Adobe CDN is blocking requests from internal Adobe service IPs (IO Runtime) || Allow Adobe I/O Runtime to AEM Author Traffic for Runtime Namespace
Hi Everyone,
We have implemented the following business use case -
1. Send a request from AEM Publish to Runtime
2. Runtime action is able to generate the access token against the IMS to access the AEM Author instance
3A. Use a cURL command to directly ping the author server with the payload -- gives 200 OK, works fine
3B. Use the runtime action to generate the request to the author instance -- gets blocked at the CDN layer
4. The servlet at author takes the payload and does its own custom logic processing.
So locally and via curl the servlet worked fine, but when invoked from Adobe I/O Runtime it failed with 403 Not allowed.
Conclusions -
1. Issue not in servlet, not in dispatcher rules as direct curl from local machine gives 200 OK
The curl command when hit gives the below response -
rohan_garg@work hello-runtime % curl -X POST \
"https://author-p123456-e1234567.adobeaemcloud.com/services/abc/save" \
-H "Authorization: Bearer eyJhbGciOiJSUz..." \
-H "Content-Type: application/json" \
-d @payload.json -i
{"status":"success"}%
CDN Logs -
{"timestamp":"2025-10-07T18:32:38+0000","ttfb":846,"ttlb":846,"cli_ip":"66.159.199.33","cli_country":"HK","cli_region":"HK","rid":"1c2a187a-9cc9-4bb1-a27a-359fe08467ec","req_ua":"curl/8.7.1","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author-p123456-e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"application/json","cache":"PASS","debug":"","res_age":"","status":200,"pop":"YYZ","rules":"","alerts":"","sample":"","ddos":false}
2. Runtime behaviour action - Signs a JWT, exchanges it for IMS access token and forwards POST to Author URL
Runtime container is working, generating tokens, but the HTTP request is being blocked before it hits AEM Author.
This is validated from the CDN logs as seen below -
rohan_garg@work hello-runtime % aio runtime action invoke sendToAuthorBridgeActionV2 --result -p operation save -p payload "$(cat payload.json)"
{
"body": "{\"message\":\"✅ save completed via Runtime\",\"authorResponse\":{\"raw\":\"<!DOCTYPE html>\\n <html>\\n <head>\\n <title>403 Not allowed.</title>\\n </head>\\n <body>\\n <h1>Error 403 Not allowed.</h1>\\n <p>Not allowed.</p>\\n <p>Trace-id: aa39596b-88b9-4356-a5e3-9899d3073cd8</p>\\n </body>\\n </html>\\n \",\"statusCode\":403}}",
"headers": {
"Content-Type": "application/json"
},
"statusCode": 200
}
TRACE ID - aa39596b-88b9-4356-a5e3-9899d3073cd8
CDN Logs -
{"timestamp":"2025-10-07T19:47:47+0000","ttfb":2636,"ttlb":2636,"cli_ip":"35.78.23.248","cli_country":"JP","cli_region":"JP-13","rid":"aa39596b-88b9-4356-a5e3-9899d3073cd8","req_ua":"","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author--e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"","cache":"ERROR","debug":"","res_age":"","status":403,"pop":"NRT","rules":"","alerts":"","sample":"","ddos":false}
We have hit multiple requests like this to get the same result.
Diagnosis - AEM Author’s WAF doesn’t allow traffic from Adobe I/O Runtime’s egress IPs (AWS Tokyo region).
Now I have raised an Adobe support ticket for this to obtain the definitive egress IPs for my runtime and add them via Cloud Manager → IP Allow Lists, to have them filtered to the author instance.
But the weird part is the Adobe support's response to this -
The error indicates that Adobe Cloud Edge is actively blocking requests that originate from internal Adobe service IPs due to missing whitelist entries. Could you confirm and obtain the definitive egress IP addresses (or CIDR ranges) used by Adobe I/O Runtime for the namespace ABC?
As a customer, I don't have access to this information, I believe, as I double-checked the console to get that information.
Can anyone help if I am wrong or maybe need to better explain the scenario?
@arunpatidar , @santoshsai , @giuseppebaglio, @estebanbustamante, @joerghoh, @brettbirschbach
Sorry for the long query!
Thanks in advance,
Rohan Garg
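
Added example (not part of the original post, and not Adobe tooling): it matches the Trace-id from the 403 page to the `rid` field of the CDN log and lists every field that differs from the successful curl request to the same URL. The log lines are copied from the post; the function names are illustrative.

```python
import json
import re

# The two CDN log entries from the post, one JSON object per line.
CDN_LOG = '''
{"timestamp":"2025-10-07T18:32:38+0000","ttfb":846,"ttlb":846,"cli_ip":"66.159.199.33","cli_country":"HK","cli_region":"HK","rid":"1c2a187a-9cc9-4bb1-a27a-359fe08467ec","req_ua":"curl/8.7.1","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author-p123456-e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"application/json","cache":"PASS","debug":"","res_age":"","status":200,"pop":"YYZ","rules":"","alerts":"","sample":"","ddos":false}
{"timestamp":"2025-10-07T19:47:47+0000","ttfb":2636,"ttlb":2636,"cli_ip":"35.78.23.248","cli_country":"JP","cli_region":"JP-13","rid":"aa39596b-88b9-4356-a5e3-9899d3073cd8","req_ua":"","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author--e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"","cache":"ERROR","debug":"","res_age":"","status":403,"pop":"NRT","rules":"","alerts":"","sample":"","ddos":false}
'''

# 403 page returned through the Runtime action, trimmed to the part that matters.
ERROR_BODY = "<h1>Error 403 Not allowed.</h1><p>Trace-id: aa39596b-88b9-4356-a5e3-9899d3073cd8</p>"

TRACE_RE = re.compile(r"Trace-id:\s*([0-9a-fA-F-]{36})")
# Fields that differ on every request and say nothing about why one was blocked.
NOISE = {"timestamp", "ttfb", "ttlb", "rid"}


def parse_cdn_log(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            entries.append(entry)
    return entries


def find_by_trace(entries, error_body):
    """Return the log entry whose rid equals the Trace-id in the error page."""
    match = TRACE_RE.search(error_body)
    if match is None:
        return None
    trace_id = match.group(1).lower()
    return next((e for e in entries if str(e.get("rid", "")).lower() == trace_id), None)


def diff_against_baseline(entries, blocked):
    """Compare the blocked entry with a 200 for the same method and URL."""
    baseline = next((e for e in entries
                     if e.get("status") == 200
                     and e.get("url") == blocked.get("url")
                     and e.get("method") == blocked.get("method")), None)
    if baseline is None:
        return {}
    fields = sorted((set(baseline) | set(blocked)) - NOISE)
    return {f: (baseline.get(f), blocked.get(f))
            for f in fields if baseline.get(f) != blocked.get(f)}


if __name__ == "__main__":
    entries = parse_cdn_log(CDN_LOG)
    blocked = find_by_trace(entries, ERROR_BODY)
    for field, (ok, bad) in diff_against_baseline(entries, blocked).items():
        print(f"{field:12} 200: {ok!r:45} 403: {bad!r}")
```

On the two entries above, the differing fields are `cache`, `cli_country`, `cli_ip`, `cli_region`, `host`, `pop`, `req_ua`, `res_ctype` and `status`, while `rules` is empty in both.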

