Adobe CDN is blocking requests from internal Adobe service IPs (IO Runtime) || Allow Adobe I/O Runtime to AEM Author Traffic for Runtime Namespace

Community Advisor

Hi Everyone, 

 

We have implemented the following business use case - 

1. Send a request from AEM Publish to Runtime

2. Runtime action is able to generate the access token against the IMS to access the AEM Author instance

3A. Use cURL command to directly ping the author server with the payload -- Gives 200 OK works fine

3B. Use the runtime action to generate the request to author instance -- gets blocked at CDN layer

4. The servlet at author takes the payload and does its own custom logic processing.

 

So locally and via curl the servlet worked fine but when invoked from Adobe I/O runtime it failed with 403 not allowed.

 

Conclusions - 

1. Issue not in servlet, not in dispatcher rules as direct curl from local machine gives 200 OK

The curl command when hit gives the below response - 

rohan_garg@work hello-runtime % curl -X POST \
"https://author-p123456-e1234567.adobeaemcloud.com/services/abc/save" \
-H "Authorization: Bearer eyJhbGciOiJSUz..." \
-H "Content-Type: application/json" \
-d @payload.json -i

{"status":"success"}%

CDN Logs -
{"timestamp":"2025-10-07T18:32:38+0000","ttfb":846,"ttlb":846,"cli_ip":"66.159.199.33","cli_country":"HK","cli_region":"HK","rid":"1c2a187a-9cc9-4bb1-a27a-359fe08467ec","req_ua":"curl/8.7.1","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author-p123456-e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"application/json","cache":"PASS","debug":"","res_age":"","status":200,"pop":"YYZ","rules":"","alerts":"","sample":"","ddos":false}

 

2. Runtime behaviour action - Signs a JWT, exchanges it for IMS access token and forwards POST to Author URL
Runtime container is working, generating tokens, but the HTTP request is being blocked before it hits AEM Author.

This is validated from the CDN logs as seen below - 

rohan_garg@work hello-runtime % aio runtime action invoke sendToAuthorBridgeActionV2 --result -p operation save -p payload "$(cat payload.json)"
{
"body": "{\"message\":\" save completed via Runtime\",\"authorResponse\":{\"raw\":\"<!DOCTYPE html>\\n <html>\\n <head>\\n <title>403 Not allowed.</title>\\n </head>\\n <body>\\n <h1>Error 403 Not allowed.</h1>\\n <p>Not allowed.</p>\\n <p>Trace-id: aa39596b-88b9-4356-a5e3-9899d3073cd8</p>\\n </body>\\n </html>\\n \",\"statusCode\":403}}",
"headers": {
"Content-Type": "application/json"
},
"statusCode": 200
}

TRACE ID - aa39596b-88b9-4356-a5e3-9899d3073cd8
CDN Logs -
{"timestamp":"2025-10-07T19:47:47+0000","ttfb":2636,"ttlb":2636,"cli_ip":"35.78.23.248","cli_country":"JP","cli_region":"JP-13","rid":"aa39596b-88b9-4356-a5e3-9899d3073cd8","req_ua":"","aem_envKind":"SKYLINE","aem_tenant":"myProject","host":"author--e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","res_ctype":"","cache":"ERROR","debug":"","res_age":"","status":403,"pop":"NRT","rules":"","alerts":"","sample":"","ddos":false}

 

We have hit multiple requests like this to get the same result.

 

Diagnosis -  AEM Author’s WAF doesn’t allow traffic from Adobe I/O Runtime’s egress IPs (AWS Tokyo region).

Now I have raised an Adobe support ticket for this to obtain the definitive egress IPs for my runtime and add them via Cloud Manager → IP Allow Lists to have them filtered to the author instance.

 

But the weird part is the Adobe support's response to this -
The error indicates that Adobe Cloud Edge is actively blocking requests that originate from internal Adobe service IPs due to missing whitelist entries. 
Could you confirm and obtain the definitive egress IP addresses (or CIDR ranges) used by Adobe I/O Runtime for the namespace ABC?

 

As a customer, I don't have access to this information, I believe, as I double-checked the console to get that information.

Can anyone help if I am wrong or maybe need to better explain the scenario?
@arunpatidar , @SantoshSai , @giuseppebag, @EstebanBustamante, @Jörg_Hoh, @BrettBirschbach   

 

Sorry for the long query!

 

Thanks in advance,

Rohan Garg
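Added example, not part of the original post and not Adobe's code: a Node.js sketch of the triage done by hand above. It pulls the Trace-id out of the nested Runtime action result, matches it to the CDN log `rid`, and diffs the blocked entry against the allowed curl entry. Function names are hypothetical, and the sample data is abridged from the output quoted in the post.

```javascript
// Added example (not from the original post). Function names are hypothetical.
// CDN log lines abridged from the two entries quoted in the post above.
const cdnLogLines = [
  '{"timestamp":"2025-10-07T18:32:38+0000","cli_ip":"66.159.199.33","cli_country":"HK","rid":"1c2a187a-9cc9-4bb1-a27a-359fe08467ec","req_ua":"curl/8.7.1","host":"author-p123456-e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","cache":"PASS","status":200,"pop":"YYZ","rules":"","alerts":"","ddos":false}',
  '{"timestamp":"2025-10-07T19:47:47+0000","cli_ip":"35.78.23.248","cli_country":"JP","rid":"aa39596b-88b9-4356-a5e3-9899d3073cd8","req_ua":"","host":"author--e1234567.adobeaemcloud.com","url":"/services/abc/save","method":"POST","cache":"ERROR","status":403,"pop":"NRT","rules":"","alerts":"","ddos":false}',
];

// Shaped like the `aio runtime action invoke --result` output in the post (HTML shortened).
const actionResult = {
  body: JSON.stringify({ message: ' save completed via Runtime', authorResponse: { raw: '<html><body><h1>Error 403 Not allowed.</h1><p>Trace-id: aa39596b-88b9-4356-a5e3-9899d3073cd8</p></body></html>', statusCode: 403 } }),
  statusCode: 200,
};

// The action itself returns 200; the upstream status and trace id sit inside the body string.
function extractUpstream(result) {
  const upstream = JSON.parse(result.body).authorResponse || {};
  const m = /Trace-id:\s*([0-9a-f-]{36})/i.exec(upstream.raw || '');
  return { statusCode: upstream.statusCode, traceId: m ? m[1] : null };
}

// Parse newline-delimited CDN log JSON, skipping lines that are not valid JSON.
function parseCdnLogs(lines) {
  return lines.flatMap((line) => {
    try { return [JSON.parse(line)]; } catch { return []; }
  });
}

// List the fields whose values differ between an allowed and a blocked request.
function diffEntries(allowed, blocked, ignore = ['timestamp', 'rid']) {
  const keys = [...new Set([...Object.keys(allowed), ...Object.keys(blocked)])];
  return keys
    .filter((k) => !ignore.includes(k) && allowed[k] !== blocked[k])
    .map((k) => ({ field: k, allowed: allowed[k], blocked: blocked[k] }));
}

// Correlate the error page's trace id with the CDN `rid`, then diff against a 200 for the same URL.
function triage(result, lines) {
  const upstream = extractUpstream(result);
  const entries = parseCdnLogs(lines);
  const blocked = entries.find((e) => e.rid === upstream.traceId) || null;
  const allowed = entries.find((e) => blocked && e.status === 200 && e.url === blocked.url) || null;
  return { upstream, blocked, diff: allowed && blocked ? diffEntries(allowed, blocked) : [] };
}

console.log(JSON.stringify(triage(actionResult, cdnLogLines), null, 2));
```

The diff only lists what differs between the two requests (here the client IP, country, user agent, host, cache, status and POP); it does not by itself say which difference triggered the block.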

3 Replies

Level 10

It's not possible for you to obtain those IPs. I believe it's impossible (not technically, though) for Adobe as well, as you can see in this response here

The recommended solution is to use a Secure Proxy, i.e., configuring a secure proxy server with a static IP address between Adobe I/O Runtime and external services.

Community Advisor

Hi @giuseppebag, thank you for the response!

We are not using an external service here. The endpoint is AEM Author instance. 
Connecting AEM Publish to AEM Author by a middleware/external service seems to be overkill. I am not sure if using runtime to connect AEM Publish to Author is the best approach then, though it was suggested by Adobe support.
While your documentation link says "For security reasons, Runtime does not expose egress IPs."

That's understandable, but the actual container instances that handle the runtime can spin up anywhere in the assigned AWS region. From the logs above I can see the request originates from "ap-northeast-1" every time. So even though the exact IP can change and is not exposed, the broader AWS region IPs or CIDR blocks can be permitted, though if the region ever changes the runtime can silently fail.
Feels like using runtime to establish the connectivity is not the easiest of solutions! 😓

Community Advisor and Adobe Champion

Hi @Rohan_Garg 

 

I don’t believe you have access to that information. According to this thread: https://experienceleaguecommunities.adobe.com/t5/app-builder-questions/i-o-runtime-ip-address-public..., Adobe should be able to assist. I think the next best step would be to reply to Adobe directly. Please update this thread once you find more details. Thanks!



Esteban Bustamante