Please use this thread to ask questions related to this session.
Q. What do you recommend as protection measures in front of AEM STAGE which works with the CDN? Usually one uses Basic Auth configured at the CDN level, but Cloud Manager does not expose any API to configure Fastly. Another alternative is mutual TLS certificates. My question is about protecting sensitive content on Stage Publish (not so much about DDoS).
A. There is a default DDoS protection on the Edge which ensures that the edge remains safe in the event of L4 attacks. Then further back we do standard L7 filtering to ensure no invalid requests get through. Further back there is a dispatcher and we will be supporting standard modules. We offer an IP allow list to restrict viewers. Yes, so you can self-service IP protection for the stage, and we are looking at other L7 protection implemented at the edge.
Q. Are EMEA datacenters available for the Author nodes now?
A. Yes, we have EMEA datacenters for Author.
Q. Can we set a user to a specific author instance in a specific datacenter?
A. Requests have affinity cookies to ensure that the same author is accessed each time.
Q. Are those public edge APIs part of the roadmap for an OOTB AEM integration - something like a dedicated rep agent/distribution agent?
A. The public API is very simple: send a PURGE method on the URL to be invalidated and it will invalidate everything that is relevant to it.
Q. So there is really no time when green and blue are both online and an HTML request is served by one, and the related JS/CSS request by the other?
A. Bear in mind the JS/CSS has a long cache lifetime on the CDN, and the JS/CSS URLs being referenced are immutable, so if there is a HIT the content is served and on MISS the same origin as the HTML is used. Obviously, edge cache keys need to be blue/green aware.
Q. Do the edge servers support Edge Side Includes?
A. A subset of the ESI spec is supported.
Q. For staging publisher can we set up access only for ADFS authenticated users?
A. Users are not specific to an instance (which is transient in Cloud Service) and are unrelated to the datacenter. Rather, they are specific to an environment (such as dev, stage, or prod). And yes, it is possible to require authentication via SAML on publishing environments.
Q. Will it also support an OOTB ETag-based invalidation mechanism?
A. ETag revalidation yes, and you can purge content via public edge APIs.
Q. Can the certs be updated by API on CS?
A. Yes, via Cloud Manager API.
Q. Also, do the edge servers support Edge Side Includes? If not, do you already support or plan to support a secondary caching layer like Varnish?
A. A subset of ESI is supported at the Edge.
Q. How long does it take to invalidate the cache for an asset?
A. Immediately the asset is published on the publish tier since assets are referenced immutably in the CDN and the reference changes immediately the asset is published on the tier. Customers can get finer-grained control by adjusting the cache-control and surrogate-control headers on those references.
Q. Will these SSL certs be auto-renewed?
A. SSL certs are not auto-renewed. Customers are notified when the expiration date is coming soon.
Don't forget to register yourself for this session using the registration link shared above.