Adobe just quietly rolled out another capability of the AEM as a Cloud Service product in that it is now able to be configured with full VPN connectivity to a corporate network.
Previously, if you wanted to secure access to your AEM Cloud Service implementation from your company’s network, your only avenues were to use IP allow/deny lists (which are at least now self-service). However, there are many use cases this simply doesn’t satisfy (as many times it can be entirely impractical to secure access to an enterprise asset (or an environment) by IP address only.
Adobe recognized this and now offers a full VPN appliance which can be set up with the assistance of Adobe Customer Care.
An intentionally comically-oversimplified diagram of AEM as a Cloud Service and VPN connectivity
The full documentation and diagram of this is available to customers under NDA, so I don’t have any docs to link to from Adobe right now, so the above diagram is a simplified version of the VPN schematic that I got OK from Adobe to publish. Essentially, though, it will allow a mutual TLS tunnel to exist between the customer site and the edge of Adobe’s managed cloud network in Azure, from which point it can take advantage of a nearby Fast.ly POP for caching, and directly connect to the Kubernetes environments running your AEM gear.