AEM Cloud: Restrict Publish instance to internal company traffic | Community
Level 2
January 16, 2025
Solved

AEM Cloud: Restrict Publish instance to internal company traffic

  • January 16, 2025
  • 4 replies
  • 1318 views

Hello,

We are currently migrating to AEM Cloud and would like to know how the PROD Publish instance could be restricted to internal company traffic (company IP range) and blocked externally, while the domains remain accessible externally.

By internally I mean company IP range, so that publish instance could only be accessed by employees.

I have tried the IP Allow List feature in Cloud Manager, but this would prevent the domains from loading externally as well (the domain still resolves externally but would show a 403).

Thanks
Dinesh

Best answer by joerghoh

4 replies

Rohan_Garg
Community Advisor
January 16, 2025

Hi @dinesh_a,

Using the IP Allow List in Cloud Manager in isolation would block access entirely, even preventing the domain from resolving externally. You need a solution that selectively restricts access to the Publish instance but still allows the CDN (Content Delivery Network) layer to serve external users.

  1. Configure the IP Allow List in the Cloud Manager to restrict direct access to the Publish instance (blocks external access).
  2. Configure the CDN to route all public traffic and ensure the CDN forwards only allowed requests to the Publish instance.

You will need to configure the dispatcher to allow traffic only from Internal IP ranges and CDN edge nodes.

/filter
{
  /0001 { /type "allow" /url ".*" /clientip "CDN-IP-Range-1" }
  /0002 { /type "allow" /url ".*" /clientip "CDN-IP-Range-2" }
  /0003 { /type "allow" /url ".*" /clientip "Internal-IP-Range" }  # Allow direct internal traffic
  /0004 { /type "deny"  /url ".*" }                                # Deny everything else
}

Hope this helps!

Rohan Garg

arunpatidar
Community Advisor
January 16, 2025
joerghoh
Adobe Employee
January 17, 2025

You posted 2 requirements:

  1. restrict PROD publish instance to internal traffic (from a certain IP range)
  2. not preventing the domain to load externally.

I don't understand how these 2 requirements can be met at the same time, because they contradict each other (if you allow external access to the domain, not all traffic is coming from the specified IP range).

Dinesh_A (Author)
Level 2
January 17, 2025

Hi @joerghoh

Thank you for your response.

We would like to block external traffic from directly accessing the Publish instance with its domain (which is provided by Adobe).

But we would want the custom domains (custom website domains that are set up by us for the projects) to be accessible externally.

Thanks

Dinesh

joerghoh
Adobe Employee (Accepted solution)
January 17, 2025

Hi,

ok, so you want "publish-pXXXX-eXXXX.adobeaemcloud.com" to be not accessible from the internet, but from the internet only "www.myname.com" should be reachable?

In that case I would block the domain "publish-pXX-eXX...." on the dispatcher with a matching configuration, which just returns a 403 for all requests. (The service monitoring running on the same hostname should not be affected by this, but it's better if you try that out on Stage first.)
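A concrete form of the dispatcher rule joerghoh describes, added here as an example; it is not taken from the thread or from Adobe's reference dispatcher configuration. The hostname and the program/environment ids are placeholders, and it assumes the standard AEM as a Cloud Service dispatcher layout, where vhost files are included alphabetically from conf.d/enabled_vhosts and the project's default.vhost carries a catch-all ServerAlias.

```apache
# Added example, not from the thread. Placeholder hostname: replace p12345 and
# e67890 with the real program and environment ids of the PROD publish service.
#
# Assumed file: conf.d/available_vhosts/000_block_adobeaemcloud.vhost,
# symlinked into conf.d/enabled_vhosts. The "000_" prefix matters: Apache
# selects the first vhost whose ServerName/ServerAlias matches the Host header,
# so this file must be included before default.vhost (ServerAlias "*").
<VirtualHost *:80>
    ServerName publish-p12345-e67890.adobeaemcloud.com

    # Every path and method on this hostname gets a plain 403; nothing is
    # forwarded to the publish renders. Custom domains (e.g. www.example.com,
    # placeholder) do not match this vhost and are served as before.
    <Location />
        Require all denied
    </Location>
</VirtualHost>
```

As the accepted answer notes, Adobe's service monitoring also uses this hostname, so validate the vhost with the Dispatcher SDK and on Stage before promoting it to PROD.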

AmitVishwakarma
Community Advisor
January 19, 2025

To restrict the AEM Publish instance to internal company traffic while allowing external access, use a CDN or Edge Network (like Akamai) to proxy requests. Set up firewall rules to allow only internal IPs for the Publish instance, and use DNS to route internal traffic directly. This way, external traffic can still access necessary domains without being blocked.