SOLVED

AEM Cloud: Restrict Publish instance to internal company traffic


Level 2

Hello,

We are currently migrating to AEM Cloud and would like to know how the PROD Publish instance could be restricted to internal company traffic (company IP range) and blocked externally, while the domains remain accessible externally?

By internally I mean the company IP range, so that the Publish instance could only be accessed by employees.

I have tried the IP Allow List feature in Cloud Manager, but this would prevent the domains from loading externally as well (the domain still resolves externally but would show a 403).

Thanks
Dinesh


1 Accepted Solution


Correct answer by
Employee Advisor

Hi,

OK, so you want "publish-pXXXX-eXXXX.adobeaemcloud.com" not to be accessible from the internet, but from the internet only "www.myname.com" should be reachable?

In that case I would block the domain "publish-pXX-eXX...." on the dispatcher with a matching configuration, which just returns a 403 for all requests. (The service monitoring running on the same hostname should not be affected by this, but it's better if you try that out on Stage first.)

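As an added illustration of the approach described in the accepted answer (this is example configuration written for this page, not code from the thread, from Adobe or from the AEM dispatcher SDK), the following Apache vhost fragment answers 403 to any request whose Host header is the Adobe-provided publish hostname and leaves custom domains alone. The hostname regex is an assumption derived from the "publish-pXXXX-eXXXX.adobeaemcloud.com" form mentioned above, the vhost file name is a placeholder, and the monitoring path is a placeholder to be replaced only if a monitoring endpoint actually lives on that hostname.

```apache
# Added example, not part of the original thread.
# Fragment for the dispatcher's Apache vhost, e.g. conf.d/available_vhosts/<project>.vhost (path is a placeholder).
# Assumes mod_rewrite is loaded, which is the case in the AEM as a Cloud Service dispatcher setup.
<VirtualHost *:80>
    ServerName publish
    ServerAlias *

    RewriteEngine On

    # Match only the Adobe-provided publish hostname (assumed pattern: publish-p<program>-e<env>.adobeaemcloud.com).
    RewriteCond %{HTTP_HOST} ^publish-p[0-9]+-e[0-9]+\.adobeaemcloud\.com$ [NC]
    # Placeholder: keep a monitoring endpoint reachable if one is served on this hostname.
    RewriteCond %{REQUEST_URI} !^/MONITORING_PATH_PLACEHOLDER
    # [F] returns 403 Forbidden for everything that matched the conditions above.
    RewriteRule .* - [F,L]

    # The remaining vhost configuration (DocumentRoot, dispatcher handler, rewrites for custom domains) stays unchanged.
</VirtualHost>
```

Because the decision is based on the Host header rather than the client address, it works the same whether the request arrives through the CDN or directly, and custom domains (which carry a different Host header) are unaffected. As the answer notes, validate on Stage first: a 403 on the adobeaemcloud.com hostname will also hit anything else that is still addressed by that hostname, which is why the monitoring exception is left as an explicit placeholder.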

6 Replies


Community Advisor

Hi @Dinesh_A,

Using the IP Allow List in Cloud Manager in isolation would block access entirely, even preventing the domain from resolving externally. You need a solution that selectively restricts access to the Publish instance but still allows the CDN (Content Delivery Network) layer to serve external users.

  1. Configure the IP Allow List in the Cloud Manager to restrict direct access to the Publish instance (blocks external access).
  2. Configure the CDN to route all public traffic and ensure the CDN forwards only allowed requests to the Publish instance.

You will need to configure the dispatcher to allow traffic only from Internal IP ranges and CDN edge nodes.

    /filter
    {
        /0001 { /type "allow" /url ".*" /clientip "CDN-IP-Range-1" }
        /0002 { /type "allow" /url ".*" /clientip "CDN-IP-Range-2" }
        /0003 { /type "allow" /url ".*" /clientip "Internal-IP-Range" } # Allow direct internal traffic
        /0004 { /type "deny" /url ".*" } # Deny everything else
    }

Hope this helps!

Rohan Garg


Employee Advisor

You posted 2 requirements:

  1. restrict the PROD publish instance to internal traffic (from a certain IP range)
  2. not preventing the domain from loading externally.

I don't understand how these 2 requirements can be met at the same time, because they contradict each other (if you allow external access to the domain, not all traffic is coming from the specified IP range).


Level 2

Hi @Jörg_Hoh,

Thank you for your response.

We would like to block external traffic from directly accessing the Publish instance via its domain (which is provided by Adobe).

But we would want the custom domains (custom website domains that are set up by us for the projects) to be accessible externally.

Thanks

Dinesh


Level 5

To restrict the AEM Publish instance to internal company traffic while allowing external access, use a CDN or Edge Network (like Akamai) to proxy requests. Set up firewall rules to allow only internal IPs for the Publish instance, and use DNS to route internal traffic directly. This way, external traffic can still access necessary domains without being blocked.