
AEM65 installation on Azure cloud


Level 1

Hi All,

One of my clients wants to install AEM65 on Azure cloud they own. I would like to know the best way to install AEM on Azure. Please note that I need only AEM Assets and not Sites. I want to know the deployment architecture, security considerations and design of the solution. We are going to have 4 environments, namely DEV, STG, UAT and PRD.

 

I have given a solution already which seems not so accurate as it is not utilizing the Azure features like shared blob storage etc.

 

Can someone please suggest the most optimal way to solution this problem?

 

Note: The client is not ready to use AEMCaaS and standalone servers.

 

Thanks.

1 Reply


Community Advisor

Hi @khalidmo,

Since this is AEM 6.5 On-Prem (Classic) but deployed on Azure, you should aim for cloud-ready infrastructure:

1. Core AEM Setup

  • Author Tier (for Assets)

    • Clustered (Cold standby or TarMK/Document Node Store depending on scale).

    • If asset-heavy → use Document Node Store backed by Azure Cosmos DB (Mongo API) or Azure SQL.

    • Blob storage for binaries → Azure Blob Storage with Shared DataStore for all instances.

  • Publish Tier (Optional, if external sharing is needed)

    • If assets need to be shared outside the organization, you can have Publish with Dispatcher.

    • If internal only → may skip Publish, use Brand Portal / Asset Share Commons instead.

  • Dispatcher

    • Run on Azure App Gateway + Azure Front Door (CDN) for external traffic.

    • Use Azure Load Balancer for internal traffic between authors/publishers.

2. Azure Native Services to Use

  • Storage:

    • Shared Blob DataStore → for binary assets across all author/publish instances.

    • Azure Files or Blob NFS → for shared directories (e.g., /crx-quickstart/install, logs if needed).

  • Database / Persistence:

    • Azure Cosmos DB (Mongo API) → for Document Node Store.

    • If TarMK is chosen, scale is limited → best for smaller implementations.

  • Networking / Security:

    • Use Azure VNet with subnets for Author/Publish/Dispatcher.

    • Use NSGs (Network Security Groups) to restrict traffic between tiers.

    • Integrate with Azure AD for SSO (Asset authorship).

  • Load Balancing / CDN:

    • Azure Application Gateway for WAF + LB.

    • Azure Front Door for global traffic + CDN (if assets distributed globally).

  • Monitoring / Logging:

    • Azure Monitor + Log Analytics integrated with AEM logs.

    • Azure Key Vault for secure secrets management.

3. Environment Design (DEV, STG, UAT, PRD)

  • DEV:

    • Single Author, no publish, minimal infra.

  • STG & UAT:

    • 1 Author (active/standby if budget allows).

    • 1 Publish + Dispatcher (for integration testing).

  • PRD:

    • 2+ Author (active/standby or clustered with Mongo).

    • 2+ Publish (if external delivery is required).

    • 2+ Dispatcher behind App Gateway/Front Door.

    • Shared Blob DataStore + Cosmos DB.

4. Security Considerations

  • Private IP access for Author, public access only via Dispatcher/CDN.

  • App Gateway WAF for traffic sanitization.

  • Azure AD integration for user/group authentication.

  • Encrypt all data in transit (TLS) and at rest (Blob storage, DB).

  • Store secrets in Key Vault (e.g., blob SAS tokens, DB credentials).

  • Restrict storage account with Private Endpoints (not public).


Santosh Sai

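One way to check a deployment against the storage and network points in the reply's Security Considerations list, as an added example (not code from this thread, Adobe or Microsoft): it audits JSON shaped like the output of `az storage account show` and `az network nsg show`. The sample data, subnet range, rule names and the use of AEM's default Author port 4502 are assumptions.

```python
# Added example; sample JSON below is constructed. Field names follow the
# output of `az storage account show` and `az network nsg show`.
AUTHOR_PORT = 4502  # AEM Author default port (assumed unchanged)
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def audit_storage(acct):
    """Findings for the storage account behind the shared Blob DataStore."""
    findings = []
    if acct.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access not disabled")
    states = [c.get("privateLinkServiceConnectionState", {}).get("status")
              for c in acct.get("privateEndpointConnections") or []]
    if "Approved" not in states:
        findings.append("no approved private endpoint")
    if not acct.get("enableHttpsTrafficOnly"):
        findings.append("HTTPS-only transfer is off")
    if acct.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        findings.append("minimum TLS version below 1.2")
    return findings

def port_in_range(port_range, port):
    """True if an NSG port expression ('*', '4502', '4500-4510') includes port."""
    lo, _, hi = str(port_range).partition("-")
    return port_range == "*" or int(lo) <= port <= int(hi or lo)

def exposed_author_rules(nsg, port=AUTHOR_PORT):
    """Inbound Allow rules that open the Author port to any source.
    Rule priority is not evaluated, so review flagged rules in context."""
    exposed = []
    for r in nsg.get("securityRules", []):
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        sources = set(r.get("sourceAddressPrefixes") or []) | {r.get("sourceAddressPrefix")}
        ports = list(r.get("destinationPortRanges") or []) + [r.get("destinationPortRange")]
        if sources & OPEN_SOURCES and any(port_in_range(p, port) for p in ports if p):
            exposed.append(r["name"])
    return exposed

WEAK = {"publicNetworkAccess": "Enabled", "enableHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_0", "privateEndpointConnections": []}
HARDENED = {"publicNetworkAccess": "Disabled", "enableHttpsTrafficOnly": True,
            "minimumTlsVersion": "TLS1_2", "privateEndpointConnections": [
                {"privateLinkServiceConnectionState": {"status": "Approved"}}]}
AUTHOR_NSG = {"securityRules": [
    {"name": "allow-gateway-subnet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.10.2.0/24", "destinationPortRange": "4502"},
    {"name": "allow-any-debug", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "4500-4510"}]}
```

Calling `audit_storage` on the saved JSON for each environment's storage account and `exposed_author_rules` on the Author subnet's NSG gives a quick per-environment check across DEV, STG, UAT and PRD.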