
SOLVED

Change of Advanced Networking configuration to use VPN


Level 1
Hi everybody,
 
We have an AEM program that has Advanced Network configuration set to use the Dedicated Egress IP address, but we would like to change it and set the VPN configuration instead. This is with an existing program that is currently in production, which means that any downtime is critical for us.
Looking at the documentation at https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/configu... , it mentions that this change would require downtime (>1 hour), so about this, we had some questions:
- We do not understand how we could test the new VPN configuration safely without affecting our current production system. Does anybody know if there is any way to test our changes before applying changes to production?
- The documentation mentions a downtime of 1 hour but it also says: "If downtime would cause significant business impact, contact customer support for assistance, describing what has already been created and the reason for the change." Did anybody perform a change like this? Did you contact Adobe? What was the response from Adobe support about this?
 
Many thanks to everybody

1 Accepted Solution


Correct answer by
Employee Advisor

Hello @EduardoMa9 ,

 

> You can test VPN safely in non‑prod, but you cannot have both “Dedicated Egress IP” and “VPN” active in the same program at the same time. Moving a program from Dedicated Egress IP → VPN is a kind change and currently means a controlled advanced‑networking outage (egress via VPN/dedicated IP is unavailable while you switch).

 

> There is no hidden zero‑downtime self‑service switch today.

 

> A program can only have one advanced networking infrastructure kind at a time:
flexiblePortEgress or dedicatedEgressIp or vpn
→ No parallel “Dedicated IP and VPN” in the same program right now.

>>Reference:
--------------------------------
https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/networking/advance...

 

> Changing kind Dedicated Egress IP → VPN requires deleting and recreating the infrastructure
“To migrate from flexiblePortEgress or dedicatedEgressIP to VPN, the network infrastructure needs to be deleted and re‑created. … This procedure will result in a downtime of advanced networking services.”

 

--> Given that, your safe testing options are basically:

1. Use a separate test program with VPN
Because advanced networking kind is per program, the cleanest way to do safe VPN testing without touching prod is:

i. Create a second AEM CS program (e.g. MyProgram-VPN-POC) in the same IMS org.

 

2. In that test program: Add VPN network infrastructure (kind: "vpn") via Cloud Manager UI or API. Configure addressSpace, dns.resolvers, connections.gateway.address, etc. as your network team will use in prod.

 

3. Add at least one DEV environment to that program and:

Enable advanced networking on that env as VPN (PUT /environment/{id}/advancedNetworking).
Wire your services on the customer side to accept traffic from:
a) p{PROGRAM_ID}.external.adobeaemcloud.com (public egress IP), and/or
b) p{PROGRAM_ID}.{REGION}-gateway.external.adobeaemcloud.com (VPN gateway IP on AEM side).

 

> See table under Useful domains for configuration in:

https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/configu...

 

4. Run realistic tests from AEM code and dispatcher:

- HTTP(S) over VPN.
- Non‑HTTP (databases, SMTP, etc.) using portForwards.
- DNS resolution via your internal resolvers (if configured).
- This fully exercises the same VPN stack you’d use later in production, without touching your live program or its dedicated IP.

 

> The trade‑offs:

- You must maintain an extra program temporarily.
- Some things (like content, configs) need to be copied/adjusted in that program to be realistic.
- For a customer where downtime is truly critical, this is the pattern I would recommend.

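As an added example (not code from the reply or from Adobe), this builds and sanity-checks the two payloads steps 2 and 3 describe before they are sent to the throwaway VPN test program, and derives the hostnames from step 3 that the customer side has to allow. It assumes the Cloud Manager API host, the portDest/portOrig keys, the 30000-30999 portOrig range and the request header names; confirm those against the Cloud Manager API reference.

```python
import ipaddress
import json
import urllib.request

# Added example, not Adobe's code. Field names follow the reply above (kind, addressSpace,
# dns.resolvers, connections, gateway.address, portForwards). The portOrig/portDest keys,
# the 30000-30999 portOrig range and the request headers are assumptions to check against
# the Cloud Manager API reference before use.
CM_BASE = "https://cloudmanager.adobe.io"
PORT_ORIG_RANGE = range(30000, 31000)

def build_vpn_infrastructure(region, address_space, resolvers, connections):
    """Payload for creating kind 'vpn' network infrastructure in the test program."""
    aem_nets = [ipaddress.ip_network(c) for c in address_space]
    for conn in connections:
        ipaddress.ip_address(conn["gateway"]["address"])  # gateway must be a literal IP
        for cidr in conn["gateway"]["addressSpace"]:
            if any(ipaddress.ip_network(cidr).overlaps(a) for a in aem_nets):
                raise ValueError(f"{cidr} overlaps AEM addressSpace {address_space}")
    for resolver in resolvers:
        ipaddress.ip_address(resolver)  # internal DNS resolvers reached over the VPN
    return {"kind": "vpn", "region": region,
            "vpn": {"addressSpace": list(address_space),
                    "dns": {"resolvers": list(resolvers)},
                    "connections": list(connections)}}

def build_advanced_networking(port_forwards, non_proxy_hosts=()):
    """Payload for PUT .../environment/{id}/advancedNetworking on the DEV environment."""
    seen = set()
    for pf in port_forwards:
        if pf["portOrig"] not in PORT_ORIG_RANGE or pf["portOrig"] in seen:
            raise ValueError(f"portOrig {pf['portOrig']} out of range or duplicated")
        seen.add(pf["portOrig"])
    return {"nonProxyHosts": list(non_proxy_hosts), "portForwards": list(port_forwards)}

def egress_hosts(program_id, region):
    """Hostnames from the reply that the customer-side firewall/VPN must accept."""
    return {"public": f"p{program_id}.external.adobeaemcloud.com",
            "gateway": f"p{program_id}.{region}-gateway.external.adobeaemcloud.com"}

def cm_request(method, path, payload, token, org_id, api_key):
    """Build (but do not send) the authenticated request; pass it to urlopen() to apply."""
    headers = {"Authorization": f"Bearer {token}", "x-gw-ims-org-id": org_id,
               "x-api-key": api_key, "Content-Type": "application/json"}
    return urllib.request.Request(CM_BASE + path, data=json.dumps(payload).encode(),
                                  headers=headers, method=method)
```

Run the checks against the values your network team intends to use in prod, so the config that lands in the test program is the one you will later recreate.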

3 Replies


Employee Advisor

Hello @EduardoMa9 ,

 

Could you please mark the answer as correct if it helped you.


Level 1

Yes, sorry; many thanks for your answer.