Is it possible to route egress traffic from AEMaaCS pipelines through the same advanced network configuration?


Level 2

I need to ensure traffic from the it.tests and ui.tests is routed through known IPs. Is it possible to apply the same network configuration AEM instances use for egress traffic to pipelines?

Failing that, I presume the next best option is either to whitelist all known IPs used by the pipelines (is there a list of them?), or set up our own proxy and apply it to the pipeline.

4 Replies


Level 1

Hello @raininglemons

As per analysis, integrating these configurations with your pipeline depends on the pipeline tool you're using. If you're using a CI/CD tool like Jenkins, you can execute scripts or commands to apply these configurations as part of your pipeline workflow.

Also, setting up a proxy server and routing all traffic from your pipelines through it is another option. You can then configure the proxy to allow traffic only to specific IP addresses.

 

Best,

Venkat


Level 2

Hi,

 

Thanks for the reply, but I'm using the Adobe pipelines, so configuring the pipeline is outside my control.


Level 9

Hi @raininglemons ,

Routing egress traffic from AEM as a Cloud Service (AEMaaCS) pipelines through the same advanced network configuration used by AEM instances is not directly supported out of the box. AEMaaCS pipelines are designed to run in a CI/CD environment, which may not support the same network configurations as the managed AEM instances.

However, you have a few alternative approaches to manage and secure egress traffic from your AEMaaCS pipelines:

1. Whitelist Known IPs Used by Pipelines

Adobe does not typically provide a fixed list of IP addresses for their cloud services due to the dynamic nature of cloud environments. However, you can:

  • Monitor and log the IP addresses used by the pipelines.
  • Use these logs to create a list of IP addresses that you can whitelist in your firewall or access control lists.

2. Set Up a Proxy and Configure Pipelines to Use It

This approach involves setting up your own proxy server and configuring your AEMaaCS pipelines to route their traffic through this proxy. Here’s a high-level overview of how to achieve this:

Step-by-Step Setup:

  1. Set Up a Proxy Server:

    • Deploy a proxy server (e.g., Squid, HAProxy) within your network or a secure cloud environment.
    • Configure the proxy server to handle and log egress traffic.
  2. Configure Proxy Server:

    • Ensure that the proxy server can handle the traffic load and has appropriate security configurations.
    • Set up access controls and logging for auditing purposes.
  3. Update Pipeline Configuration:

    • Configure the AEMaaCS pipelines to use the proxy server. This is typically done by setting environment variables for HTTP/HTTPS proxies.
    • Depending on the CI/CD tool used by AEMaaCS, you might set environment variables like HTTP_PROXY and HTTPS_PROXY.

Example Configuration for Proxy in AEMaaCS Pipelines:

 

pipeline:
  environmentVariables:
    HTTP_PROXY: http://your-proxy-server:port
    HTTPS_PROXY: http://your-proxy-server:port

 

3. Use Adobe’s Advanced Networking (if Available)

If your organization has advanced networking configurations set up with Adobe, you might be able to leverage these for your pipelines as well. This would typically involve:

  • Coordinating with Adobe support or your Adobe account manager to understand if this can be extended to include pipeline traffic.
  • Ensuring that the configurations align with your security requirements.

Conclusion

While AEMaaCS pipelines do not natively support routing egress traffic through the same advanced network configuration as AEM instances, you can achieve controlled and secure egress traffic through:

  1. Whitelisting known IP addresses used by the pipelines.
  2. Setting up and configuring a proxy server for the pipelines to use.
  3. Exploring advanced networking options with Adobe if applicable.

Setting up a proxy server and configuring your pipelines to use it is often the most flexible and secure approach, allowing you to control and monitor all egress traffic effectively.
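
Added example, not part of the reply above and not Adobe tooling: one way to carry out the "monitor and log the IP addresses" suggestion from option 1. It assumes the system under test writes combined-format access logs and that the test code sends a hypothetical `pipeline-tests` User-Agent; because the reply notes the addresses are dynamic, entries not seen within a window are reported as stale instead of staying on the list.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines (combined log format). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real pipeline addresses.
# The "pipeline-tests" User-Agent is a hypothetical marker set by the tests.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2024:10:00:01 +0000] "GET /content/a.html HTTP/1.1" 200 512 "-" "pipeline-tests/1.0"
203.0.113.40 - - [01/Jun/2024:10:00:02 +0000] "GET /content/b.html HTTP/1.1" 200 900 "-" "pipeline-tests/1.0"
198.51.100.7 - - [01/Jun/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2024:09:30:00 +0000] "GET /content/a.html HTTP/1.1" 200 512 "-" "pipeline-tests/1.0"
203.0.113.11 - - [20/Jun/2024:09:30:05 +0000] "POST /bin/test HTTP/1.1" 201 12 "-" "pipeline-tests/1.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def observe(log_text, marker):
    """Return {ip: last_seen} for requests whose User-Agent contains marker."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or marker not in m["ua"]:
            continue  # malformed line or unrelated traffic
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[ip] = max(ts, seen.get(ip, ts))
    return seen

def build_allowlist(seen, now, max_age_days=14):
    """Return (collapsed CIDR allowlist of recent IPs, list of stale IPs)."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = [ip for ip, ts in seen.items() if ts >= cutoff]
    stale = sorted(str(ip) for ip, ts in seen.items() if ts < cutoff)
    nets = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        hosts = [ipaddress.ip_network(str(ip)) for ip in fresh if ip.version == version]
        nets += [str(n) for n in ipaddress.collapse_addresses(hosts)]
    return nets, stale
```

The User-Agent is client-controlled, so the marker is only a filter for picking log lines to observe, not an access control in itself.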





Level 6

Thanks ChatGPT, I've been following you, and this is considered spamming, I am reporting you.