Adobe Experience Manager Sites & More

MattHa30 · 8/15/25

I am trying to set up a dedicated egress IP address, following the instructions on https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/networking/dedicat... .

I am having trouble and I need help. I execute the CURL commands, but they fail (due to authentication, I think).

Here is the full setup:

In the developer console, I created a project to work with. It has the Products & Services with Cloud Manager API with the Product profiles:

Business Owner - Cloud Service
Deployment Manager - Cloud Service
Developer - Cloud Service

That is linked to the credentials OAuth Server-to-Server, with the Scopes: openid, AdobeID, read_organizations, additional_info.projectedProductContext, read_pc.dma_aem_ams

I am an Administrator with the Admin roles of Product and User Group. My products are Adobe Experience Manager as a Cloud Service - Cloud Manager, with four profiles:

Developer - Cloud Service
Program Manager - Cloud Service
Integrations - Cloud Service
Deployment Manager - Cloud Service.

I have Developer access with four profiles:

Developer- Cloud Service
Business Owner - Cloud Service
Integrations - Cloud Service
Deployment Manager - Cloud Service.

And I am in the user group WCM Development.

I have enabled the dedicated egress IP address on the program.

I have the Organization ID, the project's API key (client ID) and Access Token, the Cloud Manager Program ID and Environment IDs.

Then I get the Cloud Manager API curl commands, and it fails. I do the curl command for the Advanced Networking

curl -X GET https://cloudmanager.adobe.io/api/program/{programId}/regions \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json'

And I get {"error_code":"403025", "message":"Profile is not valid"}

But I know I'm in the East US, so I can use va7, and I try to enable the dedicated IP address using createNetworkInfrastructure:

curl -X POST https://cloudmanager.adobe.io/api/program/{programId}/networkInfrastructures \
    -H 'x-gw-ims-org-id: <ORGANIZATION_ID>' \
    -H 'x-api-key: <CLIENT_ID>' \
    -H 'Authorization: Bearer <ACCESS_TOKEN>' \
    -H 'Content-Type: application/json' \
    -d '{ "kind": "dedicatedEgressIp", "region": "va7" }'

And I get {"reason":"Validation error Request id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.","message":"Bad Request"}

I have triple checked my credentials and IDs. I have (or should have) the prerequisite roles and access.

How can I fix this? How can I troubleshoot this? What should I check or where should I go for assistance?

(Thank you in advance.)

HrishikeshKagne · 8/21/25

Hi @MattHa30 ,

The 400 error wasn’t really about curl or permissions anymore, but about the program already having a network infrastructure. AEM Cloud Manager allows only one network infrastructure per program, so a second POST will always fail with:

{
"code": "NETWORK_INFRASTRUCTURES_EXCEEDS_LIMIT",
"message": "Only one network infrastructure per program is allowed"
}

Use GET /networkInfrastructures if you suspect it’s already provisioned.

Grab the existing networkId from that response.

Use that networkId to check readiness or link it with connections.

Recommendation: Adobe’s Dedicated Egress IP tutorial/docs should be updated to clarify that POST works only once per program, and subsequent setups require a GET to fetch the existing network infrastructure.

Hrishikesh Kagane

View solution in original post

HrishikeshKagne · 8/16/25

Hi @MattHa30 ,

Your errors come from missing or mismatched Cloud Manager API roles/scopes, not from the curl syntax. The "Profile is not valid" means your access token does not include the right Cloud Manager product profile (you must be assigned as Deployment Manager or Business Owner in Cloud Manager for that program). The "Bad Request" happens because the network infrastructure call only works if the program has Advanced Networking enabled and you pass the exact region returned by the /regions API — you can’t hardcode va7 unless the API confirms it.

To fix this as below:

Verify in the Admin Console that your user/service account is in the correct Cloud Manager roles for the program (Deployment Manager is required).

Regenerate the access token with the correct Cloud Manager API scopes.

First call /regions successfully (once roles are fixed), then use that response in the POST.

If it still fails, open an Adobe Support ticket — only Adobe can enable Advanced Networking for your program if it’s not provisioned.

Hrishikesh Kagane

kautuk_sahni · 8/21/25

@MattHa30 Just checking in. Were you able to resolve your issue? We’d love to hear how things worked out. If the suggestions above helped, marking a response as correct can guide others with similar questions. And if you found another solution, feel free to share it — your insights could benefit the community. Thanks again for being part of the conversation!

Kautuk Sahni

MattHa30 · 8/21/25

Thank you Hrishikesh and Kautuk for your replies. I have made forward progress, yes. Hrishikesh's advice led me to change my Cloud Manager roles a bit, adding AEM Managed Services with five profiles, including Deployment Manager. I think that is what got me the access needed for the first CURL command to work, and I was able to make the regions call and confirm that va7 was a valid region (and that my access was correct). But my networkInfrastructures post was still yielding a {"reason":"Validation error Request id: xxxxxxxxxxx","message":"Bad Request"} response.

What really helped was issuing the POST command outside of CURL. (I used my browser console, but Postman could work, too.) This gave me back a more detailed response:

{
    "type": "http://ns.adobe.com/adobecloud/network-infrastructure-generic-exception",
    "status": 400,
    "title": "Network infrastructure exception",
    "errors": [
        {
            "code": "NETWORK_INFRASTRUCTURES_EXCEEDS_LIMIT",
            "message": "Only one network infrastructure per program is allowed"
        }
    ]
}

The issue was that at some point the dedicated egress IP address had already been enabled, and we only have one network infrastructure. The networkInfrastructures post was trying to create a network configuration, but only one network infrastructure per program is allowed, so it returned the 400 error.

Once I knew this, I was able to do a GET to the networkInfrastructures API to get the network ID and move forward. (The tutorial only indicated getting the network id from the POST, and the network id is needed to check if the connection is ready.)

If it is possible for someone to update the Dedicated egress IP address tutorial/documentation to include that the networkInfrastructures post can only be made once per program, and that if it is already set, you need to make a GET call to get the network ID, (or some other process to check if it is already running), I think it would be very helpful.

Thank you again, for your assistance.

HrishikeshKagne · 8/21/25

Hi @MattHa30 ,

The 400 error wasn’t really about curl or permissions anymore, but about the program already having a network infrastructure. AEM Cloud Manager allows only one network infrastructure per program, so a second POST will always fail with:

{
"code": "NETWORK_INFRASTRUCTURES_EXCEEDS_LIMIT",
"message": "Only one network infrastructure per program is allowed"
}

Use GET /networkInfrastructures if you suspect it’s already provisioned.

Grab the existing networkId from that response.

Use that networkId to check readiness or link it with connections.

Recommendation: Adobe’s Dedicated Egress IP tutorial/docs should be updated to clarify that POST works only once per program, and subsequent setups require a GET to fetch the existing network infrastructure.