Learn what the Adobe Managed CDN in AEM Cloud Service is and how it can be configured. Join us to explore the new CDN configuration capabilities that can be used to enhance both the performance and security of your AEM as a Cloud Service application. In this session you will discover: what the Adobe CDN is and the relevant topologies for AEMaaCS and Edge Delivery Services; the typical use cases that can be implemented with CDN rules; and how to use RDEs to quickly test and deploy CDN configurations.
Question | Answer |
Is this CDN service an Azure service or an Adobe private CDN? | The CDN is Fastly |
How do we override any CDN configuration in AEMaaCS? | See this article, which describes how to use the config pipeline to deploy customer configuration: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/confi... |
How to delete the cache from Fastly? | See this article about purging the CDN: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/con... |
Where is the reach of the Adobe CDN? | George, can you ask again with more context? Not sure what you mean by reach. |
Does AEM have any plans to support architecture where clients can actually replace Fastly with their own CDN, rather than just disable Fastly and keep it as a dummy bridge? | For AEM Publish (i.e. not Edge Delivery Services), the Adobe-Managed CDN will continue to be part of the architecture. It can't be disabled; however, you can configure cache headers such that content isn't cached there. |
Also, what is the business case for using Adobe CDN vs. AEM.live? What are the technical differences? Only support for IPv4 or both (IPv6)? What's the diff? | aem.live is essentially an origin for your "front CDN". You cannot go live with your custom domain using only aem.live; you would need your own CDN or use the Adobe Managed CDN. https://www.aem.live/docs/byo-cdn-adobe-managed |
when do we need Edge Delivery Services? | See the article https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/edge-delivery/ov... for a discussion on Edge Delivery Services. Benefits include high lighthouse scores. You can have some sites or pages served through traditional publish delivery, and others served with Edge Delivery Services. |
Is there a plan to have SSO authentication (instead of basic authentication) at CDN? | We are exploring various authentication scenarios at the CDN. Please send an email to aemcs-edgecompute-feedback@adobe.com with your use case. Thanks! |
Can we identify bots and block them? If yes, then what are the configurations? | Quentin will cover this in a few minutes. Here is an article, which also references some recommended starter rules, and a tutorial: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/traffic... |
is it possible to test Adobe CDN configs in lower environments? | Yes! Check out how you can deploy config pipeline to specific environments: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/confi... |
Utilizing Sling Dynamic Include (SDI) in AEM setup to handle Edge Side Includes (ESI) for dynamic content delivery. With ESI:Include is it possible to read the query parameters of the parent URL or append the Parent URL queryparams to ESI:include url? | It is not possible at the moment to send the query parameters but we could make the parent url availa... |
How much filtering can be done at CDN level vs WAF level... CDN rules differ from WAF rules in what way? | Out of the box, traffic filter rules can block requests based on domains, paths, headers, IPs, etc. You can also define rate limit rules. On the other hand, WAF rules have advanced intelligence to block known threats like OWASP10 (SQL injection, XSS, etc). They also reference data sources of known malicious IPs. See this table for a list of supported WAF rules: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/traffic... |
is the config pipeline run against a program level ? Because in case of EDS, there are no environments | Config pipelines are deployed at an env level. You are correct that currently config pipelines aren't run on EDS, but this may be possible in the future. The approach today would be to send traffic to the AEM publish env, execute any configuration, and then route to the Edge Delivery Services url using the origin selector configuration type. |
A single configuration file for the entire cloud instance creates challenges as the number of sites grows. Any plans to have multiple config files per site? | Config files are per environment. We are not currently thinking to allow multiple files for an environment, mainly because the size for an environment is limited to 100KB. |
How can we set these environment variables/secrets for EDS ? | Config Pipeline is not yet released for Adobe Managed CDN in front of EDS. |
What is required to disable Fastly cache in case of a customer CDN in front of AEMaaCS? Is the header „Surrogate-Control: no-store“ sufficient? | Yes, surrogate control is the right strategy. I'm more familiar with setting the max-age, but perhaps no-store works too. You can also use an origin selector with skipCache to go directly to origin without inspecting the cache. |
We would like to enroll in SSO setup/ IDP - please let us know whom to reach out - to enroll in early adopter program. | Please reach out to this alias and we'll see if there's an opportunity: aemcs-edgecompute-feedback@adobe.com |
Pipeline free URL redirects solution I am trying currently, it does not work.. | Please open a ticket with Adobe support, if you haven't already. |
If we have our own CDN, can we still use these features at the Adobe CDN layer? For example "client-redirects" ? | You can, although we've found that customers with their own CDN tend to configure at their CDN. |
Is ESI supported in Fastly CDN to be able to use SDI in components? | Yes, see https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/con... |
Question on Traffic rule: If we are blocking a request based on IP range and Tier as publish, does this block custom domain requests (customer setup domain) which will internally get data from publish as well? Or does it only block when users try to access the publish instance directly? (This is needed to block direct Publish instance from external traffic.) | Yes, it will block custom domains as well. You will need to add another condition to apply the rule for the publish domain you want the IPs to get blocked. |
Does it have any limitation in number of redirects ? | It depends on the approach. See this article for the variations: https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/administration/url-re.... For the redirects configured directly at the CDN, you have 100kb to declare all rules. The dispatcher supports more (there are a couple of variants as you can see in that article). |
Is Adobe Managed CDN only available for AEMaaCS or also available for Adobe Managed Service? | Specifically for Cloud Service. |
Does aem.live need a different license? We have an AEMaaCS enterprise license already. | It depends on when your current license started or was renewed. Please reach out to your Adobe rep! |
is there a pricing plan available for the WAF licensed product | I'd direct you to your organization's Adobe rep! You can also open a support ticket and they'll route you to the right resource. Thanks! |
What is the most efficient way to test CDN and WAF rules implemented for implementations with lots of rules? | I recommend looking at the tutorials referenced on the page below, which mention a couple of tools that could be useful for approximating malicious traffic: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/traffic... |
How can we clear the cache for a particular folder level in the CDN? | It is not supported OOTB but can be implemented in a custom solution using Surrogate-Keys. Assume you have www.example.com/folder1/page1.html and www.example.com/folder1/page2.html. If your response contains the Surrogate-Key header with the folder name (e.g. Surrogate-Key: folder1) then purging that Surrogate-Key will purge all resources in that folder. https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/con... |
Can we use the AEM WAF functionality while using the custom CDN ? | Yes, it is possible. |
How long are the CDN logs retained? | You can download 7 days through Cloud Manager. If you have a vendor/technology like Splunk, Elastic, etc, you can forward logs and retain them as long as you'd like! See this article: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/dev... |
Does it support IPv6? Do you have any security partnerships (Checkpoint, Cisco, Juniper/Netscreen or Websense)? | IPv6 is not currently supported. |
If I configure rate limiting and I have my own CDN pointing to Adobe's managed CDN, does the managed CDN use the true client IP (X-Forwarded-For) as opposed to my own CDN's IP? | When you define your rate limiting rule you can use groupBy to set the property which should be used to aggregate the counters. The following should count the requests per forwardedIp: groupBy: { reqProperty: forwardedIp } |
How can we increase the number of connections if we using advanced networking | Advanced Networking is for egress connections, going out from AEM. Those are not going via the CDN |
What are the options for configuring alerts? | See this article - https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/traffic... |
100KB size restriction for CDN config file looks challenging for instances having large number of sites. Is that something Adobe Support team can help in increasing the limit ? | Open a support case that includes in detail the type(s) of rules you expect, and estimated number -- and while I can't promise, we'll look into whether there's a way to increase it a bit based on your scenario. |
is 100k limit for each domain? | it is per environment |
Can we have the environment-specific yaml? | Yes, see this article: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/confi... |
Will it deploy the CDN changes to AEM Author CDN as well or only publish CDN? | The cdn.yaml applies to all tiers: author, publish and preview. You should guard your conditions to apply the rules only to a specific tier: when: { reqProperty: tier, equals: publish } |
What is the use case for bringing your own CDN when we already have a Adobe CDN? | We've tried to fill the major use cases. |
In the case of AEMaaCS, Adobe Managed CDN and customer provided SSL certificates: why is there a cap or limit of adding only 70 SSL certificates per program? What is the technical reason for having the limit of this 70 count of SSL certs? | All resources have limits and that is a limit that works fine for the majority of the customers. We are considering to support higher number of domains and certificates but that may be in the future a separate SKU. In any case, if you are blocked by that limit please open a customer request with the details of the numbers that will be needed. |
What is the best practice for caching when customers have their own CDN? Should customers enable caching on both CDNs? | If your CDN connects with an edge-key and the key is required (meaning one cannot access the origin site without a key) then caching can be done only in Customer CDN. |
Does rate limiting require WAF license? | No it does not. https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/traffic... |
Can we get the sample file with all possible configuration that we can apply with yaml file? | link to the various articles from https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/confi... , each of which has some example configuration |
In case of custom CDN, will 2 CDNs not cause performance issues? | In practice, there is very low latency. |
When something can be achieved both at dispatcher and CDN which one is recommended? | It is better to do it at the CDN, as soon as the request enters the AEMaaCS infrastructure |
Wednesday, 22nd January, 2025, | 8 am PST OR 5 pm CEST OR 9.30 pm IST
Quentin Vecchio - Adobe (Software Development Engineer), Florian Froese - Adobe (Software Development Engineer), Marius Petria - Adobe (Senior Computer Scientist)
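An added example, not from the session or from Adobe's documentation: a pre-deploy check for the tier guard mentioned in the Q&A above, where cdn.yaml rules apply to author, publish and preview unless the `when` condition pins a tier. It assumes the rules are already parsed from YAML into dicts and that conditions nest with `allOf`/`anyOf`; the function names and sample rules are constructed.

```python
# Flags traffic filter rules whose `when` condition can match on any tier.
# Rules are plain dicts as a YAML parser would produce them (constructed sample).

def tiers_matched(when):
    """Return the set of tiers a condition is limited to, or None if unlimited."""
    if not isinstance(when, dict):
        return None
    if "allOf" in when:
        # AND: one child that pins the tier pins the whole condition.
        pinned = [t for t in map(tiers_matched, when["allOf"]) if t is not None]
        return set.intersection(*pinned) if pinned else None
    if "anyOf" in when:
        # OR: every branch must pin the tier, otherwise one branch leaks.
        branches = [tiers_matched(child) for child in when["anyOf"]]
        if not branches or any(b is None for b in branches):
            return None
        return set.union(*branches)
    if when.get("reqProperty") == "tier" and "equals" in when:
        return {when["equals"]}
    return None


def unguarded_rules(rules):
    """Names of rules that would apply on author, publish and preview alike."""
    return [r["name"] for r in rules if tiers_matched(r.get("when")) is None]


# Constructed sample rules; names and paths are illustrative only.
SAMPLE_RULES = [
    {"name": "block-path-everywhere",
     "when": {"reqProperty": "path", "equals": "/internal"},
     "action": "block"},
    {"name": "block-path-on-publish",
     "when": {"allOf": [{"reqProperty": "tier", "equals": "publish"},
                        {"reqProperty": "path", "equals": "/internal"}]},
     "action": "block"},
    {"name": "tier-or-path",
     "when": {"anyOf": [{"reqProperty": "tier", "equals": "publish"},
                        {"reqProperty": "path", "equals": "/internal"}]},
     "action": "block"},
]

if __name__ == "__main__":
    for name in unguarded_rules(SAMPLE_RULES):
        print(f"rule '{name}' is not limited to a tier")
```

The `anyOf` case is the one that is easy to miss in review: a tier condition inside an OR does not restrict the rule.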
Thanks for sharing!
Thanks for sharing! can you please share the Q&A discussed in the chat at the end of the meeting?
That is still in the process of refinement. Once done, I will share that here.
Session PPT and Q&A added to the main thread.
HTH
Great! Thanks so much!