Dedicated egress IP using Advanced Networking in AEMaaCS

Due to an organization's networking policy, certain applications may need to be hosted behind a firewall and be accessible only from specific whitelisted IP addresses. In AEMaaCS, the Cloud Environment IP range is large and dynamic, and Adobe does not share it with customers for whitelisting. To address this, Adobe lets you assign a dedicated egress IP address to your AEMaaCS environment using Advanced Networking, so that you can whitelist that single IP address in your organization's firewall.
Advanced Networking is only available in the Production program and is not supported in the Sandbox program.

Configuring Advanced Networking

Configuration of the Advanced Networking option must first be done at the Program level.
From your desired program, navigate to Services > Network Infrastructures and click the Add network infrastructure button.
(Screenshot: AEMaaCS New Network Infrastructure)
In the Add network infrastructure dialog, select the Dedicated egress IP address option, and select the Region in which to create the dedicated egress IP address.
(Screenshot: Dedicated Egress IP Address)
To confirm the addition of the dedicated egress IP address, select Save in the next step. It may take up to 1 hour for the network infrastructure to be set up.
Obtain the dedicated egress IP address by running the dig command from the command line. Note that the same dedicated egress IP address is shared by all environments in the program, and applies to both Author and Publish services.
dig +short p{programId}.external.adobeaemcloud.com

Enabling Dedicated Egress IP

Once you have configured an advanced networking option for a program, you must enable it at the environment level to use it.
Navigate to the Environment where you want to enable the advanced networking configuration. Then select the Advanced network configuration tab of the selected environment and click Enable network infrastructure.
(Screenshot: Enable Network Infrastructure)
Within the Configure Advanced Networking dialog box, the Non-Proxy Hosts tab allows you to define a list of hosts. Traffic to these hosts is routed through the shared IP address range instead of the dedicated egress IP. This can be useful because traffic egressing through the shared IPs may be further optimized.
(Screenshot: Egress IP Non Proxy Hosts)
On the Port forwards tab, you can define port forwarding rules for any destination ports other than 80/443. For each destination host, you must map the intended destination port to a port from 30000 through 30999. For example, if you want to connect to a PostgreSQL database, you could use 30432 as the Port Orig and 5432 as the Port Dest.
(Screenshot: Egress IP Port Forwards)
Click Save in the dialog box to apply the advanced networking configuration to the selected environment.
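As an added example that is not part of the original post, here is how backend code would use a port-forward rule like the PostgreSQL one above (Port Orig 30432, Port Dest 5432). It assumes that AEMaaCS exposes the egress proxy host to the JVM through the AEM_PROXY_HOST environment variable and that the PostgreSQL JDBC driver is on the classpath; the database name, user and password are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

// Added example: opening a JDBC connection through the dedicated egress IP
// port forward configured in the Port forwards tab (30432 -> 5432).
public final class EgressPostgresClient {

    // Port Orig chosen in the Port forwards tab (must be in 30000-30999)
    private static final int PORT_ORIG = 30432;

    // Builds the JDBC URL that points at the egress proxy rather than the
    // database host directly. The proxy relays proxyHost:30432 to the
    // destination host on 5432 and the packets leave via the dedicated IP.
    public static String jdbcUrl(String database) {
        // Assumption: the platform sets AEM_PROXY_HOST for the environment
        String proxyHost = System.getenv("AEM_PROXY_HOST");
        if (proxyHost == null || proxyHost.isEmpty()) {
            throw new IllegalStateException(
                "AEM_PROXY_HOST is not set; is network infrastructure enabled for this environment?");
        }
        return "jdbc:postgresql://" + proxyHost + ":" + PORT_ORIG + "/" + database;
    }

    public static Connection connect(String database, String user, String password)
            throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Keep the hop from the egress proxy to the database encrypted
        props.setProperty("sslmode", "require");
        return DriverManager.getConnection(jdbcUrl(database), props);
    }
}
```

Note that the firewall in front of the database only needs to allow the dedicated egress IP on port 5432; the 30432 side exists solely inside the AEMaaCS environment.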

Usage in AEM Backend

Some libraries, such as Apache HttpClient's HttpClientBuilder, require explicit configuration to pick up the JVM system properties that the egress IP settings provide. Otherwise, they may continue to use the shared IP when sending outbound requests.
RestClientService.java

    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;

    // useSystemProperties() makes the client honour the JVM proxy system
    // properties (e.g. http.proxyHost / http.nonProxyHosts) that the
    // advanced networking configuration sets; without it the request would
    // still leave through the shared IP range.
    // getRequestConfig() is the service's own timeout configuration helper
    // (not shown in the original post).
    try (CloseableHttpClient httpClient = HttpClientBuilder.create()
            .setDefaultRequestConfig(getRequestConfig())
            .useSystemProperties()
            .build()) {
        // Implementation goes here
    }
With the dedicated egress IP obtained using the dig command, you can now whitelist it in your firewall. Once your required changes are deployed to the cloud environment, you should be able to connect to APIs that are hosted behind the firewall.
Happy learning! In an upcoming article, we'll explore how to send emails in AEMaaCS using ports other than 80/443.