AEM as a Cloud Service Now Supports VPN Connectivity

AEM as a Cloud Service Now Supports VPN Connectivity

February 26, 2021 0 By Tad Reeves

Adobe just quietly rolled out another capability of the AEM as a Cloud Service product in that it is now able to be configured with full VPN connectivity to a corporate network.

Previously, if you wanted to secure access to your AEM Cloud Service implementation from your company’s network, your only avenues were to use IP allow/deny lists (which are at least now self-service). However, there are many use cases this simply doesn’t satisfy (as many times it can be entirely impractical to secure access to an enterprise asset (or an environment) by IP address only.

Adobe recognized this and now offers a full VPN appliance which can be set up with the assistance of Adobe Customer Care.

diagram of AEM as a cloud service plus VPN
An intentionally comically-oversimplified diagram of AEM as a Cloud Service and VPN connectivity

The full documentation and diagram of this is available to customers under NDA, so I don’t have any docs to link to from Adobe right now, so the above diagram is a simplified version of the VPN schematic that I got OK from Adobe to publish. Essentially, though, it will allow a mutual TLS tunnel to exist between the customer site and the edge of Adobe’s managed cloud network in Azure, from which point it can take advantage of a nearby Fast.ly POP for caching, and directly connect to the Kubernetes environments running your AEM gear.

This would allow for a number of use cases which were previously going to be a tough sell for your friendly neighborhood security guys, and now have a better chance of working. Use cases like:

  • Fully-Internal AEM Environments: There are a number of companies that I’ve worked with that utilize Adobe Experience Manager as the platform for their internal corporate intranet (I know I’m not supposed to use that dated word anymore). If AEM has to be able to authenticate back to an internal corporate Active Directory, or to work with other internal resources (internal Sharepoint, search or legacy systems), this would require an AEM environment placed with 100% VPN access only.
  • Environments with sensitive lower environment data: In some cases, AEM lower environments have data that you want to make sure doesn’t leak to the public until a formal deployment event, and as such one wants to ensure they’re entirely isolated behind a VPN.
  • Public Sites Accessing Private Resources: There are many cases where fully-public AEM sites have integrations with legacy on-premise systems which cannot be moved to the cloud or made public. This would solve for this use case as well.

There may be other cases that the VPN setup in this case will or won’t solve for, with respect to ticking all of the security boxes you come up with in evaluating whether a cloud deployment is right for you.

I’d definitely recommend reaching out or talking to your Adobe partner if you think this might be something you’d want to investigate.


Cover photo: Just an afternoon out at the Willamette River at sunset with my kids, just a 5-minute roll down the bike trail from my house. Sunset Sunrays on the Willamette | Tad Reeves | Flickr

Sunset Sunrays on the Willamette