
VPN Advanced Networking configuration challenges in AEMaaCS

When configuring Advanced Networking with a Virtual Private Network (VPN) in Adobe Experience Manager as a Cloud Service (AEMaaCS), issues occur with address space conflicts, invalid Domain Name System (DNS) resolver settings, and stuck states during setup. These problems delay secure connectivity between AEM and external systems. To resolve these issues, configure valid Classless Inter-Domain Routing (CIDR) blocks, include private DNS resolvers in the connection's address space, and verify firewall rules.

Description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS) – Sites

Issue/Symptoms

  • VPN setup fails due to incorrect or overlapping address space configurations.
  • DNS resolver IPs are rejected if not public or not included in the connection’s address space.
  • Configuration changes remain stuck in states like Creating or Updating.
  • Outbound IP ranges require clarification for firewall allowlisting.

Resolution

  1. Configure the address space:

    • Ensure the address space uses a CIDR block of at least /26 (for example, 10.39.0.0/26).
    • Avoid smaller ranges like /32, which are invalid for this setup.
    • Choose a range that does not overlap with existing network IPs.
    • Ensure subnets align with valid boundaries (for example, change 10.39.108.67/26 to 10.39.108.64/26).
  2. Include DNS resolvers that resolve private network domains. If using a private resolver (for example, 10.39.182.200), ensure its IP or subnet (for example, 10.39.182.192/26) is part of the connection’s address space.

  3. Fix stuck states when the UI shows Creating or Updating by verifying that all configurations meet the requirements (a valid address space and DNS resolvers) and by updating incorrect gateway address spaces or DNS settings based on engineering feedback.

  4. Identify outbound traffic sources based on destination:

    • For internal services within the VPN, AEM sends requests from the defined internal address space (for example, 10.39.0.0/26).
    • For external services, AEM uses the public-facing gateway IP (for example, 130.xxx.xxx.xxx). Make sure to allowlist this gateway IP on external endpoints.
  5. The system allows only one VPN connection per program across all environments. It does not currently support separate VPN connections per environment, though this may be considered for a future enhancement.

  6. For a successful VPN setup, allowlist both internal CIDR ranges and public-facing gateway IPs in firewalls to ensure seamless communication, and coordinate with the network team to properly align subnets and DNS resolver configurations.
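The checks in steps 1, 2 and 4 above can be run before submitting the configuration so that the connection does not get stuck in Creating or Updating. The following Python script is an added example, not part of this article or of any AEMaaCS tooling: it uses the standard `ipaddress` module to flag blocks smaller than /26, blocks not on a subnet boundary (snapping 10.39.108.67/26 to 10.39.108.64/26), overlaps with existing networks, and private DNS resolvers that fall outside the address space, and it reports which source address a firewall should allowlist for a given destination. The function names, the `vpn_networks` parameter (the customer-side ranges routed over the VPN) and the gateway IP 203.0.113.10 are assumptions made for the example; the article's own gateway value is only given as 130.xxx.xxx.xxx.

```python
import ipaddress

# Smallest block the article accepts for the VPN address space (/26 or larger, e.g. /24).
MIN_PREFIX = 26


def aligned_network(cidr):
    """Snap a possibly misaligned CIDR to its subnet boundary,
    e.g. 10.39.108.67/26 -> 10.39.108.64/26 (the fix the article recommends)."""
    return ipaddress.ip_network(cidr, strict=False)


def check_address_space(address_space, dns_resolvers, existing_networks):
    """Validate a proposed VPN address space against the rules in this article.

    address_space     - CIDR blocks AEM will use on the VPN (one or more)
    dns_resolvers     - resolver IPs the connection should use
    existing_networks - CIDRs already in use on the customer side (must not overlap)

    Returns a list of (code, message) tuples; an empty list means the
    configuration satisfies every check.
    """
    problems = []
    networks = []
    for cidr in address_space:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # Host bits are set: the block is not on a valid subnet boundary.
            net = aligned_network(cidr)
            problems.append(("misaligned", f"{cidr} is not on a /{net.prefixlen} boundary; use {net}"))
        if net.prefixlen > MIN_PREFIX:
            problems.append(("too_small", f"{net} is smaller than /{MIN_PREFIX}; /{net.prefixlen} blocks are invalid here"))
        for existing in existing_networks:
            other = ipaddress.ip_network(existing, strict=False)
            if net.overlaps(other):
                problems.append(("overlap", f"{net} overlaps existing network {other}"))
        networks.append(net)

    for resolver in dns_resolvers:
        addr = ipaddress.ip_address(resolver)
        if addr.is_global:
            continue  # public resolvers are accepted without being in the address space
        if not any(addr in net for net in networks):
            problems.append(("resolver_outside", f"private DNS resolver {addr} is not inside the address space"))
    return problems


def allowlist_source(destination, vpn_networks, address_space, gateway_ip):
    """Return the source address(es) a firewall in front of `destination`
    should allowlist: the internal address space for destinations reached
    over the VPN (assumed to be the ranges in vpn_networks), otherwise the
    public-facing gateway IP."""
    dest = ipaddress.ip_address(destination)
    if any(dest in ipaddress.ip_network(n, strict=False) for n in vpn_networks):
        return [str(aligned_network(c)) for c in address_space]
    return [gateway_ip]


if __name__ == "__main__":
    # Constructed sample input: the article's example values plus a placeholder gateway IP.
    proposed = ["10.39.108.67/26", "10.39.182.192/26"]
    for code, msg in check_address_space(proposed, ["10.39.182.200"], ["10.39.108.0/24"]):
        print(f"[{code}] {msg}")
    print("internal destination ->", allowlist_source("10.39.182.10", ["10.39.0.0/16"], proposed, "203.0.113.10"))
    print("external destination ->", allowlist_source("198.51.100.7", ["10.39.0.0/16"], proposed, "203.0.113.10"))
```

Run it against the ranges you intend to submit; every `(code, message)` it prints corresponds to one of the rejection reasons listed in the Issue/Symptoms section, and an empty result means the address space and resolver settings satisfy steps 1 and 2.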

For further assistance or clarification on specific use cases, contact Adobe Support.

See the Configure Advanced Networking in AEMaaCS user guide.
