Configurability of CDN in AEM Cloud Service

In this presentation, we will explore how to enhance the capabilities of the Adobe Managed CDN by utilizing CDN Rules and the Configuration Pipeline.

Attendees will gain insights into:

Join us to unlock the full potential of the Adobe Managed CDN and elevate your website's performance, security, and flexibility.

How could we get some of this flexibility in the AMS version of the same?

qvecchio

AMS doesn't use the AEM Managed CDN, but the provided CDNs (CloudFront/Front Door) offer the same level of flexibility.

Is it possible to bypass CDN in order to execute tests against dispatcher? I know there are internal domains bypassing, but can we do bypassing from our ci/cd solutions? Is it possible to execute these tests in cloud-manager pipeline bypassing CDN?

wolf

The answer given is not an answer for this…

mpetria

Use a random URL to bypass the CDN cache and add it to ignoreurlparams in dispatcher so that it does not also bypass the CDN cache. You cannot bypass the CDN layer at infrastructure layer.

Does AEMaaCS have cache invalidation mechanism on dispatcher side and also on external CDN side like Akamai e.g.?

Robert

Dispatcher is invalidated OOTB (based on its configuration). For e.g. Akamai cache invalidation you need a custom implementation.

mpetria

You can purge the AEMaaCS OOTB CDN manually [1]. But there is no automation built in AEM to do this. [1] https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/cdn-cache-purge

Anian Weber - TechDivision

Is there a way to test and develop the CDN features somewhere (locally)? Doing trial and error on the Cloud environment doesn't seem like that good of an idea.

Tad

At least the config pipeline runs quickly (~1min execution time) and does have rde/dev/stage/prod that you can test on, but I haven't figured out how to test these rules locally. RDE is the best & fastest way so far.

Do you have any tips for setting cache rules in AEMaaCS?

mpetria

These are good rules for a public website https://github.com/adobe/aem-guides-wknd/blob/main/dispatcher/src/conf.d/available_vhosts/wknd.vhost#L147

puradawid

Is there a static analysis tool to check this configuration before submitting it to the repository?

mpetria

Not yet.

Are all of these features available for AEM Sites or only for EDS?

Tad

The default backend for Managed CDN is the AEMaaCS backend for that environment. You can set an EDS site as an alternative backend for path-based request proxying, but the default is AEM Sites/Assets.

mpetria

Actually it is the other way around. The CDN configuration is currently available for the CDN that comes by default for AEMaaCS. However, we are working also to offer this configuration for a Managed CDN that one can put in front of EDS.

Alexander

Is there any tool to help migrate AEM dispatcher configuration to Fastly CDN configuration?

mpetria

No. We have discussed this internally and I do not think we will build such a tool.

Vugar Aghayev

Can we still configure & use the OOTB CDN (strip out query params, rate limiter, etc.) even if you bring your own CDN?

Tomasz Sobczyk

Yes you can

With WAF and the possibility to also route (and cache) traffic to external services, do you see any reason left for customers to bring their own CDN on top of CS one?

Wojtek

Where is this built-in WAF "located"?

Tomasz Sobczyk

One use case would be if you want to run edge functions - you don't have access to Fastly Compute in AEMaaCS, so the only way is to do it in your own CDN. Example: we use edge compute to force users to log in to see the content.

wolf

Also, comparing the WAF capabilities of this solution to e.g. Akamai’s shows you how rudimentary it still is.

wolf

You also apparently get charged for the traffic routed to those external sources (see the other question) as if it was going to the AEMaaCS.

qvecchio

WAF is running at the CDN and is based on Fastly technologies.

Now instead of just caching, the CDN is also processing every request. How easy is it to access the logs to debug issues in the CDN configs?

Barry

CDN logs are available in the Cloud Manager UI or via the aio CLI.

Tomek Niedzwiedz

Any chance of enabling Edge Side Includes in the future?

Tomasz Sobczyk

They are there already.

Tomek Niedzwiedz

Wow, must be a recent addition. Completely missed that. Thanks! https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/edge-side-includes

Tomasz Sobczyk

There are a lot of cool features that were added to the CDN setup recently. Worth checking!

Robert

Are there any plans to get feature parity with Akamai's ESI support (e.g. like if/then/else, setting/reading cookies, generate random numbers)?

mpetria

> Are there any plans to get feature parity with Akamai's ESI support (e.g. like if/then/else, setting/reading cookies, generate random numbers)?

Not really. The ESI support is minimal, only includes, and that is mainly because our CDN provider does not support more advanced features.

royteeuwen

What about allowing Edge Functions?

mpetria

We are actively considering this. Do you have some use cases in mind?

Dominik Suess

Just curious, do we support esi:include (Edge Side Includes)?

Tomek Niedzwiedz

Apparently, yes: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/edge-side-includes

Beo

Do you know if all of https://www.fastly.com/documentation/reference/vcl/statements/esi/ is supported?

Tomek Niedzwiedz

Alas, no. Literally just found out about it.

qvecchio

Yes, we do support ESI; we offer all features provided by Fastly.

Georg Henzler

When using external origins, do the requests to those non-AEM origins count to the "content requests" KPI of the AEM licensing?

Tad

What I was told (as of June of this year) is that in the current state of the product, requests to non-AEM backends do still indeed count toward your AEMaaCS license pageview count total.

mpetria

Yes.

Was confused about the "EDS does not support query parameters" and that you could remove all parameters on the CDN layer. Doesn't this break features like spreadsheets? See https://www.aem.live/developer/spreadsheets

mpetria

I think I was too general regarding EDS. The HTML pages do not accept query params. In general, if your origin needs some query params just allow those.

Barry

When blocking traffic can you set a custom response HTML or will it give a technical/unbranded page?

Tomek Niedzwiedz

We ran into this too. When a security auditor typed a URL matching an old classic UI console, they got a blank HTTP 403, rather than a branded 404, which would've happened if they hit our Apache. It was cut off at the CDN level but still flagged as a vulnerability (path enumeration to find out what resources might be hidden under the hood).

qvecchio

You can use the custom error page feature to deliver a custom response when requests are blocked (or when your origin is unavailable). Ref: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/content-delivery/cdn-error-pages

Tomasz Sobczyk

Are there any plans to provide an online version of these dashboards which will not require downloading logs?

qvecchio

There is no plan as of today. The only possible alternative is to forward your logs to your own logging infrastructure (e.g. Splunk, but we will soon support other logging vendors).

What does the pricing strategy of the WAF look like?

qvecchio

The WAF is sold as an uplift of your AEMCS content request license. You can reach out to the Adobe Sales team to get more information.

Does the CDN have the capability to serve stale content if the origin is unavailable (and validity expired)?

Simon

Doesn't the "Cache-Control" header with the "stale-if-error" directive do the trick? https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

qvecchio

Yes it does. As Simon mentioned, it is controlled via the Cache-Control header and the property `stale-if-error`.
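To make the `stale-if-error` window from the answers above concrete, here is an added example (not from the session or from Adobe) that models the directive's semantics as defined in RFC 5861 for a cache holding a stored response. It is a model of the header logic only, not of the Adobe Managed CDN's implementation; the function names and decision labels are assumptions, and only `max-age` is used for freshness.

```python
ORIGIN_ERRORS = {500, 502, 503, 504}  # statuses RFC 5861 treats as "an error"

def parse_cache_control(header):
    """Split a Cache-Control value into {directive: value or None}."""
    directives = {}
    for part in header.split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip('"') or None
    return directives

def _seconds(directives, name):
    """Integer value of a delta-seconds directive, 0 when absent or malformed."""
    value = directives.get(name)
    return int(value) if value and value.isdigit() else 0

def cache_decision(header, age, origin_status):
    """Decide what a cache holding a response that is `age` seconds old may do.

    origin_status is the status of the fetch/revalidation attempt, or None
    when the origin could not be reached at all (hypothetical convention).
    """
    d = parse_cache_control(header)
    max_age = _seconds(d, "max-age")
    if age < max_age and "no-cache" not in d:
        return "serve-fresh"        # still valid, origin is not needed
    origin_failed = origin_status is None or origin_status in ORIGIN_ERRORS
    if not origin_failed:
        return "serve-origin"       # expired, but the origin answered
    # Expired and the origin is failing: stale is allowed only inside the
    # stale-if-error window and only if nothing forbids stale responses.
    forbids_stale = "no-cache" in d or "must-revalidate" in d
    if not forbids_stale and age < max_age + _seconds(d, "stale-if-error"):
        return "serve-stale"
    return "pass-error"

if __name__ == "__main__":
    header = "max-age=300, stale-if-error=86400"  # constructed sample value
    for age, status in [(200, 503), (1000, 200), (1000, 503), (90000, 503)]:
        print(age, status, cache_decision(header, age, status))
```

Without the directive, or once `max-age` plus the window has elapsed, the origin's error reaches the visitor, so the window should cover the longest outage you want to ride out.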

chrisp

Do triggered alerts just show in the logs or somewhere else?

qvecchio

Triggered alerts show up in CDN logs as well as in Action Center: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/actions-center

Barry

Does it still make sense to keep using the dispatcher if the CDN is more mature and a lot of config shifts to the edge?

mpetria

The obvious limitation of CDN configuration is the size (100 KB). Also, dispatcher will be there whether you configure it or not. At least for the foreseeable future. It is good that your content is also cached in dispatcher as the CDN caches are per datacenter.

Any advantages of blocking / modifying user agents for example for LLM bots?

mpetria

You should block bots that do not respect robots.txt.

qvecchio

I guess it depends on your use cases. User-agent can easily be changed by the client, but official bots usually keep using the same user-agent.
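One way to find the bots that "do not respect robots.txt" before writing a block rule, as an added example that is not part of the original discussion: replay logged requests against the site's robots.txt with Python's standard `urllib.robotparser`. The robots.txt, the bot names and the log lines are constructed, and the JSON field names `user_agent` and `path` are assumptions rather than the real CDN log schema. As noted above, the user-agent is client-supplied, so the result is a list of candidates to review.

```python
import json
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the example site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/

User-agent: ExampleAIBot
Disallow: /
"""

# Constructed log lines; field names are assumptions, map them to your logs.
SAMPLE_LOG = """\
{"user_agent": "PoliteBot/2.1", "path": "/robots.txt"}
{"user_agent": "PoliteBot/2.1", "path": "/en/home.html"}
{"user_agent": "ExampleAIBot/1.0", "path": "/en/home.html"}
{"user_agent": "ExampleAIBot/1.0", "path": "/en/products.html"}
{"user_agent": "GreedyBot/0.3", "path": "/private/report.html"}
{"user_agent": "PoliteBot/2.1", "path": "/en/products.html"}
"""

def robots_violations(robots_txt, log_text):
    """Return {user-agent product token: [disallowed paths it requested]}."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    violations = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # robots.txt groups are matched on the product token before the "/".
        token = entry["user_agent"].split("/")[0]
        if not parser.can_fetch(token, entry["path"]):
            violations.setdefault(token, []).append(entry["path"])
    return violations

def block_candidates(robots_txt, log_text, min_hits=1):
    """Tokens with at least `min_hits` disallowed requests, sorted by name."""
    found = robots_violations(robots_txt, log_text)
    return sorted(t for t, paths in found.items() if len(paths) >= min_hits)

if __name__ == "__main__":
    print(robots_violations(ROBOTS_TXT, SAMPLE_LOG))
    print(block_candidates(ROBOTS_TXT, SAMPLE_LOG, min_hits=2))
```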