Cache Invalidation in Hybrid AEM: Keeping EDS and AMS

-

 

Cache Invalidation in Hybrid AEM: Keeping EDS and AMS in Sync on AWS CloudFront

Introduction

In a hybrid AEM setup where EDS and AMS serve different parts of the same website through AWS CloudFront, cache invalidation is one of the trickiest problems to solve. Both systems have completely different invalidation mechanisms — and if you don't coordinate them properly, editors end up seeing stale content, confused about why their published changes aren't showing up.

This post explains how cache invalidation works in each system, why hybrid setups make it harder, and how to build a reliable invalidation strategy across both origins.

The Core Problem

In a single-origin AEM setup, invalidation is straightforward:

  • Editor publishes in AEM
  • Dispatcher flush agent clears the Dispatcher cache
  • CloudFront invalidation clears the CDN layer
  • Done

In a hybrid setup you have two completely separate invalidation pipelines that must never interfere with each other:

EDS publish event
      ↓
Franklin Bot → Hlx Purge API → EDS edge cache cleared
      ↓
CloudFront invalidation for /blog/* paths only

AMS publish / replication event
      ↓
Dispatcher Flush Agent → Dispatcher cache cleared
      ↓
CloudFront invalidation for /products/* paths only

The danger: if an AMS invalidation accidentally triggers a CloudFront purge on EDS paths (or vice versa), you lose your entire EDS cache — destroying the performance advantage EDS was chosen for.

 

       

 

      How EDS Invalidation Works

EDS has a very elegant, automated invalidation model.

When an author updates a page in Google Docs or SharePoint and it is published through the Franklin pipeline:

  1. Franklin Bot detects the change
  2. It automatically calls the Hlx Purge API for the affected URL
  3. The EDS edge cache (Fastly/Hlx) clears that specific page
  4. CloudFront, sitting in front of EDS, needs to be told separately

The key thing to understand: EDS invalidates at the page level automatically. You rarely need to manually trigger EDS purges. The challenge is making sure CloudFront also clears its copy.

EDS invalidation scope:

  • Single page purge — when one document is updated
  • Section purge — when a shared block or fragment is updated (affects multiple pages)
  • Full site purge — rarely needed, triggered manually

How AMS Invalidation Works

AMS invalidation follows the traditional Dispatcher flush model.

When an author activates/publishes content in AEM:

  1. AEM replication agent sends the content to Publish instance
  2. Dispatcher Flush Agent on Publish sends a flush request to Dispatcher
  3. Dispatcher removes the cached .html file and marks the stat file
  4. CloudFront needs a separate invalidation call for the CDN layer

The key difference from EDS: AMS invalidation is path-based and granular — it clears specific .html files or entire subtrees depending on your Dispatcher flush configuration. It does not automatically clear CloudFront.

AMS invalidation scope:

  • Single page — /content/mysite/en/products/overview.html
  • Section tree — /content/mysite/en/products/*
  • Full Dispatcher flush — clears everything (avoid in production)

    

The CloudFront Invalidation Layer

Both EDS and AMS need to trigger CloudFront invalidations when content changes. But they must only invalidate their own paths.

The golden rule:

EDS publish event   → invalidate CloudFront /blog/* paths only
AMS publish event   → invalidate CloudFront /products/* paths only

Never let an EDS event invalidate AMS paths and never let an AMS flush invalidate EDS paths. A full /* CloudFront invalidation should be a last resort — it clears everything across both origins and destroys cache efficiency.

How to Trigger Scoped CloudFront Invalidations

From EDS side: EDS does not natively call CloudFront. You need a small webhook or Lambda function that:

Listen for Franklin publish webhook event
  Extract the URL path that was published (e.g. /blog/my-post)
  Call CloudFront CreateInvalidation API
  Scope: only the specific EDS path (/blog/my-post)
  Do NOT invalidate /products/* or AMS paths

From AMS side: AEM has a built-in mechanism for this — a custom CQ Replication Event Listener or a post-processing workflow step that:

Listen for AEM replication/activation event
  Get the page path that was activated (e.g. /content/mysite/en/products/overview)
  Map it to the external URL (/products/overview)
  Call CloudFront CreateInvalidation API
  Scope: only the specific AMS path
  Do NOT invalidate /blog/* or EDS paths

Invalidation Patterns — What Works and What Doesn't

Pattern 1 — Page-Level Invalidation (Recommended)

Invalidate only the exact URL that changed.

Page published: /content/mysite/en/products/camera.html
External URL:   /products/camera
CloudFront invalidation: /products/camera

Pros: Precise, fast, cheap (CloudFront charges per invalidation path) Cons: If a shared component (header, footer, navigation) changes, you need to invalidate all pages that use it

Pattern 2 — Section-Level Invalidation

Invalidate an entire section when a shared component or template changes.

Navigation component updated → affects all pages
CloudFront invalidation: /products/*

Pros: Covers all affected pages in one call Cons: Temporarily reduces cache hit rate for entire section

Pattern 3 — Surrogate Keys / Cache Tags (Advanced)

Tag CloudFront responses with logical groups so you can invalidate by tag rather than by path.

All /products/* pages tagged with: "products-section", "global-nav"
Navigation changes → invalidate tag "global-nav"
CloudFront clears all pages with that tag across /products/*

This is the most precise approach but requires CloudFront to pass surrogate key headers from AMS Dispatcher (Surrogate-Key or Cache-Tag headers) and a Lambda@Edge function to manage tag-based invalidation.

Shared Components — The Hardest Invalidation Problem

In hybrid setups, the most painful scenario is a shared component that appears on both EDS and AMS pages — typically the global header, footer, or navigation.

Global navigation updated in AEM
  ↓ Needs to invalidate:
  /products/* (AMS pages)     AND
  /blog/*     (EDS pages)

Recommended approach:

Treat shared components as two separate problems:

  • On AMS pages — navigation is rendered server-side by AEM. AMS invalidation handles it.
  • On EDS pages — navigation is typically a shared block fetched from a Google Sheet or SharePoint list. EDS automatically purges it when the sheet is updated.

The key is: do not try to share a single invalidation event across both origins. Keep them independent and let each system handle its own shared components natively.

Stale Content Fallback — Defence in Depth

Even with the best invalidation setup, there will be edge cases where CloudFront serves stale content. Use stale-while-revalidate and stale-if-error directives as a safety net:

For EDS paths:

Cache-Control: public, max-age=86400, stale-while-revalidate=3600

This means: serve cached content for up to 24 hours, but if the cache is between 24h and 25h old, serve stale while fetching fresh in the background. The user never sees a slow page.

For AMS paths:

Cache-Control: public, max-age=3600, stale-while-revalidate=300, stale-if-error=86400

This means: serve cached content for 1 hour, revalidate in background for 5 minutes after expiry, and if AMS Dispatcher is down, serve stale content for up to 24 hours rather than showing a 503.

Key Takeaways

  • EDS and AMS have completely separate invalidation pipelines — never let them cross-contaminate each other's CloudFront paths.
  • EDS invalidation is largely automatic via Franklin Bot — your job is to wire up a CloudFront invalidation scoped to EDS paths only.
  • AMS invalidation requires a custom replication listener or workflow step to trigger scoped CloudFront invalidations.
  • Always invalidate at page level where possible — section-level invalidation as a fallback, full /* invalidation only as a last resort.
  • Use stale-while-revalidate as a safety net on both origins — it eliminates slow cache misses and protects against origin downtime.
  • Shared components (navigation, footer) should be invalidated independently on each origin — do not try to build a single cross-origin invalidation event.

Comments

Post a Comment

Popular Posts

Configure/Decoding AEM AuditLogs

-
Image
AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM. Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom. This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.  This article covers the following - How can we enable Audit logs in AEM. How can we read and understand the Audit logs/ tools to use it. Audit log on file system in crx-quickstart/logs folder.   Audit logs for User creation / Modification. How can you archive/purge the audit logs. How can we enable Audit logs in AEM?            By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...
Read more

How to Increase Apache Request Per Second ?

-
Image
How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apach...
Read more

AdobeDispatcherHacks ".statfile"

-
Image
AEM DISPATCHER STATFILE UNDERSTANDING & CACHE INVALIDATION:- AEM Developers, Infrastructure Engineers regularly come across a challenge on decoding the statfile and using it efficiently especially statfile becomes highly relevant in a multi-tenanted environment with different project teams controlling different sites. The article addresses in a simple way on how to understand the mechanisms of stat file and gives a detailed explanation of how it can be used in a multi-tenant environment model.  The image for your reference as a quick overview of the data flow, before we take a deep dive.  This article covers - 1 - When dispatcher serves the old version of the content. How to avoid it. 2- Cache invalidation mechanism. Assumption - If you are reading this article, I believe you would have a basic understanding of Dispatcher and it's configuration. Firstly let’s set the initial configuration for the cache invalidation section ...
Read more

how to clear dispatcher cache in aem ?

-
Image
How to clear dispatcher cache in aem ? As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.   This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache. Clear Cache using the Dispatcher Flush Agent You can use the Dispatcher Flush Agent. Follow these steps:   Log in to your AEM instance and navigate to http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush" agent to open the agent's configuration page. Clic...
Read more

How Does S3 works with AEM ?

-
Image
How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/...
Read more

AEM Security Headers

-
Image
Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">               ...
Read more

How to Sync HMAC in AEM ?

-
Image
Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL...
Read more

OakAccess0000: Access denied

-
Image
ERROR :-   OakAccess0000: Access denied We often observe while doing the AEM development or in live running environment we get the error code  OakAccess0000 , especially while running a workflow or any asset upload. This issue disrupts normal operation. As content authors are unable to perform essential task like uploading or managing content, leading to business impact.   This impact the business as content author are unable to upload any content.  Error stack trace :- Javax.jcr.AccessDeniedException: OakAccess0000: Access denied  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:232) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:669) [org.apache...
Read more

AEM ACL and how they are evaluated

-
Image
ACL's and how they are evaluated ? AEM Developers, Infrastructure Engineers / Dev-ops teams working in any domain regularly come across a challenge for understanding the ACL & its evaluation mechanism.  Adobe Experience Manager is designed to cater for content authoring of multiple sites by multiple content authors. Naturally, this process needs to be controlled by strict Access Control Lists (ACLs) to manage. AEM WCM uses Access Control Lists (ACLs) to organise the permissions being applied to the various pages. This article addresses in a simple way on how to understand the ACL's , its different ways,  This article covers the following - How can we read and understand the ACL.  Evaluation of user permissions.  Concurrent Permission on ACL Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration...
Read more

Dispatcher flush from AEM UI

-
Image
How to Delete Dispatcher cache without logging into the Dispatcher servers? Our Authoring team faces day to day challenges while deleting/flush the dispatcher cache. when the changes are not visible on server. They have to be depended on the IT operations/Dev ops teams to do the same. Which some time get very much time consuming for a small work.  In this article we will see it can be configure and used by Author UI itself.  This will allow  AEM authors (or “super authors”) to flush parts of the dispatcher cache manually without the involvement of IT Operations. How to Use 1. Log in to AEM Author 2. Download the ACS commons tool from  ACS Commons Official page 3. Install the downloaded package via aem package manager.   4. Make sure you create the dispatcher flush agents on Author for all Dispatchers. from http://<<host:port>>/miscadmin#/etc/replication/agents.author, check the NOTE's part at the end of page. 5. Navigate to Tools 6. Under the ac...
Read more