Hybrid AMS & EDS Architecture

-
aemrules.com
Hybrid AEM CDN Architecture: Routing EDS + AMS on AWS CloudFront
8 min read  ·  Anuj Gangwar  ·  AEM Architect @ Adobe
5 things to know in 30 seconds
1
AWS CloudFront acts as a single traffic cop — routing every request to either EDS or AMS based on the URL path pattern.
2
EDS paths like /blog/* go to hlx.live origin. AMS paths like /products/* go to the Dispatcher origin. Default catch-all points to AMS.
3
Consolidate all EDS static assets under /eds/* — fonts, scripts, styles, blocks, icons all under one folder. One CloudFront rule instead of six.
4
A CloudFront Edge Function handles .html to clean URL 301 redirects at the edge — before any origin is contacted.
5
Always pass X-Forwarded-Host to both origins. AMS needs it for vhost matching. EDS Franklin Bot needs it for site resolution.
Ask a question in the Ask AI tab for more details on any topic.
Local Q&A — zero API cost — aemrules.com

Hybrid AMS & EDS Architecture: Routing EDS + AMS from a Single Domain on AWS CloudFront

Introduction

One of the most complex — and increasingly common — enterprise AEM patterns is running a hybrid topology. Some pages of the website are served by AEM Edge Delivery Services (EDS) while others run on AEM Managed Services (AMS) with a traditional Dispatcher stack. Both serve from the same domain (www.example.com) with no visible difference to the end user.

The glue holding this together is the CDN layer. In most enterprise setups, that means AWS CloudFront. Getting this right requires careful path-based routing, origin separation, cache strategy, and edge-level redirects — particularly the common .html to clean URL problem.

This post covers everything you need to know to architect this correctly.

Why Hybrid Topology Happens

Organisations rarely migrate an entire AEM estate overnight. The typical journey looks like this:

  • Marketing pages (/blog, /articles, /news) migrate to EDS first — they benefit most from EDS speed and simple authoring in Google Docs or SharePoint.
  • Complex transactional pages (/products, /account, /checkout) stay on AMS — they rely on AEM components, workflows, personalisation, and backend integrations that are not yet EDS-compatible.
  • Both need to live under the same domain, same navigation, same experience.

The result is a website where the CDN must silently route each request to the right origin based on the URL path.

       

The Architecture in Plain English

Think of AWS CloudFront as a smart traffic cop sitting in front of two completely different backend systems.

User visits www.example.com
            ↓
      AWS CloudFront
            ↓
  Is this path an EDS path?
      ↓ YES              ↓ NO
  Route to EDS      Route to AMS
  (hlx.live)        (Dispatcher)

CloudFront decides which origin to send the request to based on path patterns you configure — called Cache Behaviours. The rules are evaluated top to bottom, first match wins.

Path Routing — How to Split Traffic

You define which URL paths belong to EDS and which belong to AMS.

EDS paths (examples):

  • /blog/*
  • /articles/*
  • /en/news/*
  • /resources/*

AMS paths (examples):

  • /products/*
  • /content/*
  • /account/*
  • /services/*
  • Everything else (default)

In CloudFront, each path pattern maps to an origin and a cache policy. The default behaviour (catch-all) should point to AMS since that is typically the larger part of the estate.

Key rule: Always pass X-Forwarded-Host: www.example.com to both origins. AMS Dispatcher needs it for virtual host matching. EDS Franklin Bot needs it to identify the correct site configuration.

The .html to Clean URL Redirect Problem

This is one of the most overlooked issues in hybrid AEM setups.

The problem:

  • AMS Dispatcher has historically served pages as /products/overview.html
  • EDS serves clean URLs — /blog/my-post with no extension
  • Google may have indexed .html versions of your pages
  • Users may have bookmarked .html URLs
  • Internal links from AMS pages may point to .html versions of EDS pages

If you don't handle this at the CDN, users hit broken pages or duplicate content issues.

The solution — a CloudFront Edge Function at the viewer-request stage:

The function runs before the request reaches either origin. The logic in plain English:

When a request comes in:
  IF the URL ends with .html THEN
    Remove the .html extension
    Return a 301 redirect to the clean URL
    Preserve any query parameters in the redirect

  IF the URL starts with /content/sitename/ THEN
    Strip the /content/sitename/ prefix
    Remove .html extension
    Return a 301 redirect to the clean external URL

  OTHERWISE
    Let the request pass through normally

This runs at the CloudFront edge — meaning the redirect happens in milliseconds before any origin is contacted. It applies consistently to both EDS and AMS paths.

Example redirects this handles:

Incoming URL Redirected To
/blog/my-post.html /blog/my-post
/products/overview.html /products/overview
/content/mysite/en/home.html /en/home
/articles/2026/april.html /articles/2026/april

Cache Strategy — EDS vs AMS Are Very Different

This is where most teams get caught out. EDS and AMS have fundamentally different caching philosophies and you need separate cache policies for each.

EDS Cache Policy

EDS is built for aggressive edge caching. Pages are static HTML generated from Google Docs or SharePoint content. There are no sessions, no personalisation at origin, no cookies.

  • Cache for 24 hours to 7 days at CloudFront
  • Strip all cookies — EDS does not use them
  • Strip all request headers from cache key — EDS responses do not vary by header
  • Let EDS handle its own invalidation via Franklin purge API when content changes

AMS Cache Policy

AMS pages may vary by language, authentication state, or personalisation. The Dispatcher already does its own caching so CloudFront acts as a second cache layer.

  • Cache for 1 to 24 hours depending on content type
  • Forward authentication cookies (login-token) for personalised pages
  • Vary on Accept-Language for multi-language sites
  • For account / checkout pages — disable CloudFront caching entirely and let AMS/Dispatcher handle it

Origin Request Policy — What to Forward

Beyond caching, you need to control what CloudFront forwards to each origin.

For EDS origin:

  • Forward the Host header as www.example.com
  • Do NOT forward cookies
  • Do NOT forward unnecessary headers — keep it clean

For AMS origin:

  • Forward X-Forwarded-For so Dispatcher sees the real client IP
  • Forward X-Forwarded-Host for vhost resolution
  • Forward relevant cookies for authenticated experiences
  • Forward Accept-Language if AMS uses language-based dispatching

Common Mistakes to Avoid

1. Not setting X-Forwarded-Host Both EDS and AMS use the Host header to determine which site/vhost to serve. Without it you get 404s or wrong content from both origins.

2. Letting AMS cookies bleed into EDS paths If CloudFront forwards AMS login cookies to EDS, the cache key becomes polluted. Every authenticated user gets a unique cache entry and your hit rate drops to near zero.

3. Ordering Cache Behaviours incorrectly CloudFront matches path patterns top to bottom. More specific patterns must come before broader ones. /blog/featured/* must appear before /blog/* or it will never be evaluated.

4. Forgetting the .html redirect on AMS paths Teams often add the .html redirect only for EDS paths. But AMS URLs indexed by Google also need clean URL redirects when you update your URL strategy. Apply the edge function to all paths.

5. Same cache policy for both origins Never use the same CloudFront cache policy for EDS and AMS. Their TTL, cookie, and header requirements are completely different. Sharing a policy will either break AMS personalisation or destroy EDS cache efficiency.

Key Takeaways

  • AWS CloudFront is the right tool for hybrid EDS + AMS routing — its path-based Cache Behaviour model maps perfectly to split-origin topologies.
  • Always pass X-Forwarded-Host to both origins — it is required by both EDS and AMS for correct resolution.
  • Handle .html to clean URL redirects at the CloudFront edge function (viewer-request) — this is the only layer that can intercept and redirect before touching either origin.
  • Use separate cache policies for EDS and AMS — they have fundamentally different caching needs.
  • Default Cache Behaviour should point to AMS as the fallback origin.

Comments

Post a Comment

Popular Posts

Configure/Decoding AEM AuditLogs

-
Image
AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM. Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom. This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.  This article covers the following - How can we enable Audit logs in AEM. How can we read and understand the Audit logs/ tools to use it. Audit log on file system in crx-quickstart/logs folder.   Audit logs for User creation / Modification. How can you archive/purge the audit logs. How can we enable Audit logs in AEM?            By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...
Read more

How to Increase Apache Request Per Second ?

-
Image
How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apach...
Read more

AdobeDispatcherHacks ".statfile"

-
Image
AEM DISPATCHER STATFILE UNDERSTANDING & CACHE INVALIDATION:- AEM Developers, Infrastructure Engineers regularly come across a challenge on decoding the statfile and using it efficiently especially statfile becomes highly relevant in a multi-tenanted environment with different project teams controlling different sites. The article addresses in a simple way on how to understand the mechanisms of stat file and gives a detailed explanation of how it can be used in a multi-tenant environment model.  The image for your reference as a quick overview of the data flow, before we take a deep dive.  This article covers - 1 - When dispatcher serves the old version of the content. How to avoid it. 2- Cache invalidation mechanism. Assumption - If you are reading this article, I believe you would have a basic understanding of Dispatcher and it's configuration. Firstly let’s set the initial configuration for the cache invalidation section ...
Read more

how to clear dispatcher cache in aem ?

-
Image
How to clear dispatcher cache in aem ? As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.   This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache. Clear Cache using the Dispatcher Flush Agent You can use the Dispatcher Flush Agent. Follow these steps:   Log in to your AEM instance and navigate to http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush" agent to open the agent's configuration page. Clic...
Read more

How Does S3 works with AEM ?

-
Image
How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/...
Read more

AEM Security Headers

-
Image
Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">               ...
Read more

How to Sync HMAC in AEM ?

-
Image
Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL...
Read more

OakAccess0000: Access denied

-
Image
ERROR :-   OakAccess0000: Access denied We often observe while doing the AEM development or in live running environment we get the error code  OakAccess0000 , especially while running a workflow or any asset upload. This issue disrupts normal operation. As content authors are unable to perform essential task like uploading or managing content, leading to business impact.   This impact the business as content author are unable to upload any content.  Error stack trace :- Javax.jcr.AccessDeniedException: OakAccess0000: Access denied  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:232) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:669) [org.apache...
Read more

AEM ACL and how they are evaluated

-
Image
ACL's and how they are evaluated ? AEM Developers, Infrastructure Engineers / Dev-ops teams working in any domain regularly come across a challenge for understanding the ACL & its evaluation mechanism.  Adobe Experience Manager is designed to cater for content authoring of multiple sites by multiple content authors. Naturally, this process needs to be controlled by strict Access Control Lists (ACLs) to manage. AEM WCM uses Access Control Lists (ACLs) to organise the permissions being applied to the various pages. This article addresses in a simple way on how to understand the ACL's , its different ways,  This article covers the following - How can we read and understand the ACL.  Evaluation of user permissions.  Concurrent Permission on ACL Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration...
Read more

Dispatcher flush from AEM UI

-
Image
How to Delete Dispatcher cache without logging into the Dispatcher servers? Our Authoring team faces day to day challenges while deleting/flush the dispatcher cache. when the changes are not visible on server. They have to be depended on the IT operations/Dev ops teams to do the same. Which some time get very much time consuming for a small work.  In this article we will see it can be configure and used by Author UI itself.  This will allow  AEM authors (or “super authors”) to flush parts of the dispatcher cache manually without the involvement of IT Operations. How to Use 1. Log in to AEM Author 2. Download the ACS commons tool from  ACS Commons Official page 3. Install the downloaded package via aem package manager.   4. Make sure you create the dispatcher flush agents on Author for all Dispatchers. from http://<<host:port>>/miscadmin#/etc/replication/agents.author, check the NOTE's part at the end of page. 5. Navigate to Tools 6. Under the ac...
Read more