Skip to Content
Technical Articles
Author's profile photo Raoul Biagioni

Deploying a Flask-Powered SAP Conversational AI Chatbot on Amazon EC2



This article describes how to deploy a Flask-powered SAP Conversational AI (SAP CAI) chatbot on an Amazon Web Services (AWS) EC2 instance running an Apache2 Web Server.

When I recently set out to deploy a SAP CAI chatbot with Flask on AWS, I thought this was going to be a quick job. I didn’t however consider two important and interconnected facts, that is SAP CAI requires a secure (i.e. https) webhook in order to communicate with a third party (a Flask application in my case), and EC2 instances come by default only with a non-secure IP address. In this article I describe my findings of the journey undertaken to try and overcome this problem. The article is in part inspired by Vishnu Thiagarajan’s excellent article Setting up Flask and Apache on AWS EC2 Instance.

The focus of the article is not so much on developing a fully fledged conversational chatbot but rather to provide a scaffolding upon which to develop a Flask-powered SAP CAI chatbot hosted on an EC2 instance. For this reason, the chatbot is intentionally kept basic. The bot simply returns “Roger That!” to whatever you tell it. The SAP CAI implementation consist of only one skill, namely a Fallback skill that initiates communication with the Flask application. The Flask application boilerplate code repository can be found here. The SAP CAI bot can be found here.

The article assumes that the reader is familiar with basic web development concepts, the basics of the SAP CAI and AWS platforms and with Linux command line. Please do note proposed implementation will incur small costs. If you are fine with this and are interested in replicating the proposed implementation I recommend to follow the steps in the same order as described in the article. The code snippets in the article should be adapted to reflect your own domain name.

The areas covered in this article include:

  • Setting up and configuring AWS Services
  • Installing and configuring Apache2 and WSGI
  • Domain Name and SSL Certificate
  • Deploying the Flask Application
  • SAP CAI Chatbot Configuration


Setting up and configuring AWS Services


In this section we will look at two AWS-specific services and configurations needed for the implementation: EC2 and Route 53. Within EC2, we will setup an instance to host the chatbot, a Security Group and an Elastic IP. Within Route 53 we will setup a Hosted Zone which will hold the Domain Name Server (DNS) records to be used for the secure domain name configuration.


First let’s start by setting up a security group that we will subsequently associate with our EC2 instance. Below is a (partial) screenshot of what worked for me. Select My IP for the SSH setting, and Anywhere for all others. Note that each of the unique types below needs only be specified once. AWS automatically duplicates them when creating the group (not sure why).


Next, let’s launch an EC2 instance. Note that as part of this process you must follow the instructions for creating a key pair. The .pem key is required for connecting remotely to the EC2 instance. The instance used for this tutorial is an Ubuntu Server 16.04 of type t2.micro. Associate the instance with the above security group.



As a sidenote, depending on the dependencies of your application you may need to select an instance other than the free tier option. For example, if you were to run an application with a deep learning library such as PyTorch one would need to select at least an instance of type t2.medium in order to satisfy the dependencies’ memory footprint.

We now turn our attention to the topics of static IP addresses and DNS servers. In order to be able to stop and restart instances at will, without having to worry about changing IP addresses, we need to avail of the AWS Elastic IP service. An Elastic IP is in essence a static IP that can be associated to a given instance on a permanent basis. A good video tutorial for setting up an Elastic IP can be found here.

The Route 53 service allows to set up Hosted Zone to hold the DNS records for our instance . This is required in a subsequent step in order to complete secure domain name configuration. A good article for setting up a hosted zone can be found here (about half way down the page). Note that you will need your Elastic IP in place before setting up the hosted zone.


Installing and Configuring Apache2 and WSGI


Ok, so now that we have the AWS-specific building blocks in place, let’s start with some web development. First we install the Apache2 and WSGI (for Python 3). Login to your EC2 instance and run the below command. Note that the web server will be started as part of the installation.

sudo apt-get update &&
sudo apt-get install apache2 libapache2-mod-wsgi-py3


The Apache2 directory of interest in the current context is etc/apache2/sites-available . This directory contains two files:000-default.confand default-ssl.conf . We will leave both files untouched and make a copy of the former:

sudo cp /etc/apache2/sites-available/000-default.conf 


Open the new file:

sudo nano /etc/apache2/sites-available/000-default-ssl.conf


Modify as shown below:

<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on 
SSLCertificateFile /etc/ssl/example_dev.crt
SSLCertificateKeyFile /etc/ssl/private/ 
SSLCertificateChainFile /etc/ssl/
WSGIDaemonProcess sap_cai_boilerplate threads=5
WSGIScriptAlias / /var/www/html/sap_cai_boilerplate/sap_cai_boilerplate.wsgi
<Directory sap_cai_boilerplate>
  WSGIProcessGroup sap_cai_boilerplate
  WSGIApplicationGroup %{GLOBAL}
  Order deny,allow
  Allow from all


Then, save and close the file usingCtrl + oand Ctrl + s.


Domain Name and SSL Certificate


As mentioned in the introduction, SAP CAI requires a secure webhook in order to communicate with a third party application such as Flask. Therefore, if we wish to use an EC2 instance to host our SAP CAI bot, we need a secure domain, henceforth referred to as This section describes the steps involved in getting a secure domain name.

There is a plethora of options out there for buying a domain name. I looked at this review article of domain registrars and picked namecheap. (I have no affiliation with these guys!). Note that the steps I describe next are specific to that platform and may vary if you use a different registrar.

Once the (non-secure) domain name has been purchased, two actions must be taken: add the Hosted Zone DNS records to the registrar’s platform and obtain an SSL certificate. Instructions for the DNS configuration can be found in this article. A detailed description of the SSL process can be found in this article . In summary, a Certificate Signing Request (CSR) has to be issued first. To do so, login to your EC2 instance and, from the root directory, run the below command:

openssl req -new -newkey rsa:2048 -nodes -keyout -out


The CSR process will prompt to fill in information required for registering the certificate. As we are doing this for learning purposes, the only field that needs to be accurate is Common Name. This should be the domain name e.g. (without the http://prefix). The process will generate two files with extensions .csr and .key respectively. The .csr file is required for completing the certificate request, while the .key file will be needed for configuring Apache2. Copy the contents of the .csr file. (e.g. using cat see the file content) and follow the steps in this article to complete the process for obtaining an SSL certificate.

The process will generate two files with extensions .csr and .key respectively. The former is required for completing the certificate request, while the latter will be needed for configuring Apache2. Copy the contents of the .csr file. (e.g. using cat see the file content) and follow the steps in this article to complete the process for obtaining an SSL certificate.

Once the process is completed you will receive an email containing two files with extensions .ca-bundle and .crt respectively. Upload those two files, along with the .key file mentioned above, to the EC2 instance. This can be done using, for example, FileZilla. To learn how to connect FileZilla to your EC2 instance, check out this video. As another sidenote, I recommend to download the .key file to your local machine and to store it somewhere safely. The reason being that if at some stage you need to start the overall process from scratch including terminating your EC2 instance and relaunching a fresh one, the .key will be lost and you would have to resubmit a CSR which will unnecessarily complicate things.

Next, assuming you have uploaded the three files to the root directory of your EC2 instance, run the following command:

sudo cp ~/example_dev.crt /etc/ssl/ &&
sudo cp ~/ /etc/ssl/ &&
sudo cp ~/ /etc/ssl/private/


Then, execute the following commands to instruct Apache2 to activate the sites and to enable SSL:

cd /etc/apache2/sites-available &&
sudo a2ensite * &&
sudo a2enmod ssl


Lastly, execute sudo apachectl configtestto ensure all is in order (you should seeSyntax OK), then restart Apache2: sudo service apache2 restart.


Deploying the Flask Application


The final steps in the process involve cloning the Flask boilerplate code into our EC2 instance, installing and activating a virtual environment, installing application dependencies, and creating a symbolic link referencing the application source directory to the Apache2 web directory.

From the root directory of the instance, clone the application repository:

cd ~ && git clone


Install and activate a virtual environment:

cd sap_cai_boilerplate &&
sudo apt install virtualenv &&
virtualenv -p python3 myenv &&
source myenv/bin/activate


Note that the name of the virtual environment (in this case myenv ) and the directory in which it is created (in this case /home/ubuntu/sap_cai_boilerplate/) must match the path defined in the WSGI script of the Flask application. For example, in my case, the first line of the sap_cai_boilerplate.wsgi script looks like this:

activate_this = '/home/ubuntu/sap_cai_boilerplate/myenv/bin/'


Finally, we install the application’s dependencies and create the symbolic link:

pip install -r requirements.txt &&
sudo ln -sT /home/ubuntu/sap_cai_boilerplate /var/www/html/sap_cai_boilerplate


SAP CAI Chatbot Configuration


We are now ready to configure the SAP CAI bot. Put the base URL (without trailing /) in the bot’s settings:



And configure the Fallback skill accordingly in line with the Flask application:



We can now start to use the bot in production! To start the Flask application go to your EC2 instance and execute the command flask run


The chatbot should now be running and ready to go. Note that disconnecting from your instance will not affect the application.





In this tutorial we looked at the various moving parts involved in deploying a SAP CAI chatbot on AWS and how they fit together. As is common for such projects, I had to go through several iterations of terminating and relaunching instances, and reinstalling everything multiple times, before i got it to work as expected. If you decided to follow the instructions above I do hope it worked out for you relatively smoothly. The one to watch out for will be the naming convention. Say, your bot project is named myflaskbot, then this needs to be reflected across board in most of sections described above.

The process described in this tutorial has, no doubt, some gaps in terms of security such as SSL key handling and in terms of Flask best practice etc. However do keep in mind that this article is meant to act as a reference guide, and security concerns need to be addressed separately if required.

Last but not least, I would like to thank the authors from whom I gathered the various bits and pieces used to produce this article. As Isaac Newton said in 1675: “If I have seen further it is by standing on the shoulders of Giants.”

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.