Skip to Content
Technical Articles
Author's profile photo Ashish Hans

Azure Application Gateway Setup for FIORI Launchpad Load Balancing

Thought about writing this blog after learning how to use Azure Application Gateway to access SAP web-based services such as Webdypro and FIORI applications via intranet or internet.

Application Gateway manages to navigate web applications by making routing decisions based on the URI path and HTTP header.

Following are some exciting features of Application Gateway:

1.    It is a layer 7 load balancer that means it only manages web traffic.
2.    It supports Offloading SSL capabilities
3.    It does routing based on URL
4.    It does round-robin distribution of incoming traffic to route request among target servers
5.    It can set up multi-site hosting.

 

Following are four different tiers of application gateway along with their pricing

  1. Standard
  2. Standard V2
  3. Web Application Firewall
  4. Web Application Firewall V2

Application Gateway BASIC/Standard SKU Size

Average back-end page response size Small Medium Large
6 KB 7.5 Mbps 13 Mbps 50 Mbps
100 KB 35 Mbps 100 Mbps 200 Mbps
  1. The above table shows an average performance throughput for each application gateway instance with SSL offload enabled
  2. Basic/Standard Application Gateway with single instance count does not support high availability as it needs two or more cases for the HA setup.
  3. Small App GW instance is only recommended for development and testing scenarios.
  4. Instance size can be changed from medium to large without disruption after App GW setup

Application Gateway Standard V2 Tier

  1. V2 version supports the public IP-address configuration to allow internet traffic.
  2. Standard V2 Application Gateway supports high availability and spreads instances across fault and update domains
  3. It also has an auto-scaling feature, which is not present in the Standard v1 version.

You must be wondering why can’t we use Azure Private Load Balancer to distribute traffic b/w SAP application nodes because it is less complicated to configure and no dedicated Subnet is required. Also, a private load balancer is cheaper than the application gateway.

However, the following are the reasons that we need the Application Gateway to distribute web traffic.

  1. A Private load balancer does not support the SSL offloading hence it can only run with HTTP protocol.
  2. Application Gateway is known as OSI 7 layer load balancer and hence support the ROUND ROBIN algorithm for traffic distribution. Also, it has multi-site hosting and URL based routing features. Whereas, private load balancers use a 5 tuple distribution algorithm (source IP, source port, destination IP, destination port, protocol type) hash to map traffic to available servers

Application Gateway Architecture

We had a requirement of deploying the Application Gateway for FIORI applications. Along with it, we configured the standalone Active-Active web dispatchers to route traffic (based on the rules defined in dispatcher profile) to respective FIORI backend servers.

Therefore, we had three-layer architecture:

  1. Layer 1 – Application Gateway with SSL termination
  2. Layer 2 – SAP Web Dispatchers
  3. Layer 3 – SAP Backend servers S4HANA 1809 with embedded FIORI (Front End Server 5.0)

Application Gateway Configuration

Assuming, SAP web dispatchers are already installed.

Following are the required details I provided while setting up the Application Gateway.

Application Gateway Tier: Standard, tier standard can only support intranet access as we don’t have such requirement to access any of these web site through an internet.
Create backend pool but don’t add target systems

During the configuration, you have to provide the certificate PFX file to let application gateway accessible on port 443. Therefore, get SSL certificate generated for both s4hana.com and fiori.com websites.

Since, azure application gateway is cloud service hence CSR can be generated using IIS (configured on local machine) or using utility such as DigiCert Certificate Utility for Windows. I used, IIS to generate both CSR and private key. Refer below blog.

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

Enter the FQDN of the website

Refer above table and update details to configure routing rules

Application Gateway is configured successfully.

Now, add the required target systems (web dispatcher) in backend pool.

Save your changes.

SAP Web Dispatcher Configuration

Update following parameter in both SAP web dispatcher profiles

#———————————————————————–
# Back-end system configuration
#———————————————————————–

  • wdisp/system_conflict_resolution = 1
  • wdisp/ping_protocol = https
  • wdisp/group_info_protocol = https
  • wdisp/url_map_protocol = https
  • wdisp/add_client_protocol_header = true
  • wdisp/handle_webdisp_ap_header = 1
  • wdisp/add_xforwardedfor_header = true
  • icm/server_port_0 = PROT=HTTP,PORT=8003
  • wdisp/system_1 = SID=<FIORI_SID>, MSHOST=<ABAP_Front-End_Message_Server_Host>, MSPORT=<ABAP_Front-End_Message_Server_Port>, SRCSRV=*:8003, SRCURL=/sap/opu;/sap/public;/sap/bc
  • wdisp/system_2 = SID=<S4_SID>, MSHOST=<ABAP_Back-End_Message_Server_Host>, MSPORT=<ABAP_Back-End_Message_Server­_Host>, SRCSRV=*:8003, SRCURL=/sap/es

Perform dispatcher configuration check and confirm no error.

FIORI Testing

https://fiori.com:443/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

FIORI URL is working fine with Azure Application Gateway website

Conclusion

In this blog post I have explained in detail about Azure Application Gateway Setup with SSL termination to access SAP FIORI launchpad via internet/intranet.

 

 

 

 

 

 

 

 

 

 

Assigned Tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Adam Rogers
      Adam Rogers

      Nicely done!

      Author's profile photo Jean-Philippe AUGERT
      Jean-Philippe AUGERT

      Hi,

      this is a very good post.

      I don't understand why you spoke of port 443 in your post but the webdispatcher is configured with 8003 :

      /server_port_0 = PROT=HTTP,PORT=8003

       

      thanks

      Author's profile photo Ashish Hans
      Ashish Hans
      Blog Post Author

      Port 443 is configured for Azure application gateway.