I thought about writing this blog after learning how to use Azure Application Gateway to access SAP web-based services such as Web Dynpro and FIORI applications via intranet or internet.
Application Gateway directs traffic to web applications by making routing decisions based on the URI path and HTTP headers.
Following are some exciting features of Application Gateway:
1. It is a layer 7 load balancer, which means it only manages web traffic.
2. It supports SSL offloading.
3. It does routing based on URL.
4. It does round-robin distribution of incoming traffic to route requests among target servers.
5. It can set up multi-site hosting.
Following are four different tiers of application gateway along with their pricing
- Standard V2
- Web Application Firewall
- Web Application Firewall V2
Application Gateway BASIC/Standard SKU Size
|Average back-end page response size|Small|Medium|Large|
|---|---|---|---|
|6 KB|7.5 Mbps|13 Mbps|50 Mbps|
|100 KB|35 Mbps|100 Mbps|200 Mbps|
- The above table shows the average performance throughput for each application gateway instance with SSL offload enabled.
- A Basic/Standard Application Gateway with a single instance count does not support high availability, as it needs two or more instances for the HA setup.
- Small App GW instance is only recommended for development and testing scenarios.
- Instance size can be changed from medium to large without disruption after App GW setup
Application Gateway Standard V2 Tier
- V2 version supports the public IP-address configuration to allow internet traffic.
- Standard V2 Application Gateway supports high availability and spreads instances across fault and update domains
- It also has an auto-scaling feature, which is not present in the Standard v1 version.
You must be wondering why we can't use Azure Private Load Balancer to distribute traffic between SAP application nodes, because it is less complicated to configure and no dedicated subnet is required. Also, a private load balancer is cheaper than the application gateway.
However, the following are the reasons that we need the Application Gateway to distribute web traffic.
- A private load balancer does not support SSL offloading, hence it can only run with the HTTP protocol.
- Application Gateway is an OSI layer 7 load balancer and hence supports the round-robin algorithm for traffic distribution. It also has multi-site hosting and URL-based routing features. Private load balancers, in contrast, use a 5-tuple hash (source IP, source port, destination IP, destination port, protocol type) to map traffic to available servers.
Application Gateway Architecture
We had a requirement of deploying the Application Gateway for FIORI applications. Along with it, we configured the standalone Active-Active web dispatchers to route traffic (based on the rules defined in dispatcher profile) to respective FIORI backend servers.
Therefore, we had a three-layer architecture:
- Layer 1 – Application Gateway with SSL termination
- Layer 2 – SAP Web Dispatchers
- Layer 3 – SAP Backend servers S4HANA 1809 with embedded FIORI (Front End Server 5.0)
Application Gateway Configuration
This assumes that the SAP Web Dispatchers are already installed.
Following are the required details I provided while setting up the Application Gateway.
During the configuration, you have to provide the certificate PFX file to make the Application Gateway accessible on port 443. Therefore, get an SSL certificate generated for both the s4hana.com and fiori.com websites.
Since Azure Application Gateway is a cloud service, the CSR can be generated using IIS (configured on a local machine) or using a utility such as DigiCert Certificate Utility for Windows. I used IIS to generate both the CSR and the private key. Refer to the blog below.
Refer to the table above and update the details to configure the routing rules.
Save your changes.
SAP Web Dispatcher Configuration
Update the following parameters in both SAP Web Dispatcher profiles:
# Back-end system configuration
- wdisp/system_conflict_resolution = 1
- wdisp/ping_protocol = https
- wdisp/group_info_protocol = https
- wdisp/url_map_protocol = https
- wdisp/add_client_protocol_header = true
- wdisp/handle_webdisp_ap_header = 1
- wdisp/add_xforwardedfor_header = true
- icm/server_port_0 = PROT=HTTP,PORT=8003
- wdisp/system_1 = SID=<FIORI_SID>, MSHOST=<ABAP_Front-End_Message_Server_Host>, MSPORT=<ABAP_Front-End_Message_Server_Port>, SRCSRV=*:8003, SRCURL=/sap/opu;/sap/public;/sap/bc
- wdisp/system_2 = SID=<S4_SID>, MSHOST=<ABAP_Back-End_Message_Server_Host>, MSPORT=<ABAP_Back-End_Message_Server_Port>, SRCSRV=*:8003, SRCURL=/sap/es
Run the dispatcher configuration check and confirm that it reports no errors.
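The profile settings above can also be checked mechanically before each change is rolled out to both dispatchers. The following is an added example, not code from the original post: it parses a profile, reports drift from the protocol and header values listed above, flags a non-numeric MSPORT and overlapping SRCURL prefixes, and reports whether the listener accepts plain HTTP. The SIDs, host names and ports in the sample are constructed placeholders, and treating SRCURL entries as prefixes is an assumption.

```python
# Added example, not the post's code. SAMPLE is constructed: SIDs, hosts, ports are placeholders.
SAMPLE = """\
# Back-end system configuration
wdisp/ping_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/add_client_protocol_header = true
wdisp/add_xforwardedfor_header = true
icm/server_port_0 = PROT=HTTP,PORT=8003
wdisp/system_1 = SID=FIO, MSHOST=fes.example.internal, MSPORT=8101, SRCSRV=*:8003, SRCURL=/sap/opu;/sap/public;/sap/bc
wdisp/system_2 = SID=S4H, MSHOST=bes.example.internal, MSPORT=8102, SRCSRV=*:8003, SRCURL=/sap/es
"""
# Values the post sets; a different or missing value is reported as drift.
EXPECTED = {"wdisp/ping_protocol": "https", "wdisp/group_info_protocol": "https",
            "wdisp/url_map_protocol": "https", "wdisp/add_client_protocol_header": "true",
            "wdisp/add_xforwardedfor_header": "true"}

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and # comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def fields(value):
    """Split 'K=V, K=V' (wdisp/system_N, icm/server_port_N) into a dict."""
    return dict(f.strip().split("=", 1) for f in value.split(",") if "=" in f)

def lint(params):
    """Return a list of findings; an empty list means every check passed."""
    out = [f"{k}: expected {v}, found {params.get(k)!r}"
           for k, v in EXPECTED.items() if params.get(k, "").lower() != v]
    systems = {k: fields(v) for k, v in params.items() if k.startswith("wdisp/system_")}
    for name, s in systems.items():
        if not s.get("MSPORT", "").isdigit():
            out.append(f"{name}: MSPORT {s.get('MSPORT')!r} is not a port number")
    # Assumption: SRCURL entries match as prefixes, so nested prefixes on one SRCSRV collide.
    items = [(n, s.get("SRCSRV"), p) for n, s in systems.items() for p in s.get("SRCURL", "").split(";") if p]
    for n1, srv1, p1 in items:
        for n2, srv2, p2 in items:
            if n1 < n2 and srv1 == srv2 and (p1.startswith(p2) or p2.startswith(p1)):
                out.append(f"{n1} and {n2} overlap on {srv1}: {p1} vs {p2}")
    return out

def gateway_hop_is_cleartext(params):
    """True when icm/server_port_0, the listener in this profile, speaks plain HTTP."""
    return fields(params.get("icm/server_port_0", "")).get("PROT", "").upper() == "HTTP"

if __name__ == "__main__":
    print(lint(parse_profile(SAMPLE)) or "no findings")
```

With `PROT=HTTP` on port 8003, `gateway_hop_is_cleartext` returns true: SSL ends at the Application Gateway and the hop from the gateway to the dispatchers is unencrypted, so that port should be reachable only from the gateway subnet.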
The FIORI URL is working fine with the Azure Application Gateway website.
In this blog post I have explained in detail the Azure Application Gateway setup with SSL termination to access the SAP FIORI launchpad via internet/intranet.