Skip to Content
Technical Articles
Author's profile photo Santhosh Kumar Vellingiri

SAP CPI – High Availability using Azure Traffic Manager

In this blog let us see how to achieve High Availability for SAP CPI service using cross-region failover configuration. The method shown here is not only limited to failover configuration but can also be used to distribute traffic optimally for high responsiveness. The same can be applied to other SAP Cloud Platform Services too.

If you haven’t yet, I suggest reading this blog How to crash your iflows and watch them failover beautifully by Martin Pankraz. An excellent article detailing why failover is required and how to achieve it using Azure Front Door. His blog also saves me some writing effort to explain the same and hence let’s jump directly into the Solution.

The Solution

The solution is to run two SAP CPI instances in a different region and load balance them with Azure Traffic Manager. Azure Traffic Manager is a DNS based load balancing solution and supports six different routing methods as documented here. The proposed solution below is based on the Priority routing method.

High Availability Setup

  • The two tenants i.e. one primary and one secondary tenant in this example are provisioned in EU2 and EU3 Region.
  • Both the Subaccount has the Custom Domain configuration and use the same URL i.e. for the IFL application a.k.a. CPI Runtime.
  • Set-Up SAP CPI tenant to host a Health Check Endpoint, so Azure Traffic Manager can automatically detect the unavailability of an instance to determine DNS resolution.
  • A traffic manager controls which SSL Host i.e. eu2* or eu3* is resolved for the client and also sets DNS TTL to an acceptable minimum duration i.e. 60 seconds.

Primary and Secondary Tenant Set-Up

The easiest part here is spinning two tenants, while the difficult part is having them both in synch always i.e.maintaining the same version of Interface, same configuration values, credentials, Trust Certificates, Client Authentication Certificates etc. This can be done manually (everytime), however, I choose to enhance the Command line tool released here SAP CPI : Artifact Extractor – Command Line Utility to download and upload Package from Primary to Secondary, similarly apply the IFlow configuration from Primary to Secondary tenant, with a help a custom IFlow download the Security Artifacts with password from Primary and create/update them in Secondary, Download the Trust Certificate and create/update them in Secondary etc. Most of these operations were done leveraging the Platform APIs. I’m looking to publish this version of the tool too in near future.

Custom Domain Set-Up

Read my previous blog SAP CPI – How to Configure Custom Domain to create a custom domain for SAP CPI primary and secondary tenant. It’s important to have the same custom domain name in the both primary and secondary tenant.

SAP CPI Health Check Endpoint

We need to set-up a ping kind of service in SAP CPI for Azure Traffic Manager to check if the configured Tenant is reachable. This heartbeat result will enable Azure Traffic Manager to determine the availability and latency to the SCPI tenant and thus decide which tenant should the DNS resolution happen to.

Set-up a simple iflow and control access to it using a custom role of your choice. It’s advised to create a new role a not share it with other productive interfaces.


Tenant Ping IFlow

Traffic Manager Set-Up

  1. Create a new Traffic Manager in Azure.
  2. Add SAP CPI Primary Tenant as External Endpoint with Priority 1. It should be configured to resolve to SSL Host created as part of Custom Domain Creation on Primary Tenant Subaccount i.e. EU2* in my example.

    Maintain Customer Header Setting with SAP CPI Custom Domain Host. This is because in this step-2 & 3 we will only maintain the SSL Hostname and in step-4 just the HTTP path to SCPI Health Check Interface. So Traffic manager will perform the Health Check Interface all performing an HTTP get to SSL HOST with the configured path (which is wrong). So this custom header setting will send additionally the hostname of SAP IFL application to SSL Host which will route the message to correct CPI IFL Application.

  3. Add SAP CPI Secondary Tenant as External Endpoint with Priority 2. It should be configured to resolve to SSL Host created as part of Custom Domain Creation on Secondary Tenant Subaccount i.e. EU3* in my example.
  4. Configure Traffic Manager to set the DNS TTL to 60 seconds. This way the DNS records resolved expire after 60 seconds and smart clients will attempt to resolve it once again. Also set-up the Endpoint Monitoring to the SCPI Ping Interface created before. There is no provision to choose an Authentication method, hence as a workaround base64 encode username:password and send it in the Custom Header. Don’t use a privileged user credential here since the password here can be decoded.
  5. Create a CNAME record in your DNS Server i.e. and map it to traffic manager Domain Name. Traffic Manager will inturn decide to resolve to SSL host of Primary or Secondary based on the routing method configuration.

Runtime Behaviour

When a Client attempt connection to a

  • A DNS resolution happens to Azure traffic manager Domain i.e.
  • Traffic Manager Domain will then resolve to custom SSL Host eu*
  • Custom SSL host will resolve to an IP
  • The client will initiate message exchange to the IP with the host header containing value
  • SSL host will let message reach SAP CPI runtime since we have mapped the custom domain to SAP CPI IFL application while creating the custom domain.


The approach defined here with Azure Traffic Manager is for Push based interface i.e. Interfaces listening to HTTP traffic. Pull/Interface Polling from a Message Broker / Event Streaming Platform is to be approached differently.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Daniel Graversen
      Daniel Graversen

      Hi Santhosh

      Nice way to setup fallback.

      I guess it will also do a CF migration easier because you can just change the backend without having go change the clients. (Though you probably need to change authentication)

      And then if you have flows that does not start with an HTTP connection then you should find a solution for having them deployed once the main is down.




      Author's profile photo Martin Pankraz
      Martin Pankraz

      Daniel Graversen: interesting thought to make the migration easier. Do you think it is feasible because you need to "inject" the DNS-approach into your existing deployment that often doesn't use custom domain yet? If you already had it, it would be awesome to just point to the new CF deployment, I agree.

      Santhosh Kumar Vellingiri It would probably be great for the community if you could add a sentence or two, why you added the custom host header on the traffic manager setup in step2 for your NEO implementation. It seems in my current prototype for CF with Traffic Manager I don't need it. Thanks again for linking my post on the matter with FrontDoor 🙂 the community thrives even better, when we connect what has already been provided and built on-top of each others ideas.



      Author's profile photo Santhosh Kumar Vellingiri
      Santhosh Kumar Vellingiri
      Blog Post Author

      Martin Pankraz I’ve included the reason for it as you rightly pointed out 🙂

      This config is only used by Azure Traffic Manager to send the Hostname of SAP CPI IFL node to SSL Host, so it can accept and route the traffic to SAP CPI.

      Author's profile photo Daniel Graversen
      Daniel Graversen

      yes because you don't give DNS info to clients or external users.

      But you would still need to give them new credentials which would still be a pain.

      Author's profile photo Martin Pankraz
      Martin Pankraz

      Are you sure on the credentials? If the users are part of SAP ID service it should be enough to import them into your new subaccount.

      Author's profile photo Daniel Graversen
      Daniel Graversen

      Maybe it is changed. But normally you needed to create Service keys and then link them with Send message role.

      Author's profile photo Martin Pankraz
      Martin Pankraz

      That is one option. But you can now have a RoleCollection with MessageSend role. No need for the service key. That was introduced by SAP in November 20 I believe.

      Author's profile photo Santhosh Kumar Vellingiri
      Santhosh Kumar Vellingiri
      Blog Post Author

      Hi Daniel Graversen ,

      Yes. It will ease the CF migration with both Custom Domain and tool-based approach to build/clone an instance.

      Yes. PULL based interfaces HA was controlled with deploying/undeploying them as required (with certain degree of automation)


      Author's profile photo Daniel Graversen
      Daniel Graversen

      But I guess you need to have the iflows deployed at all times. Unless you want to wait 1-2 minutes for them to be deployed.

      It does depend on which license type you have.