Technology Blogs by SAP
Tencho_Dimitrov

Introduction

Usually, an Azure service can be consumed from SAP Business Technology Platform (BTP) via an SAP Private Link endpoint, ensuring secure and private connectivity. However, this is not always possible.
In such cases, the public endpoint of the Azure service must be used.
Unfortunately, Azure does not guarantee a static public IP for most of its native services.
One way to work around this limitation is to use Azure Application Gateway as a proxy.
What follows is a detailed description of how to configure Azure Application Gateway with a static public IP in front of an Azure service.

Prerequisites

  1. We need a public FQDN that resolves to the public IP of the Azure Application Gateway. This can be achieved by registering a subdomain in a DNS server that you control or by using one of the cheap subdomain hosting services. In our configuration we will use the subdomain pubazuresvc.example.com.

  2. A TLS certificate for that same subdomain, pubazuresvc.example.com, is needed. Obtain it from one of the certificate authorities (CAs) on the market. The certificate has to be in PFX format.

Overview

Let's take as an example an Apache Kafka endpoint on Azure that has the public hostname publickafka.servicebus.windows.net and listens on TCP port 9093.
Let's assume that we face the problem described above and that the DNS name publickafka.servicebus.windows.net cannot be resolved from within BTP.
We are going to build a workaround by using Azure Application Gateway and its newly released layer 4 features.
Azure Application Gateway will be configured with a static public IP address and will serve as a TLS proxy for the Apache Kafka endpoint.

Fig. 1 Architecture Overview

Configure and deploy Azure Application Gateway

Let's create and configure the Application Gateway. We will follow steps similar to those described in this tutorial, using the following configuration values:

  1. Basic tab: no difference from the tutorial

  2. Frontends tab: configure a static public IP, and take note of the IP, as it must be assigned to the hostname pubazuresvc.example.com

  3. Backends tab: add a backend pool with Target Type: IP address or FQDN and the target value set to the hostname of the Kafka endpoint, publickafka.servicebus.windows.net

  4. Configuration tab: add a routing rule

  5. Configure the listener with these values:

    • Protocol: TLS
    • Port: 9093
    • In TLS settings, choose Upload a certificate and select the TLS certificate you have created for pubazuresvc.example.com
    • Listener type: basic

  6. Backend targets tab: select the backend pool created in step 3.

  7. Add new Backend settings with these values:

    • Backend protocol: TLS
    • Backend port: 9093
    • Backend server’s certificate is issued by a well-known CA: Yes
    • SNI: servicebus.windows.net

  8. Finish the rest of the creation wizard and deploy the Application Gateway

  9. Configure your DNS server so that the hostname pubazuresvc.example.com resolves to the public IP of the Application Gateway

After deploying the above configuration, you can connect to the Apache Kafka service using the hostname pubazuresvc.example.com and port 9093.
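
A post-deployment check for the setup above, added here as an example and not part of the original post: it confirms that pubazuresvc.example.com resolves only to the gateway's static IP and that the listener on port 9093 presents a certificate that validates for that hostname. `EXPECTED_IP` is a placeholder for your own frontend IP, and the function names are illustrative.

```python
import socket
import ssl
import time

HOST = "pubazuresvc.example.com"   # gateway hostname used on this page
PORT = 9093                        # TLS listener port used on this page
EXPECTED_IP = "203.0.113.10"       # placeholder: your gateway's static frontend IP

def resolve_ipv4(host):
    """IPv4 addresses the local resolver returns for host."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}

def handshake(ip, port, host, timeout=5.0):
    """Connect to ip, verify the CA chain and that the cert matches host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_proxy(host, port, expected_ip, resolve=resolve_ipv4,
                connect=handshake, min_days_left=14):
    """Return a list of problems; an empty list means the listener checks out."""
    try:
        ips = resolve(host)
    except OSError as exc:
        return [f"DNS lookup failed: {exc}"]
    if ips != {expected_ip}:
        # Stop here: do not handshake with an address that is not the gateway.
        return [f"{host} resolves to {sorted(ips)}, expected {expected_ip}"]
    try:
        cert = connect(expected_ip, port, host)
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate rejected: {exc}"]
    except OSError as exc:
        return [f"connection failed: {exc}"]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
    if days_left < min_days_left:
        return [f"listener certificate has {days_left:.0f} days of validity left"]
    return []

if __name__ == "__main__":
    for line in check_proxy(HOST, PORT, EXPECTED_IP) or ["OK"]:
        print(line)
```

The handshake validates only the client-to-gateway leg, that is, the certificate uploaded in step 5. Validation of the Kafka endpoint's certificate is governed by the Backend settings from step 7.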