AWS for SAP

Improving SAP Fiori Performance with Amazon CloudFront and AWS Global Accelerator Part 2: How-to Guide

In a previous blog, we have concluded that Amazon CloudFront is recommended to accelerate the SAP Fiori Launchpad use case, while AWS Global Accelerator is recommended to accelerate the external system integration scenario via OData API calls such as Data extraction for analytics and reporting. We observed improvement in the time to first load SAP Fiori Launchpad, when accelerated through CloudFront, and improvement on OData API call times through Global Accelerator.

This post will discuss in details on how-to implement each of these solutions including the key parameters to pay attention to ensure successful deployment of CloudFront and Global Accelerator for SAP Fiori. 

Solution Overview

Solution Overview Fiori with CloudFront and Global Accelerator

The demo solution architecture above describes a simple deployment of SAP S/4HANA 2020 with embedded Fiori in the AWS us-east-1 (Northern Virginia) region that can be accessed over the internet, while the users are in Singapore.

  • SAP Fiori launchpad will be accelerated by Amazon CloudFront.
  • In another scenario, we will simulate the acceleration of the SAP OData API calls with AWS Global Accelerator.
  • The Application Load balancer (ALB) will act as reverse proxy to SAP S/4HANA 2020. Please note that in productive deployment, to improve the security posture, we recommend you install SAP S/4HANA with embedded Fiori in a private subnet, and setup an SAP Web dispatcher in a public subnet.
  • AWS Certificate Manager will be used to manage the wildcard SSL certificate for CloudFront and Application Load balancer.
  • Amazon Route 53 will manage the DNS entries required to support the solutions.

Pre-Requisites

You will need to ensure the following are configured before the solution implementation step:

  • Windows RDP (Remote Desktop Protocol) is installed. You will use this to administer and maintained various configuration of SAP S/4HANA and SAP Fiori.
  • SAP S/4HANA 2020 is installed. You can use AWS Launch Wizard to do this . 
  • After the SAP S/4HANA vanilla installation is done, please follow these steps to update the system using SAP Maintenance Planner tool to have embedded Fiori component enabled. References: SAP S/4HANA 2020 Maintenance planner, SAP S/4HANA 2020 Installation, SAP S/4HANA 2020 Best Practice Activation and SAP S/4HANA 2020 Ravid Activation for Fiori
  • You must have a valid internet domain; you can procure this from Amazon Route 53 or another DNS provider. It will be used to maintained DNS Entry (e.g., Alias in Route53 or CNAME in other DNS) records for ALB, CloudFront and Global Accelerator.
  • For ease of deployment, I use a Wildcard SSL certificate signed by public Certificate Authority (example: Verisign). You can import this into AWS Certificate Manager and SAP Fiori back-end (example *.example.com). SSL public certificates that are generated from AWS Certificate Manager (ACM) will not work with SAP because it requires a signed SSL certificate to be imported to SAP Fiori system using Certificate Signing Request (CSR) method.

Solution Implementation

1. Configure Application Load Balancer

You can follow this documentation to create Application Load Balancer.

1.1 Create Target Group

Input Parameters

Considerations

Protocol Port

In this example, we use HTTPS port 8443

Health Check Path

/sap/public/ping

Please ensure this path is enabled in SICF transaction code in SAP Fiori

Stickiness

As SAP is a stateful application, you will need ALB to always point to certain SAP instance for that particular user session. This must be enabled.

Stickiness duration

You can set to 1 day or 8 hours stickiness to cover user activities for the day.

  Target Group

1.2 Create Load Balancer

Input Parameters

Considerations

DNS Name

Let’s name this “sap-alb” which later in this document be defined as an alias record in Route53 or CNAME in other DNS

Scheme

Define as “internet-facing”
This blog series presumes your end users will access Fiori over the Internet, which also enables the use CloudFront or Global Accelerator to accelerate Fiori or OData based network connections.

Security
Group

Port 443 of the Load Balancer security group (you can name this security group as “sgLBSAP” for example) must be open to Internet

Port 8443 of the SAP Fiori security group (you can name this security group as “sgSAPPAS” for example) is opened from ALB security group (you can name this security group as “sgLBSAP” for example) to SAP Fiori

Listener. ID

HTTPS: 443

SSL Certificate

You can point this to AWS Certificate Manager which holds the wildcard SSL Certificate

Rules

Forwarding to “tgSAP” target group which contains the SAP Fiori system

Load Balancer Configuration 1 Load Balancer Configuration 2 Load Balancer Configuration 3

2. Create CloudFront Distribution

You can follow this documentation to create CloudFront Distribution.

2.1 General Settings 

Input Parameters

Considerations

Price Class

CloudFront has edge locations all over the world.
The cost for each edge location varies and, as a result, the price that are charged varies depending on the edge location from which CloudFront serves the requests.

You can align this to the user’s location and performance expectation.

Alternate Domain Names (CNAMEs)

You will set this to the target website name. This must to be in line with the alias or CNAME record and SSL Certificate, so when the user browse to SAP Fiori, it connects through the CloudFront end-point. (example: sap.example.com)

SSL Certificate

You point this to the wildcard SSL Certificate SSL certificate in Certificate Manager. The Common Name must correspond to the Domain name above. (example:CN=*.example.com)

Domain Name

You can take note of this when maintaining target “sap” alias record in Route 43 or CNAME record in other DNS

Security Policy

At the time of writing TLSv1.2_2019 is the latest security policy recommended that are supported by both CloudFront and SAP

Supported HTTP versions

Ensure that HTTP/2 is enabled, as this provides many performance improvements compared to 1.1 and 1.0, by reducing latency, minimizing protocol overhead via compression and support over requests prioritization.

Log Bucket & Log Prefix

You will need this to troubleshoot, analyse and monitor the solution.

CloudFront General Setttings

2.2 Origin Settings 

Input Parameters

Considerations

Origin Domain Name

You will point this to the ALB. Please ensure that it is aligned with the SSL wildcard domain (example: sap-alb.example.com)

Minimum Origin SSL Protocol

Please specify TLSv1.2, as at the time of writing this is the highest supported by SAP.

Origin Protocol Policy

You will use HTTPS only. This will be the protocol used between CloudFront and ALB to implement end-to-end encryption.

CloudFront Origin Settings 

2.3 Behaviour

Input Parameters

Considerations

Path Pattern

You set this as per the table below, with a Precedence zero of *FioriLaunchpad.html

Below is the example Default (*)

Viewer Protocol Policy

You can set this to “Redirect HTTP to HTTPS” to achieve better user experience (most of browsers are still going to HTTP port as default when HSTS is not enabled) and better security posture.

Non-Cacheable Objects

Please set *FioriLaunchpad.html to

cache policy : Managed-CachingDisabled

request policy : Managed-AllViewer

The GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE operation must be allowed

This is required to ensure all the session cookies, query strings, HTTP headers
are passed to the back-end SAP Fiori for proper handling.
 

Cacheable Objects

The cacheable objects include : *.html, *.js, *.css, *.jpg, *.png, *.ttf, *.ico, must have the following settings

cache policy : Managed-CachingOptimized

request policy : Managed-AllViewer

The GET, HEAD operation must be allowed

Default (*)

As fallback, if none of the objects do not fall into the above policy, it must
be set with this policy

cache policy : Managed-CachingDisabled

request policy : Managed-AllViewer

The GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE operation must be allowed

  CloudFront Behaviour 1 CloudFront Behaviour 2

3. Create Global Accelerator

You can follow this documentation to create Global Accelerator.

Input Parameters

Considerations

Accelerator name

You set this value as “gaSAP” for example

Accelerator type

You select “Standard” here

Ports

443, default for HTTPS

Client Affinity

Client affinity is set to “Source IP” as SAP Fiori is stateful application

Region

This is where the Application Load Balancer and SAP Fiori located at

Endpoint type

You set this to Application Load Balancer ARN

Listener port

TCP:443 (default HTTPS Port of Application Load Balancer)

Global Accelerator Configuration 1 Global Accelerator Configuration 2 Global Accelerator Configuration 3 Global Accelerator Configuration 4

4. Maintain alias record in Route53 or CNAME in other DNS Server and Perform test

You have registered domain “example.com”, and created a hosted zone for “example.com” in Route53. The alias records in Route53 or CNAME records in other DNS server are maintained for each of the components that were created earlier.

Record Name

Record Type

Value

sap-alb

A (Route53) or CNAME (other)

xxxxxxxxxx.cloudfront.net

sap

A (Route53) or CNAME (other)

lbsap-xxxxxxxxxx.us-east-1.elb.amazonaws.com

sap-ga

A (Route53) or CNAME (other)

xxxxxxxxxx.awsglobalaccelerator.com

5. Once the DNS is propagated, you can test using each of the URL below

Component

URL Address for testing

Application Load Balancer

https://sap-alb.example.com/<urlpath>

CloudFront

https://sap.example.com/<urlpath>

Global Accelerator

https://sap-ga.example.com/<urlpath>

 Legend: <urlpath> = sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

 Example: = https://sap.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

Conclusion

Today, we have shown you how to implement CloudFront for SAP Fiori Launchpad step-by-step. This allows you to achieve better SAP Fiori performance, user experience and increased user productivity, while ensuring the standard SAP Fiori behavior is not altered.

We have shown you how to implement Global Accelerator to accelerate SAP OData API Calls. This will be useful in system integration scenarios where accelerated traffic is required to reduce latency between systems.

You can find out more about SAP on AWS, CloudFront and Global Accelerator from the AWS product documentation.