
cloud foundry inter app communication

I am trying to deploy our solution on SAP cloud foundry. The service consists of frontend and backend services. The frontend services have to communicate directly with the backend services. The backend services on the other hand should not be reachable publicly.

According to the cloud foundry documentation inter app communication can be achieved by using Internal Routes which should expose the special domain "apps.internal".

https://docs.cloudfoundry.org/devguide/deploy-apps/routes-domains.html#internal-routes

This feature does not seem to be available on SAP cloud foundry platform. Can you please advise how to implement inter app communication on SAP cloud platform?


  • Hi Benjamin,

    can you please elaborate a little bit more in detail what you are trying to do (and why)?

    Do you mean a "classical" front-end service like a SAPUI5 / Angular app? And why shouldn't the back-end service be publicly accessible?

    Or are you talking about a scenario where only users, who have logged in the front-end service before, should be allowed to call the backend services?

    Regards,

    Marius

  • Hey Marius

    Our application is structured in small services which have to communicate with each other. For security reasons I only want to expose the services which have a direct interface to clients. These small services do all sorts of tasks like generating reports, or handling interfaces with third-party datasources. If you're interested in microservice architecture, I can recommend the following book: http://shop.oreilly.com/product/0636920033158.do

    Regards,
    Benjamin

  • I also have a problem related to internal routing through the apps.internal domain. My frontend service (SAP Application Router) is not able to forward a request to the internal service.

    1. I do have the apps.internal domain in my Cloud Foundry environment.
    2. I have a frontend app (the SAP Application Router) with a route on the cfapps.eu10.hana.ondemand.com domain and a backend app with a route for the apps.internal domain. The output of cf routes (with names changed):
    3. In the SAP Application Router I have a destination to http://backend.apps.internal/. But the request from a route mapped to that destination fails. It returns a 502 Bad Gateway status code.

    According to the Cloud Foundry documentation I have to create a network policy:
    "By default, apps cannot communicate with each other on the container network. To allow apps to communicate with each other you must create a network policy." - Configuring Routes and Domains - Internal Routes

    However, my trial user doesn't have the required permission to even list the network policies. I get:

    > cf network-policies
    provided scopes [cloud_controller.read password.write cloud_controller.write openid uaa.user] do not include allowed scopes [network.admin network.write]
    FAILED

    Any suggestions on what I might be missing are welcome!

    EDIT:

    I added the scopes "network.write" and "network.admin" and a role-template to my XSUAA service as follows:

      "scopes": [
        ...
        {
          "name": "network.write",
          "description": "Allow editing of network policies."
        },
        {
          "name": "network.admin",
          "description": "Allows administration of network policies."
        }
      ],
      "role-templates": [
        ...
        {
          "name": "RTNetworkAdministration",
          "description": "Role Template for administration of the network policies.",
          "scope-references": [
            "network.admin",
            "network.write"
          ]
        }
      ]

    I created a role-collection using the role-template and assigned the role-collection to my user in the SAP ID service of the sub-account.

    I then signed out and back into the cf CLI.

    This did not resolve the issue. I still cannot add a network policy.


3 Answers

  • Posted on Nov 20, 2019 at 06:13 PM

  • Posted on May 23 at 01:26 AM

    Hi,

    I would like to know how we can achieve app2app communication in CF.

    Basically, we would like to call a SaaS app from another SaaS app. Both SaaS apps reside in different provider accounts.

    Regards,

    Kush Sharma


  • Posted on Aug 24 at 07:57 PM

    A similar issue (although I believe I am trying to sort out a different problem).

    One solution which involves a number of REST-based microservices (3 so far, let's call them A, B & C).

    There is also an Angular UI and an app router ("@sap/approuter": "^8.5.0").

    The router needs to know about A, B & C:

    -- excerpt from router's xs-app.json:
    
    
        {
          "source": "/api/A/(.*)$",
          "target": "/A/$1",
          "destination": "A"
        },
        {
          "source": "/api/B/(.*)$",
          "target": "/B/$1",
          "destination": "B"
        },
        {
          "source": "/api/C/(.*)$",
          "target": "/C/$1",
          "destination": "C"
        }
    

    And that is fine so far.

    Then there is the destinations environment variable in the manifest.yml to direct those destinations to real endpoints:

        env:
          destinations: >
            [
                {
                    "name": "A",
                    "url": "https://A.cfapps.eu10.hana.ondemand.com",
                    "forwardAuthToken": true
                },
                {
                    "name": "B",
                    "url": "https://B.cfapps.eu10.hana.ondemand.com",
                    "forwardAuthToken": true
                },
                {
                    "name": "C",
                    "url": "https://C.cfapps.eu10.hana.ondemand.com",
                    "forwardAuthToken": true
                }
            ]

    Of course, this is an issue: A, B & C need to be unique.

    But here is the thing: it is not necessary for this application for any of A, B or C to be accessible from the outside world; all access can be done via the approuter.

    The solution would be to be able to do this instead:

        env:
          destinations: >
            [
                {
                    "name": "A",
                    "url": "https://A.apps.internal",
                    "forwardAuthToken": true
                },
                {
                    "name": "B",
                    "url": "https://B.apps.internal",
                    "forwardAuthToken": true
                },
                {
                    "name": "C",
                    "url": "https://C.apps.internal",
                    "forwardAuthToken": true
                }
            ]
    

    But this does not seem to work and I've tried all sorts of things.

    http, https, use the actual port exposed by the service (8080).

    Nothing works. Eventually I ssh'ed into the router and tried to connect to the internal services using curl:

    curl -v http://A.apps.internal
    curl -v http://A.apps.internal:8080
    curl -v https://A.apps.internal

    They all fail the same way, connection refused.

    Is this achievable in SAP Cloud?

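The comment about the 502 from the Application Router and the last answer describe the same setup: an approuter destination on apps.internal, which the quoted Cloud Foundry documentation says needs a network policy between the two apps. The check below is an added example, not code from the thread or from SAP; the app names, hostnames and policy listing are constructed, and the backend port 8080 is assumed from the answer above.

```javascript
// Added example, not from the thread. App names, hosts and the policy table are constructed.
const INTERNAL_DOMAIN = ".apps.internal";

// Parse the rows printed by `cf network-policies`; only the first four columns are used.
function parsePolicies(text) {
  return text.split("\n")
    .map((line) => line.trim().split(/\s+/))
    .filter((c) => c.length >= 4 && /^(tcp|udp)$/.test(c[2]))
    .map(([source, destination, protocol, ports]) => ({ source, destination, protocol, ports }));
}

// True when `port` is inside a policy port spec such as "8080" or "8000-8090".
function portAllowed(ports, port) {
  const [lo, hi = lo] = ports.split("-").map(Number);
  return port >= lo && port <= hi;
}

// One finding per internal destination that cannot work as configured.
// appPort is the port the backend container listens on (assumed 8080, as in the post).
function auditDestinations(destinations, routerApp, hostToApp, policies, appPort = 8080) {
  const findings = [];
  for (const dest of destinations) {
    const url = new URL(dest.url);
    if (!url.hostname.endsWith(INTERNAL_DOMAIN)) continue; // public route via the Gorouter
    const app = hostToApp[url.hostname.slice(0, -INTERNAL_DOMAIN.length)];
    if (!app) { findings.push(`${dest.name}: no app has the route ${url.hostname}`); continue; }
    // Internal routes resolve straight to the container, so the URL must carry the app port.
    const port = Number(url.port) || (url.protocol === "https:" ? 443 : 80);
    if (port !== appPort) findings.push(`${dest.name}: URL targets port ${port}, app listens on ${appPort}`);
    const allowed = policies.some((p) => p.source === routerApp && p.destination === app &&
      p.protocol === "tcp" && portAllowed(p.ports, appPort));
    // Suggested fix uses cf CLI v7+ syntax (v6 takes --destination-app instead).
    if (!allowed) findings.push(`${dest.name}: no policy; cf add-network-policy ${routerApp} ${app} --protocol tcp --port ${appPort}`);
  }
  return findings;
}

// Constructed inputs: the approuter "destinations" value and a `cf network-policies` listing.
const SAMPLE_DESTINATIONS = [
  { name: "A", url: "http://svc-a.apps.internal:8080", forwardAuthToken: true },
  { name: "B", url: "https://svc-b.apps.internal", forwardAuthToken: true },
  { name: "C", url: "https://svc-c.cfapps.example.com", forwardAuthToken: true },
];
const SAMPLE_HOSTS = { "svc-a": "svc-a", "svc-b": "svc-b" }; // internal hostname -> app name
const SAMPLE_POLICIES = `source      destination   protocol   ports
approuter   svc-a         tcp        8080`;

console.log(auditDestinations(SAMPLE_DESTINATIONS, "approuter", SAMPLE_HOSTS, parsePolicies(SAMPLE_POLICIES)));
```

Running the policy command it prints requires a user whose token carries the network.write or network.admin scope named in the error message quoted earlier in the thread.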
