cloud foundry inter app communication

former_member593912
Discoverer

I am trying to deploy our solution on SAP cloud foundry. The service consists of frontend and backend services. The frontend services have to communicate directly with the backend services. The backend services on the other hand should not be reachable publicly.

According to the cloud foundry documentation inter app communication can be achieved by using Internal Routes which should expose the special domain "apps.internal".

https://docs.cloudfoundry.org/devguide/deploy-apps/routes-domains.html#internal-routes

This feature does not seem to be available on SAP cloud foundry platform. Can you please advise how to implement inter app communication on SAP cloud platform?

mariusobert
Developer Advocate
0 Kudos

Hi Benjamin,

Can you please elaborate in a little more detail on what you are trying to do (and why)?

Do you mean a "classical" front-end service like a SAPUI5 / Angular app? And why shouldn't the back-end service be publicly accessible?

Or are you talking about a scenario where only users who have logged in to the front-end service before should be allowed to call the backend services?

Regards,

Marius

former_member593912
Discoverer

Hey Marius

Our application is structured in small services which have to communicate with each other. For security reasons I only want to expose the services which have a direct interface to clients. These small services do all sorts of tasks like generating reports, or handling interfaces with third-party datasources. If you're interested in microservice architecture, I can recommend the following book: http://shop.oreilly.com/product/0636920033158.do

Regards,
Benjamin

I also have a problem related to internal routing through the apps.internal domain. My frontend service (SAP Application Router) is not able to forward a request to the internal service.

  1. I do have the apps.internal domain in my Cloud Foundry environment.
  2. I have a frontend app (the SAP Application Router) with a route on the cfapps.eu10.hana.ondemand.com domain and a backend app with a route for the apps.internal domain. The output of cf routes (with names changed):
  3. In the SAP Application Router I have a destination to http://backend.apps.internal/. But the request from a route mapped to that destination fails. It returns a 502 Bad Gateway status code.

According to the Cloud Foundry documentation I have to create a network policy:
"By default, apps cannot communicate with each other on the container network. To allow apps to communicate with each other you must create a network policy." - Configuring Routes and Domains - Internal Routes

However, my trial user doesn't have the required permission to even list the network policies. I get:

> cf network-policies
provided scopes [cloud_controller.read password.write cloud_controller.write openid uaa.user] do not include allowed scopes [network.admin network.write]
FAILED

Any suggestions on what I might be missing are welcome!

EDIT:

I added the scopes "network.write" and "network.admin" and a role-template to my XSUAA service as follows:

  "scopes": [
    ...
    {
      "name": "network.write",
      "description": "Allow editing of network policites."
    },
    {
      "name": "network.admin",
      "description": "Allows administration of network policies."
    }
  ],
  "role-templates": [
    ...
    {
      "name": "RTNetworkAdministration",
      "description": "Role Template for administration of the network policies.",
      "scope-references": [
        "network.admin",
        "network.write"
      ]
    }
  ]

I created a role-collection using the role-template and assigned the role-collection to my user in the SAP ID service of the sub-account.

I then signed out and back into the cf CLI.

This did not resolve the issue. I still cannot add a network policy.

Accepted Solutions (0)

Answers (4)


alfonsoarmenta
Explorer

A similar issue (although I believe I am trying to sort out a different problem).

One solution which involves a number of REST-based microservices (3 so far, let's call them A, B & C).

There is also an Angular UI and an app router ("@sap/approuter": "^8.5.0").

The router needs to know about A, B & C:

-- excerpt from router's xs-app.json:


    {
      "source": "/api/A/(.*)$",
      "target": "/A/$1",
      "destination": "A"
    },
    {
      "source": "/api/B/(.*)$",
      "target": "/B/$1",
      "destination": "B"
    },
    {
      "source": "/api/C/(.*)$",
      "target": "/C/$1",
      "destination": "C"
    }

And that is fine so far.

Then there is the destinations environment variable in the manifest.yml to direct those destinations to real endpoints:

    env:
      destinations: >
        [
            {
                "name": "A",
                "url": "https://A.cfapps.eu10.hana.ondemand.com",
                "forwardAuthToken": true
            },
            {
                "name": "B",
                "url": "https://B.cfapps.eu10.hana.ondemand.com",
                "forwardAuthToken": true
            },
            {
                "name": "C",
                "url": "https://C.cfapps.eu10.hana.ondemand.com",
                "forwardAuthToken": true
            }
        ]

Of course, this is an issue: A, B & C need to be unique.

But here is the thing: it is not necessary for this application for any of A, B or C to be accessible from the outside world; all access can be done via the approuter.

The solution would be to be able to do this instead:

    env:
      destinations: >
        [
            {
                "name": "A",
                "url": "https://A.apps.internal",
                "forwardAuthToken": true
            },
            {
                "name": "B",
                "url": "https://B.apps.internal",
                "forwardAuthToken": true
            },
            {
                "name": "C",
                "url": "https://C.apps.internal",
                "forwardAuthToken": true
            }
        ]

But this does not seem to work and I've tried all sorts of things.

http, https, use the actual port exposed by the service (8080).

Nothing works. Eventually I ssh'ed into the router and tried to connect to the internal services using curl:

curl -v http://A.apps.internal
curl -v http://A.apps.internal:8080
curl -v https://A.apps.internal

They all fail the same way, connection refused.

Is this achievable in SAP Cloud?
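
A pre-deployment check for the kind of configuration shown in this post, as an added example that is not part of the original post or of @sap/approuter: it cross-checks xs-app.json route destinations against the `destinations` list and reports names that do not resolve, duplicate names, backends still on a public domain, and internal URLs with no explicit port. The function name `auditDestinations`, the finding labels and the sample values are assumptions made for illustration.

```javascript
// Added example; sample values are constructed for illustration.
const INTERNAL_DOMAIN = ".apps.internal"; // internal domain named in this thread

function auditDestinations(routes, destinations) {
  const findings = [];
  const byName = new Map();
  for (const d of destinations) {
    // A repeated name makes it ambiguous which backend a route reaches.
    if (byName.has(d.name)) findings.push({ name: d.name, issue: "duplicate-name" });
    else byName.set(d.name, d);
  }
  for (const r of routes) {
    // Every xs-app.json route must point at a defined destination.
    if (!byName.has(r.destination)) {
      findings.push({ name: r.destination, issue: "unresolved-destination" });
    }
  }
  for (const [name, d] of byName) {
    let url;
    try {
      url = new URL(d.url);
    } catch {
      findings.push({ name, issue: "invalid-url" });
      continue;
    }
    if (!url.hostname.endsWith(INTERNAL_DOMAIN)) {
      // Backend is still published on an externally routable domain.
      findings.push({ name, issue: "public-route" });
    } else if (url.port === "") {
      // Internal routes resolve to the app container itself, so the URL
      // has to name the port the app listens on (8080 in this thread).
      findings.push({ name, issue: "internal-without-port" });
    }
  }
  return findings;
}

const sampleRoutes = [
  { source: "/api/A/(.*)$", target: "/A/$1", destination: "A" },
  { source: "/api/B/(.*)$", target: "/B/$1", destination: "B" },
  { source: "/api/C/(.*)$", target: "/C/$1", destination: "C" },
];
const sampleDestinations = [
  { name: "A", url: "http://A.apps.internal:8080", forwardAuthToken: true },
  { name: "config", url: "https://B.cfapps.eu10.hana.ondemand.com", forwardAuthToken: true },
  { name: "config", url: "http://C.apps.internal", forwardAuthToken: true },
];
console.log(auditDestinations(sampleRoutes, sampleDestinations));
```

A clean result only covers the approuter configuration; per the Cloud Foundry documentation quoted earlier in the thread, apps still cannot reach each other on the container network until a network policy allows it.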

matejdurajka
Explorer
0 Kudos

Hi, alfonsoarmenta

Did you find a solution for this?

alfonsoarmenta
Explorer

matejdurajka Nope, but I also stopped looking for the solution to be honest 🙂

former_member798696
Discoverer
0 Kudos
This seems to be a common problem. Is there a solution to this problem?

0 Kudos

Hi,

I would like to know how we can achieve app2app communication in CF.

Basically, we would like to call a SaaS app from another SaaS app. Both SaaS apps reside in different provider accounts.

Regards,

Kush Sharma

0 Kudos