By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using AWS AppFlow Private SAP OData Connection with different Port then 443 not supported?

1

I was recently setting up an AWS AppFlow Flow to pull data from SAP and store them into an S3 data lake. As the SAP source Sytem was reachable via a dedicated VPN connection only it was required to setup a private connection and so I was following the tutorial at

https://aws.amazon.com/blogs/awsforsap/share-sap-odata-services-securely-through-aws-privatelink-and-the-amazon-appflow-sap-connector/

to make it work. As several things like a VPC, an ACM certificate and the required NLB were already in place I was able to skip those steps and start with setting up a PrivateLink endpoint service with a private DNS name dedicated for the SAP connection to be used by the AppFlow Connector. And as the default HTTPS port 443 was already in use at the NLB I just picked another one that was available and added a new listener for that port having attached a target group pointing to the on-premise SAP instace's IP address. But unfortunately this setup didn't work and setting up the Connector using this Private Link Service Endpoint's DNS name and the respective NLB's port for the SAP instance always failed with error message

"Error while communicating to connector: Client error: The request to SAP failed with the status code: 400 and error message: Call to SAP endpoint timed out for GET http request".

After hours of debugging, research, documentation lookup and somehow trying to find or at least getting an idea for the mistake in our setup a colleague of mine came up with the desperate proposal to setup a new NLB and again setup everything from scratch using this NLB and use exactly the values outlined in the tutorial - and it worked! After a bit of testing it turned out that initially using a different port then 443 for the Connector was the root cause of our problem. Was anyone else already able to make such a connection work using a different port than 443? As in the Connector setup the port selection is not limited (via any kind of validation rule nor is it mentioned at any place of the official documentation - only found a hint that using HTTPS is necessary somewhere) so I can only hardly imagine that this setup is so limited to be only possible with port 443.

Topics
Application IntegrationNetworking & Content Delivery
Tags
Amazon AppFlowElastic Load BalancingAWS PrivateLink
Language
English
jclausen_Ratepay
asked 2 years ago1.1K views
1 Answer
1

Hi

I have tried the scenario you mentioned and it does not seem to be the case. I was able to use port 444 as a listener on my nlb and setup the appflow connector with PrivateLink for the same. The Appflow connector setup is successful and also the extraction of data is working as expected. Also the NLB target group(protocol-TCP, port - 80) can point to a HTTP port on the sap side and its not necessary to have a HTTPS port. If you point the Target group(protocol-TLS, port -443) to SAP HTTPS port then make sure the sap has a valid SSL Certificate.

Regards Nishant Jain

AWS
Nishant_J
answered 2 years ago
  • rePost-User-7092109
    2 years ago

    Hi Nishant,

    Thanks for sharing. I saw you have been able of setting up AppFlow vs HTTP endpoint for SAP. How did you configure it? I'm struggling doing the same with Odata exposed via HTTP on port 8000. Trying to create a SAP OData connection on AppFlow it seems we can only use HTTPS endpoints and not HTTP (even with PrivateLink up and running). Any suggestion will be higly appreciated.

    Thanks

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content