Deploy SAP Application Router on Kyma

April 1, 2025 ☼ SAP ☼ Kyma ☼ K8S ☼ BTP

In this post we’ll take a look at how to deploy the SAP Application Router on Kyma. We’ll see two different flavors of doing so and the differences between them.

SAP Application Router

The SAP Application Router is a lightweight HTTP server that acts as a reverse proxy and forwards requests to the appropriate backend services. It acts as a single entry point to your business application.

It’s commonly used when developing applications on SAP BTP. It can also be used to:

• Serve static content
• Authenticate and authorize users
• Forward to the appropriate identity provider for login
• Rewrite URLs
• Handle CORS

From my experience, the Application Router is a great tool to put in front of your Frontend application. Your FE doesn’t need to handle things like token management, CORS. The Application Router will do that for you.

It also integrates seamlessly with SAP Identity Service and XSUAA.

Deploying the Application Router on Kyma

There are two ways to use the Application Router capabilities in SAP BTP, Kyma runtime.

• Managed Application Router
• Standalone Application Router

Standalone Application Router

With this approach, you will deploy and manage the Application Router as a standalone service on Kyma. You can create a basic Docker image and run the Application Router in a Kubernetes pod.

The advantages of this approach are:

• You have full control over the Application Router configuration and extension. For example, you can add custom middlewares.
• You can use any version of the Application Router.

The disadvantages are:

• You need to manage the Application Router yourself. This includes scaling, monitoring, and updating the Application Router.
• You need to create and maintain the Docker image.
• To achieve high availability and zero downtime, you must maintain multiple replicas and externally store the session. That way, the session is not lost when a Pod restarts. You must add an external storage like Redis.

Managed Application Router

In this setup, the Application Router is a component managed and operated by SAP. Within the Kyma runtime, you can deploy your Frontend to the HTML App Repository and configure the site using the Launchpad service.

The advantages will be:

• No software maintenance for Application Router components
• There is a single session provided and managed by the Application Router.
• High availability and external session management provided out of the box

Disadvantages of this setup:

• To integrate or forward requests to backing microservices running on Kyma runtime, they must be exposed with API Rules. That’s because managed Application Router is not running inside the Kyma runtime.
• The Application Router capabilities cannot be extended. Thus, for example, injecting a custom middleware won’t be possible.
• Rate limited (300 Req/s) — Other limitation

I can not tell you which approach is better. It depends on your use case. In this post I’ll show you how to deploy the standalone version.

Reference Architecure diagram

                 ┌──────────────────────────────────────────────────────────────────────────────────────────────┐
                 │SAP BTP                                                                                       │
                 │                                                                                              │
                 │                                                                                              │
                 │      ┌───────────────────────────────────────────────────────────────────────────────┐       │
                 │      │Kyma Runtime (k8s)                                                             │       │
                 │      │                                                                               │       │
                 │      │                 ┌───────────────┐                                             │       │
                 │      │                 │     NGNIX     │                                             │       │
                 │      │                 │  (Frontend)   │                      ┌───────────────┐      │       │
                 │      │                 └───────────────┘                      │     API 1     │      │       │
                 │      │                         ▲           ┌─────────────────▶│               │      │       │
                 │      │           ┌─────────────┘           │                  └───────────────┘      │       │
                 │      │           │                         │                                         │       │
┌──────────┐     │      │   ┌───────────────┐                 │                  ┌───────────────┐      │       │
│          │     │      │   │  Application  │                 │                  │     API 2     │      │       │
│ Browser  │─────┼──────┼──▶│    Router     │─────────────────┼─────────────────▶│               │      │       │
│          │     │      │   └───────────────┘                 │                  └───────────────┘      │       │
└──────────┘     │      │           │                         │                                         │       │
                 │      │           │                         │                  ┌───────────────┐      │       │
                 │      │           │     ┌ ─ ─ ─ ─ ─ ─ ─ ┐   │                  │     API 3     │      │       │
                 │      │           │       Ext. Session      └─────────────────▶│               │      │       │
                 │      │           ├────▶│     Store     │                      └───────────────┘      │       │
                 │      │           │      ─ ─ ─ ─ ─ ─ ─ ─                                              │       │
                 │      │           │                                                                   │       │
                 │      │           │                                                                   │       │
                 │      └───────────┼───────────────────────────────────────────────────────────────────┘       │
                 │                  ▼                                                                           │
                 │          ┌───────────────┐                                                                   │
                 │          │ SAP Identity  │                                                                   │
                 │          │Authentication │                                                                   │
                 │          │    Service    │                                                                   │
                 │          └───────────────┘                                                                   │
                 └──────────────────────────────────────────────────────────────────────────────────────────────┘

Prerequisites

• Kyma
• Docker
• kubectl

Note: Please, make sure you review the code before deploying it. The code is provided as an example and may not be suitable for production use. You should always test the code in a safe environment before deploying it to production.

Steps

1. Create a new folder with the following structure:

k8s/
resources/
  ├── logout.html
Dockerfile
package.json
package-lock.json
xs-app.json

2. Create a new file called package.json with the following content:

{
  "name": "my-approuter",
  "version": "1.0.0",
  "description": "SAP Application Router",
  "scripts": {
    "start": "node node_modules/@sap/approuter/approuter.js"
  },
  "keywords": ["approuter", "nodejs", "btp"],
  "author": "",
  "dependencies": {
    "@sap/approuter": "^19.0.4"
  },
  "engines": {
    "node": "20.18"
  }
}

3. Create a new file called xs-app.json with the following content:

{
  "welcomeFile": "/index.html",
  "authenticationMethod": "none",
  "logout": {
    "logoutEndpoint": "/logout.html"
  },
  "routes": [
    {
      "source": "^/api1/(.*)$",
      "target": "/$1",
      "service": "api1"
    },
    {
      "source": "^/api2/(.*)$",
      "target": "/$1",
      "service": "api2"
    },
    {
      "source": "^/api3/(.*)$",
      "target": "/$1",
      "service": "api3"
    }
  ]
}

Here you can set the authenticationMethod to route or none. If you set it to route, the Application Router will use the authentication method defined in the route. If you set it to none, the Application Router will not use any authentication.

4. Create a Docker image

FROM node:20-alpine AS build

ENV NODE_ENV=production
USER node

WORKDIR /app

COPY package*.json ./
RUN npm ci --only=production

COPY . .

# Use multi-stage build for a smaller final image
FROM node:20-alpine

WORKDIR /app

# Copy built artifacts from the build stage
COPY --from=build /app .

ENV NODE_ENV=production
ENV PORT=5000

EXPOSE 5000

USER node
CMD ["node", "node_modules/@sap/approuter/approuter.js"]

Build the image and tag it with the version you want:

docker build -t my-approuter-image:1.0.0 .

You can also push the image to a container registry like Docker Hub or SAP BTP Container Registry.

docker tag my-approuter-image:1.0.0 <your-docker-hub-username>/my-approuter-image:1.0.0
docker push <your-docker-hub-username>/my-approuter-image:1.0.0

5. Create the necessay K8s resources

Service.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-approuter
  labels:
    app: my-approuter
    service: my-approuter
spec:
  ports:
    - port: 5000
      protocol: TCP
      name: http
  selector:
    app: my-approuter
status:
  loadBalancer: {}

Deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-approuter
  labels:
    app: my-approuter
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-approuter
      version: v1
  template:
    metadata:
      labels:
        app: my-approuter
        version: v1
    spec:
      containers:
        - name: ri-approuter
          image: my-approuter-image:1.0.0
          imagePullPolicy: Always
          ports:
            - containerPort: 5000
          resources:
            limits:
              memory: "512Mi"
            requests:
              cpu: "250m"
              memory: "256Mi"
          env:
            - name: destinations
              valueFrom:
                configMapKeyRef:
                  name: destinations
                  key: destinations
            - name: CF_NODEJS_LOGGING_LEVEL
              value: debug

ConfigMap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: destinations
data:
  destinations: >-
    [
      {
        "name": "api1",
        "url": "http://api1.svc.cluster.local:80",
        "forwardAuthToken": true
      },
      {
        "name": "api2",
        "url": "http://api2.svc.cluster.local:80",
        "forwardAuthToken": true
      },
      {
        "name": "api3",
        "url": "http://api3.svc.cluster.local:80",
        "forwardAuthToken": true
      }
    ]

destination-rule.yaml

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-approuter
spec:
  host: my-approuter
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpCookie:
          name: JSESSIONID
          path: /
          ttl: 0s

6. Deploy the Application Router

kubectl apply -f k8s/

Done 🎉

The approuter is exposed at https://my-approuter.{CLUSTER_DOMAIN}.

---

If you have any suggestions, questions, corrections or if you want to add anything please DM or tweet me: @zanonnicola