Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Private Link service use cases for SAP Cloud Integration and SAP Build Work Zone, Standard Edition

hterminasyan
Product and Topic Expert
Product and Topic Expert
‎08-22-2022 9:21 PM








 Updates

 13.03.2023: Azure Blob Storage connectivity to SAP Cloud Integration with help of SAP Private Link service (GitHub)

Dear Community,

In my previous blog post, I introduced how to use the SAP Private Link service to extend your SAP S/4HANA business processes running on Microsoft Azure while keeping the traffic within the Azure internal network.

In this blog, I would like to share three more use cases for SAP Private Link connectivity

  • SAP Private Link service with SAP Cloud Integration for building diverse integration scenarios

  • Azure Blob Storage connectivity to SAP Cloud Integration with help of SAP Private Link service

  • SAP Private Link service for frontend applications accessible from SAP Build Work Zone, Standard Edition


Please have a look at the great blog series by martin-pankraz, where he also presents the SAP Cloud Integration scenario in Part 2.

Even without a direct integration of SAP Cloud Integration and SAP Build Work Zone, Standard Edition services with SAP Private Link service, we can still establish connectivity with help of Application Router, meanwhile, the product team is working to enable the direct integration.

Now let’s have a closer look at these two scenarios:

SAP Private Link service with SAP Cloud Integration for building diverse integration scenarios


The SAP Cloud Integration capability of SAP Integration Suite enables enterprises to connect different systems and applications in hybrid and cloud landscapes, that are developed and maintained on different technology stacks. These stacks, usually follow different security standards and requirements.

With the help of the SAP Private Link service, you can extend your hybrid integration scenarios to suit stricter security policies and communicate with your SAP S/4HANA on Microsoft Azure through private network connectivity.

The main idea of this architecture is to use the Application Router as a proxy for the private connectivity between SAP S/4HANA and SAP Cloud Integration. More details about Application Router can be found below. Please also check the GitHub repository for further details.


SAP Cloud Integration with SAP Private Link service


 

Azure Blob Storage connectivity to SAP Cloud Integration with help of SAP Private Link service


With the help of the SAP Private Link service, Azure Blob storage can now be linked to SAP Cloud Integration, enabling the easy exchange of massive amounts of unstructured data like images and documents.This integration provides a secure solution for businesses that need to transfer unstructured data between the two platforms.

The main idea of this architecture is to use the Application Router as a proxy for the private connectivity between Azure Blob Storage and SAP Cloud Integration. You can find the detailed steps for configuration here.


Azure Blob Storage connectivity with SAP Private Link service


 

SAP Private Link service for frontend applications accessible from SAP Build Work Zone, Standard Edition


As you might know, the SAP Build Work Zone, Standard Edition service plays an important role to increase users’ productivity and efficiency by enabling organizations to establish a central point of access to SAP, custom-build, third-party applications, and extensions.

The frontend extensions of your SAP S/4HANA system running on SAP BTP can now also benefit from the new SAP Private Link service by establishing private connectivity to your SAP backend systems.

Like the above-mentioned scenario, the main idea of this architecture is to use the Application Router as a proxy for the private connectivity between SAP S/4HANA and frontend extensions running on SAP BTP. Below you'll find more information on Application Router. To learn more, you can check the GitHub repository.
Please note that this scenario covers only the frontend extensions. The federated SAP S/4HANA content is out of scope for this blog.


UI extensions with SAP Private Link service




How to achieve this?


As previously mentioned, for the moment, we cannot use SAP Private Link service directly from SAP Cloud Integration or SAP Build Work Zone, Standard Edition; nevertheless, we can bridge this gap with help of SAP’s Application Router (approuter), which can play the role of a proxy between SAP and SAP Cloud Integration.

Application Router is a package available in the public npm repository, usually used as a single-entry point to your applications. It can help dispatch incoming requests to other microservices, facilitate authentication & authorization, and finally integrate other SAP BTP services like the Destination service or the HTML5 Application Repository.

These main capabilities of the Application Router with the latest release (as of today - 11.3.2) can help you establish the above-mentioned proxy role for Private Link.

 

Configure and deploy Application Router


You can configure and deploy the Application Router with the IDE of your choice, but with help of SAP Business Application Studio (BAS), it is much simpler, since you can take advantage of the provided templates for your Application Router configuration.

If you choose BAS, select Standalone Approuter as an option in the template wizard.


The only configuration required in Application Router is to define the route and the destination used for the SAP Private Link connectivity. This can be done in the xs-app.json file where BusinessPartner-approuter is the destination configured for SAP Private Link connectivity in the target SAP BTP subaccount (see destination configuration below).
{

  "authenticationMethod": "route",

  "routes": [

    {

        "source": "^/sap/(.*)$",

        "target": "/sap/$1",

        "destination": "BusinessPartner-approuter",

        "authenticationType": "xsuaa",

        "csrfProtection": false

    }

  ]

}


After setting up the route with destination and authentication, you can deploy the Application Router to your SAP BTP subaccount
e.g. by  mbt build and cf deploy privatelink-proxy.mtar

Once the Application Router is up and running, it can be used by your integration flows or Fiori applications to connect with the SAP backend system.

 

Summary 


In this blog, you have learned how to bypass the missing features and still be able to use SAP Private Link service with your integration and frontend extension scenarios with help of Application Router.

You can find detailed steps for both scenarios in the following GitHub repo.

For the latest product features, you can check the SAP Private Link service roadmap.

 

 
12 Comments
DG
Active Contributor
‎08-23-2022 7:37 AM
Hi

Is it only HTTP-based traffic that can be sent thru the link, or can you also have other protocols like JMS, SFTP or other platforms.
Martin-Pankraz
Active Contributor
‎08-23-2022 8:27 AM
0 Kudos
No, the CF approuter works with http only. However, you can apply your own proxy. In my earlier example I implemented this with a Java app. In there you can receive the http request from CPI for instance and then forward you request using JMS, SFTP etc. Till there is native support for SAP BTP PaaS/SaaS apps for private link this is the way to go.

harutyun.ter-minasyan2 how about a small comment on the blog and github repos to clarify?
DG
Active Contributor
‎08-23-2022 8:30 AM
0 Kudos
thanks Martin
VijayKonam
Active Contributor
‎08-24-2022 4:27 PM
0 Kudos
How is this different or better from using the Cloud Connector? Many organizations have taken so much pain to set up the cloud connector already. Does this add any additional value like latency or connectivity to various regions? Am I missing the point?

Thanks,

Vijay Konam (VJ)
VijayKonam
Active Contributor
‎08-24-2022 4:33 PM
0 Kudos
Okay, I understood by going through the other blog. This is for the customers who have their BTP apps or CPI hosted on Azure and thus bypassing the internet to connect to on-premise. Thanks.
Martin-Pankraz
Active Contributor
‎08-24-2022 4:39 PM
Hi vijaykonam,

thanks for reaching out. I created a dedicated blog to answer that question.

Would adjust your summary slightly: SAP Private Link for Azure is about connecting to workloads running on Azure (typically not on-premises, even though you could technically forward proxy via firewall +VPN/Exrpress Route etc. to your on-premises network).

Does that clarify?

KR

Martin
Muniyappan
Active Contributor
‎08-25-2022 8:47 AM
Eagerly waiting for the last piece, where cpi can directly call Azure host instead of proxy app. Hope product team releases soon.
VijayKonam
Active Contributor
‎08-25-2022 2:27 PM
0 Kudos
Thanks Martin. Yes you did. By on-prem I meant, S4/HANA hosted on Azure private cloud. That is almost on-prem in our case. This could/should be a great thing for us to avoid the bottleneck of SAP Cloud Connector.

Thanks,

Vijay Konam
former_member819790
Discoverer
‎09-02-2022 8:24 AM
0 Kudos
Great post
xudonny
Advisor
Advisor
‎05-31-2023 10:27 AM
0 Kudos

Hi,

For the steps in "SAP Private Link service for frontend applications accessible from SAP Build Work Zone, Standard Edition", I saw it's using standard app router, then make it mutli tenant mode, subscribe, and make it visible in WZ std content provider.

But I saw the main setting is the router in xs-app.json, looks no big difference to other type of destination used in typical extension app. May I know can we use managed app router directly? Will it work also for private link?

Thanks,

Donny

gowrisankar_m2
Employee
Employee
‎06-01-2023 12:17 PM
0 Kudos
Hi Donny,

Unfortunately, support for the managed app router is not available at the moment because it runs in a provider space. The problem is during privatelink binding, cf application security groups are created to control egress traffic. Since privatelinks are created in the consumer space, they cannot be utilized for the managed app router running in the provider space because egress traffic is not allowed.

However, we are actively working towards adding support for the managed app router as well. Please note that we cannot provide a guaranteed timeline for its availability.

Thank you, Gowrisankar
xudonny
Advisor
Advisor
‎06-01-2023 12:28 PM
0 Kudos
Hi Gowrisankar,

Thanks for the technical details. Now I understand why use standalone app router in the sample now.

Regards,

Donny
Labels in this area
Popular Blog Posts