
Secure On-Premise to BTP Connectivity

abdulbasit
Active Contributor

Hi,

I have a requirement to connect the S4HANA On-Premise system (or maybe any other SAP or non-SAP system) to the SAP BTP Public Services (Integration Suite in my case) hosted in EU20 (Azure - Netherlands) with a secure connection. I don't want to set up my connection over the internet but am looking for a more secure way to handle this communication.

SAP Cloud Connector is already in place, but it works only Cloud to On-Premise, and we cannot use it for connections initiated from On-Premise. I'm investigating several options like SAP Private Link or Azure Express Route.

SAP Private Link Service has just been announced GA, but it only works for SAP BTP to Azure connections and only for outbound connections from BTP Public Services. The reverse way seems to be on the roadmap, but still this will only be available for Cloud to Cloud connections.

There is also the Azure Express Route option available on the Microsoft side, but I still cannot find clear information that this could work in my case. I found the blog Secure Connectivity to SAP Cloud Services hosted on Hyperscaler, which states that Azure Express Route is possible for this requirement (scenario 6), but I couldn't validate this information in any other official documentation.

In summary, I need to find a way to connect from the on-premise S4HANA system to the SAP BTP Integration Suite without using an HTTPS/TLS connection through the public internet.

Does anyone have an idea or an alternative approach to this requirement?

Thanks,

Abdulbasit.

Accepted Solutions (1)

Martin-Pankraz
Active Contributor

Hi Abdulbasit,

very good question. Unfortunately BTP PaaS like Integration Suite offer only public endpoints by design. There is nothing you can do about that. So, even if you send your request through private channels over the Azure backbone with ExpressRoute etc., you still have to break out into the Internet at the end to reach SAP Integration Suite.

However, Azure-to-Azure requests with public endpoints stay on the Azure backbone and don't actually reach the Internet. Still it will be a public SAP BTP endpoint.

Some customers use SAP's public load balancer list for their internet proxies to limit the target range of outbound requests. Be aware that SAP might change them at short notice.

Let the community know what you decided in the end 🙂

KR

Martin
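The proxy allowlist approach mentioned in the accepted answer, as an added example that is not part of the original thread or of any SAP tooling: it parses a published list of load balancer ranges into an egress allowlist, classifies resolved destinations against it, renders the equivalent Squid ACL, and diffs two versions of the list so that a change by SAP is caught before connections start failing. The CIDR list, hostnames and the `sap_btp` ACL name are constructed for illustration (RFC 5737 documentation ranges), not SAP's real addresses.

```python
"""Egress allowlist for a forward proxy, restricted to a published set of
SAP BTP load balancer ranges.

Added example, not from the original post. The CIDR list below is
CONSTRUCTED (RFC 5737 documentation ranges) and is NOT SAP's real load
balancer list; take the current list from SAP and re-run drift() whenever
it is republished, since the ranges can change at short notice.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for the "published load balancer list".
SAMPLE_SAP_LB_LIST = """
# eu20 (constructed, not real SAP ranges)
192.0.2.0/28
198.51.100.64/27
# single host entry without a prefix length
203.0.113.7
"""


def parse_allowlist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a newline-separated list of CIDRs / single IPs into networks.
    Blank lines and '#' comments are ignored. Malformed entries raise
    instead of silently widening or narrowing the allowlist (strict=True
    also rejects host bits set inside a prefix, e.g. 192.0.2.1/28)."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def is_allowed(ip: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(destinations: Dict[str, List[str]],
             networks: Iterable[ipaddress.IPv4Network]) -> Dict[str, Dict[str, List[str]]]:
    """destinations maps hostname -> resolved IPs (resolution is done
    outside so this stays offline). A hostname is allowed only if EVERY
    resolved address is inside the allowlist; a name that is only partly
    covered is denied and its offending addresses are reported."""
    result: Dict[str, Dict[str, List[str]]] = {"allow": {}, "deny": {}}
    for host, ips in destinations.items():
        outside = [ip for ip in ips if not is_allowed(ip, networks)]
        if outside:
            result["deny"][host] = outside
        else:
            result["allow"][host] = list(ips)
    return result


def drift(previous: str, current: str) -> Dict[str, List[str]]:
    """Compare two versions of the published list. A removed range means
    the proxy config is stale; an added range means traffic to it is
    currently being blocked by the proxy."""
    old = set(parse_allowlist(previous))
    new = set(parse_allowlist(current))
    return {
        "added": sorted(str(n) for n in new - old),
        "removed": sorted(str(n) for n in old - new),
    }


def squid_acl(networks: Iterable[ipaddress.IPv4Network], acl_name: str = "sap_btp") -> str:
    """Render a Squid 'dst' ACL with an allow rule followed by a default
    deny. The Squid directives are real; the ACL name is an assumption."""
    lines = [f"acl {acl_name} dst {net}" for net in networks]
    lines += [f"http_access allow {acl_name}", "http_access deny all"]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_allowlist(SAMPLE_SAP_LB_LIST)
    # Constructed resolution results, not real DNS answers.
    resolved = {
        "tenant.it-cpi.example": ["192.0.2.5", "198.51.100.70"],
        "unrelated.example": ["192.0.2.5", "8.8.8.8"],
    }
    print(classify(resolved, nets))
    print(squid_acl(nets))
```

Resolve the tenant hostnames on the proxy itself (or feed it the proxy's own DNS view) before calling classify(), otherwise a split-horizon answer can make a destination look covered when the proxy will actually connect elsewhere.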

Answers (1)

abdulbasit
Active Contributor

Hi Martin,

Thanks for the detailed explanation.

"However, Azure-to-Azure requests with public endpoints stay on the Azure backbone and don't actually reach the Internet. Still it will be a public SAP BTP endpoint."

That's what I'm trying to reach with the Azure Express Route option. If I set up an Azure Express Route between the customer data center and Azure, I would expect my connections from on-premise to SAP BTP Public Services in the Azure region to stay on the Azure backbone without reaching the Internet. Isn't that correct?

I'm also reading the Azure Express Route documentation on the Microsoft side. The attached figure in the documentation shows that even if I reach the Microsoft Public Services (orange route), it doesn't go over the public internet. That's what I'm expecting to have for SAP BTP Public Services too, since they are also on Azure.

I know it is getting complicated, but I'm just trying to understand if it is technically possible. The implementation effort and cost would be the topic for another discussion 🙂

Best Regards,

Abdulbasit.

Martin-Pankraz
Active Contributor

The part I explained concerns traffic that reached Azure already. Find the official source for that here. Look at the section below figure 1. That explains the routing.

Ensuring that requests towards a public BTP endpoint go through the ExpressRoute is a challenge that needs to be solved on the on-premise side with your network team and ExpressRoute provider. Technically it is possible, yes.

Conceptually I would argue it breaks a cloud pattern to squeeze requests into a VPN or ExpressRoute to reach a public service.

Does that help?

KR

Martin

abdulbasit
Active Contributor

Thanks, it is clearer now.

But I still see this as a reasonable request if both the sender and receiver systems are in a private network and/or public cloud. Otherwise the only option we have is to use an on-premise middleware system to handle this communication without going over the Internet. This, on the other hand, breaks the strategy of moving middleware system(s) to the cloud until all the participating systems are completely moved to the cloud.

Also, it seems that a similar scenario is already on the roadmap for SAP Private Link Service for Azure to SAP BTP (Public) connections. The missing part here is the on-premise systems, which might be solved by adding reverse connectivity options to the SAP Cloud Connector.

Anyway, I got my answers and now it is time to discuss the alternatives with the customer. I'll let you know the result here 🙂

Thanks again.

Abdulbasit.