Skip to Content
Technical Articles
Author's profile photo Jana Subramanian

Accessing SAP Cloud Platform via AWS Direct Connect

Traditionally, SAP Cloud Platform is considered as public cloud offered as Platform as a Service (PaaS), accessible only via public Internet.  While Internet services have become reliable and stable over the years and many customers still choose to access SAP Cloud Platform securely via public Internet, few of our regulated customers in Government, Banking and Finance and other public sector organizations require dedicated “direct” connectivity from on-premise to SAP Cloud Platform services to access business critical applications. For such customers, using public internet is unacceptable for security and compliance reasons.

In this blog, we explore how SAP customers can access SAP Cloud Platform securely via AWS Direct Connect connection without traffic traversing via public internet. We will explore details on how to establish direct connectivity between on-premise customer location and SAP Cloud Platform (Cloud Foundry) running on AWS.

SAP Cloud Platform (CF@AWS) Access via AWS Direct Connect

SAP Cloud (Cloud Foundry) runs on public cloud service providers (hyperscalers) such as AWS, Azure, GCP and Alibaba. The SAP Cloud Platform regions and service capabilities and hyperscalers used in various regions can be found here.  While all hyperscalers provide native capability to establish dedicated direct link to their respective cloud platform, we focus specifically only on AWS in this blog.

AWS Direct Connect service is a physical connection that connects customer on-premise network to AWS. This allows customer on-premise traffic to traverse via secure direct network to SAP Cloud Platform without traversing via Public Internet and this offers an excellent bandwidth, consistent network performance and low latency. The connectivity architecture has three parts:


Step 1:

  • As a prerequisite, a customer must have an AWS account and obtain Letter of Authorization and Connecting Facility Assignment (LOA-CFA) from AWS after specifying name, location, speed and interconnection provider details. This is essentially customer requesting a “AWS DX port” operating at certain speed belonging to their AWS Account ID and allow that port to be connected to their router via cross-connect. This is entirely customer responsibility.

Step 2:

  • Customer works with Interconnect Provider (such as Equinix, Verizon) by presenting LOA-CFA to “cross connect” AWS DX port in DX location to customer router/partner router in the same DX location. Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet. Auto Negotiation for the port must be disabled. Customer router must support 802.1Q VLANs across these connections, support Border Gateway Protocol (BGP) and BGP MD5 authentication.
  • Once cross connect is established, customer AWS Account ID will accept incoming connection request. If customers are large enterprise or public sector, they can reach out to your national carrier to provide physical connectivity from DX location through to their business premises or on-premise data center.  If customer is a smaller company, they can connect AWS DX Port to their partner router and partner brings physical connectivity to customer on-premise router. In any case, it is customer responsibility to bring that physical connectivity from DX Port to their on-premise router. This is just single physical fiber optic cable from AWS DX Port all the way to customer premises. While AWS DX port allocation will be faster, setting physical connection from your on-premise router to DX Router will take many weeks and this must be planned well in advance.

Step 3:

  • Once physical connection is setup between AWS DX Port to on-premise router, virtual configuration must be completed. To connect to AWS resources that are reachable by a public IP address or AWS public endpoints, Public Virtual Interface should be used. Therefore, over the top of physical connection, a public VIF should be configured to connect to AWS Public zone services. Each VIF is considered as one VLAN. BGP peering must be established between AWS Port and Customer Router.
  • Customer will provide BGP ASN number for establishing BGP session.Once Public VIF is setup, AWS will advertise its global IP routes to customer router using Border Gateway Protocol (BGP). Customer have an option to filter routes based on BGP attributes limiting AWS public routes only from specific regions that establishes connectivity to customer network.  Similarly, customer can advertise their routes along with BGP attributes to limit route advertisement to single or multiple regions.  SAP provides documentation related to URL/IP address SAP Cloud Foundry environment in AWS here.
  • It must be noted that AWS Public VIF connectivity provides direct connectivity to AWS public zone (such as public endpoints, Elastic Load Balancers, AWS API Gateways etc). Therefore, customer must establish best practice approach and comply to their internal IT policy for connecting to AWS public network.
  • It must be noted that this is entirely customer responsibility to establish connectivity from their on-premise to SAP Cloud Platform using public VIF, working with AWS, Interconnect Providers and Networks Service Providers.

High Availability Setup

Many customer run business critical applications and integration scenarios on SAP Cloud Platform. In order to ensure high availability and cater for disaster recovery scenarios customer can have diversity of connection via two separate co-location partners operating in multiple location. While building redundant links, it is also important to provision enough capacity to ensure that failure of one network connection does not overwhelm and degrade redundant connection. More information on best practice guideline can be found here.

Additional Considerations

It is important to understand that there is no built-in or native encryption in AWS Direct Connect link. However, SAP supports application level encryption for data in transit via HTTPS/TLS1.2. In most cases, this will be acceptable to our customers to meet security and regulatory compliance. Also, it must be noted that for on-premise integration scenarios, Cloud Connector is still needed as an reverse invoke proxy solution to communicate to SAP backend systems. The network traffic (TLS1.2 tunnel) from cloud connector to SAP Cloud Platform (Cloud Foundry) will traverse via this AWS Direct connect link instead of going via public Internet.


If SAP enterprise customers have multiple SAP solutions running on AWS such as SAP HANA Enterprise Cloud, SAP Cloud Platform and their own works loads, a single AWS Direct Connect physical link can be used to create multiple Private VIF and Public VIF. Please refer to my blog on how to connect to use Private VIF for SAP HANA Enterprise Cloud here. This helps to protect existing investments on AWS Direct Connect. If customers are using SAP Cloud Platform (Cloud Foundry) using Azure, similar approaches are supported using Azure Express Route and for customers using SAP Cloud Platform (Cloud Foundry) on Google Cloud Platform, customer can use Google Cloud Interconnect. This approach greatly helps our customers to bypass internet while accessing SAP Cloud Platform (Cloud Foundry) and thereby facilitate meeting security and compliance requirements.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Gov TOTAWAR
      Gov TOTAWAR

      Thank you Jana for great Blog.

      Does this pattern apply to SCP on Azure? via Azure Express Route .

      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hello Gov Totawar,  Yes, similar approach can be taken for accessing SCP CF on Azure via Azure Express Route

      Author's profile photo Thorsten Düvelmeyer
      Thorsten Düvelmeyer


      is it possible to connect from SCP (e.g. Integration Suite) to private services in aws via this way?


      Best Regards,

      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hi Thorsten,

      Yes, we can integrate AWS services into the Cloud Foundry environment on SAP Cloud Platform by using the AWS Service Broker

      You can find details on this link:



      Author's profile photo Sebasitan Simon
      Sebasitan Simon

      Hi Jana,

      Interesting blog post.

      Just wondering if this setup is present for SAP CloudFoundry (SCPI running on CF) and a customer has a on premise SAP ERP.

      At least in theory we wouldn’t need to use Cloud Connector between CPI /CF and the ERP system then as we have a private tunnel through Direct Link. (Which in fact would be great!! :D)

      Is that envisioned by SAP in this kind of setup?


      With best regards


      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hi Sebastian, Thank you for your query. As you may know, cloud connector provides reverse proxy solution and it is not a connectivity solutions. SAP standard integration approach is to use cloud connector and hence we will need cloud connector setup even when the private connectivity is established via AWS Direct Connect.

      Author's profile photo Sree Arumugam
      Sree Arumugam

      Dear Jana,

      Thank you for this wonderful Blog explaining in detail about Direct Connect and its nuances.

      My Customer is not ready to expose port 443 (HTTPs), he has an SFTP server on the on-premise environment,  the question is if I have a direct connection via Direct Connect I am going through a private link without exposing to the internet. If I need to send some files over to a third-party application or even a SAP application like the success factor do I still need to install a cloud connector?  The customer does not want anything to be installed in their on-prem environment.  Please help me

      Kind Regards


      Author's profile photo Jana Subramanian
      Jana Subramanian
      Blog Post Author

      Hi Sree,

      The SAP Private Link service facilitates a secure, private connection between selected SAP BTP (Business Technology Platform) services and certain services within customer own IaaS (Infrastructure as a Service) provider hyperscale accounts. By leveraging the private link functionality provided by our partner IaaS providers, this service allows you to access your services through private network and the traffic goes via provider backbone network.
      SAP Cloud Connector serves as a link between SAP Business Technology Platform applications and on-premise systems, enabling secure and efficient communication between the two environments. It allows on-premise systems to be securely connected to SAP BTP without the need to expose the entire internal network. SAP Cloud Connector act as a Reverse Invoke Proxy meaning it initiates the connection from the internal network to the external network, allowing requests to come in through that established connection, which increases security as only outbound 443 needs to be opened. Mutual TLS1.2 is supported between SAP cloud connector to SAP BTP connectivity services.
      Please note that SFTP does not use HTTPS but uses Port 22 (SSH)
      On-premise systems/users can connect to SAP SaaS solutions via ODATA or REST API provided by the SaaS application, over HTTPS. SAP cloud connector is needed only when there is a integration needed via SAP BTP.
      Author's profile photo Sree Arumugam
      Sree Arumugam

      Hi Jana,


      Thank you this is is fantastic.  Thanks for the call as well where you give me answers very specific questions.


      Kind Regards


      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Hi @jana.subramanian,

      thank you for your helpful blog. You mention offerings for Azure, AWS and GCP. Are you aware of a similar offering for alibaba?



      Author's profile photo Sree Arumugam
      Sree Arumugam

      Hi Wolfgang,

      Sorry for the late reply, I don't know if you already know the answer to your query.

      Anyway here is the answer.

      You can use Express Cloud Connect to establish dedicated connections from your on-premise data centers to Alibaba Cloud. The service provides an all-in-one network experience and lowers your network and maintenance costs.

      Again if the question is if SAP RISE is Certified for Ali Cloud the answer is No.  

      Hope this helps.

      Kind Regards