Skip to Content
Technical Articles
Author's profile photo Shailendar ANUGU

SAP Analytics Cloud Tunnel Connectivity and its use cases


I would like to discuss about the SAP Analytics Cloud Live Tunnel connectivity use cases and when to opt for SAP Analytics Cloud Direct CORS based Live connectivity.


SAP has introduced SAP Analytics Cloud Tunnel connectivity in QRCQ3/2020 release to help customer to access Live reports on the browser in the Internet.


Tunnel connection type


SAP Analytics Cloud on Non SAP datacenters support both Basic and SAML Single Sign on Authentication methods.


What is SAP Analytics Cloud Live Tunnel connection?

Tunnel Connectivity provides Live connection to the SAP data sources, SAP BW, SAP BW/4HANA, SAP S/4HANA and SAP HANA, it’s based on SAP Cloud Connector-based HTTPS secure tunnel connection configuration.

If your using SAP BW or SAP S/4HANA SSO you’ll need to establish trust for Principal Propagation trust between the Cloud Connector and SAP Analytics Cloud and you’ll need to setup the trust between Cloud Connector and the data source.


This connection type will allow users outside your corporate network to connect live to your data without giving them VPN rights or exposing datasources to Internet through a reverse proxy or SAP Webdispatcher.

Advantages: No additional proxies or opening up network firewalls required, Low TCO.

When to choose Tunnel Connection:

If you have a requirement to access Live reports on the Browser in Internet, based on the SAP data sources (SAP BW, SAP BW/4HANA, SAP S/4HANA and SAP HANA), YES opt for Tunnel connectivity.



                                       Tunnel Connection


How to configure Tunnel Connectivity:


  • SAP Cloud Connector installed and configured to SAC Subaccount
  • Ina Service is enabled/activated on SAP Data sources



Follow SAP SAP Analytics Cloud Documentation for details , you can also refer to the technical blog post which explains Tunnel connectivity configuration for SAP HANA .

Data Flow:

Please note Data flows into SAP Analytics Cloud through SAP Cloud Connector secure tunnel and it’s cached in Live Connectivity Services(LCS) for a moment, once the data is sent to web browser, the cache is cleared and SAP Analytics Cloud doesn’t store any data



Data flow

SAC Android Mobile Application does support Tunnel connectivity from 2021.01 wave and QRC2021 Q1. 

Performance is dependent on the customer’s network speed,  The performance will be subtly slower in tunnel connection because the data flow through extra components, like SAP Cloud Connector and LIve Connectivity Services, than direct live CORS connectivity.


I was often asked by customers how do they access Live reports on SAP Analytics Cloud Mobile application outside their Firewall or corporate network, without exposing data sources to internet or without using proxies.

SAP has Introduced in Q2QRC2020 Advanced Features to support Single Sign on with SAP datasources for SAP Analytics cloud mobile application

In this case, Customer can configure Direct CORS Live connectivity +  SAP Cloud Connector based Mobile Single Sign-on to achieve the use case to access Live reports outside firewall and yes, it works within Firewall too.




                                     Live Direct CORS Connection (Valid till Tunnel connection is supported on both IOS and Android)

Please Note, Android Mobile app doesn’t support Direct + Cloud Connector based Single Sign-on, it’s in roadmap for early 2021.

Please Note, Android SAC Mobile app does support Direct+Cloud connector based Single Sign-on from QRC12021.



Advanced Features for Mobile SSO


What if a Customer doesn’t want to use Tunnel connection as SAC Mobile application doesn’t support it and want to access Live reports on Internet in the web browser and on Mobile.

Customer can still use Direct CORS Live connection + SAP Cloud Connector based Mobile Single Sign-on and open the firewall rules to access the data sources on Internet


Prerequisite : Ina service(getserverinfo) should be accessible on Internet.




Once SAP Analytics Cloud Mobile application supports Tunnel Connectivity, the Direct CORS connectivity can be changed to Tunnel connection.

Please note:

once Tunnel connection is saved, you cannot revert the connection back to Direct CORS connection. However, this shouldn’t stop you from creating a new Direct CORS connection and updating existing models to use it.



I hope its clear now  when to choose SAP Analytics Cloud Tunnel and Direct Live connectivity types.


Thank you,


Please feel free to provide your feedback.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Abhimanyu Sharma
      Abhimanyu Sharma

      Thanks for this informative blog.


      have one doubt:

      So the abstract what I understood is in Tunnel connection we dont need to open Firewall to access lets say backend Bw queries in SAC..

      w/o opening the firewall, SAC can access datasources ? Am i right ?

      whereas in CORS , in order to access backend BW queries we need to open firewall so that SAC can access ldatasource as live connection...

      Author's profile photo Debjit Singha
      Debjit Singha

      None of the connection type (CORS and Tunnel) requires firewall exceptions. Unless you have plans to use CORS based connection out side your company VPN.

      Note: Tunnel connection let your corporate data leave the safety of company firewall. CORS based direct connection doesn't.

      Author's profile photo Abhimanyu Sharma
      Abhimanyu Sharma

      So it means if my requirement is to use corporate data outside VPN then Tunnel connection doesnt require firewall to open.

      Whereas In CORS , we need to open firewall to access data outside company VPN..


      but if our requirement is to just open SAC within company network then CORS and Tunnel connection both are same ?? Am i right ?

      Author's profile photo Debjit Singha
      Debjit Singha

      Theoretically CORS can be used outside of network. Though official document only let you configure it in a way to consume data within the network. Architecture is designed to satisfy compliance restriction where company data should not go on public domain.
      To your last point, they both look the same from superficial layer, though you may notice performance difference. Beside CORS takes less step to setup. Hope this help.

      Author's profile photo Shailendar ANUGU
      Shailendar ANUGU
      Blog Post Author

      Hi Abhimanyu,

      yes for your firewall open question using Tunnel connection.

      yes for CORS, open firewall to access data outside company VPN.

      customer has choice depends on their policies to use reverse proxies or ports open in firewalls etc.

      if the requirement is SAC reports within company network, you have to go with CORS.. technically both works, but with Tunnel, the same reports are accessible over internet which is opposite to the requirement and customer should know that.. this blog post should make the understanding clear.




      Author's profile photo Shailendar ANUGU
      Shailendar ANUGU
      Blog Post Author

      Hi Abhimanyu,


      yes, your understanding is correct.




      Author's profile photo Carlos Edgar Moreno
      Carlos Edgar Moreno

      Great blog! Thank you for creating it, this really helps to understand the concept.

      Author's profile photo Johannes Huhn
      Johannes Huhn

      great content, Thanks for sharing!

      Author's profile photo Yves Gouverneur
      Yves Gouverneur

      Thanks a lot for sharing.

      I have a practical question : what happens to existing models, reports, stories when changing for live connection we go through a switch between cors and tunneling ?


      1. if you have a set of models, stories... connected to a BW4hana datawarehouse through CORS connection, and you decide to change the connection to a tunneling one, are all the reports continue to work without modification. This specific point we really need a rock solid answer. Anyone that has done it and can confirm would be a +
      2. if you are already on a tunneling config and you want to go back, I understand one cannot bringh the conneciton in SAC back to cors live connection, but can I create another cors connection in sac and EASILY switch all my models-stories to go through that new path. Is it EASY and fast ?


      Thanks a lot

      Author's profile photo Debjit Singha
      Debjit Singha
      1. Connection change will not have impact on other related SAC assets. For existing models as if nothing changed. Would be somewhat slower though.
      2. DS switch is supported (supported since early 2018) for live connection. You can create a live connection (on CORS) and move over models if required.
      Author's profile photo Shailendar ANUGU
      Shailendar ANUGU
      Blog Post Author


      yes for both questions and agree with Debjit's answer.




      Author's profile photo Martijn van Foeken
      Martijn van Foeken

      Hi Shailendar,

      You mention that there is a potential performance penalty compared to CORS based connectivity. Do you have any statistics? Or can you share more details regarding the sizing of the Cloud Connector when using the tunnel connection? One final question: does this connectivity support HTTP/2?

      Kind regards,

      Martijn van Foeken | Interdobs

      Author's profile photo Kevin Li
      Kevin Li

      Hi Martijn,

      Thank you for your questions.

      Performance difference comes from the data flow across network. In direct connection, the data flows to the browser directly; while in tunnel connection, the data flows to SAC server via Cloud Connector, and eventually to the browser. Technically, the tunnel connection would be slower. The degree of the slowness depends on the customer’s network performance, the amount of transferred data, the mechanism of caching the data in SAC server. I don’t have a statistics on this yet.

      Sizing Recommendations of the cloud connector can be found here:

      So far, I didn’t see any documentation specifies Cloud Connector supports HTTP/2. I know BW and HANA already supports HTTP/2. If Cloud Connector supports HTTP/2, the tunnel connection will support HTTP/2.



      Author's profile photo Sergio Oliveira
      Sergio Oliveira

      Hello and thank you for the great blog post!

      I was able to configure CORS and create the Live Data Connection to our on-premise S4HANA system using the DIRECT mode.


      However on SAC I can't use this Live Data Connection to build anything such as a Dataset or Model.

      Datasets: Only provide me the Live Data option to SAP HANA (not S4HANA)

      Modeler: Only provides options for HANA, BW, BPC and SAP Universe.

      Also tried other things such as Analytical Applications, Data Analyzer, etc. The type of connection I created does not show as a data source option for any of those.

      So, my question is. What is the purpose of this type of connection withn SAC? What kind of Analytics resources should be able to consume this connection?


      I haven't tried the TUNNEL Live Connection yet (because I still have to set up Cloud Connector on our side), but apparently this connection type won't show up as a source either.

      Author's profile photo Shailendar ANUGU
      Shailendar ANUGU
      Blog Post Author

      Hello Sergio,

      Good Day!!

      you have to select while creating Models, the connection type is BW and you should be able to select the S/4HANA connection.

      Yeah its BW Type, as the communication is through/sap/bw/ina service.


      hope that helps!!