Technical Articles
SAP Analytics Cloud Tunnel Connectivity and its use cases
Title:
I would like to discuss about the SAP Analytics Cloud Live Tunnel connectivity use cases and when to opt for SAP Analytics Cloud Direct CORS based Live connectivity.
Introduction:
SAP has introduced SAP Analytics Cloud Tunnel connectivity in QRCQ3/2020 release to help customer to access Live reports on the browser in the Internet.
Tunnel connection type
SAP Analytics Cloud on Non SAP datacenters support both Basic and SAML Single Sign on Authentication methods.
What is SAP Analytics Cloud Live Tunnel connection?
Tunnel Connectivity provides Live connection to the SAP data sources, SAP BW, SAP BW/4HANA, SAP S/4HANA and SAP HANA, it’s based on SAP Cloud Connector-based HTTPS secure tunnel connection configuration.
If your using SAP BW or SAP S/4HANA SSO you’ll need to establish trust for Principal Propagation trust between the Cloud Connector and SAP Analytics Cloud and you’ll need to setup the trust between Cloud Connector and the data source.
This connection type will allow users outside your corporate network to connect live to your data without giving them VPN rights or exposing datasources to Internet through a reverse proxy or SAP Webdispatcher.
Advantages: No additional proxies or opening up network firewalls required, Low TCO.
When to choose Tunnel Connection:
If you have a requirement to access Live reports on the Browser in Internet, based on the SAP data sources (SAP BW, SAP BW/4HANA, SAP S/4HANA and SAP HANA), YES opt for Tunnel connectivity.
Tunnel Connection
How to configure Tunnel Connectivity:
Prerequisites:
- SAP Cloud Connector installed and configured to SAC Subaccount
- Ina Service is enabled/activated on SAP Data sources
Procedure:
Follow SAP SAP Analytics Cloud Documentation for details , you can also refer to the technical blog post which explains Tunnel connectivity configuration for SAP HANA .
Data Flow:
Please note Data flows into SAP Analytics Cloud through SAP Cloud Connector secure tunnel and it’s cached in Live Connectivity Services(LCS) for a moment, once the data is sent to web browser, the cache is cleared and SAP Analytics Cloud doesn’t store any data
Data flow
SAC Android Mobile Application does support Tunnel connectivity from 2021.01 wave and QRC2021 Q1.
Performance is dependent on the customer’s network speed, The performance will be subtly slower in tunnel connection because the data flow through extra components, like SAP Cloud Connector and LIve Connectivity Services, than direct live CORS connectivity.
I was often asked by customers how do they access Live reports on SAP Analytics Cloud Mobile application outside their Firewall or corporate network, without exposing data sources to internet or without using proxies.
SAP has Introduced in Q2QRC2020 Advanced Features to support Single Sign on with SAP datasources for SAP Analytics cloud mobile application
In this case, Customer can configure Direct CORS Live connectivity + SAP Cloud Connector based Mobile Single Sign-on to achieve the use case to access Live reports outside firewall and yes, it works within Firewall too.
Live Direct CORS Connection (Valid till Tunnel connection is supported on both IOS and Android)
Please Note, Android Mobile app doesn’t support Direct + Cloud Connector based Single Sign-on, it’s in roadmap for early 2021.
Please Note, Android SAC Mobile app does support Direct+Cloud connector based Single Sign-on from QRC12021.
https://saphanajourney.com/sap-analytics-cloud/product-updates/q1-2021/
Advanced Features for Mobile SSO
What if a Customer doesn’t want to use Tunnel connection as SAC Mobile application doesn’t support it and want to access Live reports on Internet in the web browser and on Mobile.
Customer can still use Direct CORS Live connection + SAP Cloud Connector based Mobile Single Sign-on and open the firewall rules to access the data sources on Internet
Prerequisite : Ina service(getserverinfo) should be accessible on Internet.
Once SAP Analytics Cloud Mobile application supports Tunnel Connectivity, the Direct CORS connectivity can be changed to Tunnel connection.
Please note:
once Tunnel connection is saved, you cannot revert the connection back to Direct CORS connection. However, this shouldn’t stop you from creating a new Direct CORS connection and updating existing models to use it.
Conclusion
I hope its clear now when to choose SAP Analytics Cloud Tunnel and Direct Live connectivity types.
Thank you,
Please feel free to provide your feedback.
Thanks for this informative blog.
have one doubt:
So the abstract what I understood is in Tunnel connection we dont need to open Firewall to access lets say backend Bw queries in SAC..
w/o opening the firewall, SAC can access datasources ? Am i right ?
whereas in CORS , in order to access backend BW queries we need to open firewall so that SAC can access ldatasource as live connection...
None of the connection type (CORS and Tunnel) requires firewall exceptions. Unless you have plans to use CORS based connection out side your company VPN.
Note: Tunnel connection let your corporate data leave the safety of company firewall. CORS based direct connection doesn't.
So it means if my requirement is to use corporate data outside VPN then Tunnel connection doesnt require firewall to open.
Whereas In CORS , we need to open firewall to access data outside company VPN..
but if our requirement is to just open SAC within company network then CORS and Tunnel connection both are same ?? Am i right ?
Theoretically CORS can be used outside of network. Though official document only let you configure it in a way to consume data within the network. Architecture is designed to satisfy compliance restriction where company data should not go on public domain.
To your last point, they both look the same from superficial layer, though you may notice performance difference. Beside CORS takes less step to setup. Hope this help.
Hi Abhimanyu,
yes for your firewall open question using Tunnel connection.
yes for CORS, open firewall to access data outside company VPN.
customer has choice depends on their policies to use reverse proxies or ports open in firewalls etc.
if the requirement is SAC reports within company network, you have to go with CORS.. technically both works, but with Tunnel, the same reports are accessible over internet which is opposite to the requirement and customer should know that.. this blog post should make the understanding clear.
thanks,
Shailendar.
Hi Abhimanyu,
yes, your understanding is correct.
Thanks,
Shailu.
Great blog! Thank you for creating it, this really helps to understand the concept.
great content, Thanks for sharing!
Thanks a lot for sharing.
I have a practical question : what happens to existing models, reports, stories when changing for live connection we go through a switch between cors and tunneling ?
Thanks a lot
Hi,
yes for both questions and agree with Debjit's answer.
Thanks,
Shailendar.
Hi Shailendar,
You mention that there is a potential performance penalty compared to CORS based connectivity. Do you have any statistics? Or can you share more details regarding the sizing of the Cloud Connector when using the tunnel connection? One final question: does this connectivity support HTTP/2?
Kind regards,
Martijn van Foeken | Interdobs
Hi Martijn,
Thank you for your questions.
Performance difference comes from the data flow across network. In direct connection, the data flows to the browser directly; while in tunnel connection, the data flows to SAC server via Cloud Connector, and eventually to the browser. Technically, the tunnel connection would be slower. The degree of the slowness depends on the customer’s network performance, the amount of transferred data, the mechanism of caching the data in SAC server. I don’t have a statistics on this yet.
Sizing Recommendations of the cloud connector can be found here: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/f0084943389a4112bd441c0e014efd04.html
So far, I didn’t see any documentation specifies Cloud Connector supports HTTP/2. I know BW and HANA already supports HTTP/2. If Cloud Connector supports HTTP/2, the tunnel connection will support HTTP/2.
Best,
Kevin