Cloud Connector: The big picture
The following is the first chapter of my 2017 SAP PRESS E-Bite Cloud Connector for SAP Cloud Platform: How-to Guide. It provides the big picture of hybrid cloud connectivity, and discusses how Cloud Connector fits into it.
As you are probably aware by now, the SAP Cloud Platform brand has been retired since the book was written. I’ve decided, however, to not change the original text, so please keep in mind that some product names have changed in the meantime.
Cloud Connector and the Hybrid Cloud Landscape
Before we begin working with Cloud Connector, let’s take a step back and look at how Cloud Connector fits into the overall SAP cloud landscape. We’ll discuss what hybrid cloud is and the connectivity challenge introduced by the hybrid cloud landscape. We’ll then cover hybrid cloud applications on SAP Cloud Platform and how Cloud Connector addresses the connectivity challenge.
What Is Hybrid Cloud?
Hybrid cloud is a computing landscape that combines applications, data, and services from on-premise data centers, private clouds, and public clouds.
Note: A private cloud makes cloud computing capabilities available to a single customer. It can run in either the customer’s own data center or in a data center operated by a vendor. However, unlike public cloud services, the resources of a private cloud are not shared.
In the more specific context of an existing SAP customer, hybrid cloud translates to a landscape where the customer runs a number of SAP systems either on-premise or in a private cloud and complements them with public cloud services and applications like SAP SuccessFactors (Figure 1).
Figure 1 Hybrid Cloud in the Context of an On-Premise SAP Customer
For a customer with a large investment in on-premise SAP solutions, the hybrid cloud model makes a lot of sense. It lets the customer gain the benefits of cloud services, such as faster innovation cycles, scalability, and utility pricing, while keeping control of the core business systems in-house. Furthermore, the hybrid cloud model lets the customer adopt cloud services gradually and thus build both confidence in and experience with the cloud.
The Connectivity Challenge of Hybrid Cloud
In a hybrid cloud landscape, the on-premise and cloud applications and services could remain independent of each other. However, to realize the full benefit of the model, applications and services must be integrated across cloud and on-premise landscapes.
In the SAP world, examples of such integrations are SAP SuccessFactors synchronizing employee data with an on-premise SAP system, and an SAPUI5 application running on SAP Cloud Platform calling the OData API of an on-premise SAP S/4HANA system.
There is an obvious problem, though: your on-premise SAP systems are not — and should not be — reachable directly from the Internet. In fact, right now your security department is working hard at making sure things stay that way. This is the connectivity challenge of hybrid cloud, which we must address.
Hybrid Cloud Applications on SAP Cloud Platform
SAP Cloud Platform is the platform for building hybrid cloud applications in SAP’s cloud landscape. SAP Cloud Platform is SAP’s platform-as-a-service (PaaS) product, offering a wide range of development tools and services in categories such as user experience, storage, integration, machine learning, mobile, Internet of Things, and many others.
Note: Platform-as-a-service (PaaS) is a cloud computing environment consisting of infrastructure and services that let customers build, run, and manage cloud applications and solutions. SAP Cloud Platform is a public cloud offering, but other vendors market private cloud PaaS products.
You can think of SAP Cloud Platform as the development stack for the SAP cloud world. SAP Cloud Platform is where you build new applications and solutions native to the cloud, extend existing SAP software solutions, and integrate the cloud and on-premise worlds.
And SAP Cloud Platform wouldn’t be complete, of course, without an answer to the hybrid cloud connectivity challenge. That answer is Cloud Connector.
Cloud Connector’s Approach to Connectivity
Cloud Connector is a software agent running on a host in the corporate network, in either the demilitarized zone (DMZ) or the internal network. Unlike a reverse proxy such as SAP Web Dispatcher, the Cloud Connector host is never connected to via the Internet. Instead, Cloud Connector establishes a transport layer security (TLS)-encrypted tunnel to SAP Cloud Platform, which is used for all subsequent communications between the cloud and on-premise. This approach is known as reverse invoke.
Figure 2 shows Cloud Connector providing connectivity between SAP Cloud Platform and the internal network.
Note: In Figure 2, arrows represent network connections and point away from the system initiating the connection.
Figure 2 SAP Cloud Platform and the Internal Network Connected through Cloud
Note: Figure 2 shows Cloud Connector running in the DMZ. However, it is also possible to run Cloud Connector in the internal network. This topic is discussed in Section 7.2.
Since no connections are made to the Cloud Connector host from the Internet, firewalls can block all inbound traffic to it. This shields the Cloud Connector host from denial-of-service attacks, intrusion attempts, and other nefarious activity.
When an SAP Cloud Platform application needs to send, for example, an HTTP request to a backend system, it doesn’t communicate directly with that backend system. Instead, Cloud Connector receives the request through the TLS tunnel. If Cloud Connector’s security mechanisms allow the request, Cloud Connector then communicates with the backend system on the application’s behalf, receives the response, and returns it to the application through the TLS tunnel.
Cloud Connector can also be configured to provide access to cloud resources, such as virtual machines and SAP HANA databases running on SAP Cloud Platform, from on-premise hosts. As in the cloud-to-on-premise scenario, an on-premise host never communicates directly with a cloud resource. Instead, it communicates with Cloud Connector, which then communicates with the cloud resource through the TLS tunnel.
Note: Out of the box, Cloud Connector does not provide access to any backend or cloud resources. For a resource to be reachable, it must be explicitly configured in Cloud Connector.
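As an added illustration (not Cloud Connector's own code, nor its real configuration format), the following Python model shows the deny-by-default decision the preceding paragraphs describe: a request arriving through the tunnel names a virtual host, and the connector forwards it to the internal system only if that virtual host is mapped and the path matches an explicitly configured resource. The host names, ports and paths are constructed placeholders.

```python
"""Illustrative model of Cloud Connector's access-control decision (not SAP's code).
A request from the cloud names a *virtual* host; it is forwarded to the internal
host only if that host is mapped AND the path is an explicitly exposed resource."""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Resource:
    path: str
    include_subpaths: bool = False  # True: path and everything below it; False: exact path only

@dataclass
class SystemMapping:
    internal_host: str
    internal_port: int
    resources: List[Resource] = field(default_factory=list)

# Constructed configuration: one S/4HANA system exposed under a virtual host name.
ACCESS_CONTROL: Dict[Tuple[str, int], SystemMapping] = {
    ("erp.virtual", 443): SystemMapping("s4hana01.corp.example", 44300, [
        Resource("/sap/opu/odata/sap/API_BUSINESS_PARTNER", include_subpaths=True),
        Resource("/sap/bc/ping"),
    ]),
}

def normalize_path(raw_path: str) -> Optional[str]:
    """Drop the query string and collapse '.'/'..' segments so a request cannot
    escape an allowed prefix with traversal tricks. Returns None if not absolute."""
    path = posixpath.normpath(raw_path.split("?", 1)[0])
    return path if path.startswith("/") else None

def resource_allows(res: Resource, path: str) -> bool:
    if path == res.path:
        return True
    # Sub-path match only on a segment boundary: "/a/b" allows "/a/b/c", not "/a/bc".
    return res.include_subpaths and path.startswith(res.path.rstrip("/") + "/")

def route_request(virtual_host: str, virtual_port: int, raw_path: str) -> Optional[Tuple[str, int]]:
    """Return the (internal_host, port) the connector would connect to on the
    application's behalf, or None if the request is rejected (deny by default)."""
    mapping = ACCESS_CONTROL.get((virtual_host, virtual_port))
    path = normalize_path(raw_path)
    if mapping is None or path is None:
        return None  # unknown virtual host/port, or malformed path
    if not any(resource_allows(r, path) for r in mapping.resources):
        return None  # host is mapped, but this path was never exposed
    return mapping.internal_host, mapping.internal_port
```

Note that the internal host name and port never leave the model: a cloud application only ever sees the virtual host, which is what keeps the backend unreachable from the Internet.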