An easy alternative to setting up a VPN or peering connection between SAP Data Intelligence and an on-premise network is to use the SAP Cloud Connector — a service offered by SAP BTP. This solution can be used simultaneously with an existing VPN or peering connection on the SAP Data Intelligence Cloud instance.
The Cloud Connector:
- Serves as a link between applications in SAP BTP and on-premise systems and lets you use existing on-premise assets without exposing the entire internal landscape.
- Runs as an on-premise agent in a secured network.
- Acts as a reverse invoke proxy between the on-premise network and SAP BTP.
- Can be installed and hosted on Windows, Linux, or macOS.
  - You can even run the client on your own personal laptop (obviously, this is not recommended for production).
- Provides fine-grained control over:
  - On-premise systems and resources that can be accessed by cloud applications.
  - Cloud applications using the Cloud Connector.
- Lets you use the features that are required for business-critical enterprise scenarios.
- Recovers broken connections automatically.
- Provides audit logging of inbound traffic and configuration changes.
- Can be run in a high-availability setup.
Prerequisites:
- SAP Data Intelligence Cloud has already been deployed in a subaccount
- Access to an administrator user for the SAP BTP account
- Download SAP Cloud Connector 2.12.x or newer (Download link) to a machine on the on-premise network
- On-premise network must have access to the internet, specifically SAP BTP
Assign Cloud Connector role for SAP BTP administrator user:
Before you can connect the SAP Cloud Connector client to the SAP BTP service, you will need to assign the Cloud_Connector_Administrator role to your administrator user.
Begin by navigating to the subaccount where your SAP Data Intelligence instance is hosted. Make a note of its provider, region and subaccount ID. You will need this later!
Create a new role collection which should contain the Cloud_Connector_Administrator role, and be assigned to your subaccount user.
Install the SAP Cloud Connector client
The client can be installed on practically any kind of machine that will have access to your on-premise network; however, the best practice is to use a dedicated machine.
Installation is fairly straightforward and is documented in the installation guide. Sizing depends entirely on the expected load and is also described in the official documentation. You can always start small and resize the machine at a later time.
Log on to SAP Cloud Connector
When installation is complete, you will be able to launch the client and connect to it via your browser at https://<host_ip_address>:8443
The default username and password are Administrator / manage. You will be prompted to pick a new password.
Establishing the link between Cloud Connector client and SAP BTP
Click on the Add subaccount button in the upper right corner.
Fill out the form using the information you collected previously about your subaccount. Note that the region must include your provider; currently this will be either AWS or Azure.
The login e-mail address must be that of the account that was granted the Cloud_Connector_Administrator role.
Leave LocationID blank.
If you are unable to connect check the following:
- Is the Cloud Connector role assigned to the login e-mail address in SAP BTP Cockpit?
- Does the selected region/provider match the subaccount of the DI Cloud instance?
Adding new on-premise systems to SAP Cloud Connector
Navigate to the “Cloud To On-Premise” menu, and click on the + sign to add a new system.
Currently, SAP Data Intelligence supports the following back-end types:
|Supported Back-End Type||Supported Protocols|
- Hostname resolved on the on-premise network (e.g. mydatabase.on-premise.corp ) and the corresponding backend port
- Must be reachable from the network where Cloud Connector is installed
- The hostname used to connect from Data Intelligence.
- Can be any hostname and port number (e.g. fakehostname.com)
- Can also be identical to the internal hostname
Notes on RFC connections:
- You are required to whitelist which functions can be called by SAP Data Intelligence. The exact functions depend on the type of backend ABAP system and are documented in SAP Note 2835207 – ABAP connection type for SAP Data Intelligence.
- Furthermore, the virtual port may only be sapgwXXs where XX is the instance number of the ABAP application. Currently, only numerical ports are allowed in the Data Intelligence Connection Manager, but we plan to support the special “sapgw” string ports in the future.
Notes on HTTP connections:
- You may limit requests to a certain sub-path or open access to all paths. This is entirely at your discretion.
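An added example, not part of the original post or SAP's code: a small Python model of the resource allowlist described in the RFC and HTTP notes above, showing how exact and prefix entries differ and which entries expose more than one named resource. The Resource fields, the sample entries and the matching rules are assumptions for illustration; consult the Cloud Connector documentation for its actual matching behaviour.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass(frozen=True)
class Resource:
    """One allowlist entry. Constructed model; field names are hypothetical."""
    protocol: str   # "HTTP" or "RFC"
    name: str       # URL path, or function module name / prefix
    subtree: bool   # HTTP: include sub-paths; RFC: treat name as a prefix

def _norm(path: str) -> str:
    # Decode once and collapse "." / ".." so the check sees the effective path.
    return posixpath.normpath("/" + unquote(path).lstrip("/"))

def http_allowed(res: Resource, path: str) -> bool:
    base, want = _norm(res.name), _norm(path)
    if want == base:
        return True
    # Match on a segment boundary so "/api/v1" does not cover "/api/v1admin".
    return res.subtree and (base == "/" or want.startswith(base + "/"))

def rfc_allowed(res: Resource, function: str) -> bool:
    return function.startswith(res.name) if res.subtree else function == res.name

def audit(resources):
    """Return (entry, reason) for entries that expose more than one named resource."""
    findings = []
    for r in resources:
        if r.protocol == "HTTP" and r.subtree and _norm(r.name) == "/":
            findings.append((r, "every path on the back end is reachable"))
        elif r.protocol == "RFC" and r.subtree:
            findings.append((r, f"prefix entry: every function starting with {r.name!r} is callable"))
    return findings

# Constructed sample entries (not taken from SAP Note 2835207).
SAMPLE = [
    Resource("HTTP", "/", True),
    Resource("HTTP", "/api/v1", True),
    Resource("RFC", "Z_EXAMPLE_READ", False),
    Resource("RFC", "Z_EXAMPLE_", True),
]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"{entry.protocol} {entry.name}: {reason}")
    print(http_allowed(SAMPLE[1], "/api/v1/%2e%2e/admin"))
```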
Verify connection between SAP BTP and Cloud Connector
Creating a new connection to an on-premise system in SAP Data Intelligence Cloud
Log on to your SAP Data Intelligence Cloud instance, and launch the Connection Manager application.
Create a new connection. Note that the Cloud Connector is currently only enabled for the following connection types:
- ABAP (only RFC protocol)
When specifying the hostname and port, use the virtual hostname that was chosen in SAP Cloud Connector.
To route connections via SAP Cloud Connector (instead of routing via public internet or VPN) select SAP Cloud Connector as a Gateway.
Finally, click on the “Test Connection” button to validate that everything is working.
Before a connection can successfully be established to an ABAP system, you are required to go through SAP Note 2835207 – ABAP connection type for SAP Data Intelligence.
For other connections, please ensure that the machine where the Cloud Connector is running is able to reach the remote system.
Finally, if you are unable to resolve the problem on your own, please create a support ticket under the component CA-DI-OPS and mention your cluster ID (copy/paste your login URL).