Product Information
SAP Private Link Service (BETA) is Available
Update (22.11.2022): SAP Private Link is now also available as beta for AWS! Read all about it in this blog post.
Update (29.06.2022): The SAP Private Link service has left its beta phase and is now generally available on Azure! Read all about it in this blog post.
SAP Private Link service establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts. By reusing the private link functionality of SAP’s partner IaaS providers, the service lets you access your services through private network connections to avoid the need for public endpoints or data transfer via the public internet.
What does the BETA include?
With SAP Private Link service, Cloud Foundry applications running on SAP BTP with Microsoft Azure as IaaS provider can communicate with Azure Private Link services via a private connection. This ensures that traffic is not routed through the public internet but stays within the Azure infrastructure.
Connection from SAP BTP Cloud Foundry to Azure using Private Link service
What are possible use cases?
One possible use case is to use the SAP Private Link service to communicate with an SAP S/4HANA system or other SAP or non-SAP system running on a VM in your own Azure account privately from within SAP BTP Cloud Foundry.
This connection is established by creating an Azure Private Link service that exposes a load balancer which routes traffic to the SAP S/4HANA system. That Azure Private Link service is then used as the resource to which the SAP Private Link service connects. Once the connection has been established successfully, the SAP Private Link service provides a private IP address that points to the Azure Private Link service.
You can also find the end-to-end S/4HANA extension scenario with step-by-step instructions in this repository.
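As an added illustration (my own code, not part of the original post and not SAP's tooling): the resource that the SAP Private Link instance connects to is named by the full Azure Resource Manager ID of the Azure Private Link service, passed as the resourceId parameter of cf create-service. The helper below validates that ID before provisioning, optionally restricts it to an approved set of subscriptions so an instance cannot be pointed at a Private Link service outside your own accounts, and assembles the shell-quoted cf CLI call. The service name privatelink and the plan name standard are the ones used on this page; the subscription GUID, resource group and service names are constructed sample values.

```python
import json
import re
import shlex

# Azure Resource Manager (ARM) ID of a Private Link service. ARM treats the
# path segments case-insensitively, so the pattern does too.
PRIVATE_LINK_SERVICE_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network/privateLinkServices/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_private_link_service_id(resource_id, allowed_subscriptions=None):
    """Return the parts of an Azure Private Link service resource ID.

    Raises ValueError when the string is not such an ID (a bare subscription
    GUID, a load balancer ID, ...) or, if allowed_subscriptions is given, when
    the service lives in a subscription that is not on that list.
    """
    match = PRIVATE_LINK_SERVICE_ID.match(resource_id.strip())
    if match is None:
        raise ValueError("not an Azure Private Link service resource ID: %r" % resource_id)
    parts = match.groupdict()
    if allowed_subscriptions is not None:
        approved = {s.lower() for s in allowed_subscriptions}
        if parts["subscription"].lower() not in approved:
            raise ValueError(
                "Private Link service %s is in subscription %s, which is not approved"
                % (parts["name"], parts["subscription"])
            )
    return parts


def is_private_link_service_id(resource_id, allowed_subscriptions=None):
    """Boolean form of the check above, convenient for pre-flight scripts."""
    try:
        parse_private_link_service_id(resource_id, allowed_subscriptions)
    except ValueError:
        return False
    return True


def create_service_params(resource_id, allowed_subscriptions=None):
    """JSON document for the -c parameter of cf create-service."""
    parse_private_link_service_id(resource_id, allowed_subscriptions)
    return json.dumps({"resourceId": resource_id.strip()})


def cf_create_service_command(instance_name, resource_id, plan="standard",
                              allowed_subscriptions=None):
    """Shell-quoted cf CLI call that provisions the SAP Private Link instance."""
    params = create_service_params(resource_id, allowed_subscriptions)
    argv = ["cf", "create-service", "privatelink", plan, instance_name, "-c", params]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # Constructed sample values; replace them with the IDs from your own Azure account.
    subscription = "11111111-2222-3333-4444-555555555555"
    pls_id = ("/subscriptions/%s/resourceGroups/s4-rg"
              "/providers/Microsoft.Network/privateLinkServices/s4-pls" % subscription)
    print(cf_create_service_command("privatelink-s4", pls_id,
                                    allowed_subscriptions=[subscription]))
    # A bare subscription ID is rejected: it names no Private Link service.
    print(is_private_link_service_id(subscription))
```

Run it once on a workstation before provisioning; the allowed_subscriptions list is the place to pin the subscriptions your organisation actually owns.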
Connection from SAP BTP Cloud Foundry to a loadbalancer on Azure
How can I use it?
Check out the tutorials about how to
- Set up the SAP Private Link service in SAP BTP
- Connect SAP Private Link service to Microsoft Azure Private Link Service using the Cloud Foundry CLI
What to expect after BETA?
Currently, we only support the connection from SAP BTP Cloud Foundry to Azure Private Link services.
In the future, we plan to support:
- AWS as IaaS provider and the corresponding AWS PrivateLink service
- GCP as IaaS provider and the corresponding GCP Private Service Connect
- Connections to selected native Azure services, e.g. CosmosDB
- Connections initiated from within Azure to SAP BTP Cloud Foundry or other SAP BTP services
- Connections from other SAP BTP services
Please understand that SAP does not commit to, promise to, and is under no legal obligation to deliver these features in the future. This list of features may be changed or withdrawn by SAP at any time for any reason without notice, and business decisions should not be based on it.
Important Links
Conclusion
Now you know what the SAP Private Link service has to offer in its initial BETA release, with support for the SAP Cloud Foundry environment on Azure, and what to expect over the next months.
Get started with the BETA! We’re eager to receive your feedback!
Thanks for the update. Much awaited feature
Hi,
is there a date for the AWS PrivateLink service?
Will it be possible to connect to aws MSK (managed kafka) via the service?
Best Regards,
Thorsten
Hi Thorsten,
BRs, Gowrisankar
Hi Gowrisankar,
I saw in SAP Roadmaps that SAP Private Link service availability on Amazon Web Services (Beta) is planned to be released in Q4. Can you share something about it? How can we enroll this Beta? Best, Miguel
Hi Miguel,
It will be available as public beta. You have to ensure beta features are enabled for your subaccount.
(Global) Administrators can enable beta features in your subaccount on SAP BTP Platform, Cloud Foundry so you can view all available beta features, including SAP Private Link service. From within your subaccount, you won’t see beta features automatically, but an administrator can set this up for you.
To find out if beta features are enabled for your subaccount, choose the Information icon in your subaccount for more information. If beta features are currently disabled in your subaccount, contact your administrator.
Thanks, Gowrisankar
Hi Gowrisankar,
Thanks for your answer. One of my customers has enabled the beta features as you highlight, and we are waiting for a communication of the Private Link with AWS release, so we can start using it in a DEV subaccount.
Best, Miguel
Hi Philipp,
do I get it right that I would still need a SAP Cloud Connector to benefit from Principal Propagation? But the traffic for the SCC to BTP CF will be routed through the private link.
Best regards
Gregor
Hi Gregor,
Principal Propagation is currently only supported via SAP Cloud Connector. We are currently looking into possibilities to make SCC connections via private link possible, but are not there (yet).
Best regards,
Philipp
Does Private Link allow communication two-way, BTP to Customer VNET and Customer VNET to BTP?
Hi Gov,
Private Link only allows one-way communication, in the sense that connections from SAP BTP side can be opened to the Azure resource connected to the private link, but not the other way round.
Best regards,
Philipp
Hi. Thank you for the great blog.
When we use BTP with AWS and our AWS environment, I thought the traffic between the service in BTP and instance in our AWS does not go out of AWS private network. (FAQ Link -> Q.Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?)
If so, isn't it possible to connect between BTP with AWS and our AWS without Private Link? Are there any advantages to using it over not using it?
Thank you.
Hi,
In that case you still have to keep a public endpoint for your instance in AWS, which represents an additional attack vector, especially if not thoroughly configured and monitored. By utilizing Private Link, you can omit such public endpoints.
Best regards,
Philipp
Hello Philipp,
Nice article! Perhaps with private links, inbound and outbound data processing will be charged by the hyperscalers (Azure/AWS/GCP/Ali), correct?
Example for USD below:
Thanks,
Amit
Hi Amit,
For Azure, the costs for the private links are automatically associated (by Azure) with the Azure subscription that holds the private endpoint. In our initial scenario, this means that the transferred data (both ingress and egress) will be charged to the Azure subscriptions owned by SAP.
For other hyperscalers it's currently too early to say on how this will be done there.
Best regards,
Philipp
Hello Phillip,
Our MTA application running in the SAP BTP CF (on Azure) environment needs to have a connection to an Azure MySQL DBaaS hosted in the customer's Azure account.
The customer wants to deny public network access on the MySQL DB; instead they want to create a private network endpoint.
As the SAP Private Link Service is BETA, do we have any solution in the SAP BTP CF environment which helps us connect the MTA application to an external private endpoint?
Thanks,
Ashish
Hi Ashish,
With the SAP Private Link service we also plan to support connections to Azure Database for MySQL soon. Besides that, I am currently not aware of other possibilities to connect from the SAP BTP CF environment to a customer's Azure MySQL database without exposing a public endpoint.
Best regards,
Philipp
Hello Philipp,
Thanks for your reply. Any idea when this service will be released for production usage ?
Thanks,
Ashish
Hi Ashish,
We currently expect the service to become available for productive use by the end of Q2/2022. But please be aware that, similar to other dates communicated, this is only the current plan, and this timeline may be changed by SAP anytime without notice and business decisions should not be taken based on release timelines that you read in the comment section of a blog 🙂
Best regards,
Philipp
Hi Philipp,
Thanks for your reply.
Regards,
Ashish
Hi Philip,
It's nice to have this feature. I am using Integration Suite services heavily, which are connected to my hosted ABAP application on Azure via Cloud Connector. If we have Private Link in future, do I need to have Cloud Connector, or can I make direct communication to the BTP application via SAP Private Link, which would help to eliminate the Cloud Connector as a SPoF?
Earlier we did this same scenario for SAP Data intelligence in which we did the Vnet peering between SAP DI and our Azure network by which we eliminate cloud connector usage. If such scenario can be achieved for Integration suite by eliminating the Cloud connector against the SAP private link it would really helpful.
Regards,
Anil
Have you seen my comment on the same topic?
Yes Gregor, I have referred to it. But my ask is something different. Can we remove SCC completely after introducing Private Link and make direct communication between the backend system and BTP CF, rather than making the configuration in SCC and routing the traffic through SCC? I need to understand if Private Link can help eliminate the SCC requirement, and whether the configuration which we currently map in SCC can be done through other means, so I can remove the SCC as a SPoF.
regards,
Anil
Hi Anil,
Whether you can completely replace SCC with Private Link in the future depends on your specific scenario. For example, one of the things that SCC offers that is not planned for Private Link is RFC filtering. So to decide whether you can do the replacement, you would need to check what exact functionality you are currently using from SCC and whether that is already or will be supported by Private Link in the future.
Best regards,
Philipp
This will surely foster the friendship between network security folks and BTP Architects 🙂 Waiting for AWS release too
Hi ,
I am trying to establish a private link service on BTP with our Azure private link service.
My first problem is that Private Link is only available as beta under my subaccount. I cannot have it as standard.
Even if it is beta, I decided to try it. But when I try to provision the service on BTP, it always asks me to enter aws serviceName as a parameter. It does not accept resourceId in my CLI params.
The following CLI command does not work:
cf create-service privatelink beta privatelink-test -c '{"resourceId": "MY_SUBSCRIPTION_ID"}'
I have an error like below :
Does beta version only supports aws ?
Regards
Hi Murat,
Looks like you are using an AWS subaccount. We announced the beta on AWS recently. The service plan "beta" will be available only on AWS.
Thanks, Gowrisankar
What I would really like to see would be the opposite direction. E.g. connect an Azure VM to SAP Hana Cloud via Private Link and restrict the HANA Cloud Firewall to Private Link only or at least BTP IPs + Private Link. This would greatly simplify our network access as this would allow for a direct network connection without corporate internet firewalls.
Moreover, currently all applications in Cloud Foundry are publicly accessible without any configurable/monitorible web application firewall available in BTP. Currently, we are forced to be the evil nemesis of our IT security departement. If one could make Cloud Foundry apps solely available via Private Link this would be much better. Eventually then you could also configure your own Application Gateway in Azure.
Hi Sebastian,
Thanks for your feedback, that is very valuable to us! We're currently investigating whether and how we can support the opposite direction to cover the scenarios that you mentioned.
Best regards,
Philipp
Hi, we are trying to set up the Private Link service. Everything has been clear and very good except the last step, binding the service to an application. We are not sure what kind of application it should be or what it should do. We are also struggling with how to test it. At the moment we are just doing a POC and want to hit Azure. This is the documentation we used. Do you have documentation on what the application should do and how to test the link?
Thank you,
Katie
Connect SAP Private Link Service to Microsoft Azure Private Link Service | Tutorials for SAP Developers
This is the step:
Hi Katie,
You should build your application based on the backend you want to connect over a private link.
The easiest way to test this is to use the cf ssh <app_name> command and try using the curl command from there to test it. Before proceeding, you need to create a service key for the SERVICE_INSTANCE using the cf create-service-key (binding) command: https://cli.cloudfoundry.org/en-US/v6/create-service-key.html
Thanks, Gowrisankar
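An added example of the application side of that binding (my own code, not Gowrisankar's and not from SAP's samples): the app reads the bound Private Link instance from VCAP_SERVICES, takes the private hostname from it, and builds the backend URL that a curl run inside cf ssh would exercise. The credential key name "hostname", the hostname value, the port and the request path are assumptions for illustration; the VCAP_SERVICES document is constructed inline. The point worth keeping is that the lookup fails closed: if the binding is missing the app raises instead of quietly falling back to a public endpoint.

```python
import json
import os
import shlex
from urllib.parse import urlunsplit

# Constructed sample of the VCAP_SERVICES environment that Cloud Foundry injects
# into an app after `cf bind-service`. The credential key "hostname" and its
# value are assumptions for illustration, not a documented format.
SAMPLE_VCAP_SERVICES = json.dumps({
    "privatelink": [
        {
            "name": "privatelink-s4",
            "label": "privatelink",
            "plan": "standard",
            "credentials": {"hostname": "privatelink-s4.example.internal"},
        }
    ]
})


def private_link_hostname(vcap_services_json, instance_name):
    """Return the private hostname from the named Private Link binding.

    Raises when the binding or its hostname is missing: the app must fail
    closed here rather than fall back to a public endpoint, because reaching
    the backend over the internet defeats the purpose of the private link.
    """
    services = json.loads(vcap_services_json)
    for binding in services.get("privatelink", []):
        if binding.get("name") != instance_name:
            continue
        hostname = binding.get("credentials", {}).get("hostname")
        if not hostname:
            raise RuntimeError("binding %s has no hostname credential" % instance_name)
        return hostname
    raise RuntimeError("no privatelink binding named %s in VCAP_SERVICES" % instance_name)


def backend_url(vcap_services_json, instance_name, port, path="/", scheme="https"):
    """Build the backend URL the app should call, using only the private hostname."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    hostname = private_link_hostname(vcap_services_json, instance_name)
    return urlunsplit((scheme, "%s:%d" % (hostname, port), path, "", ""))


def smoke_test_command(url):
    """curl call to run inside `cf ssh <app_name>`; prints only the HTTP status."""
    return "curl -sS --max-time 10 -o /dev/null -w '%{http_code}' " + shlex.quote(url)


if __name__ == "__main__":
    # Inside the app container VCAP_SERVICES is set by Cloud Foundry; here the
    # constructed sample stands in for it. Port and path are example values.
    vcap = os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES)
    url = backend_url(vcap, "privatelink-s4", 44300, "/sap/public/ping")
    print(url)
    print(smoke_test_command(url))
```

Running the printed curl command from inside cf ssh shows whether the container can reach the backend through the private link at all; a connection timeout there points at the Azure side (load balancer, NSG, Private Link service approval), while an HTTP status means the network path works and any remaining problem is in the application or backend configuration.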
Hi, thank you for the detailed information. We are able to call Azure Blob Storage from an iFlow using the approuter, but it is throwing an HTTP 409 error.
AGS is set up for the private link service.
Here is the error message
<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.
RequestId:b0b54817-b01e-003e-6f03-94fb80000000
Time:2023-05-31T21:05:34.6423939Z</Message></Error>
When I did a curl with the private endpoint I got the following error message; it didn't say public access is not allowed:
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidQueryParameterValue</Code><Message>Value for one of the query parameters specified in the request URI is invalid.
Any idea what is missing?
thank you
Dhana
Hi Dhana,
This seems more like a configuration issue. Could you please open a support case on component BC-CP-PRIVATELINK so we can take a look?
Also, are you following https://github.com/SAP-samples/btp-private-link-approuter/tree/main/azure-blob-approuter-cloud-integration ?
Thanks, Gowrisankar
Thank you for the reply. Yes, I followed https://github.com/SAP-samples/btp-private-link-approuter/tree/main/azure-blob-approuter-cloud-integration
Created a ticket with SAP
453372 / 2023 Private Link Service from BTP is not working
Thank you
Dhana