Philipp Becker

SAP Private Link Service (BETA) is Available

Update (29.06.2022):

The SAP Private Link service has left its beta phase and is now generally available on Azure! Read all about it in this blog post

SAP Private Link service establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts. By reusing the private link functionality of SAP’s partner IaaS providers, the service lets you access your services through private network connections to avoid the need for public endpoints or data transfer via the public internet.

What does the BETA include?

With SAP Private Link service, Cloud Foundry applications running on SAP BTP with Microsoft Azure as IaaS provider can communicate with Azure Private Link services via a private connection. This ensures that traffic is not routed through the public internet but stays within the Azure infrastructure.

Connection from SAP BTP Cloud Foundry to Azure using Private Link service

What are possible use cases?

One possible use case is to use the SAP Private Link service to communicate with an SAP S/4HANA system or other SAP or non-SAP system running on a VM in your own Azure account privately from within SAP BTP Cloud Foundry.

This connection can be established by creating an Azure Private Link service that exposes a load balancer which routes traffic to the SAP S/4HANA system. This Azure Private Link service must then be used as the resource to which the SAP Private Link service connects. As soon as the connection is established successfully, the SAP Private Link service provides a private IP pointing to the Azure Private Link service.

Connection from SAP BTP Cloud Foundry to a load balancer on Azure

How can I use it?

Check out the tutorials about how to

  1. Set up the SAP Private Link service in SAP BTP
  2. Connect SAP Private Link service to Microsoft Azure Private Link Service using the Cloud Foundry CLI

What to expect after BETA?

Currently, we only support the connection from SAP BTP Cloud Foundry to Azure Private Link services.

In the future, we plan to support:

  • AWS as IaaS provider and the corresponding AWS PrivateLink service
  • GCP as IaaS provider and the corresponding GCP Private Service Connect
  • Connections to selected native Azure services, e.g. CosmosDB
  • Connections initiated from within Azure to SAP BTP Cloud Foundry or other SAP BTP services
  • Connections from other SAP BTP services

Please understand that SAP does not commit to, promise to, and is under no legal obligation to deliver these features in the future. This list of features may be changed or withdrawn by SAP at any time for any reason without notice, and business decisions should not be based on this.

Conclusion

Now you know what the SAP Private Link service has to offer for its initial BETA release, with support for the SAP Cloud Foundry environment on Azure, and what to expect during the next months.

Get started with the BETA! We’re eager to receive your feedback!

      22 Comments
      Murali Shanmugham

      Thanks for the update. Much awaited feature

      Thorsten Duevelmeyer

      Hi,

      Is there a date for the AWS PrivateLink service?

      Will it be possible to connect to AWS MSK (managed Kafka) via the service?

      Best Regards,
      Thorsten

      Gowrisankar M

      Hi Thorsten,

      We are also working on making AWS PrivateLink available but cannot yet communicate a timeline.

      BRs, Gowrisankar

      Miguel Figueiredo

      Hi Gowrisankar,

      I saw in SAP Roadmaps that SAP Private Link service availability on Amazon Web Services (Beta) is planned to be released in Q4. Can you share something about it? How can we enroll in this Beta? Best, Miguel

      Gregor Wolf

      Hi Philipp,

      do I get it right that I would still need a SAP Cloud Connector to benefit from Principal Propagation? But the traffic for the SCC to BTP CF will be routed through the private link.

       

      Best regards

      Gregor

      Philipp Becker
      Blog Post Author

      Hi Gregor,

      Principal Propagation is currently only supported via SAP Cloud Connector. We are currently looking into possibilities to make SCC connections via private link possible, but are not there (yet).

      Best regards,
      Philipp

      Gov Totawar

      Does Private Link allow communication two-way, BTP to Customer VNET and Customer VNET to BTP?

       

      Philipp Becker
      Blog Post Author

      Hi Gov,

      Private Link only allows one-way communication, in the sense that connections from SAP BTP side can be opened to the Azure resource connected to the private link, but not the other way round.

      Best regards,
      Philipp

      Junya Zushi

      Hi. Thank you for the great blog.

      When we use BTP with AWS and our AWS environment, I thought the traffic between the service in BTP and instance in our AWS does not go out of AWS private network. (FAQ Link -> Q.Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?)

      If so, isn't it possible to connect between BTP with AWS and our AWS without Private Link? Is there any advantage to using it over going without it?

      Thank you.

      Philipp Becker
      Blog Post Author

      Hi,

      In that case you still have to keep a public endpoint for your instance in AWS, which represents an additional attack vector, especially if not thoroughly configured and monitored. By utilizing Private Link, you can omit such public endpoints.

      Best regards,
      Philipp

      AMIT Lal

      Hello Philipp,

      Nice article! Perhaps with private links, Inbound and Outbound data processing will be charged by hyperscalers (Azure/AWS/GCP/Ali), correct?

      Example for USD below:

      • Inbound Data Processed: $xx per GB
      • Outbound Data Processed: $xx per GB

      Thanks,

      Amit

      Philipp Becker
      Blog Post Author

      Hi Amit,

      For Azure, the costs for the private links are automatically associated (by Azure) with the Azure subscription that holds the private endpoint. In our initial scenario, this means that the transferred data (both ingress and egress) will be charged to the Azure subscriptions owned by SAP.

      For other hyperscalers it's currently too early to say how this will be done there.

      Best regards,
      Philipp

      Ashish RATHI

      Hello Philipp,

      Our MTA application, running on the SAP BTP CF (on Azure) environment, needs to have a connection with Azure MySQL DBaaS hosted on the customer's Azure account.

      The customer wants to deny public network access on the MySQL DB; instead they want to create a private network endpoint.

      As SAP Private Link service is in BETA, do we have any solution on the SAP BTP CF environment which helps us to connect the MTA application to an external private endpoint?

      Thanks,

      Ashish

      Philipp Becker
      Blog Post Author

      Hi Ashish,

      With the SAP Private Link service we also plan to support connections to Azure Database for MySQL soon. Besides that, I am currently not aware of other possibilities to connect from the SAP BTP CF environment to a customer's Azure MySQL database without exposing a public endpoint.

      Best regards,
      Philipp

      Ashish RATHI

      Hello Philipp,

      Thanks for your reply. Any idea when this service will be released for production usage?

       

      Thanks,

      Ashish

      Philipp Becker
      Blog Post Author

      Hi Ashish,

      We currently expect the service to become available for productive use by the end of Q2/2022. But please be aware that, similar to other dates communicated, this is only the current plan, and this timeline may be changed by SAP anytime without notice and business decisions should not be taken based on release timelines that you read in the comment section of a blog 🙂

      Best regards,
      Philipp

      Ashish RATHI

      Hi Philipp,

      Thanks for your reply.

      Regards,

      Ashish

      Anil Bhandary

      Hi Philipp,

      It's nice to have this feature. I am using heavy Integration Suite services which are connected to my hosted ABAP application on Azure via Cloud Connector. If we have Private Link in the future, do I need to have Cloud Connector, or can I make direct communication to the BTP application via SAP Private Link, which will help to eliminate the Cloud Connector as SPoF?

      Earlier we did this same scenario for SAP Data Intelligence, in which we did the VNet peering between SAP DI and our Azure network, by which we eliminated Cloud Connector usage. If such a scenario can be achieved for Integration Suite by eliminating the Cloud Connector against the SAP Private Link, it would be really helpful.

      Regards,

      Anil

      Gregor Wolf

      Have you seen my comment on the same topic?

      Anil Bhandary

      Yes Gregor, I have referred to it. But my ask is something different. Can we remove SCC completely after introducing Private Link and make direct communication between the backend system and BTP CF, rather than making configuration in SCC and routing the traffic from SCC? I need to understand if Private Link can help eliminate the SCC requirement, and whether the configuration which we are currently mapping in SCC can be done through other means, so I will remove SCC as SPoF.

       

      regards,

      Anil

      Philipp Becker
      Blog Post Author

      Hi Anil,

      Whether you can completely replace SCC with Private Link in the future depends on your specific scenario. For example, one of the things that SCC offers that is not planned for Private Link is RFC filtering. So to decide whether you can do the replacement, you would need to check what exact functionality you are currently using from SCC and whether that is already or will be supported by Private Link in the future.

      Best regards,
      Philipp

      Vinod Patil

      This will surely foster the friendship between network security folks and BTP Architects 🙂 Waiting for AWS release too