Philipp Becker

SAP Private Link Service (BETA) is Available

Update (22.11.2022): SAP Private Link is now also available as beta for AWS! Read all about it in this blog post
Update (29.06.2022): The SAP Private Link service has left its beta phase and is now generally available on Azure! Read all about it in this blog post

SAP Private Link service establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts. By reusing the private link functionality of SAP’s partner IaaS providers, the service lets you access your services through private network connections to avoid the need for public endpoints or data transfer via the public internet.

What does the BETA include?

With SAP Private Link service, Cloud Foundry applications running on SAP BTP with Microsoft Azure as IaaS provider can communicate with Azure Private Link services via a private connection. This ensures that traffic is not routed through the public internet but stays within the Azure infrastructure.


Connection from SAP BTP Cloud Foundry to Azure using Private Link service

What are possible use cases?

One possible use case is to use the SAP Private Link service to communicate with an SAP S/4HANA system or other SAP or non-SAP system running on a VM in your own Azure account privately from within SAP BTP Cloud Foundry.

This connection can be established by creating an Azure Private Link service that exposes a load balancer which routes traffic to the SAP S/4HANA system. This Azure Private Link service must then be used as the resource to which the SAP Private Link service connects. As soon as the connection is established successfully, the SAP Private Link service provides a private IP pointing to the Azure Private Link service.

You can also find the end-to-end S/4HANA extension scenario with step-by-step instructions in this repository.


Connection from SAP BTP Cloud Foundry to a load balancer on Azure

How can I use it?

Check out the tutorials about how to

  1. Set up the SAP Private Link service in SAP BTP
  2. Connect SAP Private Link service to Microsoft Azure Private Link Service using the Cloud Foundry CLI

What to expect after BETA?

Currently, we only support the connection from SAP BTP Cloud Foundry to Azure Private Link services.

In the future, we plan to support:

  • AWS as IaaS provider and the corresponding AWS PrivateLink service
  • GCP as IaaS provider and the corresponding GCP Private Service Connect
  • Connections to selected native Azure services, e.g. CosmosDB
  • Connections initiated from within Azure to SAP BTP Cloud Foundry or other SAP BTP services
  • Connections from other SAP BTP services

Please understand that SAP does not commit to, promise to, and is under no legal obligation to deliver these features in the future. This list of features may be changed or withdrawn by SAP at any time for any reason without notice, and business decisions should not be based on this.

Important Links

Conclusion

Now you know what the SAP Private Link service has to offer for its initial BETA release, with support for the SAP Cloud Foundry environment on Azure, and what to expect during the next months.

Get started with the BETA! We’re eager to receive your feedback!


      33 Comments
      Murali Shanmugham

      Thanks for the update. Much awaited feature

      Thorsten Duevelmeyer

      Hi,

      is there a date for the AWS PrivateLink service?

      Will it be possible to connect to AWS MSK (managed Kafka) via the service?

      Best Regards,
      Thorsten

      Gowrisankar M

      Hi Thorsten,

      We are also working on making AWS PrivateLink available but cannot yet communicate a timeline.

      BRs, Gowrisankar

      Miguel Figueiredo

      Hi Gowrisankar,

      I saw in SAP Roadmaps that SAP Private Link service availability on Amazon Web Services (Beta) is planned to be released in Q4. Can you share something about it? How can we enroll in this Beta? Best, Miguel

      Gowrisankar M

      Hi Miguel,

      It will be available as public beta. You have to ensure beta features are enabled for your subaccount.

      (Global) Administrators can enable beta features in your subaccount on SAP BTP Platform, Cloud Foundry so you can view all available beta features, including SAP Private Link service. From within your subaccount, you won’t see beta features automatically, but an administrator can set this up for you.

      To find out if beta features are enabled for your subaccount, choose the Information icon in your subaccount for more information. If beta features are currently disabled in your subaccount, contact your administrator.

      Thanks, Gowrisankar

      Miguel Figueiredo

      Hi Gowrisankar,

      Thanks for your answer. One of my customers has enabled the beta features as you highlight, and we are waiting for a communication of the Private Link with AWS release, so we can start using it in a DEV subaccount.

      Best, Miguel

      Gregor Wolf

      Hi Philipp,

      do I get it right that I would still need a SAP Cloud Connector to benefit from Principal Propagation? But the traffic for the SCC to BTP CF will be routed through the private link.

       

      Best regards

      Gregor

      Philipp Becker
      Blog Post Author

      Hi Gregor,

      Principal Propagation is currently only supported via SAP Cloud Connector. We are currently looking into possibilities to make SCC connections via private link possible, but are not there (yet).

      Best regards,
      Philipp

      Gov TOTAWAR

      Does Private Link allow communication two-way, BTP to Customer VNET and Customer VNET to BTP?

       

      Philipp Becker
      Blog Post Author

      Hi Gov,

      Private Link only allows one-way communication, in the sense that connections from SAP BTP side can be opened to the Azure resource connected to the private link, but not the other way round.

      Best regards,
      Philipp

      Junya Zushi

      Hi. Thank you for the great blog.

      When we use BTP with AWS and our AWS environment, I thought the traffic between the service in BTP and instance in our AWS does not go out of AWS private network. (FAQ Link -> Q.Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?)

      If so, isn't it possible to connect between BTP with AWS and our AWS without Private Link? Is there any advantage to using it over going without it?

      Thank you.

      Philipp Becker
      Blog Post Author

      Hi,

      In that case you still have to keep a public endpoint for your instance in AWS, which represents an additional attack vector, especially if not thoroughly configured and monitored. By utilizing Private Link, you can omit such public endpoints.

      Best regards,
      Philipp

      AMIT Lal

      Hello Philipp,

      Nice article! Perhaps with private links, inbound and outbound data processing will be charged by hyperscalers (Azure/AWS/GCP/Ali), correct?

      Example for USD below:

      • Inbound Data Processed     $xx per GB
      • Outbound Data Processed     $xx per GB

      Thanks,

      Amit

      Philipp Becker
      Blog Post Author

      Hi Amit,

      For Azure, the costs for the private links are automatically associated (by Azure) with the Azure subscription that holds the private endpoint. In our initial scenario, this means that the transferred data (both ingress and egress) will be charged to the Azure subscriptions owned by SAP.

      For other hyperscalers it's currently too early to say how this will be done there.

      Best regards,
      Philipp

      Ashish RATHI

      Hello Philipp,

      Our MTA application running on the SAP BTP CF (on Azure) environment needs to have a connection with an Azure MySQL DBaaS hosted on the customer's Azure account.

      The customer wants to deny public network access on the MySQL DB; instead they want to create a private network endpoint.

      As the SAP Private Link service is BETA, do we have any solution on the SAP BTP CF environment which helps us to connect an MTA application to an external private endpoint?

      Thanks,

      Ashish

      Philipp Becker
      Blog Post Author

      Hi Ashish,

      With the SAP Private Link service we also plan to support connections to Azure Database for MySQL soon. Besides that, I am currently not aware of other possibilities to connect from the SAP BTP CF environment to a customer's Azure MySQL database without exposing a public endpoint.

      Best regards,
      Philipp

      Ashish RATHI

      Hello Philipp,

      Thanks for your reply. Any idea when this service will be released for production usage?

       

      Thanks,

      Ashish

      Philipp Becker
      Blog Post Author

      Hi Ashish,

      We currently expect the service to become available for productive use by the end of Q2/2022. But please be aware that, similar to other dates communicated, this is only the current plan, and this timeline may be changed by SAP anytime without notice and business decisions should not be taken based on release timelines that you read in the comment section of a blog 🙂

      Best regards,
      Philipp

      Ashish RATHI

      Hi Philipp,

      Thanks for your reply.

      Regards,

      Ashish

      Anil Bhandary

      Hi Philipp,

      It's nice to have this feature. I am using heavy Integration Suite services which are connected to my hosted ABAP application on Azure via Cloud Connector. If we have Private Link in the future, do I need to have Cloud Connector, or can I make direct communication to the BTP application via SAP Private Link, which will help to eliminate the Cloud Connector as SPoF?

      Earlier we did this same scenario for SAP Data Intelligence, in which we did the VNet peering between SAP DI and our Azure network, by which we eliminated Cloud Connector usage. If such a scenario can be achieved for Integration Suite by replacing the Cloud Connector with SAP Private Link, it would be really helpful.

      Regards,

      Anil

      Gregor Wolf

      Have you seen my comment on the same topic?

      Anil Bhandary

      Yes Gregor, I have referred to it. But my ask is something different. Can we remove SCC completely after introducing Private Link and make direct communication between the backend system and BTP CF, rather than making configuration in SCC and routing the traffic from SCC? I need to understand whether Private Link can help eliminate the SCC requirement, and whether the configuration which we currently map in SCC can be done through other means, so that I can remove SCC as a SPoF.

       

      regards,

      Anil

      Philipp Becker
      Blog Post Author

      Hi Anil,

      Whether you can completely replace SCC with Private Link in the future depends on your specific scenario. For example, one of the things that SCC offers that is not planned for Private Link is RFC filtering. So to decide whether you can do the replacement, you would need to check what exact functionality you are currently using from SCC and whether that is already or will be supported by Private Link in the future.

      Best regards,
      Philipp

      Vinod Patil

      This will surely foster the friendship between network security folks and BTP Architects 🙂 Waiting for AWS release too

      Murat Yakar

      Hi,

      I am trying to establish a private link service on BTP with our Azure private link service.

      My first problem is that Private Link is only available as beta under my subaccount. I cannot have it as standard.

      Even if it is beta, I decided to try it. But when I try to provision the service on BTP, it always asks me to enter the AWS serviceName as a parameter. It does not accept resourceId in my CLI params.

      The following CLI command does not work:

      cf create-service privatelink beta privatelink-test -c '{"resourceId": "MY_SUBSCRIPTION_ID"}'

      I get an error like below:

      Service broker error: Service broker privatelink failed with: serviceName: serviceName is a required field

      Does the beta version only support AWS?

      Regards

      Gowrisankar M

      Hi Murat,

      It looks like you are using an AWS subaccount. We announced the beta on AWS recently. The service plan "beta" will be available only on AWS.

      For Azure, you must have a subaccount created in one of the BTP Azure regions. We provide the standard service plan on Azure.

       

      Thanks, Gowrisankar

      Sebastian Wolters

      What I would really like to see would be the opposite direction. E.g. connect an Azure VM to SAP Hana Cloud via Private Link and restrict the HANA Cloud Firewall to Private Link only or at least BTP IPs + Private Link. This would greatly simplify our network access as this would allow for a direct network connection without corporate internet firewalls.

      Moreover, currently all applications in Cloud Foundry are publicly accessible without any configurable/monitorable web application firewall available in BTP. Currently, we are forced to be the evil nemesis of our IT security department. If one could make Cloud Foundry apps solely available via Private Link this would be much better. Eventually then you could also configure your own Application Gateway in Azure.

      Philipp Becker
      Blog Post Author

      Hi Sebastian,

      Thanks for your feedback, that is very valuable to us! We're currently investigating whether and how we can support the opposite direction to cover the scenarios that you mentioned.

      Best regards,
      Philipp

      Katie Doody

      Hi, we are trying to set up the private link service. Everything has been clear and very good except the last step to bind the service to an application. We are not sure what kind of application or what it should do. We are also struggling with how to test it? At the moment we are just doing a POC and want to hit Azure. This is the documentation we used. Do you have documentation on what the application should do and how to test the link?

       

      Thank you,

      Katie

       

      Connect SAP Private Link Service to Microsoft Azure Private Link Service | Tutorials for SAP Developers

      This is the step:

      • STEP 7

      Gowrisankar M

      Hi Katie,

      You should build your application based on the backend you want to connect over a private link.

      The easiest way to test this is to use the cf ssh <app_name> command and try using the curl command to test it. Before proceeding, you need to create a service key for the SERVICE_INSTANCE using the cf create-service-key (binding) command.

       

      https://cli.cloudfoundry.org/en-US/v6/create-service-key.html

       

      Thanks, Gowrisankar
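
The test described in the reply above, scripted as an added example (not part of the original thread or of SAP's tutorials): it reads the hostname from the service key, checks from inside the app container that it resolves to a private (RFC 1918) address, and then sends one request with curl. The `hostname` credential field, HTTPS on `/`, and the app, instance and key names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: private-link smoke test run from a workstation with the cf CLI.
# Assumptions: the service key exposes a "hostname" credential and the backend
# answers HTTPS on "/"; app, instance and key names are hypothetical.

# Constructed sample of `cf service-key` output (banner line, then JSON).
SAMPLE_KEY_OUTPUT='Getting key pl-test-key for service instance privatelink-test...

{
  "hostname": "pls-demo.example.internal"
}'

# Read `cf service-key` output on stdin and print the first "hostname" value.
extract_hostname() {
  sed -n 's/.*"hostname"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      octet=${1#172.}; octet=${octet%%.*}
      [ "$octet" -ge 16 ] 2>/dev/null && [ "$octet" -le 31 ]
      return ;;
  esac
  return 1
}

# Create a key, resolve the hostname inside the app container, then curl it.
smoke_test() {
  app=$1; instance=$2; key=$3
  cf create-service-key "$instance" "$key" >/dev/null || return 1
  host=$(cf service-key "$instance" "$key" | extract_hostname)
  [ -n "$host" ] || { echo "no hostname in service key" >&2; return 1; }
  ip=$(cf ssh "$app" -c "getent ahostsv4 '$host'" | awk 'NR==1 {print $1}')
  if ! is_rfc1918 "$ip"; then
    echo "WARN: $host -> ${ip:-unresolved} is not an RFC 1918 address" >&2
    return 1
  fi
  echo "OK: $host -> $ip"
  cf ssh "$app" -c "curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 'https://$host/'"
}

# Usage: ./pl-smoke.sh APP SERVICE_INSTANCE KEY_NAME
if [ "$#" -eq 3 ]; then smoke_test "$@"; fi
```

A hostname that resolves to a public address at this step means the request would leave through a public endpoint rather than the private link, which is worth ruling out before debugging the backend itself.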

      Dhana Saranam

      Hi, thank you for the detailed information. We are able to call Azure Blob Storage from an iFlow using approuter, but it is throwing an HTTP 409 error.

      AGS is set up for the private link service.

      Here is the error message

      <?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.
      RequestId:b0b54817-b01e-003e-6f03-94fb80000000
      Time:2023-05-31T21:05:34.6423939Z</Message></Error>

      When I did a curl with the private endpoint I got the following error message; it didn't say public access is not allowed

      <?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidQueryParameterValue</Code><Message>Value for one of the query parameters specified in the request URI is invalid.

      Any idea what is missing?

      thank you

      Dhana

      Gowrisankar M

      Hi Dhana,

      This seems more like a configuration issue. Could you please open a support case on component BC-CP-PRIVATELINK so we can take a look?

      Also, are you following https://github.com/SAP-samples/btp-private-link-approuter/tree/main/azure-blob-approuter-cloud-integration ?

      Thanks, Gowrisankar

      Dhana Saranam

      Thank you for the reply. Yes, I followed https://github.com/SAP-samples/btp-private-link-approuter/tree/main/azure-blob-approuter-cloud-integration

      Created a ticket with SAP

      453372 / 2023 Private Link Service from BTP is not working

       

      Thank you

      Dhana