Philipp Becker

SAP Private Link Service (BETA) is Available

SAP Private Link service establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts. By reusing the private link functionality of SAP’s partner IaaS providers, the service lets you access your services through private network connections to avoid the need for public endpoints or data transfer via the public internet.

What does the BETA include?

With SAP Private Link service, Cloud Foundry applications running on SAP BTP with Microsoft Azure as IaaS provider can communicate with Azure Private Link services via a private connection. This ensures that traffic is not routed through the public internet but stays within the Azure infrastructure.

Connection from SAP BTP Cloud Foundry to Azure using Private Link service

What are possible use cases?

One possible use case is to use the SAP Private Link service to communicate with an SAP S/4HANA system or other SAP or non-SAP system running on a VM in your own Azure account privately from within SAP BTP Cloud Foundry.

This connection can be established by creating an Azure Private Link service that exposes a load balancer which routes traffic to the SAP S/4HANA system. This Azure Private Link service must then be used as the resource to which the SAP Private Link service connects. As soon as the connection is established successfully, the SAP Private Link service provides a private IP pointing to the Azure Private Link service.

Connection from SAP BTP Cloud Foundry to a load balancer on Azure

How can I use it?

Check out the tutorials about how to

  1. Set up the SAP Private Link service in SAP BTP
  2. Connect SAP Private Link service to Microsoft Azure Private Link Service using the Cloud Foundry CLI

What to expect after BETA?

Currently, we only support the connection from SAP BTP Cloud Foundry to Azure Private Link services.

In the future, we plan to support:

  • AWS as IaaS provider and the corresponding AWS PrivateLink service
  • Connections to selected native Azure services, e.g. CosmosDB
  • Connections initiated from within Azure to SAP BTP Cloud Foundry or other SAP BTP services
  • Connections from other SAP BTP services

Conclusion

Now you know what the SAP Private Link service has to offer for its initial BETA release, with support for the SAP Cloud Foundry environment on Azure, and what to expect during the next months.

Get started with the BETA! We’re eager to receive your feedback!

      11 Comments
      Murali Shanmugham

      Thanks for the update. Much awaited feature

      Thorsten Duevelmeyer

      Hi,

      is there a date for the AWS PrivateLink service?

      Will it be possible to connect to AWS MSK (managed Kafka) via the service?

      Best Regards,
      Thorsten

      Gowrisankar M

      Hi Thorsten,

      We are also working on making AWS PrivateLink available but cannot yet communicate a timeline.

      BRs, Gowrisankar

      Gregor Wolf

      Hi Philipp,

      do I get it right that I would still need a SAP Cloud Connector to benefit from Principal Propagation? But the traffic for the SCC to BTP CF will be routed through the private link.

      Best regards

      Gregor

      Philipp Becker
      Blog Post Author

      Hi Gregor,

      Principal Propagation is currently only supported via SAP Cloud Connector. We are currently looking into possibilities to make SCC connections via private link possible, but are not there (yet).

      Best regards,
      Philipp

      Gov Totawar

      Does Private Link allow communication two-way, BTP to Customer VNET and Customer VNET to BTP?

      Philipp Becker
      Blog Post Author

      Hi Gov,

      Private Link only allows one-way communication, in the sense that connections from SAP BTP side can be opened to the Azure resource connected to the private link, but not the other way round.

      Best regards,
      Philipp

      Junya Zushi

      Hi. Thank you for the great blog.

      When we use BTP with AWS and our AWS environment, I thought the traffic between the service in BTP and the instance in our AWS does not go out of the AWS private network. (FAQ Link -> Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?)

      If so, isn't it possible to connect between BTP with AWS and our AWS without Private Link? Is there any advantage to using it over going without it?

      Thank you.

      Philipp Becker
      Blog Post Author

      Hi,

      In that case you still have to keep a public endpoint for your instance in AWS, which represents an additional attack vector, especially if not thoroughly configured and monitored. By utilizing Private Link, you can omit such public endpoints.

      Best regards,
      Philipp

      AMIT Lal

      Hello Philipp,

      Nice article! Perhaps with private links, Inbound and Outbound data processing will be charged by hyperscalers (Azure/AWS/GCP/Ali), correct?

      Example for USD below:

      • Inbound Data Processed     $xx per GB
      • Outbound Data Processed     $xx per GB

      Thanks,

      Amit

      Philipp Becker
      Blog Post Author

      Hi Amit,

      For Azure, the costs for the private links are automatically associated (by Azure) with the Azure subscription that holds the private endpoint. In our initial scenario, this means that the transferred data (both ingress and egress) will be charged to the Azure subscriptions owned by SAP.

      For other hyperscalers, it's currently too early to say how this will be done there.

      Best regards,
      Philipp