Skip to Content
Technical Articles
Author's profile photo Jana Subramanian

Secure Connectivity to SAP Cloud Services hosted on Hyperscaler


SAP has embraced “Hyperscaler” such as Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba as an “IaaS provider” to host many of the SAP SaaS solutions and SAP Business Technology Platform. Beginning of the year in 2021, SAP has launched, RISE with SAP with S/4HANA Cloud Private Edition, which includes Infrastructure, Software and a Private Managed Environment hosted on Hyperscaler depending on the region of availability of the services. Often, questions arise on how to provide secure connectivity to SAP cloud services and in some cases, on how to establish connectivity to SAP cloud services, going via private connectivity bypassing public internet. This consideration is important for customer to meet security and compliance to their regulations.

In this blog, we go through variety of secure connectivity option that exists to connect to SAP cloud services hosted on Hyperscaler. For the sake of clarity, we will not go into deep technical details but keep the discussion at a high level to provide perspective on connectivity options to consider. An illustrative diagram with high level details are provided for some of the connectivity solutions.

Secure Connectivity Summary

The table below provide broad summary of secure connectivity options that can be considered.

Secure Connectivity Options to SAP Cloud Services

Dedicated Private Connectivity

Customers can establish a dedicated private connection from an on-premises network to VPC assigned to SAP S/4HANA Cloud Private Edition or SAP HANA Enterprise Cloud hosted on Hyperscaler. This would mean customers will have to work with Hyperscaler and vendor neutral facility (VNF) provider such as Equinix to establish network connectivity. In this case, SAP cloud services will assist in providing software defined network configuration to establish peering and connectivity to customer on-premise gateway. Customer owns the responsibility for the access, LOA-CFA and working with VNF such as Equinix.

The following links can be referenced for technical details:


Dedicated Private Connectivity to S/4HANA Cloud Private Edition


IPSEC VPN Connectivity

Some customer may consider IPSEC VPN as an option to connect to SAP S/4HANA Cloud Private Edition or SAP HANA Enterprise Cloud as dedicated connections may be expensive. If the security and compliance is permitted,  IPSEC VPN can be considered which is an site-to-site encrypted channel. It is also possible to keep dedicated private connection as primary and IPSEC VPN connection as a secondary connection for fail-over scenarios.

The following links can be referenced for technical details:


IPSEC VPN Tunnel – Customer On-Premise to S/4HANA Cloud Private Edition

VPC Peering

If customer require a secure connection between their own VPC with SAP S/4HANA Cloud Private Edition or SAP HEC VPC, VPC peering may be considered. A VPC peering connection is a networking connection between two VPCs that enables customer to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC managed by SAP in a private managed environment.

The following links can be referenced for technical details:


VPC Peering

BTP Connectivity with Private Link

SAP has launched Private Link Service which is beta service available on SAP BTP for subaccounts in enterprise accounts. SAP Private Link service establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts. By reusing the private link functionality of our partner IaaS providers, it lets you access your services through private network connections to avoid data transfer via the public Internet.

For more details, please refer to the link below:


Azure Private Link (Beta)

SAP Business Technology Platform Connectivity via Public Internet

Customers can install an on-premise SAP cloud connector agent in their DMZ, and this serves as a link between SAP BTP applications and on-premise systems. It acts as a reverse invoke proxy and a secure TLS1.2 mutual authentication can be established between SAP Cloud Connectors deployed on-premise to SAP Business Technology Platform. This traffic will traverse via public internet, but the channel is encrypted as well as authenticated. The cloud connector will not be accessible directly by any host on the internet.

Technical details on the connectivity can be found at this link:


BTP Connectivity via Cloud Connector


SAP Business Technology Platform Connectivity via Private Connection (Public endpoint)

If customers require private connection from on-premise to SAP Business Technology Platform, it is possible to direct connection options provided by Hyperscaler, but such option require connectivity to SAP BTP public endpoints. As SAP BTP is a multi-tenanted platform-as-a-service, access is allowed only via public endpoint which customer can access using private connection. It must be pointed out that SAP Cloud Connector is needed as it provides secure reverse proxy solution.  In this case, it is entirely up to customer to setup this connection working with their ecosystem’s partners such as Hyperscaler and vendor neutral facility providers such as Equinix.


SAP Connectivity via Direct Connection (Public Endpoints)


Network Connectivity is a foundational layer but yet is an important consideration to customers. With SAP Cloud Services moving to Hyperscaler and SAP leveraging Hyperscaler as “IaaS provider”, customer have many connectivity options to consider which are provided natively by Hyperscaler. SAP is also expanding connectivity options to SAP SaaS services hosted in Hyperscaler providing choices to customers to meet security and regulatory requirement. While this blog does not cover all connectivity options for all of SAP Cloud Services, this will help to get a high level view of options customers may consider for their cloud connectivity requirement.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Wei-Shang Ku
      Wei-Shang Ku

      Hi Jana,

      Among the 10 connectivities in your table, I couldn't find  "Cloud --VPN--> on-Premise" connectivity.

      I hope we can have :

      Source : S/4HANA PCE

      Target : Server on-Premise

      Channel : through ExpressRoute or DirectConnect.

      The application is use DBCO to access database (like MSSQL/Oracle) on-premise.

      Is that possible ? Any extra fee required ?



      Author's profile photo Martin Pankraz
      Martin Pankraz

      Hey Wei-Shang Ku,

      have look here at our RISE documentation to address your question. I would recommend to test your scenario though since direct database access via ODBC and similar to on-premises might be a challenge due the network hops involved.

      How would you trigger the load from S4 though? Are we talking ABAP programs or what exactly?



      Author's profile photo Julien SCHWAAB
      Julien SCHWAAB

      Do you know if it's possible on S/4Hana PUBLIC cloud to get a VPN to customer on premise?