Technical Articles
Getting Started with SAP Private Link Service for Azure
NEWS FEED15.06.23: SAP added Azure OpenAI service and Azure Cache for Redis support to SAP Private Link 😍 23.03.23 SAP added Azure Cognitive Services support to SAP Private Link 😍 13.03.23 SAP added Azure Storage Account support to SAP Private Link and shared a sample with SAP Integration Suite inspired by customer implementation 02.03.23 SAP announced Kyma runtime support for Q4 2023 09.02.23 SAP released Azure Machine Learning for SAP Private Link. 01.12.22: Adjusted guidance for end-to-end TLS regarding automatically obtained certificates from well-known authorities (CA) via Azure Key Vault. That includes auto-renewal bringing down your maintenance effort a lot. 06.10.22: SAP released further Azure services for SAP Private Link! Enjoy now Azure Application Gateway, Azure KeyVault, Azure Automation, Azure CosmosDB, Azure App Service and Azure Functions! 22.08.22: Official guidance by SAP for SAP Build Workzone and Cloud Integration using Private Link for http based communication. Check out the SAP samples repos for config details. For non-http communication still look at part 2 of the series. 22.06.22: General Availability on all Azure BTP regions Annoucement. You can start using productively. Or as Gowri from SAP put it: prime time 😀 03.06.22: SAP Cloud Application Programming model and Cloud SDK for JavaScript now support Private Link. Consider upgrading both libraries. 13.01.22: SAP CloudSDK v3.61.0 for Java supports new proxy type PrivateLink. Consider upgrading your pom.xml. |
Dear community,
I am running a series of blog posts around the topic of #SAP Private Link service with Azure. My primary goal is sharing service implementation experience and possible applications of this new BTP service through its journey since Beta and General Availability in June 2022. Ideally it gives you a kickstart into your own journey of private connectivity on BTP.
Of we go to link what was meant to be linked, I solemnly pinkie swear – private linky I mean 😉
Going forward I will always refer to SAP Private Link Service in short with PLS.
📢Check the first customer success story
FrieslandCampina moved their productive SAP BTP Cloud Integration use case with Azure Storage Account to SAP Private Link in a couple of hours.
Jul 2nd, 2022: Joint GA announcement Session with Sven Kohlhaas from SAP
Jul 24, 2021: First introductory Session from early stages of PLS beta! 🎥YouTube Webcast link.
Find you way around the blog series with below tables.
Azure PaaS scenarios
|
Connecting to Azure PaaS databases Featured service: MySQL, MariaDB |
Describes Azure PaaS connectivity options from BTP illustrated with an example app deployed in CloudFoundry environment consuming MySQL on Azure. See the available database spectrum here. |
|
Inspect your traffic coming from BTP with the Azure App Gateway web application firewall “Simplify the link architecture and increase security” Featured service: Azure Application Gateway, Azure API Management |
Learn how to configure the Azure Application Gateway for SAP Private Link and connect to your Azure PaaS Services like Functions, API Management, Data Lake, App Service etc. |
|
Global scale for shop-floor scenarios blending SAP S4 data “Guaranteed speed at any scale” Featured service: Azure Cosmos DB |
Learn how to spin up an architecture with the distributed Cosmos DB using SAP Private Link to cope with global scale requirements. See the available database spectrum here. |
|
🆕OData integration for any Azure PaaS “Enabling SAP CAP to talk OData with anyone on Azure” Featured service: Azure App Service, Azure Cosmos DB |
Learn how to apply an OData proxy to enable every Azure SDK for any PaaS service to respond to OData requests. This way SAP CAP may natively interact with those services without the need to add the respective SDK. As a result development concerns can be separated. |
|
Featured service: Azure OpenAI |
Learn how to reason and summarize security threats in your SAP BTP instance via The SAP BTP Audit Log. SAP CAP serves as interface to present the results and a private fully isolated instance of Azure OpenAI is connected via the SAP Private Link. |
SAP PaaS scenarios
|
SAP Private Link service use cases for SAP Cloud Integration and SAP Launchpad 📢Official SAP sample Featured service: SAP Build Workzone, Integration Suite, Azure Standard Load Balancer |
Learn how to integrate SAP Build WorkZone or SAP Integration Suite privately with your workloads on Azure. |
|
🆕Expand your file storing needs from SAP Cloud Integration to Azure Storage Account (Blob) 📢Official SAP sample Featured Service: SAP Integration Suite, Azure Storage Account (Blob) |
Learn how to enable file interactions on Azure Cloud Storage via SAP Cloud Integration. |
Azure Standard Load Balancer scenarios
|
Part1 Introductory post to the series “Whatever happens in an Azure and SAP Private Linky swear, stays in the linky swear! An implementation story of the Private Link Service for Azure.” |
Understand SAP Private Link Service and its connectivity scope. I show how to perform OData calls via the private tunnel using SAP Cloud SDK for Java/CAP. |
|
Part 2 Expose PLS to SAP Cloud Integration (specifically CPI) “Business as usual for iFlows with Private Link Service” 📢featured post by SAP for Integration Suite and Launchpad Service |
Add cf proxy app to enable CPI to route calls through PLS. If SAP implements direct “line of sight” for Cloud Integration, Connectivity service and PLS we would no longer need an app to proxy. |
|
Part 3 Consider architecture impact – broaden scope to production environments “How many pinkies do I need? Architecture impact of Private Link Service.” |
Shedding light on the different deplyoment modes given by your SAP architecture. |
|
Part 4 Focus on development environment “How do I debug and test with live data via Private Link Service?” |
Learn how to enable debugging and proper testing with live data while using the PLS from SAP Business Application Studio or Visual Studio Code locally. |
|
Part 5 Implement SAP Principal Propagation via PLS “Propagate your SAP principels via Private Link Service” |
Describes SAP Principal Propagation – cf user mapping to SAP backend users. |
|
Part 6 Restrict access to your PLS exposed backend endpoints “Keep the auditor happy with Private Link Service” |
Understand the means, limitations and “places” to maintain backend access restrictions when using PLS. |
|
Part 7 Implement end-to-end SSL when using PLS “How to setup SSL end-to-end with Private Link Service” |
Learn how to setup SAP Personal Security Environment and BTP Destinations to ensure end-to-end communication encryption. |
|
Part 8 Use SAP Cloud Connector or Private Link or both? “Combine best of both worlds” |
Learn the ins and outs of both BTP connectivity options and gain insights into SAP’s roadmap |
|
Part 9 Expose your Azure Kubernetes Service hosted apps to BTP “How to spin up single service PLS with kubectl for Java on BTP” |
Learn how to connect your apps running in Azure Kubernetes Service to SAP BTP workloads via the SAP Private Link. |
SAP Roadmap for PLS
Fig.1 Screenshot from SAP+Microsoft joint roadmap webcast session
Pay attention to the free text notes that Sven put next to the tiles.
For latest news and committed features please have a look at the SAP RoadMap Explorer.
Official References
SAP docs
- SAP Help entry for PLS
- Developer Tutorial for Private Links Service
- SAP Cloud SDK docs
- SAP Private Link service use cases for SAP Cloud Integration and SAP Launchpad | SAP Blogs
SAP announcements
- SAP Private Link service on Azure is now generally available (GA)! | SAP Blogs
- Extend your Business Processes with the new SAP Private Link service | SAP Blogs (focus on SAP CAP and CloudSDK for JS)
Microsoft docs
SLAs (as of Feb 2023)
- SAP Private Link 99,9% availability
- Azure Private Link (foundation for SAP PLS) 99,99%, Microsoft SLA summary
Find all artifacts from the series on my GitHub repos here.
As always feel free to ask lots of follow-up questions.
Cheers
Martin
any roadmap between BTP to SAP Commerce cloud(CCV2) ?
CCV2 is on Azure , if BTP is on Azure, then I think the private link is simple
Thanks for reaching out.
It is not mentioned on the roadmap discussed by Sven. You would need to ask SAP directly.
KR
Martin
Hi Martin,
Is there support for SAP DWC via PrivateLink? Can you share details?
Thanks
-ravi
Gowrisankar M do you have a comment for Ravi Condamoor?
In general the CF AppRouter would apply to SAP PaaS apps as described by your colleague Harut here for Integration Suite.
KR
Martin