Antonio Maradiaga

Cloud Connector, explained in simple terms

In this blog post I will try to explain what Cloud Connector ☁️ 🔗 is, without getting too technical, and I will include some examples of business process/integrations/functionality that Cloud Connector enables.

Cloud Connector use cases

Let’s start: what is Cloud Connector and what does it do?

Cloud Connector is an application that can be installed on a Windows, Linux or macOS operating system. It creates a secure connection to the SAP “cloud”, so that SAP Cloud products can communicate securely with systems in a customer’s on-premise/private cloud landscape.

Note: For simplicity, I will refer to on-premise/private cloud systems as internal systems.

Are there alternative ways for SAP Cloud products to communicate with internal systems?

Sure, these internal systems can be exposed directly to the internet, but that will not be secure. Doing so may require opening the firewall to allow communication with the internal system(s), which is another security risk, and a malicious actor could then try to attack our systems. Generally, it is not recommended to expose your critical operational systems to the internet 😃

Then, how can Cloud Connector allow communication from SAP Cloud products without exposing my systems to the internet?

The Cloud Connector installed in your on-premise/private cloud landscape is the one that initiates the connection to the SAP Cloud, creating a secure communication tunnel. SAP Cloud products then use this “tunnel” to communicate with your internal systems securely.
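
A minimal model of the outbound-initiated tunnel described above, added here as an illustration; it is not SAP's implementation and not code from the original post. The connector dials out to a cloud-side relay and requests travel back over that same connection, so the internal side never opens a listening port. The path names, the `EXPOSED` allowlist and the one-line request format are assumptions made for the example.

```python
import socket
import threading

# Constructed stand-ins for internal systems; the paths are hypothetical.
INTERNAL = {"/odata/orders": "42 open orders", "/webgui": "admin console"}
EXPOSED = {"/odata/orders"}  # assumed allowlist kept on the connector


def connector(relay_addr):
    """Internal side: dial OUT to the relay, then serve requests on that link."""
    # TLS and authentication of both ends are omitted to keep the model small.
    with socket.create_connection(relay_addr) as tunnel, \
            tunnel.makefile("rwb") as stream:
        for line in stream:  # requests arrive on our own outbound socket
            path = line.decode().strip()
            if path in EXPOSED:
                reply = "200 " + INTERNAL[path]
            else:
                reply = "403 not exposed"
            stream.write(reply.encode() + b"\n")
            stream.flush()


def run_demo(paths):
    """Cloud side: the only listener. Sends requests down the accepted tunnel."""
    relay = socket.socket()
    relay.bind(("127.0.0.1", 0))  # loopback stands in for the cloud endpoint
    relay.listen(1)
    agent = threading.Thread(target=connector, args=(relay.getsockname(),),
                             daemon=True)
    agent.start()
    tunnel, _ = relay.accept()  # the connector connected to us, not vice versa
    replies = []
    with tunnel, tunnel.makefile("rwb") as stream:
        for path in paths:
            stream.write(path.encode() + b"\n")
            stream.flush()
            replies.append(stream.readline().decode().strip())
    relay.close()
    agent.join()  # closing the tunnel ended the connector's read loop
    return replies


if __name__ == "__main__":
    print(run_demo(["/odata/orders", "/webgui"]))
```

The firewall in front of the internal side only has to permit one outbound connection; anything not on the connector's allowlist is refused before it reaches a backend.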

Can anyone on the internet use the “tunnel” initiated by Cloud Connector to connect to my landscape?

No. No one but SAP Cloud products or applications that you’ve deployed to the SAP platform as a service, e.g. SAP Business Technology Platform (BTP), can connect to your internal systems.

Where do I need to install Cloud Connector and how can I connect to the SAP Cloud?

Cloud Connector can be installed on Windows, Linux or macOS, on either a virtual machine or a physical machine. An SAP BTP account is needed to configure the connection between the SAP Cloud environment and the Cloud Connector instance. Multiple Cloud Connectors can be deployed to connect to one or more SAP BTP region-subaccounts. This will depend on your landscape and needs.

What happens if my Cloud Connector instance stops working? How can the SAP Cloud communicate with my internal systems?

Ideally, Cloud Connector will be set up as highly available, meaning that there will be another machine (failover) available to receive/process the requests from the SAP Cloud in case the main machine (Cloud Connector instance) fails. This ensures that cloud-to-internal connectivity is not lost in case of a failure.

OK, now to the examples of business processes/integrations/functionality that Cloud Connector enables with the SAP Cloud.

    • Extensions:
      • Extend a business process: There is functionality that an on-premise product doesn’t cover and you can develop a custom application to cover the missing functionality. Maybe use SAP Graph to retrieve the data from the on-premise SAP S/4HANA. The custom application can be hosted in SAP BTP and it can communicate with the on-premise system to retrieve the data it needs.
      • Allow communication between SAP Cloud products and internal systems: SAP Ariba offers an integration capability called SAP Ariba Cloud Integration Gateway, which uses Cloud Connector to communicate with your internal systems. Various SAP BTP services, e.g. SAP Asset Manager, SAP Data Warehouse Cloud, SAP Cloud Integration, allow connecting the service to internal systems.
    • Integration:
      • Integrate your on-premise systems with cloud applications: Using Cloud Integration, part of SAP Integration Suite, we can create integrations between cloud applications and many types of internal systems that communicate through different protocols, e.g. OData, HTTP, LDAP, Mail, SFTP. Cloud Integration can be configured so that it can connect to these on-premise systems.
      • Expose internal APIs to the internet: SAP API Management, part of the SAP Integration Suite, can utilise Cloud Connector to expose internal APIs, in a secure/controlled way, to the internet. This way we can enable external parties/business partners to communicate with your systems via this secure API Gateway.
    • Data processing:
      • Replicate/virtualise data from an on-premise database to the cloud: Cloud Connector enables connecting SAP HANA with the cloud. An SAP HANA database can replicate/virtualise data from SAP HANA on-premise to SAP HANA Cloud. This is a way of making your data available in the cloud environment.
      • Move large amounts of data: SAP Data Intelligence can communicate with internal systems, via Cloud Connector, to retrieve data and send it to other data products, e.g. SAP Data Warehouse Cloud, SAP HANA Cloud, for further processing/analysis.
      • Reporting in the cloud: You use SAP Analytics Cloud and want to create dashboards based on your data that lives in on-premise/private cloud systems. SAP Analytics Cloud can use Cloud Connector to securely communicate with an on-premise/private cloud SAP HANA database, SAP S/4HANA or an SAP BW/4HANA system. It can also connect to just an OData API exposed by an internal system.

Thanks for making it this far 😃. I’ve tried to cover the absolute basics of Cloud Connector without getting too technical. I’ve also highlighted different scenarios that Cloud Connector can enable between cloud applications/services and internal systems. I hope you’ve found the information explained here useful.

 


      15 Comments
      Balamurugan Gunasekaran

      Good document. It will help for beginners. Appreciated

      Naresh Dasika

      Hello Antonio Maradiaga,

      Would it be possible to create multiple user accounts to login to Cloud Connector?

      Regards,

      Naresh

       

      Antonio Maradiaga
      Blog Post Author

      Naresh Dasika, the only way you can have multiple user accounts in Cloud Connector is by configuring LDAP - https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/3859e50f652e4a4b9c66a6a572ced7a4.html

      Siyabonga Ndlovu

      Interesting read about Cloud Connector, thanks Antonio.

      Antonio Maradiaga
      Blog Post Author

      Thanks to you for taking the time to read 🙂

      Mark Kremnitzky

      Hello Antonio,

      excellent article. Thanks for summing up in very simple terms!

      Are you planning to put out further posts going more into the details of Cloud Connector architecture and configuration?

      Regards,

      Mark

      Antonio Maradiaga
      Blog Post Author

      That's a good idea, Mark. I will keep it in mind for future blog posts.

      William Graig

      Hey! Thank you so much for your amazing writing. Indeed very informative and unbiased!

      Pavan Golesar

      Very well articulated in simple terms and with good examples!  Thank you Antonio Maradiaga!

      Nagesh Popalayat

      One of the best blogs

      Timm Seitz

      Hello Antonio,

      thanks for this article, but I also do have a couple of questions regarding the following statement:

      Are there alternative ways for SAP Cloud products to communicate with internal systems?

      Sure, these internal systems can be exposed directly to the internet but that will not be secure. This might end up requiring opening the firewall to allow communications with the internal system(s), which is another security risk, and a malicious actor can end up trying to attack our systems. Generally, it is not recommended to expose your critical operational systems to the internet

      What about the usage of a dedicated/standard VPN tunnel between the two clouds instead... I mean, these VPN products also provide high encryption/security for the communication path?

      The various apps have their own security features and communicate on the basis of HTTPS, e.g. Concur, SuccessFactors, etc. - is this not enough?

      And what about the usage of other Kernel-related SAP components, e.g. SAP Web Dispatcher or SAProuter. I mean, these are all some kind of security components - not directly for SaaS, but they will do their job for a standard setup, too - correct?

      I understand there are many different features included with this Cloud Connector, but in the end it looks to me that this depends strongly on the usage scenario(s) - correct?

      Maybe I am missing something here.

      Again, top job - very nice summary.

       

      Antonio Maradiaga
      Blog Post Author

      Hi Timm Seitz,

      > Usage of a dedicated/standard VPN tunnel
      Agree, this will be secure as well. This will be similar to what you do with Cloud Connector.... Cloud Connector establishes that secure tunnel. I would say that establishing the VPN tunnel will be more involved than just using Cloud Connector.

      > The various apps have their own security features and communicate on the basis of HTTPS
      Communication over HTTPS will be secure. The difference between over HTTPS and Cloud Connector before getting to your internal systems:
      - Over HTTPS: The traffic will go through the open web
      - Cloud Connector: The traffic will be routed through the "SAP network" and the secure tunnel. It doesn't go through the open web.

      > the usage of other Kernel-related SAP components, e.g. SAP Web Dispatcher
      My understanding is that if you want to expose this system to the internet you will either need to open a firewall, have it in a DMZ or have some kind of reverse proxy in place.

      > this depends strongly on the usage scenario(s)
      Can be... it also depends on the security practices that a customer might have. That said, Cloud Connector is widely adopted across many SAP cloud products and I would say that generally, using Cloud Connector, would simplify how you manage and establish connections between SAP Cloud products and your internal systems.

       

      Johannes Goerlich

      Hi Timm Seitz ,

      if you're thinking about connecting SAP BTP to systems hosted in Azure you should check out SAP Private Link service on Azure.

      BR,

      Joe

      Lutz Rottmann

      Hi Timm Seitz , Antonio Maradiaga!,

      just thinking about encryption as providing security falls short. Encryption is just a subset.

      You probably also want to control which subaccount has access to which backend services. And you want to decide on which services shall be able to use which type of authentication to the backend to manage risks.

      I don't want some (beginner ?) BTP developer to be able to expose webgui of my backend system to the internet via BTP just because the system was exposed to BTP for using some minor odata services before. I also don't want some developers to build something in BTP based on RFC_READ_TABLE or something like that. I want someone knowledgeable to control/limit this on Cloud Connector. No other technology gives you this granularity of control.

      I want one central repository where I can read out all those fine granular rules for review -> Cloud Connector

      At best I would detect strange access behavior in Cloud Connector logs perhaps with ETD or some SIEM (my next todo).

      So for me the Cloud Connector is more like a Web Application Firewall where I can limit and monitor access in a fine granular way to defend my core systems in a more holistic way.

      BR, Lutz

      Antonio Maradiaga
      Blog Post Author

      Lutz Rottmann, great points you are including here.

      It can be argued that you can have the same kind of control, if not more, going through the network team in your company and them allowing traffic from specific IP addresses to your internal network. In the end, they are operating a firewall and they will need to allow the traffic. That level of control/monitoring will normally be there in large companies.

      That said, you will need to get the network team involved if you want to diagnose what's going on in the communication between Cloud and on-prem, e.g. any changes in your setup/configuration or you want to track if a message is reaching your network, you will need to get the network team involved and that is normally a HUGE pain. SAP Cloud Connector simplifies the connection and monitoring.