Cloud Connector, explained in simple terms
In this blog post I will try to explain what Cloud Connector ☁️ 🔗 is, without getting too technical, and I will include some examples of business process/integrations/functionality that Cloud Connector enables.
Let’s start with what Cloud Connector is and what it does.
Cloud Connector is an application, installed on Windows, Linux or macOS, that creates a secure connection to the SAP “cloud” so that SAP Cloud products can communicate securely with systems in a customer’s on-premise/private cloud landscape.
Note: For simplicity purposes I will refer to on-premise/private cloud systems as internal systems.
Are there alternative ways for SAP Cloud products to communicate with internal systems?
Sure, these internal systems can be exposed directly to the internet, but that is not secure. It means opening inbound ports on the firewall for the internal system(s), which adds attack surface: every service you expose is something a malicious actor can probe and attack. Generally, it is not recommended to expose your critical operational systems to the internet 😃
Then, how can Cloud Connector allow communication from SAP Cloud products without exposing my systems to the internet?
The Cloud Connector installed in your on-premise/private cloud landscape is the side that initiates the connection: it opens an outbound, TLS-encrypted connection to the SAP Cloud and keeps it open as a secure tunnel. SAP Cloud products then use this “tunnel” to communicate with your internal systems. Because the connection is always started from the inside, no inbound port has to be opened on your firewall; the Cloud Connector host only needs outbound HTTPS (port 443) to the SAP BTP region.
Can anyone in the internet use the “tunnel” initiated by Cloud Connector to connect to my landscape?
No. The tunnel is bound to the SAP BTP subaccount(s) you connect it to, so only SAP Cloud products and the applications you have deployed to that subaccount on SAP Business Technology Platform (BTP) can use it. On top of that, the tunnel does not expose your whole network: in the Cloud Connector’s access control you explicitly list which internal hosts, ports and resource paths (or RFC function modules) may be reached, and anything not on that list is rejected by the connector itself.
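To make the two answers above concrete, here is a small Python model of the reverse-invoke pattern. It is an added example, not SAP’s code and not code from the original post: the on-premise side opens the only connection (it never listens), the cloud side can only send requests down that connection, and the connector checks every request against an allow-list before anything is forwarded. The host names, paths, JSON framing and the in-process “internal system” are all constructed for the demo; the real Cloud Connector speaks TLS to the BTP connectivity service and its access-control entries (“Path Only” vs “Path and All Sub-Paths”) are maintained in its admin UI, not in a Python list.

```python
"""Toy model of the reverse-invoke tunnel and its access control.

Added example, not SAP code. The on-premise side dials OUT; the cloud side
is the only thing that listens; the connector allow-lists paths. Hosts, paths
and responses are constructed for the demo.
"""
import json
import socket
import threading

# Constructed stand-in for an internal backend: path -> response.
INTERNAL_SYSTEM = {
    "/sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner": {"status": 200, "body": "business partners"},
    "/sap/bc/gui/sap/its/webgui": {"status": 200, "body": "SAP GUI for HTML"},
}

# What the connector admin exposed, modelled on "Path Only" / "Path and All Sub-Paths".
ACCESS_CONTROL = [
    ("/sap/opu/odata/sap/API_BUSINESS_PARTNER", "subpaths"),
]


def path_allowed(path, rules=ACCESS_CONTROL):
    """Exact match for 'path_only'; 'subpaths' also admits /prefix/... but not /prefixX."""
    for prefix, policy in rules:
        if path == prefix:
            return True
        if policy == "subpaths" and path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def handle_request(path):
    """Connector-side decision: non-exposed paths are rejected before the backend is contacted."""
    if not path_allowed(path):
        return {"status": 403, "body": "not exposed in access control"}
    return INTERNAL_SYSTEM.get(path, {"status": 404, "body": "no such resource"})


def run_connector(cloud_host, cloud_port):
    """On-premise side. It never calls listen(); it only connects out and serves what arrives."""
    with socket.create_connection((cloud_host, cloud_port)) as tunnel:
        for line in tunnel.makefile("r"):
            req = json.loads(line)
            if req.get("close"):
                break
            resp = handle_request(req["path"])
            tunnel.sendall((json.dumps(resp) + "\n").encode())


class CloudSide:
    """Cloud side: the rendezvous point the connector dials, and the only listener in the demo."""

    def __init__(self):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.conn = self.reader = None

    def accept_connector(self):
        self.conn, _ = self.listener.accept()
        self.reader = self.conn.makefile("r")

    def request(self, path):
        """A cloud app asking for an internal resource: the only route is the existing tunnel."""
        self.conn.sendall((json.dumps({"path": path}) + "\n").encode())
        return json.loads(self.reader.readline())

    def close(self):
        self.conn.sendall(b'{"close": true}\n')
        self.conn.close()
        self.listener.close()


def demo():
    """Return {path: HTTP status} for a few cloud-side requests through the tunnel."""
    cloud = CloudSide()
    worker = threading.Thread(target=run_connector, args=("127.0.0.1", cloud.port), daemon=True)
    worker.start()  # the connector dials out; nothing on the on-prem side listens
    cloud.accept_connector()
    probes = [
        "/sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner",  # exposed, exists -> 200
        "/sap/opu/odata/sap/API_BUSINESS_PARTNER/A_Supplier",         # exposed, backend lacks it -> 404
        "/sap/opu/odata/sap/API_BUSINESS_PARTNERX",                   # prefix trick, not a sub-path -> 403
        "/sap/bc/gui/sap/its/webgui",                                  # exists, but never exposed -> 403
    ]
    results = {p: cloud.request(p)["status"] for p in probes}
    cloud.close()
    worker.join(timeout=5)
    return results


if __name__ == "__main__":
    for path, status in demo().items():
        print(status, path)
```

Running it gives 200 for the exposed OData resource, 404 for an exposed path the constructed backend does not have (that request did reach the backend), and 403 for both the webgui path and the `API_BUSINESS_PARTNERX` prefix trick, which the connector rejects without forwarding anything. The two things to take away are that the on-premise process never opens a listening port, and that the allow-list is enforced on the on-premise side, where the people who own the backend control it.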
Where do I need to install Cloud Connector and how I can connect to the SAP Cloud?
Cloud Connector can be installed on Windows, Linux or macOS, on a virtual or a physical machine. An SAP BTP account is needed to configure the connection between the SAP Cloud environment (a BTP subaccount in a given region) and the Cloud Connector instance. One Cloud Connector instance can be connected to several subaccounts, and multiple Cloud Connectors can be deployed to connect to one or more SAP BTP region-subaccounts. How many you need depends on your landscape and needs.
What happens if my Cloud Connector instance stops working? How can the SAP Cloud communicate with my internal systems?
Ideally, Cloud Connector is set up as highly available: a second machine (the shadow instance) stands by to take over and receive the requests from the SAP Cloud if the main machine (the master instance) fails. This ensures that cloud-to-internal connectivity is not lost in case of a failure.
Ok, now to the examples of business processes/integrations/functionality that Cloud Connector enables with the SAP Cloud.
- Extend a business process: when an on-premise product doesn’t cover some functionality, you can develop a custom application to fill the gap, for example using SAP Graph to retrieve the data from the on-premise SAP S/4HANA. The custom application is hosted in SAP BTP and communicates with the on-premise system, through Cloud Connector, to retrieve the data it needs.
- Allow communication from SAP Cloud products to internal systems: SAP Ariba offers an integration capability called SAP Ariba Cloud Integration Gateway, which uses Cloud Connector to communicate with your internal systems. Various SAP BTP services, e.g. SAP Asset Manager, SAP Data Warehouse Cloud, SAP Cloud Integration, can be connected to internal systems in the same way.
- Integrate your on-premise systems with cloud applications: Using Cloud Integration, part of SAP Integration Suite, we can create integrations between cloud applications and many types of internal systems that communicate through different protocols, e.g. OData, HTTP, LDAP, Mail, SFTP. Cloud Integration can be configured so that it can connect to these on-premise systems.
- Expose internal APIs to the internet: SAP API Management, part of the SAP Integration Suite, can use Cloud Connector to expose internal APIs to the internet in a secure/controlled way. This lets external parties/business partners communicate with your systems via the API gateway, while the internal system itself is never exposed directly.
- Data processing
  - Replicate/virtualise data from an on-premise database to the cloud: Cloud Connector enables connecting an on-premise SAP HANA database with SAP HANA Cloud, so data can be replicated or virtualised from SAP HANA on-premise to SAP HANA Cloud. This is a way of making your data available in the cloud environment.
  - Move large amounts of data: SAP Data Intelligence can communicate with internal systems, via Cloud Connector, to retrieve data and send it to other data products, e.g. SAP Data Warehouse Cloud, SAP HANA Cloud, for further processing/analysis.
  - Reporting in the cloud: you use SAP Analytics Cloud and want to create dashboards based on your data that lives in on-premise/private cloud systems. SAP Analytics Cloud can use Cloud Connector to securely communicate with an on-premise/private cloud SAP HANA database, SAP S/4HANA or an SAP BW/4HANA system. It can also connect to just an OData API exposed by an internal system.
Thanks for making it this far 😃. I’ve tried to cover the absolute basics of Cloud Connector without getting too technical, and I have also highlighted different scenarios that Cloud Connector can enable between cloud applications/services and internal systems. I hope you’ve found the information explained here useful.
- Cloud Connector documentation: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e6c7616abb5710148cfcf3e75d96d596.html
- In case you are interested in learning how to set up/configure Cloud Connector, make sure to check out the tutorials available – https://developers.sap.com/tutorial-navigator.html?search=’Cloud+Connector’
Good document. It will help beginners. Appreciated.
Hello Antonio Maradiaga,
Would it be possible to create multiple user accounts to login to Cloud Connector?
Naresh Dasika, the only way you can have multiple user accounts in Cloud Connector is by configuring LDAP - https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/3859e50f652e4a4b9c66a6a572ced7a4.html
Interesting read about Cloud Connector, thanks Antonio.
Thanks to you for taking the time to read 🙂
excellent article. Thanks for summing up in very simple terms!
Are you planning to put out further posts going more into the details of Cloud Connector architecture and configuration?
That's a good idea Mark. I will keep it mind for future blog posts.
Hey! Thank you so much for your amazing writing. Indeed very informative and unbiased!
Very well articulated in simple terms and with good examples! Thank you Antonio Maradiaga!
One of the best Blog
Thanks for this article, but I also do have a couple of questions regarding the following statement:
> Are there alternative ways for SAP Cloud products to communicate with internal systems?
> Sure, these internal systems can be exposed directly to the internet but that will not be secure. This might end up requiring opening the firewall to allow communications with the internal system(s), which is another security risk, and a malicious actor can end up trying to attack our systems. Generally, it is not recommended to expose your critical operational systems to the internet
What about the usage of a dedicated/standard VPN tunnel between the two clouds instead... I mean, these VPN products also provide high encryption/security for the communication path?
The various apps have their own security features and communicate on the basis of HTTPS, e.g. Concur, SuccessFactors, etc. - is this not enough?
And what about the usage of other kernel-related SAP components, e.g. SAP Web Dispatcher or SAProuter? I mean, these are all some kind of security components - not directly for SaaS, but they will do their job for a standard setup, too - correct?
I understand there are many different features included with this Cloud Connector, but in the end it looks to me like this depends strongly on the usage scenario(s) - correct?
Maybe I am missing something here.
Again. top job - very nice summary.
Hi Timm Seitz,
> Usage of a dedicated/standard VPN tunnel
Agree, this will be secure as well. It will be similar to what you do with Cloud Connector... Cloud Connector establishes that secure tunnel. I would say that establishing the VPN tunnel will be more involved than just using Cloud Connector.
> The various apps have their own security features and communicate on the basis of HTTPS
Communication over HTTPS will be secure. The difference between over HTTPS and Cloud Connector before getting to your internal systems:
- Over HTTPS: The traffic will go through the open web
- Cloud Connector: The traffic will be routed through the "SAP network" and the secure tunnel. It doesn't go through the open web.
> the usage of other Kernel-related SAP components, e.g. SAP Web Dispatcher
My understanding is that if you want to expose this system to the internet you will either need to open a firewall, have it in a DMZ or have some kind of reverse proxy in place.
> this depends strongly on the usage scenario(s)
Can be... it also depends on the security practices that a customer might have. That said, Cloud Connector is widely adopted across many SAP cloud products and I would say that generally, using Cloud Connector, would simplify how you manage and establish connections between SAP Cloud products and your internal systems.
Hi Timm Seitz ,
if you're thinking about connecting SAP BTP to systems hosted in Azure you should check out SAP Private Link service on Azure.
Hi Timm Seitz , Antonio Maradiaga!,
Just thinking about encryption as providing security falls short. Encryption is just a subset.
You probably also want to control which subaccount has access to which backend services. And you want to decide on which services shall be able to use which type of authentication to the backend to manage risks.
I don't want some (beginner?) BTP developer to be able to expose the webgui of my backend system to the internet via BTP just because the system was exposed to BTP for using some minor OData services before. I also don't want some developers to build something in BTP based on RFC_READ_TABLE or something like that. I want someone knowledgeable to control/limit this on Cloud Connector. No other technology gives you this granularity of control.
I want one central repository where I can read out all those fine granular rules for review -> Cloud Connector
At best I would detect strange access behavior in Cloud Connector logs perhaps with ETD or some SIEM (my next todo).
So for me the Cloud Connector is more like a Web Application Firewall where I can limit and monitor access in a fine granular way to defend my core systems in a more holistic way.
Lutz Rottmann, great points you are including here.
It can be argued that you can have the same kind of control, if not more, going through the network team in your company and them allowing traffic from specific IP addresses to your internal network. In the end, they are operating a firewall and they will need to allow the traffic. That level of control/monitoring will normally be there in large companies.
That said, you will need to get the network team involved if you want to diagnose what's going on in the communication between Cloud and on-prem, e.g. any changes in your setup/configuration or you want to track if a message is reaching your network, you will need to get the network team involved and that is normally a HUGE pain. SAP Cloud Connector simplifies the connection and monitoring.
Great article! Do you have something more advanced? I'm looking to configure the "Application Tunnel Connections", "Tunnel Worker Threads" and "Protocol Processor Worker Threads" for my configuration but I can't find anything useful on the topic. I mainly have 6 to 8 subaccounts, with only 1 of them having a heavy load of 7-10M requests a day of small data like name, address, etc. I have set up the JVM memory and the server CPU and memory as the SAP sizing guide explains. But, for the tuning part, I want to know what those parameters are and what they are used for by the Cloud Connector. I want to be able to figure out what numbers to give them that will make sense.
Thank you and have a nice day 🙂
I understand, it supports cloud to on-prem connectivity. Is it possible to initiate an API call from on-prem using Cloud Connector instead of enabling an outgoing internet connection to CPI?
See the Cloud Connector documentation, Frequently Asked Questions
Features - Can I use the Cloud Connector from on-premise to cloud for any protocol?
For HTTP you need to call the CPI API endpoint directly.
Great blog. Just need some insight. What's behind the secure tunnel creation process? Is it a S-2-S VPN gateway, for example?