Skip to Content
Technical Articles
Author's profile photo Harutyun Ter-Minasyan

SAP Private Link service use cases for SAP Cloud Integration and SAP Launchpad

Dear Community,

In my previous blog post, I introduced how to use the SAP Private Link service to extend your SAP S/4HANA business processes running on Microsoft Azure while keeping the traffic within the Azure internal network.

In this blog, I would like to share two more use cases for SAP Private Link connectivity

  • SAP Private Link service with SAP Cloud Integration for building diverse integration scenarios
  • SAP Private Link service for frontend applications accessible from SAP Launchpad service

Please have a look at the great blog series by Martin Pankraz, where he also presents the SAP Cloud Integration scenario in Part 2.

Even without a direct integration of SAP Cloud Integration and SAP Launchpad services with SAP Private Link service, we can still establish connectivity with help of Application Router, meanwhile, the product team is working to enable the direct integration.

Now let’s have a closer look at these two scenarios:

SAP Private Link service with SAP Cloud Integration for building diverse integration scenarios

The SAP Cloud Integration capability of SAP Integration Suite enables enterprises to connect different systems and applications in hybrid and cloud landscapes, that are developed and maintained on different technology stacks. These stacks, usually follow different security standards and requirements.

With the help of the SAP Private Link service, you can extend your hybrid integration scenarios to suit stricter security policies and communicate with your SAP S/4HANA on Microsoft Azure through private network connectivity.

The main idea of this architecture is to use the Application Router as a proxy for the private connectivity between SAP S/4HANA and SAP Cloud Integration. More details about Application Router can be found below. Please also check the GitHub repository for further details.

SAP%20Cloud%20Integration%20with%20SAP%20Private%20Link%20service

SAP Cloud Integration with SAP Private Link service

 

SAP Private Link service for frontend applications accessible from SAP Launchpad Service

As you might know, the SAP Launchpad service plays an important role to increase users’ productivity and efficiency by enabling organizations to establish a central point of access to SAP, custom-build, third-party applications, and extensions.

The frontend extensions of your SAP S/4HANA system running on SAP BTP can now also benefit from the new SAP Private Link service by establishing private connectivity to your SAP backend systems.

Like the above-mentioned scenario, the main idea of this architecture is to use the Application Router as a proxy for the private connectivity between SAP S/4HANA and frontend extensions running on SAP BTP. Below you’ll find more information on Application Router. To learn more, you can check the GitHub repository.

Please note that this scenario covers only the frontend extensions. The federated SAP S/4HANA content is out of scope for this blog.

UI%20extensions%20with%20SAP%20Private%20Link%20service

UI extensions with SAP Private Link service

How to achieve this?

As previously mentioned, for the moment, we cannot use SAP Private Link service directly from SAP Cloud Integration or SAP Launchpad Service; nevertheless, we can bridge this gap with help of SAP’s Application Router (approuter), which can play the role of a proxy between SAP and SAP Cloud Integration.

Application Router is a package available in the public npm repository, usually used as a single-entry point to your applications. It can help dispatch incoming requests to other microservices, facilitate authentication & authorization, and finally integrate other SAP BTP services like the Destination service or the HTML5 Application Repository.

These main capabilities of the Application Router with the latest release (as of today – 11.3.2) can help you establish the above-mentioned proxy role for Private Link.

 

Configure and deploy Application Router

You can configure and deploy the Application Router with the IDE of your choice, but with help of SAP Business Application Studio (BAS), it is much simpler, since you can take advantage of the provided templates for your Application Router configuration.

If you choose BAS, select Standalone Approuter as an option in the template wizard.

The only configuration required in Application Router is to define the route and the destination used for the SAP Private Link connectivity. This can be done in the xs-app.json file where BusinessPartner-approuter is the destination configured for SAP Private Link connectivity in the target SAP BTP subaccount (see destination configuration below).

{
  "authenticationMethod": "route",
  "routes": [
    {
        "source": "^/sap/(.*)$",
        "target": "/sap/$1",
        "destination": "BusinessPartner-approuter",
        "authenticationType": "xsuaa",
        "csrfProtection": false
    }
  ]
}

After setting up the route with destination and authentication, you can deploy the Application Router to your SAP BTP subaccount

e.g. by  mbt build and cf deploy privatelink-proxy.mtar

Once the Application Router is up and running, it can be used by your integration flows or Fiori applications to connect with the SAP backend system.

 

Summary 

In this blog, you have learned how to bypass the missing features and still be able to use SAP Private Link service with your integration and frontend extension scenarios with help of Application Router.

You can find detailed steps for both scenarios in the following GitHub repo.

For the latest product features, you can check the SAP Private Link service roadmap.

 

 

Assigned Tags

      9 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Daniel Graversen
      Daniel Graversen

      Hi

      Is it only HTTP-based traffic that can be sent thru the link, or can you also have other protocols like JMS, SFTP or other platforms.

      Author's profile photo Martin Pankraz
      Martin Pankraz

      No, the CF approuter works with http only. However, you can apply your own proxy. In my earlier example I implemented this with a Java app. In there you can receive the http request from CPI for instance and then forward you request using JMS, SFTP etc. Till there is native support for SAP BTP PaaS/SaaS apps for private link this is the way to go.

      Harutyun Ter-Minasyan how about a small comment on the blog and github repos to clarify?

      Author's profile photo Daniel Graversen
      Daniel Graversen

      thanks Martin

      Author's profile photo Vijay Konam
      Vijay Konam

      How is this different or better from using the Cloud Connector? Many organizations have taken so much pain to set up the cloud connector already. Does this add any additional value like latency or connectivity to various regions? Am I missing the point?

      Thanks,

      Vijay Konam (VJ)

      Author's profile photo Vijay Konam
      Vijay Konam

      Okay, I understood by going through the other blog. This is for the customers who have their BTP apps or CPI hosted on Azure and thus bypassing the internet to connect to on-premise. Thanks.

      Author's profile photo Martin Pankraz
      Martin Pankraz

      Hi Vijay Konam,

      thanks for reaching out. I created a dedicated blog to answer that question.

      Would adjust your summary slightly: SAP Private Link for Azure is about connecting to workloads running on Azure (typically not on-premises, even though you could technically forward proxy via firewall +VPN/Exrpress Route etc. to your on-premises network).

      Does that clarify?

      KR

      Martin

      Author's profile photo Vijay Konam
      Vijay Konam

      Thanks Martin. Yes you did. By on-prem I meant, S4/HANA hosted on Azure private cloud. That is almost on-prem in our case. This could/should be a great thing for us to avoid the bottleneck of SAP Cloud Connector.

      Thanks,

      Vijay Konam

      Author's profile photo Muniyappan Marasamy
      Muniyappan Marasamy

      Eagerly waiting for the last piece, where cpi can directly call Azure host instead of proxy app. Hope product team releases soon.

      Author's profile photo Stanley Evans
      Stanley Evans

      Great post