Beginner Level Understanding on SAP BTP Architecture

I’ve found out still some new customers are curious about SAP BTP (Business Technology Platform) architecture. Today I want to leverage my former experience as a developer in SAP IT (they heavily rely on SAP BTP on software development, e.g SAP for Me is developed on SAP BTP and SAP Support Launchpad was one of the earliest “customers” of SAP BTP) and recent customer engagement experience, trying to give a simple holistic view of SAP BTP architecture.

History

SAP BTP was called SAP HANA Cloud Platform in the beginning and later the name was changed SAP Cloud Platform (SCP). The idea was to provide a platform which was not only related to SAP HANA but with other open source technologies and services, e.g. Java development, MongoDB, etc.

However, SAP is not a pure technology company, while it thrives on real industry business process so the name was finally changed to SAP Business Technology Platform, which indicates SAP BTP is targeted for business requirement, leveraging various technologies, including open source ones of course.

At first, SAP provided infrastructure level and we call it “NEO” as the historical version. Right now SAP has shifted this level to partners i.e. AWS, Azure, GCP or Alicloud and we call it “CF” (short for Cloud Foundry) as the current version. This somehow reflects SAP’s strategy change due to fast digital world growing.

So far, SAP BTP has elvovled with a very stable architecture and it is easy to extend, from both customer and SAP perspective. We know as a platform, SAP BTP itself has no value, while the 90+ services on the top are the key factors for real enterprise daily usage. Thse services will cover data and analytics, integration and app development, machine learning and AI technologies. You can easily categorize these services on SAP’s official discovery center and I recommend this blog post which gave a very nice infographic for the 90+ services.

Architecture

As mentioned, SAP BTP has no direct value to customers. Then why SAP BTP? Let’s imagine what will happen if without SAP BTP, just only 90+ standalone services.

1. These more than 90 services each time, from development to use, are independent of the SAP’s internal development process and efficiency. They also place a heavy burden on the customer’s use, since it is likely that each service has its own activation method and usage environment, which is arguably a very bad experience for end users.
2. The categorization of solutions makes SAP’s services very fragmented and does not create a unified understanding of the customer’s various usage scenarios, such as which service is used to solve data problems, which ones are used to solve process problems, and which ones are used to solve development problems.
3. The underlying role authorization certification, the sharing of connections to ERP systems, etc., is developed independently of each other, and it is difficult to communicate directly between these services, and each new service needs to be developed from scratch without leveraging existing resources.

And SAP BTP’s architecture is to solve these problems.

Probably your first impression on SAP BTP starts with SAP BTP cockpit which looks quite simple, right?

Actually SAP did a lot of stuff underlying, like role management, connections and destinations, entitlement concept, trust configurations, subaccounts and spaces, etc. It is easy to get lost in the beginning if you only concentrate on one SAP service like SAP Integration Suite.

I made a simple architecture diagram, which may help on the understanding.

1. Identity Authentication Tenant

This is a free service which can be created out of SAP BTP and included also in many other SAP cloud solutions like SAP Successfator, SAP S/4 HANA Cloud. This means you don’t need to create it again on SAP BTP if you already have one and one such kind of service is usually enough for your production purpose. Sometimes it is often referred to as IAS – Identity Authentication Service. Strictly speaking, this service is not a service on BTP, but an identity authentication service independently developed by SAP for better interconnection for its own cloud products. You can connect common Microsoft authentication data to IAS, and use existing user data and permissions to realize seamless login of SAP cloud products. You can also create and fill users from 0 to 1 on it, and rely heavily on IAS to realize SAP cloud Product user management.

As can be seen from the architecture diagram above, IAS plays a very critical authentication role when users log in to services on BTP through a browser. Only if the user has sufficient authority, they can access the specified services on BTP, or doing development work for their own customized applications. The combination method is not difficult. There are a lot of information in the SAP community forum. For example I ever wrote this blog post for IAS. The most easy-to-find direct entry point is the menu on the left side of the BTP cockpit screenshot above, you can see that there you can invovle an additional self-created IAS in Trust Configuration instead of just the default one privided by SAP.

It looks like this and you can discover more powerful functionalities.

2. Connectivity & Destination

This is a very important part of BTP. To understand the architecture of BTP, you must know how it works. To put it bluntly, it is a proxy, and many services must be interconnected through this component. If you are familiar with the creation and use of various services on BTP, you will probably get the design idea from SAP BTP product team, which is, you only need to maintain these connection information in BTP, and then various services can reuse them again. For example, you can import the corresponding connection information in SAP Build Apps, and obtain each OData Service of the background system at one time.

You can see that the right side of the architecture is the local on-premise system behind the firewall. It is necessary to establish a connection with BTP through the SAP Cloud Connector (described below), and then various services on the BTP can use the virtual address exposed by the connection for data processing and intercommunication. You can see the picture below I have connected BTP to two ABAP systems.

During the development process, if it is an external address, there is often a problem of cross-domain access restriction. At this time, it is necessary to establish a proxy through the Destination on the BTP, and write the user name and password information of the external address before it can be used in the application developed on the BTP. For seamless access, this also ensures that confidential information is stored in the Destination rather than in the code. The following figure is a destination connected to the S4 system, which can be directly consumed in various services of BTP, and can be called arbitrarily in Java or Javascript codes, which is very convenient.

I mentioned the destination serves not only as the proxy to external public API or on-premise backend system like SAP S/4 HANA via SAP Cloud Connector, but also it can bind different services together. Let me raise one typical example here.

SAP BTP Document Management Service (DMS) & SAP BTP Process Automation (SPA)

Within SAP BTP Process Automation it is possible to create a request form where you can upload files. You can simply drag the “file” widget from the left panel and drop it to your form as the following screenshot shows.

However, you won’t see this widget unless you already subscribed to SAP BTP DMS. All you need to do is to create a destination with the designated name “sap_process_automation_document_store” as the following screeshot shows.

You can see the connection between different BTP services and destination is the key. And I can feel the effort between different BTP service development teams. This is ONE SAP. You will find more and more connections between, as you use more services.

3. Customer Subaccount, and Space

A customer subaccount is a hierarchical concept with a relatively larger granularity. It has independent user role allocation, independent computing resources, independent service allocation, independent connectivity and destination, etc. It can be said that most of the services exist in a certain customer subaccount. For example, if you bought two tenants of the SAP integration suite, they can only be allocated to two sub-accounts separately.

As mentioned earlier, through the discovery center, you can see that the services on the BTP are roughly divided into several categories, application development and automation, data and analysis, integration, and AI services. Its core idea is to move towards the direction of low-code and no-code. I have taken out several very representative and widely used services in the architecture diagram above. For example, the SAP integration suite is a tool for manipulating APIs in a code-free manner. SAP’s process automation also uses a code-free method for robot development and approval flow management. SAP’s Build Apps is a very popular code-free application development at the moment. To develop cross-platform end-to-end applications, SAP’s Build WorkZone can develop enterprise portals in a code-free way, and SAP Analytics Cloud can also develop and analyze BI reports in a low-code way. Of course, traditional professional code development tools are still active, such as Business Application Studio and Cloud Foundry runtime environment. Since BTP is based on an open source platform, various programs such as Java, Javascript, and Python are deployed and run on it. SAP also has its own developed Back-end development frameworks such as SAP CAP which can easily combine SAP’s technology stack and the external open source world.

In addition, there are many scattered services. For example, Feature Toggle can manage application switches, Document Management Service can manage documents, Event Mesh is an event queue service, and Task Center integrates various approval and notification services. With the service, Mobile Service can develop IOS or Android and so on. . .

Then what is Space?

Please see this diagram.

You can see that Space is under Subaccount in Cloud Foundry environment. To make things simple, you can regard Space is a fine granular group where specific members can deploy BTP applications and run BTP services. For example, I was ever responsible for the searching functionality in SAP One Support Launchpad, then I was one of the members for Space “Search” NOT in other spaces like, Incidents creating or SAP Knowlege Base, or System Data, etc. We 8 team members would collaborate and deploy custom applications in Space level. But for BTP standard SAAS like SAP Integration Suite, or SAP Process Automation, Space has nearly no meaning.

4. SAP Cloud Connector

Please notice SAP Cloud Connector (SCC) doesn’t belong to SAP BTP, but it is used for SAP BTP. To put it simply, it is a reverse proxy installed on your local machine, where your S/4 HANA system lies for a private deployment. Because BTP and its services are public network concepts, resource exposure can be conveniently, safely and quickly through the cloud connector, so that you do not need to separately configure each services on BTP. If the whitelist is processed or the port is exposed, if there is a problem, you can also view the log records through the cloud connector (of course, the actual use is very stable, and there are few problems). So please remember that one end of the SAP cloud connector must be BTP, and the other end can be the ERP system, or your locally developed Java server, etc.

SAP Cloud Connector is highly used with on-premise scenarios and very stable after configured once, which means usuall you don’t need to manipuate the configuration from time to time. It will be delivered together wtih SAP S/4 HANA Cloud Private landscape, with admin user and passwords, so that you don’t need to install it manually.

What is the relationship between SAP Cloud Connector and SAP Destination? If you see SAP BTP Cockpit you can see they all belong to the same “Connection” menu. Let’s say you map your SAP S/4 backend to something (as you wish) like “sapxxxx.virtual:8080”, then the destination for API endpoints underhood should be “http://sapxxx.virtual:8080/sap/opu/sap/odata/api_sales_order_srv”. So don’t get confused, Only after connection to SAP S/4 via SCC is established then you can use that in SAP BTP Destination.

5. BTP Runtime (very importan concept)

When it comes to development, some readers may already be familiar with the concept of Cloud Foundry. In fact, it is an open source cloud platform framework. Not just related to application development and deployment, nany services on BTP are based on this environment, so you must create a Cloud Foundry environment and space, before creating services like SAP Integration Suite.The reason is each application and service needs some runtime environment as the container and Cloud Foundry serves this purpose. To have a Cloud Foundry environment, you need to create a Space, which is a more fine-grained hierarchical level under subaccount, where you can assign corresponding members and deploy corresponding applications.

For example, the development team I ever stayed in has a separate space and the space is only for us with 8 team members, who are responsible for searching functionality. The Space is usually used for isolation management from other development groups, if you are from a very big team.

In addition, for the convenience of development, SAP has newly added the ABAP environment and the Kyma environment. The former, as the name suggests, provides an ABAP development environment, while the latter is for some high-end players who are not satisfied with the scaling function of BTP itself and need to involve cloud development tools such as K8S.

Although Low Code No Code development is quite hot topic recent years, for complex, long term support applications, especially those who need resilience, CI/CD, etc, still professional development is necessary. And BTP runtime here provides a powerful platform together with web IDE called “Business Application Studio”. This is something like Microsoft Visual Studio code, but have better integration to SAP’s solution like S/4 HANA and SAP HANA Cloud database, via connectivity and  destinations mentioned above.

Summary

I don’t plan to list all details here as SAP BTP contains too many services, and each service may contain thousands of details… But this is the starting point, for you to begin the PAAS journey in a holistic way.

♣Although I put “Beginner Level” within the title but if you don’t make hands dirty still it will be quite confusing. How about starting with a short development tutorial https://developers.sap.com/tutorials/btp-cf-buildpacks-java-create.html and I belive you will get more feelings to BTP runtime and security topic on SAP BTP!