Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"SAP Private Link and Azure Private Link" in the Context of SAP Enterprise Cloud Services

SantoshPaulBenedict
Associate
Associate
‎2024 Jun 03 1:46 PM
1,407

"SAP Private Link and Azure Private Link" in the Context of SAP Enterprise Cloud Services

"The content of this blog is provided for informational purposes only and does not constitute a binding service delivery offering at SAP Enterprise Cloud Services. All information is subject to change without notice, and readers should not rely solely on the information presented here for making decisions. For specific service offerings and commitments from SAP Enterprise Cloud Services, please contact SAP Enterprise Cloud Services directly."

 

Introduction

SAP Private Link service on BTP has been available for quite some time, here in this Blog, I aim to introduce and provide an overview of the setup of the SAP Private Link service when the backend SAP Application system (ABAP) is located within the SAP Enterprise Cloud Services (SAP RISE) Landscape. 

SAP Private Link service sets up a private HTTPS connectivity between SAP BTP and Azure to enable some SAP BTP extensions or applications to consume certain Azure native Services via a "Private Azure Backbone Network connectivity”, yes you read that right - Private!  , here the data transfer between SAP BTP and Azure is through Private Network Connections.

 

What is Different When you use SAP Private Link Service in an SAP Enterprise Cloud Services hosted landscape @Azure

Generally, SAP Private Link service lets you consume selected Azure native services of your Azure subscription in SAP BTP in a "uni-directional" manner.

Now specifically at SAP Enterprise Cloud Services, when you have SAP Application systems hosted on Azure as your underlying hyperscaler platform ; the only use-case of SAP Private link service that is applicable is 'Azure Private Link Service (generic LB scenario for VMs and others)' - This means in the context of SAP Enterprise Cloud Services , A S/4HANA application or another compatible SAP solution will be the only service  BTP extensions/Apps/services can connect to in the ECS@Azure Hyperscaler platform. This connectivity is enabled by the provisioning of the Azure private link service, allowing you to access ECS managed SAP application resources ( again..without using the public Internet ! ) .

The scenario setup for Enterprise Cloud Services can be visualized like the below:

Private_Member_179585_0-1717403998499.png

 

Security Concept at Enterprise Cloud Services

The Azure Private Link service-based connectivity has been approved by the ECS Security Office following the standard ECS Security Concept Approval process.

Technical Setup at Enterprise Cloud Services

As usual the setup at ECS comprises of a bunch of steps which I try to breakdown into sections below

    • How to request this Service
    • Pre-requisites
    • Infrastructure Components at Enterprise Cloud Services
    • Pricing at ECS
    • Steps at Enterprise Cloud Services to implement this connectivity service
    • Out of scope activities in the context of ECS

Pre-requisites

  1. The connectivity Source will be: Extensions/ Services in SAP  
  2. The connectivity Target will be: SAP Applications hosted within ECS Account in the Azure Hyperscaler platform.
  3. Customer already has all required BTP entitlements. (how to set entitlements > Link)
  4. Customer knows the SAP BTP CF's subscription IDs for the landscape where your Private Link service should be consumed from. (To know how to search for Customers' BTP related Azure Subscription ID see -Best Practices for Secure Endpoint Approval on Azure . A current list of subscription IDs can be found in <https://me.sap.com/systemsprovisioning/connectivity>) .

The above pre-requisites are pictured below, each bullet point above is depicted here in the following picture ;

Private_Member_179585_1-1717403998508.png

 

How to request this Service at ECS

Please get in touch with your Customer Facing contacts at Enterprise Cloud Services and ask for this by providing your requirement. The Enterprise Cloud Services Engineering team be contacted internally for further assessment of the requirement and if the requirement fits the SAP Private Link use-case at ECS this will subsequently result in the next steps of the required technical setup.

Infrastructure Components at Enterprise Cloud Services

    • Azure Private Link Service
    • Azure Load Balancer
    • S/4HANA or a SAP Private Link service compatible SAP Application hosted in the ECS@Azure platform

Pricing at Enterprise Cloud Services

Please get in touch with your Customer Facing contacts at Enterprise Cloud Services to discuss pricing involved for the connectivity-related components.

Steps at Enterprise Cloud Services to implement this connectivity service.

    • Based on the information received from the customer about the SAP BTP CF's subscription IDs, the below steps will be followed:
      • Enterprise Cloud technical team to Create Azure private link service and share the "ResourceID" with the customer which is needed while setting up the SAP Private Link service at BTP.
      • Customer reached the step of "connection request sent to Azure" on the SAP BTP platform and SAP Enterprise Cloud Services.
      • Enterprise Cloud Services technical teams execute the needed Connection Approval on the Azure Portal (must be done within 24 hours) and complete the connectivity setup at Enterprise Cloud Services.
      • The customer will continue with the needed application setup on SAP BTP.

 

Private_Member_179585_2-1717403998513.png

 

Out of scope activities in the context of Enterprise Cloud Services setup

    • All BTP related Tasks + Cloud Foundry Related tasks; All configurations in BTP (sub account level) and relevant Apps beyond this will be in customer scope (or customer System Integrator scope).
    • Application binding and private end point creation.
    • Creating of required Destinations to the ECS@Azure hosted S4HANA system in the related Sub-account.

 

Conclusion

The SAP Private Link Service is not a replacement of the SAP Cloud Connector which still has pre-dominantly large use-cases ( Martin’s ‘cloud connector vs. Private Link’ Blog post here is a good read to understand the differences– however SAP Private Link serves as a great 'Private' connectivity option for certain use-cases enabling access to private service endpoints and avoids public endpoints, thereby resulting in transfer of data over private networks. Finally, the SAP Private Link Service here offers a connectivity option to SAP BTP without involving any VM cost (..$$$..) .

 

References:

 

 

Co-Authored with

  • Martin Pankraz (Azure SME- Microsoft)

 

Acknowledgement to Contributions 

SAP ECS Technology & Architecture team
  • Jyothi Prakash Lakshmi (SAP ECS Network SME and Solution owner ECS-Azure Private Link service)
SAP BTP product owner SAP Private Link Service
  • Ivelin Petkov
  • Elina Zheleva
Labels in this area
Popular Blog Posts