AWS for SAP

How to connect SAP BTP Services with AWS Services using SAP Private Link Service

Customers like Zalando Payments GmbH (ZPS), Georgia Pacific and HP are using SAP Business Technology Platform (BTP) and AWS services to extend SAP applications such as S/4HANA and to develop new functionality and applications. There are 83 BTP services globally available on AWS, more than on any other cloud provider. AWS has significantly more services and more features within those services, than any other cloud provider – from infrastructure technologies like compute, storage and databases to emerging technologies, such as machine learning and artificial intelligence, data lakes and analytics, and Internet of Things. Customers can choose out of this service portfolio to extend and innovate on their ERP system, while keeping core functionality in the SAP S/4HANA system.
Today, SAP launched SAP Private Link service on AWS in beta, a new service based on AWS PrivateLink to establish private connectivity between selected SAP BTP services and native AWS services. The new service is a result of the strategic partnership between SAP and AWS and another great example how customers can add value to their SAP ERP journey to the cloud. Multiple other software vendors like Salesforce Heroku have implemented similar patterns to secure communication between applications and AWS services with AWS PrivateLink. It’s great to see that SAP extends the integration capabilities between SAP BTP and AWS services.

In this blog, we will look at how to take advantage of this service to securely connect SAP BTP with AWS services.

If you previously wanted to link SAP BTP applications with native AWS services, you needed to connect to the public APIs and use public IP addresses to expose SAP services to public networks through an internet gateway. With SAP Private Link service, you can now establish a secure and private communication between SAP BTP and AWS services and benefit from the reliable and secure AWS network. By using just private IP address ranges (RFC 1918), you reduce the attack surface of the application. For customers in regulated industries, such as financial services, healthcare and government agencies, with regulations such as HIPAA, EU/US Privacy Shield, and PCI DSS, this can be necessary for compliance.
The SAP beta release of SAP Private Link service is open for everyone and available in SAP BTP Cloud Foundry regions cf-eu10 (AWS: eu-central-1) and cf-us10 (AWS: us-east-1). During beta, you can test in non-productive BTP subaccounts the functionality of your own use-cases. Currently the SAP Private Link service only supports the SAP BTP Cloud Foundry runtime. SAP is evaluating the integration in other services such as SAP Integration Suite, SAP Analytics Cloud, SAP Data Warehouse Cloud, SAP HANA Cloud, SAP Cloud Connector, and Kyma runtime.
Before we look into the capabilities of the new SAP service, let me explain AWS PrivateLink first, which is the foundation of SAP’s service.

What’s AWS PrivateLink

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing the traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture. It enables you to connect to AWS services, including services hosted by other AWS accounts (referred to as endpoint services), and to AWS Marketplace partner services, via interface endpoints, that are elastic network interfaces with private IP addresses in your VPC. The interface endpoints are created directly inside of your VPC, using elastic network interfaces and IP addresses in your VPC’s subnets. You can associate security groups and attach an endpoint policy to interface endpoints of AWS services, to control access to a specified service.

Figure 1 shows a VPC on the left which has several EC2 instances in a private subnet and three interface VPC endpoints. The top-most VPC endpoint connects to an AWS service. The middle VPC endpoint connects to a service hosted by another AWS account (a VPC endpoint service). The bottom VPC endpoint connects to an AWS Marketplace partner service:

Overview Architecture of AWS PrivateLink

Figure 1: Overview Architecture of AWS PrivateLink

With AWS PrivateLink, you can access AWS services or other services, provided by another VPC, securely through private connectivity within the AWS network. All network traffic stays on the global AWS backbone and is not traversing the public internet.

What’s SAP Private Link Service

SAP is using AWS PrivateLink as a foundation of their own service, which allows you to setup a private connectivity between the SAP BTP services and your own AWS accounts. This enables customers with strong security requirements to establish connectivity between both systems without using public IP addresses, and to reduce the attack surface.
The SAP Private Link service establishes a private connection between selected SAP BTP services and AWS services in your own AWS account. With the beta release of SAP Private Link the following AWS services are supported:

At AWS we are constantly refining how we deliver our services based on feedback we get from our customers. Similarly, with SAP Private Link service for AWS, we would also like to hear from you on what you’d most like to see available in with this service.

Beside the supported native AWS services, SAP Private Link allows custom setups via a load balancer to a custom Amazon EC2 instance, running SAP S/4HANA for example. With this, you can connect BTP services with any application running on Amazon EC2.
There are two directions and use-cases, how the communication is initiated.
a) SAP BTP to AWS: Applications developed on SAP BTP Cloud Foundry Runtime can consume AWS native services via the SAP Private Link service.
b) AWS to SAP BTP: Applications like SAP S/4HANA running on AWS can connect to SAP BTP services via SAP Private Link service.
At launch of the beta service option a) BTP to AWS is supported by SAP Private Link service.

SAP BTP to AWS:

Applications developed and running on SAP BTP Cloud Foundry Runtime, can leverage native AWS services to enrich functionality and consume services directly on AWS. For example, you can store data of your BTP application on Amazon S3 or send Emails via Amazon SES. The communication is initiated from the BTP side and the entire communication stays private. Traffic destined for the AWS service is resolved to the private IP addresses of the endpoint network interfaces using DNS, and then sent to the AWS service using the connection between the VPC endpoint and the AWS service.

SAP Private Link service communication to AWS servicesFigure 2: SAP Private Link service communication to AWS services

Beside the supported AWS services, you can also consume your own services with SAP Private Link service. You can create an Endpoint Service for your S/4HANA system, running on EC2 instances. This allows a private communication between BTP applications and your SAP system. It’s now easy for developers of Cloud Foundry applications to consume for example OData services of the S/4HANA system, while the S/4HANA system is not exposed to the internet. Special security approvals and exceptions are no longer needed.

SAP Private Link service communication to custom applications on EC2

Figure 3: SAP Private Link service communication to custom applications on EC2

For both scenarios, SAP takes care of the AWS components within the BTP environment. You just need to create the services and resources in your own AWS account. For more information how to setup the services, see SAP documentation: Using SAP Private Link service.

Cross region communication

For AWS endpoint services across AWS regions, you can create a VPC in the same AWS region as your BTP Cloud Foundry Runtime and connect these VPCs via VPC Peering or AWS Transit Gateway. This setup is helpful if you want to run your S/4HANA System in eu-south-1 and your BTP environment is running in eu-central-1, for example. You can find the BTP region code mapping to AWS regions in the regions and API endpoint documentation of SAP BTP.

SAP Private Link service communication across AWS regionsFigure 4: SAP Private Link service communication across AWS regions

AWS to BTP

The communication, initiated from AWS to BTP, is on SAP’s roadmap and planned for future releases. A typical use case for example is to connect an S/4HANA system, running on AWS with BTP services like SAP Forms service by Adobe or SAP Integration Suite. Customers benefit from the largest selection of SAP BTP services available on AWS and take advantage of the stable and private connectivity option via SAP Private Link.

Summary

Today SAP launched SAP Private Link service on AWS in beta which simplifies the process of securely integrating communications between SAP Cloud Foundry based applications and AWS services. In addition, you can create your own services (Endpoint Services) through SAP Private Link, to connect to an S/4HANA System, for example. SAP Private Link service is running on top of AWS PrivateLink and benefits from its security and scalability. There is no need to expose SAP systems to the internet or use the public APIs to communicate with the AWS services. Especially for the described SAP S/4HANA use case it adds an additional level of security, because the SAP system no longer requires a public IP address. Try the new service in your SAP BTP test account and let us know your feedback.

Join the SAP on AWS Discussion

In addition to your customer account team and AWS Support channels, we have recently launched re:Post – A Reimagined Q&A Experience for the AWS Community. Our SAP on AWS Solution Architecture team regularly monitor the SAP on AWS topic for discussion and questions that could be answered to assist our customers and partners. If your question is not support-related, consider joining the discussion over at re:Post and adding to the community knowledge base.