Creating Tunnel Live Data Connections to On-Premise Data Sources

So, what do you do when a user's browser is not on the corporate network? You can either use a tunnel connection or a reverse proxy.

Both of these solutions will work if your organization wants to expose some of your data to users outside of your corporate network, without giving users VPN rights. For example, your company wants to expand a segment of their business, so they hire a consulting team to do market research for them. Your company wants to provide the consultants access to their data but wants to safeguard this data inside their own firewall. They don't want to give the consultants VPN access to their network, so they create a tunnel connection, allowing them to access the data, without compromising your network.

In this lesson, we will explore tunnel live connections.

When using tunnel connections, the data flows from the on-premise data source to the SAP Analytics Cloud system via the SAP BTP cloud connector, but is not stored in SAP Analytics Cloud. Let's take a closer look at using tunnel connections, when creating direct live data connections to on-premise data sources.

A few additional things to keep in mind regarding tunnel connections to on-premise data sources:

• There is no need to configure CORS in the on-premise system. Instead, tunnel connections require that the on-premise data source is configured as an accessible resource in the SAP BTP cloud connector setup.
• SSO can be used with tunnel connections. SAML trust is established between SAP Analytics Cloud and the on-premise data source for connections created with SSO.
  • For SAP HANA, app to app SAML SSO is used.
  • For SAP BW/4HANA and SAP S/4HANA, trust is established through the exchange of certificates between the ABAP system and the SAP BTP cloud connector.
• For SSO, it's not necessary to configure SAP Analytics Cloud to use a custom SAML IdP.
• They are slower than direct live connections because the data has to flow to SAP Analytics Cloud.
• It is not possible to use an SAP Universe when creating a tunnel connection.

Let's take a closer look the standard process for creating tunnel live data connections to on-premise data sources. Creating tunnel live data connections to on-premise data sources can be broken down into three key steps:

1. Configure the on-premise systems to use the SAP BTP cloud connector.
2. Establish trust relationship between the on-premise system and SAP Analytics Cloud.
   Note

   Only required when using SAML SSO as the authentication method.
3. Create the live data connection in SAP Analytics Cloud.

The SAP BTP cloud connector must be installed and configured, as covered earlier in the course.

Since the tunnel connection requires data to be transferred to SAP Analytics Cloud, the feature must explicitly be enabled. The Allow live data to leave my network switch controls whether advanced features are available when you're creating or editing a live data connection. To enable these features:

1. From the side navigation menu, access System → Administration.
2. Select the Data Source Configuration tab.
3. Scroll down to Live Data Sources and toggle Allow live data to securely leave my network on to enable tunnel connections.

Below, you will find a summary of the process steps that are covered in the video at the start of the lesson.

While the key steps to creating tunnel live data connections listed above are the same for all systems, there are system-specific prerequisites and configuration steps at the on-premise system-level. As such, we will use SAP HANA and SAP BW/4HANA as examples in this lesson, but at the end you will find links to the detailed steps to the on-premise system configuration required in order to create tunnel live connections in SAP Analytics Cloud.

This step is completed by the SAP system administrator. Tunnel connections require data to be transferred to SAP Analytics Cloud, so the feature must explicitly be enabled by the administrator. They make the source system an accessible resource by adding it to the access control list in the SAP BTP cloud connector.

For SSO setup, they perform different tasks in the SAP BTP cloud connector, depending on the system:

• For SAP HANA, they disable the Determining Trust Through Allowlist option.
• For ABAP systems, such as SAP BW/4HANA and SAP S/4HANA, a trust connection is established by using principal propagation of this system certificate. They download the system certificate and activate principal propagation.

Once the SAP BTP cloud connector is configured, they provide you with the Location ID, Virtual Host, and Virtual Port as you will need them when creating the connection in SAP Analytics Cloud.

The virtual host and port used to reference the on-premise system in the SAP BTP cloud connector are used in the Host and HTTPS Port fields when creating the tunnel connection. They don't have to match the actual on-premise system host or port.

This step is completed by the on-premise data source administrator. It allows SSO to be established.

• For SAP HANA, app to app SAML SSO is used for authentication. See: Set Up Trust Between SAP Analytics Cloud and Your On-Premise SAP HANA Systems Using a Tunnel Connection | SAP Help Portal
• For ABAP systems such as SAP BW/4HANA and SAP S/4HANA, trust is established through the exchange of system certificates between the on-premise data source and the SAP BTP cloud connector. See Set Up Trust Between the Cloud Connector and Your On-Premise ABAP Systems (SAP BW, SAP BPC, or SAP S/4HANA) | SAP Help Portal

See the unit on Enabling a Custom SAML Identity Provider in the Managing Security and Administration in SAP Analytics Cloud learning journey for detailed steps to setting up and configuring SSO.

The SAP HANA administrator provides you with the SAML Provider Name as you will need it when creating the connection in SAP Analytics Cloud.

The ABAP system administrator provides you with the Client as you will need it when creating the connection in SAP Analytics Cloud.

This step is completed by you, the SAP Analytics Cloud administrator. A new connection is created in SAP Analytics Cloud.

Data modelers can then use data from this live connection by creating new live models in SAP Analytics Cloud.

We will cover the steps in detail in the practice exercise for this lesson, however, using SAP BW/4HANA as an on-premise data source example, let's take a look at the summary of the process flow.

1. In the side navigation menu, go to Connections.
2. Select Add Connection and select SAP BW from the Connect to Live Data options.
3. In the New SAP BW Connection dialog, enter a Connection Name and Description.
4. Enter the following information, as provided by the SAP BW/4HANA administrator:
   • Enter the Location ID for the SAP BTP cloud connector.
   • Enter the Host.
   • Enter the HTTPS Port.
   • Enter the Client.
     Note

     This field is not required for SAP HANA tunnel connections.
5. Select the Authentication Method.
   Note

   For SAP HANA connections, you will download the metadata file and add the SAML Provider Name.
6. Select OK. The new connection is added to the list of connections in the Connections area in SAP Analytics Cloud.

The following image shows the New BW Live Connection dialog completed for a tunnel live data connection to SAP BW/4HANA.

The following image shows the New HANA Live Connection dialog completed for a tunnel live data connection to SAP HANA.

You can find detailed setup instructions for various on-premise data sources on the SAP Help Portal:

• SAP HANA: Live Data Connection to SAP HANA On-Premise Using a Tunnel Connection
• SAP BW and SAP BW/4HANA: Live Data Connection to SAP BW Using a Tunnel Connection
• SAP S/4HANA: Live Data Connection to SAP S/4HANA On-Premise Using a Tunnel Connection

Remember, the connection is not tested until you create a model. To test your live data connection, you can create an SAP Analytics Cloud model using the newly created connection. In this lesson, we'll use SAP BW/4HANA as an example.

The process is the same for all live models, so, if you have previously covered testing the connection and are familiar with creating live models, then continue to the next section.

1. From the Modeler start page, select Live Data Model from the two Create New options.
2. Select system type SAP BW.

   If you're creating a model from an SAP S/4HANA live data connection, you also select the SAP BW system type.

3. Select your newly created connection.
4. Select the Input Help icon to search for a data source or choose one from a list.
5. The model must be created based on a query or view that contains a measure. Drag data from the Available Data list to the Selected Data and Filters areas to build a query.
6. Select OK.

   If the data appears in the data integration view, then you successfully created the connection.

You can find detailed information on creating a model from a live connection here: Create a Model from a Live Data Connection | SAP Help Portal.