When you implement SAP Business One, Web client and related web services, such as the Service Layer, it is critical to establish a secure connection, especially when the Web client and web services are exposed to the Internet. If you deploy these applications in an insecure way, such as using self-signed certificates or exposing servers directly to the public network, the system is more vulnerable to attacks and data breaches.

When the Service Layer is exposed to the Internet, we recommend securing SAP Business One, Web client and its web services by using NGINX as a reverse proxy. This method is suitable for both on-premise and cloud deployments. The reverse proxy, located in the DMZ, receives requests from the SAP BTP destination on the Internet and forwards them to the SAP Business One services, including the Service Layer, within the private network. To carry out this approach, refer to the tailored NGINX configuration files on the SAP Help Portal.

To adapt these configurations to the customer’s environment, you must update:
- The internal address and port for the services.
- The external public domain name.
- The service ports.
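
As an added illustration (not one of SAP's configuration files from the SAP Help Portal), the following NGINX server block shows where each of the three values above goes when only the Service Layer is published. The hostnames, ports, certificate paths and the `/b1s/` path prefix are assumptions and placeholders to be replaced with the customer's own values.

```nginx
# Added illustration, not SAP's configuration file. All hostnames, ports and
# file paths below are placeholders to replace with the customer's values.

# Redirect plain HTTP to HTTPS so that no request is served unencrypted.
server {
    listen 80;
    server_name b1.example.com;                 # external public domain name
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                             # external service port
    server_name b1.example.com;                 # external public domain name

    # Certificate issued by a trusted CA for the public name, not self-signed.
    ssl_certificate     /etc/nginx/tls/b1.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/b1.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forward only the Service Layer path (assumed here to be /b1s/).
    location /b1s/ {
        # Internal address and port of the Service Layer (placeholder).
        proxy_pass https://sl.internal.example:50000;

        # Validate the internal server's certificate against the internal CA,
        # so the hop from the DMZ to the private network is authenticated too.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name         on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Anything that is not explicitly published is refused at the proxy.
    location / {
        return 404;
    }
}
```

After editing, `nginx -t` checks the syntax before the configuration is reloaded.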

The Web client and its web services may be running in an isolated network, for example, within a corporate network. If so, the SAP Business One Service Layer API can be exposed securely to the SAP Business Technology Platform (BTP) by using the SAP Cloud Connector.

The SAP Cloud Connector:
- Serves as a link between SAP BTP applications and on-premise systems.
- Combines an easy setup with a clear configuration of the systems that are exposed to the SAP BTP.
- Allows you to use existing on-premise assets without exposing the entire internal landscape.
- Runs as an on-premise agent in a secured network, and acts as a reverse invoke proxy between the on-premise network and SAP BTP.
- Provides fine-grained control over:
  - On-premise systems and resources that you can access through cloud applications.
  - Cloud applications using the Cloud Connector.
- Enables you to use the features that are required for business-critical enterprise scenarios.
- Recovers broken connections automatically.
- Provides audit logging of inbound traffic and configuration changes.
- Can be run in a high-availability setup.
Note
To learn how to install and configure the SAP Cloud Connector for SAP Business One Service Layer in an isolated network, refer to this blog.