Exploring the Network Landscape in Detail

Objective

After completing this lesson, you will be able to describe the Network Landscape and how SAP BTP Connectivity and the Cloud Connector work.

Network Landscape in Detail

In an earlier lesson, we had a brief, high-level overview of the system landscape. In this lesson, we'll take a closer look at it, including the network components between the systems: forward proxies (referred to simply as proxies from here on), reverse proxies, and SAP BTP Connectivity with the SAP Cloud Connector.

There are three main use cases:

  • On-Premise to Cloud
  • Cloud to On-Premise using SAP Cloud Connector
  • Cloud to On-Premise using a reverse proxy

Note

Please note that the network landscapes shown here are intended for demonstration purposes. The components and segments in a real network landscape may vary; for instance, it may include a DMZ (demilitarized zone), which is not shown here.

On-Premise to Cloud

This direction is used when sending data from the on-premise system, meaning from the customer's network to the cloud, for instance, during the initial data load.

On-Premise to Cloud communication: The customer's network with SAP S/4HANA and a forwarding proxy; the Internet; and the SAP Cloud Network with a Load Balancer and Proxy, SAP BTP where Cloud Integration is located and SAP Sales and Service Cloud as the final receiver system.
  1. SAP S/4HANA sends data to SAP Cloud Integration, located inside SAP BTP and behind a Load Balancer. Depending on the customer's network, a forwarding proxy may be involved. From the On-Premise perspective, SAP BTP is part of the Internet.
  2. SAP Cloud Integration receives, processes, and forwards messages to SAP Sales and Service Cloud. To transfer messages in this direction, SAP Cloud Connector is not necessary.

Cloud to On-Premise Using SAP Cloud Connector

This direction is used when data is sent from the cloud, meaning from SAP Sales and Service Cloud to the on-premise system, for instance, during the sales document follow-up scenario or in bi-directional integration scenarios, when data in the cloud system has been changed and an update is sent to SAP S/4HANA.

Cloud to On-Premise communication using the SAP Cloud Connector: The SAP Cloud Network with SAP Sales and Service Cloud, a Load Balancer, and SAP BTP where Cloud Integration and the connectivity services are located; the Internet, and the customer's network with SAP Cloud Connector and SAP S/4HANA.
  1. SAP Sales and Service Cloud sends data to SAP Cloud Integration, located inside SAP BTP and behind a Load Balancer. This is all still outside of the customer's network.
  2. SAP Cloud Integration is connected through a virtual tunnel to the Cloud Connector, which is located inside the customer's network. The tunnel is established from within the customer's network and allows communication towards the On-Premise network without opening network ports or adjusting inbound firewall rules. Cloud Connector forwards messages to SAP S/4HANA.

Cloud to On-Premise Using a Reverse Proxy

Instead of SAP Cloud Connector, a reverse proxy, such as SAP Web Dispatcher, could be used inside the customer's network. The purpose of a reverse proxy is to direct incoming messages towards On-Premise systems. However, this approach has certain disadvantages, such as opening network ports, adapting inbound firewall rules, maintenance of the reverse proxy, and possibly more.

The following graphic shows the network landscape with a reverse proxy in use, instead of SAP Cloud Connector:

Cloud to On-Premise communication using a reverse proxy: The SAP Cloud Network with SAP Sales and Service Cloud, a Load Balancer, and SAP BTP where Cloud Integration and the connectivity services are located; the Internet, and the customer's network with firewalls and a reverse proxy, and SAP S/4HANA.

SAP BTP Connectivity

SAP Business Technology Platform (BTP) Connectivity is a service provided by SAP that enables secure and reliable communication between on-premise systems and cloud-based applications.

One of the key components of SAP BTP Connectivity is the Cloud Connector, a Java-based software component running in the on-premise network that allows secure communication from cloud applications to on-premise systems without the need to change inbound firewall rules.

The following graphic visualizes the system landscape for a cloud solution communicating towards the on-premise landscape by leveraging the SAP BTP Connectivity service and Cloud Connector:

Representation of a system landscape for cloud to on-premise communication using SAP BTP Connectivity service and Cloud Connector.

The following graphic lists the principles of the SAP BTP Connectivity service:

SAP BTP Connectivity principles. The most important two for this course: No changes in inbound firewall settings, and fine-grained access control of resources.

Cloud Connector

The Cloud Connector is on-premise software based on Java. It establishes a secure tunnel to the connectivity service on SAP BTP that can be used by cloud applications to send data securely to on-premise systems.

The basic setup of the Cloud Connector is very easy. To give you a better impression, the necessary steps are as follows:

  1. Install Cloud Connector on an on-premise machine that is capable of running Java apps.
  2. Establish a connection to an SAP BTP subaccount.
  3. Configure systems and resources that shall be reachable from SAP BTP.

Reachable systems and resources are referred to as Virtual To Internal System Mappings on the configuration UI.

The configuration of these allows you to do the following:

  • Make systems available under a virtual name, instead of their real host name.
  • Choose which services are reachable (for example, HTTP, HTTPS).
  • Control which resources are reachable.

    (For instance, in the case of HTTP(S), all URL paths starting at the root / can be made available, or only specific ones, for example, /sap/bc/srt/idoc.)
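
A simplified model of how such a mapping limits what the cloud side can reach, added here as an illustration; it is not SAP's code. The host names, ports, and the `include_subpaths` flag are assumptions of this model.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class Resource:
    path: str                # exposed URL path, e.g. /sap/bc/srt/idoc
    include_subpaths: bool   # False: only the exact path is reachable

@dataclass(frozen=True)
class SystemMapping:
    protocol: str            # "http" or "https"
    virtual_host: str        # name used by the cloud side
    virtual_port: int
    internal_host: str       # real host name, not exposed to the cloud side
    internal_port: int
    resources: tuple

DEFAULT_PORTS = {"http": 80, "https": 443}

def resolve(mappings, url):
    """Return the internal URL for an allowed request, or None (deny by default)."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    # Decode and normalize first so "/a/../b" or "%2e%2e" cannot slip past the path check.
    path = posixpath.normpath(unquote(parts.path) or "/")
    for m in mappings:
        if (parts.scheme, parts.hostname, port) != (m.protocol, m.virtual_host, m.virtual_port):
            continue
        for r in m.resources:
            base = r.path.rstrip("/") or "/"
            # Match whole path segments: /sap/bc/srt/idoc must not cover /sap/bc/srt/idocs.
            below = r.include_subpaths and (base == "/" or path.startswith(base + "/"))
            if path == base or below:
                return f"{m.protocol}://{m.internal_host}:{m.internal_port}{path}"
    return None

# Constructed sample mapping; host names and ports are placeholders.
MAPPINGS = [SystemMapping("https", "s4h-virtual", 443, "s4h.corp.internal", 44300,
                          (Resource("/sap/bc/srt/idoc", True),))]
```

Exposing only the specific paths an integration needs, rather than the root /, keeps every other service on the backend unreachable through the tunnel.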

The following screenshot shows the web administrator user interface of the Cloud Connector with a sample system mapping for HTTPS in which the virtual host name has been left the same as the internal system host name.

Web administrator user interface of the Cloud Connector with a sample system mapping.

Configure an Integration Flow to Use the Cloud Connector Tunnel

There are several use cases for the SAP BTP Connectivity service. When looking at SAP Cloud Integration, integration flows can leverage the secure tunnel by choosing the On-Premise proxy type in their configuration. This is explained in more detail in a later unit. However, to give you an overview, the following screenshot shows the configuration of an integration flow that uses the system mapping of the previous screenshot.

Configuration dialog of an integration flow where the proxy type On-Premise has been chosen to leverage the Cloud Connector tunnel and the hostname configured according to the mapping entry of SAP Cloud Connector.

The Location ID field also belongs to the Cloud Connector configuration. However, maintaining it is only relevant if you have multiple Cloud Connector instances connected to the same SAP BTP subaccount. In this case, all Cloud Connector instances must have a Location ID assigned during their setup and the Location ID of the desired Cloud Connector must be maintained in the integration flow configuration. As long as only a single Cloud Connector is connected to the SAP BTP subaccount, the Location ID field inside the integration flow configuration can be left empty.
