cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How can I securely connect a web application hosted on e.g. Azure to an S/4HANA on-premise system?

Go to solution
turkaj
Active Participant

on ‎2023 Jul 13 2:34 PM

1,410

I have developed a web app using ReactJS that is hosted on Azure and I want to retrieve data from an S/4HANA On-Premise system. I am looking for a secure and reliable way to establish this connection. The data that I want to retrieve includes orders, customer information, and inventory levels ... The data transfer needs to happen in near real-time.

I have identified the following possibilities for establishing this connection:

  1. Direct access to the SAP system via OData/SAP Gateway. This would require opening the Gateway web service to the outside, which is very unfavorable for security reasons. The connection would look like this:

    S/4HANA <-> Proxy <-> Web App

  2. Communication via SAP BTP: This option would involve using the Cloud Connector to connect the S/4HANA system to the SAP BTP, and then accessing the data from the web app via the SAP BTP. The connection would look like this:

    S/4HANA -> Cloud Connector -> SAP BTP <- Web App

  3. Use of an SAP Business Connector: This option would involve using an SAP Business Connector to connect the S/4HANA system to the web app. The connection would look like this:

    S/4HANA -> Business Connector <- Web App

  4. Use of SAP PO: This option would involve using SAP Process Orchestration (PO) to connect the S/4HANA system to the web app. The connection would look like this:

    S/4HANA -> SAP PI <- Web App

In terms of security requirements, the data transfer needs to be encrypted and authenticated, and only authorized users should be able to access the data. In terms of technical requirements, the solution needs to support JSON data format and RESTful APIs. In terms of operational requirements, the solution needs to provide monitoring, logging, and error handling capabilities.

I am not sure which of these options is the best and most secure for my use case.

Are there any other options that I should consider?

Are there any best practices or recommendations for securely connecting a web app hosted on Azure with an S/4HANA On-Premise system? It doesn't have to be Azure. It can also be another provider.


I would appreciate any help and advice from the community.

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
CarlosRoggan
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 13 2:59 PM

just a little comment:
I guess you mean SAP Cloud Integration instead of PO, right?
It is powerful and safe and ideal for integrating different worlds.
message payload can be encrypted, HTTP endpoint protected with OAuth, etc

turkaj
Active Participant
‎2023 Jul 13 3:22 PM
0 Kudos

Hi carlos.roggan,

Thanks for your reply.

In this case I did indeed mean SAP PO/PI. Many companies are still using it. SAP Cloud Integration is the solution of the future. SAP Cloud Integration seems like the best solution. Is there another solution for companies that are behind (and they are not few)?

Thanks

Jim

Willem_Pardaens
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 13 3:33 PM

Option 2 is the most-used approach and offers all the features you mentioned. Have a look at the CAP framework that would use this approach (https://cap.cloud.sap/docs/get-started/).

turkaj
Active Participant
‎2023 Jul 14 7:27 AM
0 Kudos

Hello carlos.roggan & willem.pardaens,

you are both right. It is best to invest your energy in SAP Cloud Integration and SAP BTP. The second option is definitely the better choice.

Thank you very much Jim

CarlosRoggan
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 14 7:57 AM

Hi Jim,
I just wanted to point out that new development on the classic PI might not make much sense, as SAP will phase out that classic product, although you're right, there are many customers and it will take long.
Buy a license for Cloud Integration if you only want to build one straight-forward scenario also doesn't make much sense, overengineered .
Also have to say that a cloud connector instance would be required anyways, when using cloud integration.
On the other side, if you create an app on BTP which is only a proxy, then CAP sounds overengineered as well, as cap is used for business applications, and a simple lightweight node app would be sufficient
Cheers
Carlos

turkaj
Active Participant
‎2023 Jul 14 8:19 AM
0 Kudos

Hi Carlos,

in this particular case. What do you suggest? I agree with you. I think it is a bit over-engineered to use the BTP just as middleware. In my opinion that is not what it was designed for. In this case, it is to securely read data from the on-premises SAP system. So there is a call to an Gateway service and the data is returned. If you expose that endpoint from the on-premises system to the outside, we have a security risk. That's why the idea is to use SAP BTP. But BTP offers a variety of services. Which one is the right one? And is this the right approach?

Thanks
Jim

Ryan-Crosby
Active Contributor
‎2023 Jul 14 12:32 PM

Hi Shkelqim,

If you are looking for near real-time, then it may be worth considering the use of the event mesh to push data of interest based on events instead of needing to constantly poll for the data.

Regards,

Ryan Crosby

turkaj
Active Participant
‎2023 Jul 17 7:10 AM
0 Kudos

Hi Ryan,

Yes, I was thinking of using an ABAP push channel. This will allow me to push the changes in real time. The remaining challenge is how to get the data securely from the on-premises SAP system to the web application?

willem.pardaens suggested the SAP CAP (Cloud Application Programming Model). This is a good way to develop web applications based on NodeJS, for example. In this case there is already a web application and I don't know if I can build a kind of middleware with CAP, i.e. the communication between the web application and the on-premises system is redirected via SAP BTP. However, as carlos.roggan has written, it might be a bit over-engineered to begin with.

The question remains:

  • What is the way SAP suggests?
  • How can I transfer the data securely and with as little effort as possible (on-premises system --> web application)?

Regards
Jim

View Entire Topic
Ulrich_Schmidt
Product and Topic Expert
Product and Topic Expert
‎2023 Jul 17 11:14 PM

Another thought on the question "should the Azure app pull the data from S/4, or should S/4 push it to Azure". The answer to this question depends on several factors:

  • The push approach has one major drawback: you need to keep two copies of the data. If it's a big amount of data, that could be expensive (requires an additional potentially big database in the Azure landscape), and there is always the risk, that the "two sources of truth" get out of sync.
  • So if the entire data source is big, but the Azure app will always need only small parts of it, or if it is essential that the Azure app always works on the latest up-to-date data, then "pull" is definitely better.
  • However, if the "response time" as seen by the end-user is most important, "push" could be better, as the Azure app will be faster, if it can immediately access a local copy of the data, than if it has to make a REST call via Internet and SAP BC to the on-premises S/4 system.
  • Another question is about security. You seem to be worried about improper access to sensitive data. Is it safe to store big amounts of that sensitive data in the Azure application?
Show replies
Show replies
turkaj
Active Participant
‎2023 Jul 18 8:13 AM
0 Kudos

In my case, I don't want to store data twice. The data comes from the SAP system and is only displayed to the user when needed. This means that the data is not additionally stored or kept on a non-SAP database. As you write, I do not want to store the data twice for security reasons.

It may be that the data is stored temporarily as a draft for the user. But this is only temporary. For this reason, I will have to look more closely at whether I need a push mechanism at all.

Ask a Question