Introduction

As enterprises adopt real-time, event-driven architectures, Apache Kafka plays a central role in managing high-throughput data streams. Integrating Kafka with SAP Integration Suite opens new possibilities for event-driven business processes—but doing this securely in the cloud can be a challenge.

By combining the Advantco Kafka Adapter for SAP CPI with the Private Link Service on SAP BTP, organizations can securely integrate SAP Integration Suite with Confluent Cloud Kafka clusters, leveraging private networking on AWS and Azure. This approach avoids exposing services over the public internet, meeting strict security and compliance requirements.

The Integration Challenge

In traditional setups, Kafka clients—like SAP Integration Suite —must connect directly to Kafka brokers over public endpoints. This connection typically relies on public DNS resolution, meaning the broker’s IP or hostname is exposed on the internet.

For on-premise Kafka installations, customers often configure SAP Cloud Connector to allow SAP CPI tenants to reach Kafka brokers securely. However, this requires additional setup and complexity, especially in hybrid environments.

Confluent Cloud, a fully managed Kafka service, simplifies event streaming. When deployed with Private Networking, it allows private, secure communication between your infrastructure and Confluent Cloud clusters—without public exposure.

Enter SAP Private Link Service + Advantco Kafka Adapter

When running Confluent Cloud Kafka clusters with Private Link Service enabled, direct communication between SAP CPI and the Kafka brokers isn’t possible—since CPI tenants can’t reach private endpoints directly.

To overcome this, Advantco provides a Kafka BTP Application, deployed on SAP BTP Cloud Foundry, which acts as an intermediary (proxy). It securely forwards requests from the Advantco Kafka Adapter (on SAP Integration Suite) to the Kafka broker via SAP Private Link Service.

Why Private Link Service Matters

Without Private Link:

• SAP Integration Suite would need to connect over the public internet
• Potential compliance and security issues arise
• More complicated networking (VPNs, NATs, etc.)

With Private Link + Advantco BTP App:

• Private, direct, secure communication
• No traffic ever leaves the cloud provider’s internal network
• Simpler, cleaner network architecture

Key Benefits of This Approach

• Secure Connectivity: No public internet exposure, reducing risk.
•  Low Latency & High Performance: Direct, private links reduce network hops.
• Compliance-Friendly: Meets SOC 2, ISO 27001, HIPAA, GDPR standards.
• Multi-Cloud & Hybrid Ready: Supports AWS, Azure, and GCP with SAP BTP.
• Simplified Network Management: No need for VPNs or NAT gateways.

Solution Architecture Overview

1. Advantco Kafka Adapter (SAP Integration Suite)
• Sends produce requests to Advantco Kafka BTP App
• Cannot directly access PrivateLink-enabled brokers
2. Advantco Kafka BTP Application (SAP BTP Cloud Foundry)
• Acts as the bridge between SAP Integration Suite and Kafka
• Deployed in a BTP space with SAP Private Link enabled
• Forwards requests to Kafka brokers securely
3. SAP Private Link Service
• Provides private connectivity from SAP BTP to cloud providers
• Ensures communication with Kafka brokers over private endpoints only
4. Confluent Cloud Kafka (Private Networking Enabled)
• Kafka cluster runs in AWS or Azure, accessible via PrivateLink endpoints only
• No public IP addresses or DNS records are used

Picture 1: Architecture Diagram of the Kafka Private Link Proxy Service on SAP BTP

Flow description:

- Advantco Kafka adapter: an SAP Integration Suite adapter with Private Link Service enabled.

Picture 2: Configure of the Advantco Kafka channel to use Private Link.

- Advantco Kafka Private Link Proxy is an application deployed on BTP Cloud Foundry Space used to receive requests from Advantco Kafka adapter on SAP Integration Suite.

Picture 3: The Advantco Kafka Private Link Proxy application in SAP BTP

- SAP Private Link Service: enables secure, private communication between SAP Business Technology Platform (BTP) and cloud providers (AWS, Azure, GCP) without exposing traffic to the public internet.

- Confluent Cloud with Private Networking: a private cluster bound with Cloud Provider’s Private Link Service. The cluster can be accessed through Private Endpoint only.

AWS and Azure Deployment Scenarios

AWS Deployment

• Confluent Cloud on AWS provides PrivateLink endpoints in the customer’s AWS VPC
• SAP BTP on AWS connects via SAP Private Link Service to those PrivateLink endpoints
• Kafka clients (Advantco Kafka BTP App) connect securely over AWS’s internal network
• PrivateLink setup requested and managed through Confluent Cloud Console
• Requires SAP BTP and Kafka broker to be in the same or peered AWS region

Azure Deployment

• Confluent Cloud on Azure provides Private Endpoints in a VNet
• SAP BTP on Azure uses SAP Private Link Service to connect to those Private Endpoints
• Kafka clients (Advantco Kafka BTP App) connect securely via Microsoft’s private network
• Private Networking enabled and configured via Confluent Cloud Console
• Requires SAP BTP and Kafka broker to be in the same Azure region

Conclusion

By leveraging Advantco Kafka Adapter, SAP Private Link Service, and Confluent Cloud Private Networking, businesses can securely integrate Kafka into their SAP Integration Suite based processes without compromising performance or compliance.