Naor_Shalom

Options Evaluated for SFTP Integration

  1. Integration Suite with SAP S/4 SFTP Folder (via Cloud Connector)
    • Mechanism:
      • Configure the file server as a target in the SAP Cloud Connector.
      • SAP Cloud Connector acts as a reverse proxy, routing SFTP traffic securely to the mapped directory in the SAP S/4 system.
    • Pros:
      • Low cost; leverages existing components.
      • Secure and scalable.
    • Cons:
      • Adds configuration complexity.
      • Slight latency due to indirect communication.
  2. Direct Integration via SAP BTP (without Cloud Connector)
    • Mechanism:
      • Raise a Service Request (SR) to SAP for:
        1. Provisioning an SFTP server alongside the SAP system.
        2. Setting up a Hyperscaler Load Balancer (LB) for inbound traffic to expose the SFTP service.
      • Whitelist up to 5 IPs or URLs for security approval.
      • Use port 22 for communication.
    • Pros:
      • Direct, streamlined integration.
      • Preferred by SAP for long-term scalability and best practices.
      • Enhanced security with Load Balancer IP filtering.
    • Cons:
      • Higher costs for BTP services, SFTP provisioning, and Load Balancer setup.
      • Requires SAP security team approval for SRs.

        Typical Customer Scenarios

        • On-Premise Connections:
          Most customers connect to the ECS-hosted SFTP share from their on-premise network. This involves internal routing and does not require exposing traffic to the public Internet.
        • Public Internet Connections:
          Customers occasionally request to enable port 22 traffic between a public Internet IP and the ECS SFTP share. Such requests can include:
          1. Inbound Port 22 Traffic:
            • From a public Internet IP to the ECS virtual machine (VM).
            • Requires careful IP whitelisting to ensure secure access.
          2. Outbound Port 22 Traffic:
            • From the ECS VM to a public Internet IP.
            • Requires an external outbound Load Balancer to handle the traffic.

        Key Notes from SAP Architects

        • Port 22 Restrictions:
          • SAP allows a maximum of 5 whitelisted IPs or URLs for port 22 traffic.
          • Requests exceeding this limit will be rejected.
          • Even for requests under the limit, SAP's security team will review and approve or deny based on risk assessments.
        • External Outbound Load Balancer:
          For outbound traffic (e.g., ECS VM to an Internet IP), customers must request SAP to provision an external outbound Load Balancer as part of the service request.

        Recommendations

        • For cost-sensitive or time-critical setups: Use Option 1 (Integration Suite via Cloud Connector).
        • For a robust, scalable solution that aligns with SAP’s best practices: Use Option 2 (Direct Integration via BTP), considering the additional setup time and costs.

        Next Steps

        1. Confirm the architectural choice based on project priorities, budget, and timelines.
        2. If Option 2 is selected:
          • Raise the necessary SRs for SFTP server provisioning, inbound/outbound Load Balancer setup, and IP whitelisting.
          • Define IP filtering rules, ensuring compliance with SAP’s security requirements.
        3. Test and validate the architecture end-to-end for secure SFTP file transfers.
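
A pre-submission check for the allowlist that goes into the SR, as an added example (not from the original post or from SAP). The 5-entry cap is the limit stated under Key Notes; the /24 breadth threshold, the RFC 1918 check, and all function names are assumptions of this example, and the sample entries are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 5      # limit this page states for port 22 allowlist requests
MIN_PREFIX_V4 = 24   # assumption: local review threshold, not an SAP rule
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def normalize(entry):
    """Classify one entry as ('net', ip_network) or ('host', hostname)."""
    entry = entry.strip()
    try:
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    # Not an IP or CIDR: accept a URL or bare hostname and keep only the host.
    host = urlsplit(entry if "//" in entry else "//" + entry).hostname
    if not host:
        raise ValueError(f"unparseable entry: {entry!r}")
    return "host", host.lower()

def review_allowlist(entries):
    """Return findings for a public-Internet allowlist; [] means none."""
    findings, seen = [], set()
    for raw in entries:
        try:
            item = normalize(raw)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if item in seen:  # same source listed twice wastes one of the 5 slots
            findings.append(f"duplicate: {raw}")
            continue
        seen.add(item)
        kind, value = item
        if kind == "net" and value.version == 4:
            if value.prefixlen < MIN_PREFIX_V4:
                findings.append(f"range too broad: {value}")
            if any(value.subnet_of(n) for n in RFC1918):
                findings.append(f"private range, not a public source: {value}")
    if len(seen) > MAX_ENTRIES:
        findings.append(f"{len(seen)} entries exceed the limit of {MAX_ENTRIES}")
    return findings

# Constructed sample request (documentation-range addresses, not real hosts).
SAMPLE = ["10.1.2.3", "0.0.0.0/0", "198.51.100.7", "198.51.100.7/32",
          "sftp.partner.example", "192.0.2.10", "192.0.2.11", "192.0.2.12"]
if __name__ == "__main__":
    print("\n".join(review_allowlist(SAMPLE)) or "ready to attach to the SR")
```

A private address in a public-Internet allowlist usually means the internal host IP was listed instead of the NAT or proxy egress address the load balancer will actually see.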

        Naor Shalom | SAP Cloud architect | SAP PCA

        One software technologies
