SAP Cloud Connector
The secure, reverse-proxy bridge between SAP BTP cloud applications and on-premise SAP systems. Cloud Connector establishes an outbound-only encrypted tunnel — no inbound firewall changes required in the corporate network.
Executive Summary
Cloud Connector is a lightweight Java application installed in the corporate DMZ. It establishes an outbound-only HTTPS tunnel to SAP BTP's Connectivity service — meaning no inbound firewall rules are needed in the corporate network. BTP applications make outbound calls that are routed through the Connectivity service and down the tunnel to reach on-premise systems.
Architecture & Sizing
- Installation: JAR/installer (Windows, RHEL, Ubuntu, macOS)
- Admin UI: HTTPS on port 8443 (localhost only)
- Multi-Subaccount: one Cloud Connector instance → multiple BTP subaccounts
- Access Control: explicit allowlist, deny by default
- Protocols: HTTP/HTTPS · RFC (ABAP) · LDAP · TCP
- High Availability: Master + Shadow with auto-failover
- Current Version: 2.17.x (update regularly)
- Standard Sizing: 2 CPU + 4 GB RAM
- High-Throughput: 4 CPU + 8 GB RAM
Installation & Configuration
Cloud Connector is installed as a system service on a dedicated Linux server in the DMZ. After installation, connect it to your BTP subaccount via the admin UI on port 8443.
# Linux installation (Cloud Connector 2.17)
# 1. Download from SAP Software Downloads
#    https://tools.hana.ondemand.com/#cloud → Cloud Connector

# 2. Install as system service
sudo rpm -i sapcc-2.17.0-linux-x64.rpm    # RHEL/CentOS
# or
sudo dpkg -i sapcc_2.17.0_amd64.deb       # Ubuntu/Debian

# 3. Start the service
sudo systemctl start scc_daemon
sudo systemctl enable scc_daemon

# 4. Access admin UI (from local browser)
#    https://localhost:8443
#    Default credentials: Administrator / manage (change immediately!)

# 5. Verify tunnel status
#    -k skips TLS certificate verification; acceptable only here, against the
#    default self-signed certificate on localhost. Use the password set in step 4.
curl -k https://localhost:8443/api/v1/connector/status \
     -u Administrator:YourNewPassword

Access Control Configuration
Access control rules define which backend hosts and paths are accessible through the tunnel. The virtual host is what BTP apps see; the backend host is the real internal address.
{
  "virtualHost": "s4hana-prod.corp.internal",
  "virtualPort": 443,
  "backendHost": "actual-s4-hostname.dewa.local",
  "backendPort": 44310,
  "protocol": "HTTPS",
  "authenticationMode": "CERTIFICATE",
  "description": "S/4HANA 2023 Production OData Services",
  "allowedResources": [
    {
      "enabled": true,
      "exactMatchOnly": false,
      "path": "/sap/opu/odata/sap/"
    }
  ]
}

Use meaningful virtual host names (e.g. s4hana-prod.corp.internal) rather than raw IP addresses. This keeps access control rules readable and lets them survive IP changes during infrastructure migrations.

Enterprise Example (DEWA)
DEWA has Cloud Connector 2.17 installed in their Abu Dhabi data center DMZ on a dedicated RHEL 8 server (4 CPU, 8 GB RAM). A Master + Shadow HA pair is configured with automatic failover. One Cloud Connector instance serves 5 BTP subaccounts. 23 access control rules are defined, covering S/4HANA OData APIs (/sap/opu/odata/) and 4 RFC function module groups. The subaccount connection uses mutual TLS with an X.509 certificate, rotated annually by the basis team. Cloud Connector admin access is restricted to 2 basis administrators via an IP allowlist on the host firewall.
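The access control rule shown in the Access Control Configuration section above is easier to reason about when the evaluation is spelled out. The following is an added example, not SAP's code: a small Python model of how such an allowlist is evaluated (deny by default, a rule must match protocol, virtual host and virtual port, and within that rule only enabled resource paths are allowed, by exact match when exactMatchOnly is set and by prefix otherwise). The rule set is constructed from the page's sample rule plus two hypothetical resources; the model also normalises dot segments in the request path before matching, a design choice of this model rather than a documented Cloud Connector behaviour.

```python
"""Model of Cloud Connector access-control evaluation (added example, not SAP code).

Rules are constructed: the first resource mirrors the page's sample rule, the
other two are hypothetical and exist only to show exactMatchOnly and enabled=false.
"""
import posixpath
from dataclasses import dataclass, field


@dataclass
class Resource:
    path: str
    enabled: bool = True
    exact_match_only: bool = False   # False = "path and all sub-paths"


@dataclass
class AccessRule:
    virtual_host: str
    virtual_port: int
    backend_host: str
    backend_port: int
    protocol: str
    resources: list = field(default_factory=list)


RULES = [
    AccessRule(
        virtual_host="s4hana-prod.corp.internal",
        virtual_port=443,
        backend_host="actual-s4-hostname.dewa.local",
        backend_port=44310,
        protocol="HTTPS",
        resources=[
            Resource("/sap/opu/odata/sap/"),                      # from the page's sample rule
            Resource("/sap/public/ping", exact_match_only=True),  # hypothetical: exact path only
            Resource("/sap/bc/gui/", enabled=False),              # hypothetical: listed but switched off
        ],
    ),
]


def normalise_path(raw_path: str) -> str:
    """Strip the query string and collapse '.' / '..' segments so that a
    request cannot escape an allowed prefix via traversal."""
    path = raw_path.split("?", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    normalised = posixpath.normpath(path)
    # normpath drops a trailing slash; restore it so prefix rules such as
    # "/sap/opu/odata/sap/" still match a request for exactly that path.
    if path.endswith("/") and not normalised.endswith("/"):
        normalised += "/"
    return normalised


def resource_allows(res: Resource, path: str) -> bool:
    if not res.enabled:
        return False
    if res.exact_match_only:
        return path == res.path
    return path.startswith(res.path)


def evaluate(rules, protocol: str, virtual_host: str, virtual_port: int, raw_path: str):
    """Return ("ALLOW", (backend_host, backend_port)) or ("DENY", None)."""
    path = normalise_path(raw_path)
    key = (protocol.upper(), virtual_host.lower(), virtual_port)
    for rule in rules:
        if key != (rule.protocol.upper(), rule.virtual_host.lower(), rule.virtual_port):
            continue
        if any(resource_allows(r, path) for r in rule.resources):
            return "ALLOW", (rule.backend_host, rule.backend_port)
        return "DENY", None   # virtual host is known, but the path is not on its allowlist
    return "DENY", None       # no rule at all for this protocol/host/port: deny by default


if __name__ == "__main__":
    for req in [
        ("https", "s4hana-prod.corp.internal", 443, "/sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner"),
        ("https", "s4hana-prod.corp.internal", 443, "/sap/opu/odata/sap/../../../bc/gui/webgui"),
        ("https", "hr-system.corp.internal", 443, "/sap/opu/odata/sap/"),
    ]:
        print(req[3], "->", evaluate(RULES, *req))
```

Every request that does not hit an enabled resource on a matching rule ends in DENY, including a traversal attempt that normalises onto the disabled /sap/bc/gui/ path and a request for a virtual host with no rule at all.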
Security Hardening
Host hardening: Dedicated VM, minimal OS install, no other services running alongside Cloud Connector.
Admin UI access: Restrict to DEWA basis admin team IPs via host firewall rules. Cloud Connector admin UI should never be reachable from production application servers.
Certificate authentication: Use X.509 certificate authentication (not username/password) for the BTP subaccount connection. Certificates expire after 1 year by default.
Audit log: Enable Cloud Connector audit log and ship to the organisation's SIEM. Logs connectivity attempts, access control rule matches, and admin console actions.
Annual rotation: Rotate the subaccount connection certificate annually. Add calendar reminders 30 days before expiry.
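The certificate authentication and annual rotation items above both hinge on knowing how far each subaccount connection certificate is from expiry. The following is an added example, not SAP's code: a Python check that takes an inventory of certificate notAfter values, in the "Mon DD HH:MM:SS YYYY GMT" format that Python's ssl module uses, and classifies each as OK, due for rotation (within the 30-day window the page recommends) or already expired. The inventory is constructed; in practice the values would come from the Cloud Connector admin UI or from the certificate files themselves.

```python
"""Expiry check for Cloud Connector subaccount connection certificates
(added example, not SAP code). The inventory is constructed sample data."""
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30   # the page's "reminder 30 days before expiry"

# Constructed: subaccount name -> certificate notAfter, in the format
# ssl.cert_time_to_seconds() accepts (same format as getpeercert()["notAfter"]).
CERT_INVENTORY = {
    "prod-subaccount": "Mar 14 10:00:00 2026 GMT",
    "qa-subaccount":   "Feb  1 08:30:00 2026 GMT",
    "dev-subaccount":  "Dec 31 23:59:59 2025 GMT",
}


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` (timezone-aware) to the certificate's notAfter;
    negative once the certificate has expired."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)       # UTC seconds since epoch
    return int((expiry_epoch - now.timestamp()) // 86400)


def classify(inventory: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Return {subaccount: (status, days_remaining)} with status in OK/ROTATE/EXPIRED."""
    report = {}
    for name, not_after in inventory.items():
        days = days_until_expiry(not_after, now)
        if days < 0:
            status = "EXPIRED"
        elif days <= warn_days:
            status = "ROTATE"
        else:
            status = "OK"
        report[name] = (status, days)
    return report


def needs_action(report: dict) -> list:
    """Subaccounts to raise with the basis team, most urgent first."""
    return sorted(
        (name for name, (status, _) in report.items() if status != "OK"),
        key=lambda n: report[n][1],
    )


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    report = classify(CERT_INVENTORY, now)
    for name, (status, days) in report.items():
        print(f"{name:18} {status:8} {days:>5} days")
    print("action required:", needs_action(report))
```

Passing `now` explicitly keeps the check deterministic for testing and for replaying against a historical inventory; a scheduled job would call it with the current UTC time and forward the `needs_action` list to the team's ticketing or alerting channel.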
Best Practices
Cloud Connector must reside in the corporate DMZ — not on the S/4HANA application server itself, and not on the internal network without a DMZ buffer.
Deploy a Master + Shadow instance for production. Automatic failover prevents all hybrid connectivity from dropping during Cloud Connector maintenance.
The default Administrator/manage credentials are publicly documented. Change them immediately after first login before connecting any BTP subaccount.
Cloud Connector defaults to denying all access. Add only the specific host/port/path combinations that BTP applications actually need.
SAP releases Cloud Connector security patches regularly. Quarterly updates are essential — outdated versions have known vulnerabilities.
Check Cloud Connector availability and tunnel health from BTP Cockpit under Connectivity. Set up alerting for tunnel disconnects.