SAP Private Link Service
Private network connectivity between SAP BTP and hyperscaler-hosted services (AWS, Azure, GCP) — completely bypassing the public internet. The secure connectivity choice for RISE with SAP, PCE, and cloud-hosted backends.
Executive Summary
SAP Private Link Service provides private network connectivity between BTP applications and services running on AWS, Azure, or GCP — without any traffic traversing the public internet. It replaces Cloud Connector for RISE with SAP (PCE) scenarios and cloud-hosted backends. Private Link requires BTP and the target service to run on the same hyperscaler region.
Architecture & Requirements
- BTP Private Link Service instance: provisioned in the BTP subaccount (plan: standard)
- AWS setup: target system exposes a VPC Endpoint Service (backed by NLB) → BTP creates a VPC Endpoint
- Azure setup: target system exposes Azure Private Link Service (backed by Standard LB) → BTP creates a Private Endpoint
- GCP setup: target exposes GCP Private Service Connect → BTP creates a forwarding endpoint
- Same-hyperscaler/region requirement: BTP subaccount and target VPC/VNet must be on the same cloud provider and region
- Destination configuration: ProxyType must be set to PrivateLink in Destination properties
- Latency advantage: significantly lower than Cloud Connector (direct private network, no tunnel overhead)
- Throughput advantage: no throttling from Cloud Connector — direct fiber-equivalent bandwidth
- Use cases: RISE with SAP (PCE), SAP-hosted hyperscaler services, customer-managed cloud VMs
Performance Comparison
| Metric | Cloud Connector | Private Link |
|---|---|---|
| Latency (DEWA measured) | ~45 ms | ~8 ms |
| Max throughput | Throttled by tunnel | NLB limits (10 Gbps+) |
| Public internet exposure | None (outbound tunnel) | None (private backbone) |
| Firewall changes required | None (outbound only) | None |
| Target system type | On-premise, any host | Cloud-hosted (same hyperscaler) |
| HA configuration | Master + Shadow | NLB handles HA natively |
| Maintenance overhead | Java agent updates | Managed service, zero maintenance |
BTP Private Link Setup
Create the Private Link service instance in BTP, referencing the VPC Endpoint Service ARN from the target AWS account. The connection enters "Pending" state until accepted on the AWS side.
```bash
# Create Private Link service instance (BTP CF CLI)
cf create-service privatelink standard my-private-link \
  -c '{
    "requestMessage": "DEWA S/4HANA PCE connection via Private Link",
    "resourceId": "arn:aws:vpce-svc-0a1b2c3d4e5f6789",
    "subnetId": "subnet-0123456789abcdef0"
  }'

# Check Private Link connection status
cf service my-private-link

# Once approved (AWS: accept endpoint connection), update Destination
# In BTP Cockpit → Destinations → S4HANA_PCE_PROD:
#   ProxyType: PrivateLink
#   privateLink: my-private-link
```
AWS VPC Endpoint Service Configuration
On the AWS side, the S/4HANA PCE system must expose a VPC Endpoint Service backed by a Network Load Balancer. BTP's connection request must then be manually accepted.
```bash
# AWS: Expose S/4HANA PCE via VPC Endpoint Service
aws ec2 create-vpc-endpoint-service-configuration \
  --network-load-balancer-arns arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/net/s4hana-nlb/abc123 \
  --acceptance-required \
  --private-dns-name s4hana.dewa.internal

# Accept the BTP connection request
aws ec2 accept-vpc-endpoint-connections \
  --service-id vpce-svc-0a1b2c3d4e5f6789 \
  --vpc-endpoint-ids vpce-0a1b2c3d4e5f67890
```
Enterprise Example (DEWA RISE)
DEWA's RISE with SAP deployment runs on AWS eu-west-1. The S/4HANA PCE system exposes a VPC Endpoint Service. The BTP subaccount (eu10 — AWS Frankfurt) creates a Private Link instance that connects directly to the PCE Network Load Balancer.
- Latency improved from 45 ms (Cloud Connector) to 8 ms (Private Link) — 82% reduction
- All S/4HANA API traffic from CAP apps flows via Private Link — zero internet exposure
- UAE data residency compliance met: SAP data never leaves AWS backbone between BTP and PCE
- Cloud Connector decommissioned for PCE traffic — one fewer Java agent to maintain
Security Considerations
Best Practices
Use Private Link instead of Cloud Connector for RISE with SAP and PCE scenarios. Lower latency, higher throughput, no tunnel maintenance overhead.
Ensure your BTP subaccount and the target PCE/VPC are on the same hyperscaler (AWS/Azure/GCP) and the same region. Cross-region or cross-cloud Private Link is not supported.
Private Link connection health depends entirely on the NLB health checks. Configure health checks against the actual S/4HANA health endpoint to get accurate status.
Destinations must explicitly set ProxyType to PrivateLink and reference the Private Link service instance name. The default ProxyType (Internet) bypasses Private Link.
Record the VPC Endpoint Service ARN (AWS) or Azure Private Link Service ID in the infrastructure runbook. Required for reconnection if the Private Link instance is recreated.
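The three checks above (same hyperscaler and region, application-level NLB health checks, and ProxyType/privateLink on the destination) are easy to get wrong silently, because a misconfigured destination still works over the Internet proxy and a TCP-only health check still reports healthy. The following pre-flight validator is an added example written for this page; it is not SAP, AWS or DEWA tooling. It assumes a destination exported as a plain property dictionary, a target group entry shaped like the output of `aws elbv2 describe-target-groups`, a BTP region table of which only `eu10` (AWS Frankfurt) is taken from the page, and an assumed health path `/sap/public/ping`; all sample inputs are constructed.

```python
"""Pre-flight checks for a BTP destination that should route via Private Link.

Added example for this page; not SAP or AWS tooling. It encodes three of the
best practices above as checks to run against exported configuration before
cutting traffic over:
  1. the destination carries ProxyType=PrivateLink and names the Private
     Link service instance (otherwise the default Internet proxy is used),
  2. the BTP subaccount and the target sit on the same hyperscaler and
     region (cross-region / cross-cloud Private Link is not supported),
  3. the NLB target group health check hits an application endpoint rather
     than relying on a bare TCP probe.
"""

# Assumption: BTP region IDs mapped to (hyperscaler, region). Only eu10 ->
# AWS Frankfurt is taken from the page; extend this for your landscape.
BTP_REGIONS = {
    "eu10": ("aws", "eu-central-1"),
}


def check_destination(dest: dict) -> list:
    """Return findings for a destination's Private Link related properties."""
    findings = []
    proxy_type = dest.get("ProxyType", "Internet")  # Internet is the BTP default
    if proxy_type != "PrivateLink":
        findings.append(
            f"ProxyType is {proxy_type!r}; must be 'PrivateLink', otherwise the "
            "destination bypasses the Private Link instance")
    if not dest.get("privateLink"):
        findings.append(
            "privateLink property missing; the destination must reference the "
            "Private Link service instance name")
    return findings


def check_same_region(btp_region: str, target_provider: str,
                      target_region: str) -> list:
    """Return findings if the BTP subaccount and target are not co-located."""
    if btp_region not in BTP_REGIONS:
        return [f"unknown BTP region {btp_region!r}; add it to BTP_REGIONS"]
    provider, region = BTP_REGIONS[btp_region]
    findings = []
    if provider != target_provider.lower():
        findings.append(
            f"cross-cloud: BTP {btp_region} runs on {provider}, target is on "
            f"{target_provider}")
    elif region != target_region:
        findings.append(
            f"cross-region: BTP {btp_region} is {region}, target is "
            f"{target_region}")
    return findings


def check_health_check(target_group: dict) -> list:
    """Return findings for an NLB target group's health check settings.

    `target_group` has the shape of one entry from
    `aws elbv2 describe-target-groups` (keys HealthCheckProtocol,
    HealthCheckPath). A TCP probe only proves the port is open, so Private
    Link status would stay healthy even with the S/4HANA application down.
    """
    protocol = target_group.get("HealthCheckProtocol", "TCP")
    if protocol not in ("HTTP", "HTTPS"):
        return [f"health check protocol is {protocol}; use HTTP(S) against the "
                "S/4HANA health endpoint so NLB status reflects the application"]
    if not target_group.get("HealthCheckPath"):
        return ["HealthCheckPath is empty; point it at the S/4HANA health endpoint"]
    return []


def run_preflight(dest, btp_region, target_provider, target_region, target_group):
    """Aggregate all findings; an empty list means the setup passes."""
    return (check_destination(dest)
            + check_same_region(btp_region, target_provider, target_region)
            + check_health_check(target_group))


if __name__ == "__main__":
    # Constructed sample inputs (not real DEWA configuration).
    good_dest = {"Name": "S4HANA_PCE_PROD", "ProxyType": "PrivateLink",
                 "privateLink": "my-private-link"}
    bad_dest = {"Name": "S4HANA_PCE_PROD", "URL": "https://s4hana.example.internal"}
    # /sap/public/ping is an assumed health path; use your system's endpoint.
    tg = {"HealthCheckProtocol": "HTTPS", "HealthCheckPath": "/sap/public/ping"}
    for line in run_preflight(bad_dest, "eu10", "aws", "eu-west-1",
                              {"HealthCheckProtocol": "TCP"}):
        print("FINDING:", line)
    print("clean:", run_preflight(good_dest, "eu10", "aws", "eu-central-1", tg))
```

Run it as part of the change record for a destination: a non-empty finding list is a reason to hold the cut-over, since the destination would otherwise keep working over the Internet proxy and nobody would notice until the firewall or latency numbers gave it away.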