Private Cloud Extensions (RISE with SAP / PCE)
Extensibility in SAP S/4HANA Cloud Private Edition — the RISE with SAP deployment model. Full ABAP Cloud development available, mandatory clean core compliance, annual upgrades, and Private Link connectivity to BTP.
Architecture Overview
Executive Summary
S/4HANA Cloud Private Edition (PCE), part of RISE with SAP, is a dedicated cloud deployment — SAP manages infrastructure (servers, OS, database) while the customer manages the application layer. Unlike Public Cloud, PCE allows full ABAP Cloud development (Tier 2) alongside Key User tools (Tier 1) and BTP side-by-side extensions (Tier 3). However, SAP enforces Clean Core compliance as a contract condition — violations can block the annual upgrade.
PCE vs On-Premise vs Public Cloud
| Dimension | PCE (RISE) | On-Premise | Public Cloud |
|---|---|---|---|
| Infrastructure managed by | SAP (cloud hyperscaler) | Customer | SAP |
| ABAP developer access | ✅ Yes (ABAP Cloud only) | ✅ Yes (all ABAP) | ❌ No |
| Clean Core mandatory | ✅ Contractually required | ⚠️ Recommended | ✅ Enforced by SAP |
| Upgrade cadence | Annual (SAP-orchestrated) | ~2 years (customer-managed) | Quarterly (automatic) |
| Custom ABAP modifications | ❌ Forbidden | ⚠️ Possible (strongly discouraged) | ❌ Not possible |
| Side-by-side BTP | ✅ Via Private Link | ✅ Via Cloud Connector | ✅ Via Comm. Arrangement |
| Upgrade effort (clean) | 2-4 weeks | 4-8 weeks | Near-zero (SAP handles) |
| UAE data residency | ✅ AWS UAE possible | ✅ Customer DC in UAE | ⚠️ Limited — check SAP |
PCE-Specific Clean Core Requirements
Private Link Setup (PCE ↔ BTP)
Private Link provides direct private network connectivity between BTP and PCE on the same hyperscaler — no public internet, no Cloud Connector required.
```bash
# PCE connectivity via Private Link (AWS example)
# No Cloud Connector needed — Private Link provides direct private network

# 1. PCE team exposes VPC Endpoint Service (NLB-backed)
#    AWS Console: VPC → Endpoint Services → Create
#    Associate with: S/4HANA PCE load balancer
#    Service name: com.amazonaws.vpce.eu-west-1.vpce-svc-xxxx

# 2. BTP subaccount creates Private Link instance
cf create-service privatelink standard pce-private-link \
  -c '{
    "requestMessage": "DEWA S/4HANA PCE connection",
    "resourceId": "com.amazonaws.vpce.eu-west-1.vpce-svc-xxxx"
  }'

# 3. PCE team approves VPC endpoint connection (AWS Console)

# 4. Configure Destination in BTP
#    Name: S4H_PCE_PROD
#    Type: HTTP
#    URL: https://s4h-pce-internal.dewa.corp:44310
#    ProxyType: PrivateLink
#    Authentication: OAuth2SAMLBearerAssertion
```
Enterprise Example — DEWA RISE on AWS UAE
- Deployment: PCE on AWS ae1 (UAE — data sovereignty)
- ABAP Cloud developers: 8 (all using BAS ABAP Dev Space)
- ATC BLOCKER findings: 0 (cleared before annual upgrade)
- Released BAdIs: 4 (Finance, Procurement, SD)
- RAP Business Objects: 2 (DEWA Plant Maintenance extensions)
- CAP side-by-side extensions: 3 on BTP ae1 via Private Link
- Annual upgrade duration: 3 weeks (vs. 5 months pre-Clean-Core)
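The Destination settings from step 4 of the Private Link setup can be checked automatically before a side-by-side extension goes live. The following is an added example, not code from SAP or from the original page: it audits destination records for PCE targets that drift from that configuration. The `.dewa.corp` host suffix, the allow-list policy and the sample records are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy, modelled on the Destination shown in step 4 of the setup.
PCE_HOST_SUFFIXES = (".dewa.corp",)           # assumption: internal PCE DNS suffix
REQUIRED_PROXY = "PrivateLink"
ALLOWED_AUTH = {"OAuth2SAMLBearerAssertion"}  # the page's choice; extend per policy


def audit_destination(dest):
    """Return a list of findings for one destination (empty list = compliant)."""
    findings = []
    url = urlsplit(dest.get("URL", ""))
    host = (url.hostname or "").lower()
    if not host.endswith(PCE_HOST_SUFFIXES):
        return findings  # not a PCE target, out of scope for this check
    if url.scheme != "https":
        findings.append("URL is not HTTPS")
    if dest.get("ProxyType") != REQUIRED_PROXY:
        findings.append(f"ProxyType is {dest.get('ProxyType')!r}, expected {REQUIRED_PROXY!r}")
    if dest.get("Authentication") not in ALLOWED_AUTH:
        findings.append(f"Authentication {dest.get('Authentication')!r} is not allowed")
    if url.username or url.password:
        findings.append("credentials embedded in URL")
    return findings


def audit(destinations):
    """Map destination name -> findings, listing only non-compliant entries."""
    report = {}
    for dest in destinations:
        findings = audit_destination(dest)
        if findings:
            report[dest.get("Name", "<unnamed>")] = findings
    return report


# Constructed sample data: the first record mirrors the page, the others are made up.
SAMPLE = [
    {"Name": "S4H_PCE_PROD", "Type": "HTTP", "URL": "https://s4h-pce-internal.dewa.corp:44310",
     "ProxyType": "PrivateLink", "Authentication": "OAuth2SAMLBearerAssertion"},
    {"Name": "S4H_PCE_LEGACY", "Type": "HTTP", "URL": "http://s4h-pce-internal.dewa.corp:8000",
     "ProxyType": "OnPremise", "Authentication": "BasicAuthentication"},
    {"Name": "PUBLIC_API", "Type": "HTTP", "URL": "https://api.example.com",
     "ProxyType": "Internet", "Authentication": "NoAuthentication"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against an export of the subaccount's destinations in a CI step so that a PCE destination routed over anything other than Private Link fails the build.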
Best Practices
SAP will not schedule the annual upgrade until all BLOCKER ATC findings are resolved. Build a sprint plan with buffer.
Private Link is the mandatory and recommended connectivity pattern for PCE-to-BTP. Cloud Connector adds unnecessary latency and security overhead.
SAP sets the mandatory ATC checks for PCE. Align your internal profile to match or exceed SAP's — surprises at upgrade time are avoidable.
Keep the ABAP transport landscape in SAP-managed TMS. Manual transports bypass SAP's upgrade orchestration and create inconsistencies.
Use SAP Cloud ALM as the single source of truth for change management. It integrates with the RISE upgrade orchestration process.