
Connect SAP Private Link Service to Microsoft Azure Private Link Service (Kyma)

Requires Customer/Partner License
Connect SAP Private Link service to Microsoft Azure Private Link Service and bind the service instance on a Kyma cluster.
You will learn
  • How to create an SAP Private Link service instance that connects to your Microsoft Azure Private Link Service using the kubectl CLI
  • How to bind the service instance to your Kyma cluster using the kubectl CLI
Madeline Schaefer, February 12, 2024
Created by Madeline-Schaefer, February 7, 2024
Contributors: Madeline-Schaefer

Prerequisites

SAP Private Link service establishes a private connection between applications running on SAP BTP and selected services in your own IaaS provider accounts. By reusing the private link functionality of our partner IaaS providers, you can access your services through private network connections to avoid data transfer via the public internet.

Overview of Link service functionality
  • Step 1

    After you’ve logged in as described in Enable SAP BTP, Kyma Runtime Using the Command Line, you can check all available entitlements for your subaccount. Open a command prompt and enter the following command:

    Shell/Bash
    btp list accounts/entitlements
    

    You can now see a list of service names and service plans, as shown in this example:

    Shell/Bash
    $ btp list accounts/entitlements
    Showing entitlements for subaccount 9be57735-1234-1234-1234-0123456789ab:
    
    service name          service plan              quota
    ...
    privatelink           standard                  8
    ...
    

    Make sure you can find privatelink under the service name column in the output.

  • Step 2

    To create and enable a private link, you first need to define the connection to the service. To do so, you need the Resource ID of the Azure service:

    1. Go to the Azure portal.
    2. Navigate to the Azure resource for which you want to find out the Resource ID, for example: Private Link Center > Private link services.
    3. Click on Overview in the menu on the left side of your screen.
    4. Click on JSON View in the upper right corner of the overview page.
    5. At the top of the resulting view, find the text box labelled Resource ID and copy its value.
  • Step 3

    The SAP BTP Operator module (btp-operator) must be enabled before you create and manage SAP Private Link service instances in Kyma.
    Otherwise, you get the following error message: resource mapping not found for {...} ensure CRDs are installed first.

    In addition, the btp-operator module must be version 1.1.0 or newer.

    To enable the btp-operator module, follow the procedure described in Enable and Disable a Kyma Module.

  • Step 4

    You do not have any service instances yet, so you need to create one. To create a new private link, you need the following information:

    • offering (privatelink),
    • plan (standard),
    • a unique name (for instance, privatelink-test),
    • and the Resource ID from Microsoft Azure (for example, /subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<my-private-link-service>).

    Enter the following command and fill in the necessary information:

    Shell/Bash
    kubectl create -f - <<EOF
    apiVersion: services.cloud.sap.com/v1
    kind: ServiceInstance
    metadata:
      name: privatelink-test
    spec:
      serviceOfferingName: privatelink
      servicePlanName: standard
      parameters:
        resourceId: "/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<privatelink-test>"
        requestMessage: Please Approve
    EOF
    

    If the creation of the service instance was accepted, you receive a success message telling you to proceed.

    Tip: You can edit requestMessage: ... to contain any text that provides more information to the approver.

    Tip: Depending on the chosen service type, you might need additional parameters. Please check the list of supported services and the parameters required in your case.

  • Step 5

    To check the current status of the newly created service instance, you need the name of your service instance (in this example privatelink-test). Type in the following:

    Shell/Bash
    kubectl get ServiceInstance privatelink-test -o wide
    

    Under “status”, “ready”, and “message”, you can see the current status.

    Shell/Bash
    NAME              OFFERING     PLAN      STATUS             READY   AGE   ID            MESSAGE
    privatelink-test  privatelink  standard  CreateInProgress   False   13s   <some UUID>   ServiceInstance is being created
    

    If the status has not changed yet, run the command again. If you receive an error message, go back to the previous steps.

    Security Info: If the initiator of the private link connection doesn't have access to the Azure Portal to approve the new private endpoint connection themselves, reach out to the person responsible for approving the connection and share the endpoint name responsibly.

  • Step 6

    Return to Microsoft Azure portal:

    1. Select Settings > Private endpoint connections.
    2. Search for the name of the private endpoint you received from the success message in the previous step.
    3. Select the private endpoint and click Approve.

    You should now receive a success message that the approval is pending.

    Security Info: If the person who approves the private endpoint connection is not the one who created the Private Link service in the first place, verify that the connection request originated from a trustworthy source (for instance, a colleague asking for approval via e-mail). This verification step prevents malicious misuse of resource IDs. See also Best Practices for Secure Endpoint Approval.

  • Step 7

    To check the current status of the newly created service instance, you need the name of your service instance (in this example privatelink-test). Type in the following:

    Shell/Bash
    kubectl get ServiceInstance privatelink-test -o wide
    

    You should see the following success message:

    Shell/Bash
    NAME              OFFERING     PLAN      STATUS    READY   AGE   ID            MESSAGE
    privatelink-test  privatelink  standard  Created   True    2m    <some UUID>   ServiceInstance provisioned successfully
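Steps 5 and 7 both re-run kubectl get until READY changes. The following added example (not part of the tutorial) does that polling in a loop with a timeout, so a script can wait for the approval to take effect instead of a person re-typing the command. It assumes the btp-operator populates .status.ready on the ServiceInstance, the field behind the READY column of -o wide; wait_for_instance, instance_ready_value and their arguments are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): poll a ServiceInstance until READY is
# True or a timeout expires. Assumes .status.ready holds "True"/"False".

# Prints the READY value of the named instance ("True", "False" or empty
# if the instance does not exist or has no status yet).
instance_ready_value() {
    kubectl get ServiceInstance "$1" -o jsonpath='{.status.ready}' 2>/dev/null
}

# wait_for_instance NAME [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 as soon as READY is True, 1 if the timeout expires first.
wait_for_instance() {
    name=$1; timeout=${2:-300}; interval=${3:-10}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        ready=$(instance_ready_value "$name")
        if [ "$ready" = "True" ]; then
            echo "$name: ready after ${elapsed}s" >&2
            return 0
        fi
        echo "$name: READY=${ready:-<none>} after ${elapsed}s, waiting ${interval}s" >&2
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    # Timed out: the STATUS and MESSAGE columns of -o wide explain why.
    echo "$name: not ready after ${timeout}s, inspect 'kubectl get ServiceInstance $name -o wide'" >&2
    return 1
}

# Usage: wait_for_instance privatelink-test 300 10 || exit 1
```

A run that times out is the cue to go back to Step 6 and check whether the private endpoint connection has actually been approved.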
    
  • Step 8

    When a service binding is created, the Private Link service enables network access to the IP address associated with the private endpoint.

    To create a new binding, you need the following information:

    • unique name of the binding (for example privatelink-binding-test)
    • the name of the service instance (privatelink-test)
    • unique name of the secret that will be created (for example privatelink-secret-test)

    Enter the following command to create a new binding with the example information:

    Shell/Bash
    kubectl create -f - <<EOF
    apiVersion: services.cloud.sap.com/v1
    kind: ServiceBinding
    metadata:
      name: privatelink-binding-test
    spec:
      serviceInstanceName: privatelink-test
      secretName: privatelink-secret-test
    EOF
    

    If the command is successful, a Kubernetes secret with the name specified in secretName is created. The secret stores information about the private link endpoint in its hostname field. Use the following command to print the hostname field from the secret:

    Shell/Bash
    kubectl get secret privatelink-secret-test -o jsonpath='{.data.hostname}' | base64 --decode
    

    As an example, the output might look like the following:

    Shell/Bash
    {"fqdn":"someresource.privatelink.blob.core.windows.net","ip_addresses":["10.250.1.5"]}
    

    Follow the steps in Configure DNS on Kyma.


    Congratulations! You have successfully completed the tutorial.

