Connect SAP Private Link Service to Microsoft Azure Private Link Service

Requires Customer/Partner License
July 15, 2021
Created by
June 24, 2021
Connect SAP Private Link service (Beta) to Microsoft Azure Private Link Service with Cloud Foundry CLI and bind the service instance to your app or create a service key.

You will learn

  • How to create an SAP Private Link Service (Beta) instance to connect to your Microsoft Azure Private Link Service using Cloud Foundry CLI
  • How to bind the service instance to your application using Cloud Foundry CLI

Prerequisites

SAP Private Link service (Beta) establishes a private connection between applications running on SAP BTP and selected services in your own IaaS provider accounts. By reusing the private link functionality of our partner IaaS providers, you can access your services through private network connections to avoid data transfer via the public internet.

Overview of SAP Private Link service functionality
Step 1: Check offerings of SAP Private Link Service

After you’ve logged in as described in Install the Cloud Foundry Command Line Interface (CLI), access the Service Marketplace of SAP BTP. Open a command prompt on your computer and type in the following:

cf marketplace

You can now see the offering, the plan, and the description, as is shown in this example:

$ cf marketplace
Getting all service offerings from marketplace in org ... / xy… trial as admin...

offering      plans      description                                                                                                                                                    
privatelink   standard   SAP Private Link service (BETA) establishes a private connection between selected SAP BTP services and selected services in your own IaaS provider accounts.

Make sure you can see privatelink in the sample output.

Step 2: Get Resource-ID for Azure Private Link Service

To create and enable a private link, you need to define the connection to the Microsoft Azure Private Link Service first. To do so, you need the Resource-ID of your Microsoft Azure Private Link Service:

  1. Go to the Azure portal and navigate to Private Link Center > Private link services.
  2. Click on the desired Azure Private Link service that you created as part of the prerequisites and select Properties.
  3. Copy the Resource ID and save it for later use.
Get Resource-ID
Step 3: Create private link service

Currently, you do not have any service instances enabled. Therefore, you need to create one. To create a new private link, you need the following information:

  • offering (privatelink)
  • plans (standard)
  • a unique name (for instance, privatelink-test)
  • and the Resource-ID from Microsoft Azure (for instance, /subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<my-private-link-service>)

Enter cf create-service and add that information. Your command should look like this:

cf create-service privatelink standard privatelink-test -c '{"resourceId": "Resource-ID"}'

Example:
cf create-service privatelink standard privatelink-test -c '{"resourceId":"/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<my-private-link-service>"}'

If the creation of the service instance was accepted, you receive a success message telling you to proceed.

Tip: You can add an optional description to your cf create-service command, for example "requestMessage": "Please approve ASAP.", to provide some extra context.

Step 4: Check status of private link

To check the current status of the newly created service instance, you need the name of your service instance (in this example privatelink-test). Type in the following:

cf service privatelink-test

Under “message”, you can see the current status. Run the command again after approximately one minute. You should see the following message:

Showing status of last operation from service verify-privatelink...

status:    create in progress
message:   Please approve the connection for Private Endpoint 'endpoint-name' in your Azure portal

Copy the endpoint-name from the success message. You need it in the next step.

If the status has not changed, execute the command again. If you receive an error message, go back to the previous steps.

Step 5: Approve connection in Azure

Return to the Microsoft Azure portal:

  1. Select Settings > Private endpoint connections.
  2. Search for the name of the private endpoint you received from the success message in the previous step.
  3. Select the private endpoint and click Approve.
Approve your private endpoint

You should now receive a success message that the approval is pending.

Step 6: Check status of private link

To check the current status of the newly created service instance, you need the name of your service instance (in this example privatelink-test). Type in the following:

cf service privatelink-test

You should see the following success message:

status:    create succeeded
message:   Endpoint ready for binding
started:   <date>
updated:   <date>
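
The following is an added example, not part of the original tutorial or of SAP's tooling. It shows one way to script Steps 3 to 6 safely: check the Resource-ID layout before it is sent, build the -c parameter without hand-written quoting, and read the endpoint name out of the cf service output so that only that endpoint is approved in Azure. The function names and the sample Resource-ID are constructed for illustration.

```python
import json
import re

# Structural check for an Azure Private Link service Resource ID, following
# the path layout shown in Step 3 (names are matched loosely on purpose).
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[\w.()-]{1,90}"
    r"/providers/Microsoft\.Network/privateLinkServices/[\w.-]{1,80}$",
    re.IGNORECASE,
)
ENDPOINT_RE = re.compile(r"Private Endpoint '([^']+)'")


def create_service_argv(instance, resource_id, request_message=None):
    """Build the argv for `cf create-service`; reject malformed Resource IDs."""
    if not RESOURCE_ID_RE.match(resource_id):
        raise ValueError("not a privateLinkServices Resource ID")
    params = {"resourceId": resource_id}
    if request_message:
        params["requestMessage"] = request_message
    # json.dumps handles quoting, and an argv list needs no shell escaping.
    return ["cf", "create-service", "privatelink", "standard", instance,
            "-c", json.dumps(params)]


def parse_last_operation(cf_service_output):
    """Extract status, message and endpoint name from `cf service` output."""
    fields = {}
    for line in cf_service_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("status", "message"):
            fields[key.strip()] = value.strip()
    match = ENDPOINT_RE.search(fields.get("message", ""))
    fields["endpoint"] = match.group(1) if match else None
    return fields


# Constructed sample values, modelled on the output shown in Steps 4 and 6.
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "demo-rg/providers/Microsoft.Network/privateLinkServices/demo-pls")
PENDING = ("status:    create in progress\n"
           "message:   Please approve the connection for Private Endpoint "
           "'endpoint-name' in your Azure portal\n")
READY = "status:    create succeeded\nmessage:   Endpoint ready for binding\n"

if __name__ == "__main__":
    print(create_service_argv("privatelink-test", SAMPLE_ID, "Please approve ASAP."))
    print(parse_last_operation(PENDING))
    print(parse_last_operation(READY))
```

The returned list can be passed to subprocess.run as is. Compare the parsed endpoint name with the entry under Private endpoint connections before you click Approve.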
Step 7: Bind application to service instance

Upon the creation of a binding between a CF application and a private link service instance, SAP Private Link service creates a space-scoped Cloud Foundry application security group that enables network access to the IP address associated with the Private Endpoint.

To bind the service instance to your application, you need to know the name of your application and your service instance (in this example privatelink-test). Then, execute the following command:

cf bind-service "app-name" "service-instance"

If you do not have an app that you’d like to bind to your service instance, you can create a service key by running cf create-service-key <service-instance-name> <key-name>.
After the creation of your service binding, your application receives the information on how to connect via the binding credentials. See the following example for binding credentials:

{
    "privatelink": [
        {
            "instance_name": "privatelink-test",
            "label": "privatelink", // can be used to look up the bound instance programmatically
            "credentials": {
                "hostname": "<private-link-IP>" // internal IP which needs to be used to connect to the service
            },
            "tags": [
                "privatelink",
                "privatelinkservice"
            ]
        }
    ]
}
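
The following is an added example, not part of the original tutorial. It shows how a bound application can look up the privatelink binding by label and instance name and refuse to connect unless the hostname is a private address. It assumes the binding credentials arrive in Cloud Foundry's VCAP_SERVICES environment variable, that the hostname is an IP literal as the comment above states, and that the Private Endpoint address lies in an RFC 1918 range; the function name and sample values are constructed.

```python
import ipaddress
import json
import os

# Assumption: the Private Endpoint address lies in an RFC 1918 range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def privatelink_host(vcap_json, instance_name):
    """Return the hostname of the bound privatelink instance, or raise."""
    services = json.loads(vcap_json)
    for entry in services.get("privatelink", []):
        if entry.get("label") != "privatelink":
            continue
        if entry.get("instance_name") != instance_name:
            continue
        host = entry["credentials"]["hostname"]
        addr = ipaddress.ip_address(host)  # ValueError for DNS names
        if not any(addr in net for net in RFC1918):
            raise ValueError(f"{host} is outside the private ranges")
        return str(addr)
    raise LookupError(f"no privatelink binding named {instance_name!r}")


# Constructed sample in the shape of the binding credentials shown above.
SAMPLE_VCAP = json.dumps({"privatelink": [{
    "instance_name": "privatelink-test",
    "label": "privatelink",
    "credentials": {"hostname": "10.0.0.5"},
    "tags": ["privatelink", "privatelinkservice"],
}]})

if __name__ == "__main__":
    vcap = os.environ.get("VCAP_SERVICES", SAMPLE_VCAP)
    print(privatelink_host(vcap, "privatelink-test"))
```

Failing closed here means a misconfigured or tampered binding cannot silently route the application's traffic to a public address.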

Congratulations! You have successfully completed the tutorial.

