Options Evaluated for SFTP Integration
1. Integration Suite with SAP S/4 SFTP Folder (via Cloud Connector)
   - Mechanism:
     - Configure the file server as a target in the SAP Cloud Connector.
     - SAP Cloud Connector acts as a reverse proxy, routing SFTP traffic securely to the mapped directory in the SAP S/4 system.
   - Pros:
     - Low cost; leverages existing components.
     - Secure and scalable.
   - Cons:
2. Direct Integration via SAP BTP (without Cloud Connector)
   - Mechanism:
     - Raise a Service Request (SR) to SAP for:
       - Provisioning an SFTP server alongside the SAP system.
       - Setting up a Hyperscaler Load Balancer (LB) for inbound traffic to expose the SFTP service.
     - Whitelist up to 5 IPs or URLs for security approval.
     - Use port 22 for communication.
   - Pros:
     - Direct, streamlined integration.
     - Preferred by SAP for long-term scalability and best practices.
     - Enhanced security with Load Balancer IP filtering.
   - Cons:
     - Higher costs for BTP services, SFTP provisioning, and Load Balancer setup.
     - Requires SAP security team approval for SRs.
Typical Customer Scenarios
- On-Premise Connections:
  - Most customers connect to the ECS-hosted SFTP share from their on-premise network. This involves internal routing and does not require exposing traffic to the public Internet.
- Public Internet Connections:
  - Customers occasionally request to enable port 22 traffic between a public Internet IP and the ECS SFTP share. Such requests can include:
    - Inbound Port 22 Traffic:
      - From a public Internet IP to the ECS virtual machine (VM).
      - Requires careful IP whitelisting to ensure secure access.
    - Outbound Port 22 Traffic:
      - From the ECS VM to a public Internet IP.
      - Requires an external outbound Load Balancer to handle the traffic.
Key Notes from SAP Architects
- Port 22 Restrictions:
  - SAP allows a maximum of 5 whitelisted IPs or URLs for port 22 traffic.
  - Requests exceeding this limit will be rejected.
  - Even for requests under the limit, SAP's security team will review and approve or deny based on risk assessments.
- External Outbound Load Balancer:
  - For outbound traffic (e.g., ECS VM to an Internet IP), customers must request SAP to provision an external outbound Load Balancer as part of the service request.
Recommendations
For cost-sensitive or time-critical setups: Use Option 1 (Integration Suite via Cloud Connector).
For a robust, scalable solution that aligns with SAP’s best practices: Use Option 2 (Direct Integration via BTP), considering the additional setup time and costs.
Next Steps
1. Confirm the architectural choice based on project priorities, budget, and timelines.
2. If Option 2 is selected:
   - Raise the necessary SRs for SFTP server provisioning, inbound/outbound Load Balancer setup, and IP whitelisting.
   - Define IP filtering rules, ensuring compliance with SAP’s security requirements.
3. Test and validate the architecture end-to-end for secure SFTP file transfers.
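Before raising the whitelisting SR for Option 2, it helps to vet the proposed port 22 source list against the constraints above (at most 5 entries, public Internet sources only). The check below is an added example, not SAP tooling; it assumes that ranges broader than a /24 are too permissive and that hostname/URL entries can only be syntax-checked offline.

```python
import ipaddress
import re
from dataclasses import dataclass, field

MAX_ENTRIES = 5     # SAP's stated cap on whitelisted IPs/URLs for port 22
SFTP_PORT = 22
MIN_V4_PREFIX = 24  # assumption: anything broader than a /24 is too permissive
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
# Ranges that can never be a "public Internet IP": RFC 1918, loopback, link-local, unspecified.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class AllowlistCheck:
    accepted: list = field(default_factory=list)   # entries ready to go into the SR
    rejected: dict = field(default_factory=dict)   # entry -> reason

    @property
    def ok(self):
        return bool(self.accepted) and not self.rejected


def _reason_to_reject(net):
    """Return why a network is unacceptable as a port 22 source, or None."""
    if net.version == 4 and net.prefixlen < MIN_V4_PREFIX:
        return f"range broader than /{MIN_V4_PREFIX}"
    if any(net.version == n.version and net.overlaps(n) for n in NON_PUBLIC):
        return "not a public Internet address"
    return None


def check_allowlist(entries):
    """Normalise, de-duplicate and vet proposed port 22 source entries."""
    result, seen = AllowlistCheck(), set()
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # single IP or CIDR
            key, reason = str(net), _reason_to_reject(net)
        except ValueError:
            key = entry.lower()  # hostname/URL: syntax check only, cannot resolve offline
            reason = None if HOSTNAME_RE.match(key) else "not an IP, CIDR or hostname"
        if reason:
            result.rejected[entry] = reason
        elif key not in seen:
            seen.add(key)
            if len(result.accepted) < MAX_ENTRIES:
                result.accepted.append({"source": key, "port": SFTP_PORT})
            else:
                result.rejected[entry] = f"exceeds SAP limit of {MAX_ENTRIES} entries"
    return result
```

The constructed sample addresses in the test use the RFC 5737/3849 documentation ranges, which the check treats as public because they are not in the NON_PUBLIC list.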