|
| 1 | +--- |
| 2 | +title: Connect SAP Private Link Service to Microsoft Azure Private Link Service |
| 3 | +description: Connect SAP Private Link service (Beta) to Microsoft Azure Private Link Service with Cloud Foundry CLI and bind the service instance to your app or create a service key. |
| 4 | +auto_validation: validation |
| 5 | +time: 10 |
| 6 | +tags: [tutorial>beginner, software-product-function>sap-btp-cockpit, tutorial>license, software-product-function>sap-private-link-service, software-product-function>sap-btp-command-line-interface] |
| 7 | +primary_tag: software-product-function>sap-private-link-service |
| 8 | +--- |
| 9 | + |
| 10 | +## Prerequisites |
| 11 | + - You have a global account and subaccount on SAP Business Technology Platform with SAP Private Link service (Beta) entitlement: [Set Up SAP Private Link Service](private-link-onboarding). |
| 12 | + - You have created a Microsoft Azure Private Link Service in the Azure Portal. You only have to create the Load Balancer resources (pool and rules) and the private link service. The section "Create a private endpoint" can be skipped, as SAP Private Link service (Beta) will establish the connection for you. See [Create a Private Link service by using the Azure portal](https://docs.microsoft.com/en-us/azure/private-link/create-private-link-service-portal). |
| 13 | + - You have installed Cloud Foundry CLI. See [Install the Cloud Foundry Command Line Interface (CLI)](cp-cf-download-cli). |
| 14 | + |
| 15 | + |
| 16 | +## Details |
| 17 | +### You will learn |
| 18 | + - How to create a SAP Private Link Service (Beta) instance to connect to your Microsoft Azure Private Link Service using Cloud Foundry CLI |
| 19 | + - How to bind the service instance to your application using Cloud Foundry CLI |
| 20 | + |
| 21 | +SAP Private Link service (Beta) establishes a private connection between applications running on SAP BTP and selected services in your own IaaS provider accounts. By reusing the private link functionality of our partner IaaS providers, you can access your services through private network connections to avoid data transfer via the public internet. |
| 22 | + |
| 23 | +! |
| 24 | + |
| 25 | +--- |
| 26 | + |
| 27 | +[ACCORDION-BEGIN [Step 1: ](Check offerings of SAP Private Link Service )] |
| 28 | + |
| 29 | +After you've logged in as described in [Install the Cloud Foundry Command Line Interface (CLI)](cp-cf-download-cli), access the **Service Marketplace** of SAP BTP. Open a command prompt on your computer and type in the following: |
| 30 | + |
| 31 | +```Bash |
| 32 | +cf marketplace |
| 33 | +``` |
| 34 | + |
| 35 | +You can now see the offering, the plan, and the description, as is shown in this example: |
| 36 | + |
| 37 | +```Bash |
| 38 | +$ cf marketplace |
| 39 | +Getting all service offerings from marketplace in org ... / xy… trial as admin... |
| 40 | + |
| 41 | +offering plans description |
| 42 | +privatelink standard SAP Private Link service establishes private connectivity between SAP BTP and services hosted on Azure or on-premise, without exposing data to the internet. privatelink-ua-trial-test |
| 43 | +``` |
| 44 | + |
| 45 | +Make sure you can see ```privatelink``` in the sample output. |
| 46 | + |
| 47 | +[DONE] |
| 48 | +[ACCORDION-END] |
| 49 | + |
| 50 | +[ACCORDION-BEGIN [Step 2: ](Get Resource-ID for Azure Private Link Service)] |
| 51 | + |
| 52 | +To create and enable a private link, you need to define the connection to the Microsoft Azure Private Link Service first. To do so, you need the Resource-ID of your Microsoft Azure Private Link Service: |
| 53 | + |
| 54 | +1. Go to the Azure portal and navigate to **Private Link Center** > **Private link services**. |
| 55 | +2. Click on the desired Azure Private Link service that you created as part of the prerequisites and select **Properties**. |
| 56 | +3. Copy the **Resource ID** and save it for later use. |
| 57 | + |
| 58 | +! |
| 59 | + |
| 60 | +[DONE] |
| 61 | +[ACCORDION-END] |
| 62 | + |
| 63 | +[ACCORDION-BEGIN [Step 3: ](Create private link service)] |
| 64 | + |
| 65 | +Currently, you do not have any service instances enabled. Therefore, you need to create one. To create a new private link, you need the following information: |
| 66 | + |
| 67 | +- offering (```privatelink```) |
| 68 | +- plans (```standard```) |
| 69 | +- a unique name (for instance, ```privatelink-test```) |
| 70 | +- and the Resource-ID from Microsoft Azure (for instance, ```/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<my-private-link-service>```) |
| 71 | + |
| 72 | +Enter ```cf create-service``` and add that information. Your command should look like this: |
| 73 | + |
| 74 | +```Bash |
| 75 | +cf create-service privatelink standard privatelink-test -c '{"resourceId": "Resource-ID"}' |
| 76 | +``` |
| 77 | +> **Example**: ```cf create-service privatelink standard privatelink-test -c '{"resourceId":"/subscriptions/<subscription>/resourceGroups/<rg>/providers/Microsoft.Network/privateLinkServices/<my-private-link-service>"}'``` |
| 78 | +
|
| 79 | +If the creation of the service instance was accepted, you receive a success message telling you to proceed. |
| 80 | + |
| 81 | +> **Tip**: You can add an optional description to your CF CLI ```cf create service``` command, for example ```"requestMessage": "Please approve ASAP."``` to provide some extra context. |
| 82 | +
|
| 83 | +[DONE] |
| 84 | +[ACCORDION-END] |
| 85 | + |
| 86 | +[ACCORDION-BEGIN [Step 4: ](Check status of private link)] |
| 87 | + |
| 88 | +To check the current status of the newly created service instance, you need the name of your service instance (in this example ```privatelink-test```). Type in the following: |
| 89 | + |
| 90 | +```Bash |
| 91 | +cf service privatelink-test |
| 92 | +``` |
| 93 | + |
| 94 | +Under "message", you can see the current status. Renew the command after approximately one minute. You should see the following message: |
| 95 | + |
| 96 | +```Bash |
| 97 | +Showing status of last operation from service verify-privatelink... |
| 98 | + |
| 99 | +status: create in progress |
| 100 | +message: Please approve the connection for Private Endpoint 'endpoint-name' in your Azure portal |
| 101 | +``` |
| 102 | +
|
| 103 | +Copy the *endpoint-name* from the success message. You need it in the next step. |
| 104 | +
|
| 105 | +> Execute this command again, in case there's no change in the current status. If you receive an error message, go back to the previous steps. |
| 106 | +
|
| 107 | +[DONE] |
| 108 | +[ACCORDION-END] |
| 109 | +
|
| 110 | +[ACCORDION-BEGIN [Step 5: ](Approve connection in Azure)] |
| 111 | +
|
| 112 | +Return to Microsoft Azure portal: |
| 113 | +
|
| 114 | +1. Select **Settings > Private endpoint connections**. |
| 115 | +2. Search for the name of the private endpoint you received from the success message in the previous step. |
| 116 | +3. Select the private end point and click **Approve**. |
| 117 | +
|
| 118 | +! |
| 119 | +
|
| 120 | +
|
| 121 | +You should now receive a success message that the approval is pending. |
| 122 | +
|
| 123 | +
|
| 124 | +[DONE] |
| 125 | +[ACCORDION-END] |
| 126 | +
|
| 127 | +[ACCORDION-BEGIN [Step 6: ](Check status of private link)] |
| 128 | +
|
| 129 | +To check the current status of the newly created service instance, you need the name of your service instance (in this example ```privatelink-test```). Type in the following: |
| 130 | +
|
| 131 | +```Bash |
| 132 | +cf service privatelink-test |
| 133 | +``` |
| 134 | +
|
| 135 | +You should see the following success message: |
| 136 | +
|
| 137 | +```Bash |
| 138 | +status: create succeeded |
| 139 | +message: Endpoint ready for binding |
| 140 | +started: <date> |
| 141 | +updated: <date> |
| 142 | +``` |
| 143 | +
|
| 144 | +
|
| 145 | +[DONE] |
| 146 | +[ACCORDION-END] |
| 147 | +
|
| 148 | +[ACCORDION-BEGIN [Step 7: ](Bind application to service instance)] |
| 149 | +
|
| 150 | +Upon the creation of a binding between a CF application and a private link service instance, SAP Private Link service creates a space-scoped [Cloud Foundry application security group](https://docs.cloudfoundry.org/concepts/asg.html) that enables network access to the IP address associated with the Private Endpoint. |
| 151 | +
|
| 152 | +To bind the service instance to your application, You need to know the name of your application and your service instance (in this example ```privatelink-test```). Then, execute the following command: |
| 153 | +
|
| 154 | +```Bash |
| 155 | +cf bind-service "app-name" "service-instance" |
| 156 | +``` |
| 157 | +
|
| 158 | +>If you do not have an app that you'd like to bind to your service instance, you can create a service key by running ```cf create-service-key <service-instance-name> <key-name>```. |
| 159 | + After the creation of your service binding, your application receives the information on how to connect via the binding credentials. See the following example for binding credentials: |
| 160 | +
|
| 161 | +> ```JSON |
| 162 | +{ |
| 163 | + "privatelink": [ |
| 164 | + { |
| 165 | + "instance_name": "privatelink-test", |
| 166 | + "label": "privatelink", // can be used to look up the bound instance programmatically |
| 167 | + "credentials": { |
| 168 | + "hostname": "<private-link-IP>" // internal IP which needs to be used to connect to the service |
| 169 | + } |
| 170 | + } |
| 171 | + ] |
| 172 | +} |
| 173 | +``` |
| 174 | +
|
| 175 | +
|
| 176 | +
|
| 177 | +[VALIDATE_1] |
| 178 | +[ACCORDION-END] |
| 179 | +
|
| 180 | +--- |
| 181 | +
|
| 182 | +Congratulations! You have successfully completed the tutorial. |
| 183 | +
|
| 184 | +--- |
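Review bot: The Step 4 sample output (added line 97) reads `Showing status of last operation from service verify-privatelink...`, but the command above it is `cf service privatelink-test`, so the sample should name `privatelink-test` to match the rest of the tutorial. Steps 4 and 5 (lines 103 and 115) also call this output a "success message" although its status is `create in progress`; "status message" would be accurate, and since Step 5 approves a connection by that name, say explicitly that the endpoint name in Azure must match the one in the message before clicking **Approve**. In Step 3 the Tip (line 81) writes `cf create service` without the hyphen and does not show that `requestMessage` goes inside the `-c` JSON next to `resourceId`. In Step 7, the block at lines 161-173 is fenced as `JSON` but contains `//` comments, and only its opening line carries `>`. Line 159 is indented directly under the `>` note at line 158, so it will likely render as part of that quote. Either drop the `>` and the comments or move the explanations into the prose. Line 152 has a stray capital in "You need". Steps 4 and 6 share the title "Check status of private link"; consider distinguishing the second, for example as a check after approval.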