SAP Certified Development Associate - SAP Extension Suite


BTP Hyperscaler Extension

Modern SAP hybrid multi-cloud environments integrate SAP Business Technology Platform (SAP BTP) services to implement SAP S/4HANA intelligent enterprises.

SAP Business Technology Platform - BTP Azure AWS Cloud Architecture

The SAP Business Technology Platform PaaS is built on the pillars Data Management, Extensibility & Integration, Analytics, and Intelligent Technologies. These pillars are visualized side-by-side with selected SAP enterprise applications in the following diagram.

SAP Business Technology Platform BTP Architecture

SAP BTP cloud services are available to implement side-by-side extensibility, end-to-end integration, cloud analytics, process automation, AI Machine Learning (ML) or data-to-value scenarios.

Hybrid cloud environments combine enterprise applications with SAP BTP services or integrate edge solutions (e.g. IoT or DMC) with SAP BTP cloud applications like SAP Digital Manufacturing Cloud (DMC) or Asset Performance Management.

SAP Business Technology Platform hybrid multi-cloud architectures with Amazon AWS and Microsoft Azure avoid the vendor lock-in of "one-size-fits-all" PaaS selections. Private Links or Service Manager integrations enable these multi-cloud environments with SAP BTP, but there is no option to subscribe to BTP services natively within the control cockpits of the hyperscaler platforms (status 11/2022).

Cloud Environments and Runtimes

Environments constitute the platform-as-a-service (PaaS) offering of the SAP Business Technology Platform at subaccount level. Each environment contains one runtime to build cloud native applications.

Cloud Foundry and Kyma are the cloud native runtimes of the SAP BTP Extension Suite. Both are built on Kubernetes, which provides container orchestration with management and scaling capabilities on the infrastructure layer of the hyperscaler cloud platforms. Under the hood, Gardener abstracts Kubernetes on the hyperscaler platforms to enable vendor-agnostic development with the same operating experience everywhere.

SAP Business Technology Platform (BTP) Cloud Native Runtimes

Cloud Foundry on Kubernetes is built on the cloud native cf-for-k8s distribution with Istio as the routing tier. Eirini (as a substitute for Diego) enables Cloud Foundry to deploy applications as pods (workloads) on Kubernetes.

SAP is planning to offer a unified runtime with the same developer experience on all cloud platforms, enabling Cloud Foundry apps to run in SAP datacenters as well (status 2022).

SAP Business Technology Platform (BTP) Extension Suite Cloud Unified Runtime

Kubernetes based BTP Environments

Kubernetes (or k8s, where 8 replaces the eight characters "ubernete") focuses on container management and orchestration. K8s offers declarative configuration and monitoring of all kinds of workloads in hybrid and multi-cluster environments. Middleware services are available as pluggable components.

SAP Business Technology Platform (BTP) Extension Suite Cloud Native Environments

Kubernetes based Cloud Foundry and Kyma environments offer modern cloud technologies with different application implementation options. Serverless Kyma functions hide infrastructure components to enable application development with highly scalable workloads.

Cloud Foundry supports 12-factor-compliant applications and stateless microservice development with a maximum degree of automation, and buildpacks enable bring-your-own-language (BYOL) implementations. Cloud Foundry organizations are assigned 1:1 to subaccounts and ensure tenant isolation of business units with user and authorization management.

Multi-tenant applications on provider accounts can be published to multiple consumer accounts with the SaaS Provisioning service. Tenant isolation then has to be implemented at application level by tenant ID.

Comparison of Cloud Runtimes

The table below provides a high-level comparison of selected Cloud Foundry and Kyma runtime features, which helps to find the best runtime for a specific implementation.

| Feature | Cloud Foundry | Kyma |
| --- | --- | --- |
| Level of workload isolation | Organizations | Namespaces |
| Development flexibility | medium | high degree, pluggable operating and monitoring features |
| Availability of backing services | Service Broker | Service Broker, Kubernetes Operators |
| Microservice development | less complex use cases, "nano" services | recommended approach for complex containerized solutions |
| Serverless function support | not available | supported |
| Region assignment | on subaccount level | on subaccount level for the runtime and on cluster level |

The Kyma runtime offers a high degree of flexibility to implement complex containerized serverless solutions.

SAP BTP Hyperscaler Integration

There are two integration options for services of the underlying hyperscaler cloud platforms. The SAP BTP Service Manager is the central registry that enables the consumption of hyperscaler cloud services via the Open Service Broker standard or Kubernetes Operators.

SAP Business Technology Platform (BTP) Hyperscaler Integration

Kubernetes operators allow attaching backing services to cloud native SAP BTP applications; the operator pattern defines custom controllers that act on Custom Resource Definitions (CRDs). CRD metadata for packaging and development can be managed with the Operator Framework.

SAP Business Technology Platform Private Link services establish private connections between selected BTP services and services on hyperscaler platforms to avoid public internet traffic. Private links are available e.g. for Azure App Services or Functions, Cosmos DB, Automation and Key Vault, and for AWS Lambda, S3, SNS, SQS, SES or the Aurora Data API.

SAP Business Technology Platform (BTP) Service Link Integration

Connections between SAP BTP Private Link and Azure Private Link or AWS Endpoint Services allow further integration options e.g. with S/4HANA OData Services.

Security on SAP Business Technology Platform (BTP)

Security on cloud platforms should be implemented with a layered defense-in-depth strategy at the data, application, network and operational levels.

SAP Business Technology Platform (BTP) Multi-Cloud Security Defense in Depth

Secured connectivity, cloud identity authentication management and audit logs are examples of defense in depth features on the SAP Business Technology Platform.

SAP Business Technology Platform (BTP) Defense in Depth Architecture Blueprint

Network security implementations on SAP BTP are limited, because there are no options to separate public and private network segments or to add network components for advanced security implementations (such as security groups, routing tables, NAT gateways or OSI layer 7 load balancers).

Security of Cloud Application

Further security services like web application firewalls or DNS load balancers cannot be configured on the SAP Business Technology Platform (BTP). Security measures like application load balancing, rate limiting or DDoS (Distributed Denial-of-Service) protection are only available to a limited extent, with additional license costs for SAP BTP API Management.

The SAP BTP Credential Store service is based on hyperscaler key management services to provide a secure repository of passwords and keys for applications.

SAP BTP custom domains expose applications secured by TLS/SSL certificates. Cloud Foundry runtime apps require a route mapping to the custom domain and an OAuth redirect configuration. Kyma runtime apps can be connected to custom domains using the Istio service mesh.

Cloud Identity Authentication Management (IAM)

The OAuth protocol enables the implementation of Identity Authentication Management (IAM) on the SAP Business Technology Platform. The OAuth Authorization Code Grant is available as part of the Cloud Foundry application layer security and supports the exchange of user credentials for access tokens as part of the login process.

SAP BTP application routers facilitate OAuth grant implementations and act as an optional single point of entry for applications. BTP app routers are OAuth clients (I) and prompt users (identities, principals) to log in with their credentials.

Cloud Foundry runtimes offer a UAA (User Access Authentication) server that grants resource access to client applications with JWT formatted tokens (11). The SAP BTP XSUAA service is an extension of the Cloud Foundry UAA OAuth server (II).

SAP Business Technology Platform (BTP) Security Best Practices

Cloud Platform Application Router

Applications can be securely accessed via the SAP BTP Application Router, which can be implemented as managed or standalone. Managed approuters are the recommended default option and are provided as features of the SAP Launchpad and SAP Cloud Portal services. Standalone approuters can be implemented for special use cases like multi-tenancy and are listed together with the apps in Cloud Foundry spaces.

Some important approuter tasks are to forward requests as a reverse proxy to defined routes, serve static content like HTML5 apps, integrate seamlessly with the XSUAA-protected HTML5 Application Repository service, provide session handling and manage authentication flows.

Identity Authentication Management on the SAP Business Technology Platform is controlled by route authentication types, which define whether users are prompted to enter login information (for UAA or IAS services). IAS prompts enable OIDC flows in Kyma environments.

Signed authentication tokens (1) can be forwarded by the approuter in the HTTP Authorization header (2) to destinations (without authentication, not for proxy type on-premise). The forwarded tokens (2) are validated in Cloud Foundry runtime apps with the XSUAA public key, and the JWT token content (body) is used to enforce authorization by scopes.

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity Forward Auth Token

BTP Cloud Connectivity Service

The Connectivity service allows SAP BTP applications to securely access remote services that run on the internet or on-premise. Destinations configured at subaccount or instance level in the BTP console provide technical information about the targets. Alternatively, destinations can be configured at application level in the Cloud Foundry manifest.yml or as environment variables (Cloud Foundry, Kyma).

SAP BTP destinations enable principal propagation from applications to cloud targets with the authentication type OAuth2SAMLBearerAssertion. The authentication type PrincipalPropagation allows propagating principals from cloud applications to SAP systems deployed on-premise or in private clouds.

Cloud Connectors establish connections between the SAP Business Technology Platform and SAP systems hosted on-premise or on hyperscaler platforms. The installation requires a TLS-secured internet connection to the Connectivity Service host. The IP address of the SAP BTP Connectivity Service host is controlled by the respective infrastructure provider.

SAP BTP principal propagation has to be enabled by establishing trust between the Cloud Connector, the cloud SAML2 IdP and the SAP system. NetWeaver rules map the user information of the short-lived certificates (created by the Cloud Connector) to SAP user IDs.

High availability Cloud Connector installations for the SAP Business Technology Platform are set up with two instances as master and shadow.

SAP BTP Connectivity Service Cloud Connector High Availability

SAP BTP Kubernetes workloads require a proxy, delivered as a Docker image and Helm chart, to connect with on-premise Cloud Connectors. The Kyma environment provides a central API Gateway to connect to SAP cloud solutions.

Hybrid Multi-Cloud Connectivity

SAP BTP connectivity services use destinations to connect to systems and services in hybrid or multi-cloud environments. BTP destination proxy types define the location of the target system as OnPremise, Internet (e.g. S/4HANA Cloud) or PrivateLink.

PrincipalPropagation of SAP Business Technology Platform destinations enables single sign-on (SSO) by forwarding JWT cloud identities to destinations with proxy type OnPremise and authentication type PrincipalPropagation, or to any proxy type with OAuth2 SAML Bearer Assertion.

Destinations define the following authentication types to access resources:

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity Principal Propagation

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity OAuth2SAMLBearerAssertion

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity OAuth2UserTokenExchange

Resilient Cloud Implementations

The SAP Business Technology Platform offers options to implement resiliency with Business Continuity and Disaster Recovery (BCDR) standard plans, which are limited to restoring productive tenants from backups without a guaranteed recovery time objective (RTO). Furthermore, BTP HANA Cloud services support zone-redundant storage, which increases the default availability SLA from 99.9% to 99.95%.

Cloud Foundry runtime specific features are high availability, managed at compute and (multi-instance) application level with hyperscaler availability zones, and the Autoscaler service. The Kyma runtime offers periodic backups of managed Kubernetes.

Highly available multi-cloud extension and integration solutions can be deployed on subaccounts across different hyperscaler platforms and regions. Such deployments avoid the downtime needed for major SAP BTP upgrades. To get notified about planned major upgrades, customers can subscribe to cloud system notifications.

SAP BTP Robotic Process Automation (RPA)

SAP Business Technology Platform Process Automation combines Workflow Management with Robotic Process Automation (RPA) technologies. Process Designer and Form Editor enable No-Code development with pre-built content like industry-specific bots for automations, forms or process projects.

SAP BTP RPA helps to transform tedious or repetitive tasks of human workers into digital business processes. Robotic Process Automation can accelerate the digital transformation of business processes with automation. Available RPA content, like packages or templates, simplifies and accelerates the SAP process automation design.

The RPA service is composed of the cloud components Cloud Factory (orchestration and monitoring), Cloud Studio (design of automation processes) and the Store (pre-built content and SDKs, e.g. for PDF, Excel, Outlook, Word, SAP GUI and SAPUI5).

Automations run on the on-premise desktop agent and can be operated with confidence, e.g. with the operations monitoring capabilities of SAP Cloud ALM.

Robotic Process Automation tasks can be processed unattended (autonomously, fully automated) in the background, or attended and interactively (assisted by humans with task centers). SAP recommends running API bots in unattended, scheduled mode.

The design capabilities for robotic process automations include drag and drop process tools, advanced workflow management and (interactive) forms. Routing of automated robotic processes can be implemented with condition criteria and decisions based on complex policies or business rules.

Connectors enable automations of web, win, ui, SAP (Web) GUI and HLLAPI applications. Robotic process automations can be operated with performance measurement, alert monitoring, and technical and functional traces. Automated processes can offer collaboration and notification capabilities like e-mail, APIs, CAI notifiers or alert management.

RPA data integrations are enabled with SDK packages for PDF, Excel, PowerPoint, MS-Word, BAPI, Outlook, SAPUI5, SAP GUI and built-in Document Information Extraction.

AI Business Services

SAP Business Technology Platform AI Business Services are ready-to-use intelligent services, which can be integrated into applications or automation scenarios. SAP BTP AI Business Services offer capabilities like Document Information Extraction, Document Classification into user-defined categories, Business Entity Recognition, Service Ticket Intelligence or Personalized Recommendations.

SAP BTP AI Business Services provide reusable models, pre-trained by domain experts, with common patterns across business processes and SAP solutions. These machine learning models are pre-processed to remove noise and outliers. During the training process, BTP AI services check for early stopping conditions to avoid model overfitting and compare the resulting models with already existing trained models to choose the best-fitting model.

AI Service Ticket Intelligence Service

Service Ticket Intelligence machine learning models support the scenario types text classification and solution recommendation, which have to be specified during the upload of training data.

  1. Text classification analyzes input data with regard to ticket categories and priorities, language detection and sentiment analysis.
  2. Solution recommendations for service agents are based on previous similar tickets.

Text classification in Service Ticket Intelligence is performed by a Convolutional Neural Network (CNN) with multiple layers. One of these layers is the attention layer, which works at sentence level to weight tokens, similar to cognitive attention.

AI Personalized Recommendations Service

SAP BTP AI Personalized Recommendations is an offering for batch and real-time inference calls, which return recommendations with confidence scores. With this service, you can also find out which item attribute or past interactions influenced each recommendation. The inference API endpoints of the recommendation service further allow boosting categorical features with higher priority and forcing specific desired recommendations.

Intelligent recommendations are embedded in SAP Cloud Solutions like SuccessFactors to create learning paths or to improve the web shop experience with Commerce Cloud. Similar use cases are recommendations for internal procurement and career path planning.

AI Document Information Extraction Service

AI Document Information Extraction extracts business relevant entities from unstructured business documents (such as invoices) with content in headers and tables. The extracted information can be enriched with existing master data (e.g. vendor or employee data).

AI Business Entity Recognition

SAP BTP Business Entity Recognition algorithms train neural networks to learn patterns for entity classification in business documents. Currently (11/2022), the service offers four pre-trained SAP models: e-mail business entity, invoice header, address and generic entity. Custom machine learning models can be used to classify any given type of named entity, such as mobile number, first name, last name or address.

The service transforms the initial text into a machine-readable label mask, which enables the algorithm to learn where to find and recognize the class information to be returned.

AI Data Attribute Recommendation Service

AI Data Attribute Recommendation applies machine learning to predict and classify data records with model templates, which serve single-label, multi-label and multi-class classification tasks using traditional or neural network machine learning models. Model templates generate an empty, untrained, unique model architecture for each input dataset schema.

Available model templates with classification tasks:

Some possible use-cases are: