Advanced connectivity scenarios - Amazon SDK for SAP ABAP
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Advanced connectivity scenarios

Amazon SDK for SAP ABAP consumes Amazon Web Services services by making HTTPS calls to Amazon endpoints. In general, Amazon endpoints are accessible over the internet. An SAP system must be able to reach out to the internet to establish these outbound connections. SDK for SAP ABAP never requires an inbound connection from the internet into the SAP system.

The following scenarios offer different ways to establish the outbound connection.

Connection through a proxy server

To establish a connection through a proxy server, use the following steps.

  1. In the SDK, go to Transaction SICF.

  2. Choose Execute.

  3. In the menu, choose Client > Proxy server.

  4. Set Proxy setting as Active.

  5. In the field for No Proxy for the Following Addresses, list any exceptions separated by semicolons.

  6. In the HTTP Protocol and HTTPs Protocol fields, specify the connection details for your proxy server.

The SDK is unaware of the proxy server, and does not require any settings to use the SAP system's proxy server configuration.

Note

If you use Amazon EC2 instance metadata authentication, then the SAP system cannot use the proxy server to access the local instance metadata at http://169.254.169.254. You must include 169.254.169.254 in the field for No Proxy for the Following Addresses.

Connection through a packet inspecting firewall

You can configure a packet inspecting firewall for outbound connection. These firewalls decrypt the SSL traffic, and then re-encrypt it before passing it on to the endpoint. This configuration usually requires the firewall to issue its own certificates to the SAP system that is consuming an Amazon Web Services service. You must install your firewall’s CA certificate in STRUST. For more information, see HTTPS connectivity.

Gateway endpoints

Some Amazon Web Services services offer gateway endpoints to provide a VPC with high-performance access without internet. These endpoints are transparent to SDK for SAP ABAP, and do not require any configuration.

For more information, see Gateway endpoints.

Custom interface endpoints

If you need to override the default endpoint resolution with a custom endpoint, you can use an interface endpoint to provide your VPC with high-performance access without internet. For more information, see Configure an interface endpoint.

When not using private DNS, these endpoints have their own DNS addresses, and an ABAP program must explicitly override the usual endpoint resolution logic. For more information, see Amazon Web Services re:Post – Why can't I resolve service domain names for an interface VPC endpoint?

In the following example, an interface endpoint is created for Amazon STS and Amazon Translate. The SAP system is not using private DNS, and calls the services with custom endpoint. The logical resources defined in /AWS1/IMG represent the physical interface endpoint addresses, such as vpce-0123456789abcdef-hd52vxz.translate.us-west-2.vpce.amazonaws.com. This avoids hard coding the DNS in code.

In the following code, the logical resources in /AWS1/IMG are first resolved to physical endpoint names. They are then provided to the factory methods of Amazon session class (that uses Amazon STS to assume an IAM role) and translate API class.

" This example assumes we have defined our logical endpoints in /AWS1/IMG " as logical resources so that we don't hardcode our endpoints in code. " The endpoints may be different in Dev, QA and Prod environments. DATA(lo_config) = /aws1/cl_rt_config=>create( 'DEMO' ). DATA(lo_resolver) = /aws1/cl_rt_lresource_resolver=>create( lo_config ). " logical resource STS_ENDPOINT should resolve to the interface endpoint " for example vpce-0123456789-abcdefg.sts.us-west-2.vpce.amazonaws.com DATA(lv_sts_endpoint) = lo_resolver->resolve_lresource( 'STS_ENDPOINT' ). " logical resource XL8_ENDPOINT should resolve to the interface endpoint " e.g. vpce-0123456789abcdefg-12345567.translate.us-west-2.vpce.amazonaws.com DATA(lv_xl8_endpoint) = lo_resolver->resolve_lresource( 'XL8_ENDPOINT' ). " the session itself uses the sts service to assume a role, so the " session creation process requires a custom endpoint, specified here DATA(lo_session) = /aws1/cl_rt_session_aws=>create( iv_profile_id = 'DEMO' iv_custom_sts_endpoint = |https://{ lv_sts_endpoint }| ). " now we create an API object, and override the default endpoint with " the custom endpoint DATA(lo_xl8) = /aws1/cl_xl8_factory=>create( io_session = lo_session iv_custom_endpoint = |https://{ lv_xl8_endpoint }| " provide custom endpoint ). " now calls to lo_xl8 go to custom endpoint...

As shown in the example, any method calls on go_xl8 go to the endpoint https://vpce-0123456789abcdefg-12345567.translate.us-west-2.vpce.amazonaws.com.

Accessing endpoints in multiple Regions

Amazon endpoint is automatically determined from your default Amazon Web Services Region that is defined in the SDK profile. You can also specify a region programmatically, overriding the default region. This can be overridden in the factory CREATE() method, or later with the SDK’s configuration object. For more information, see Programmatic configuration.

In the following example, the factory CREATE() method is used to set the region and list the Amazon SQS queues in both us-east-1 and us-west-2 Regions.

REPORT zdemo_sqs_queue_list. parameters: profile type /AWS1/RT_PROFILE_ID OBLIGATORY. START-OF-SELECTION. DATA(go_session) = /aws1/cl_rt_session_aws=>create( profile ). data(lt_region) = VALUE stringtab( ( |us-east-1| ) ( |us-west-2| ) ). LOOP AT lt_region INTO DATA(lv_region). DATA(go_sqs) = /aws1/cl_sqs_factory=>create( io_session = go_session iv_region = conv /AWS1/RT_REGION_ID( lv_region ) ). WRITE: / lv_region COLOR COL_HEADING. LOOP AT go_sqs->listqueues( )->get_queueurls( ) INTO DATA(lo_url). WRITE: / lo_url->get_value( ). ENDLOOP. ENDLOOP.