Advanced connectivity scenarios
Amazon SDK for SAP ABAP consumes Amazon Web Services services by making HTTPS calls to Amazon endpoints. In general, Amazon endpoints are accessible over the internet. An SAP system must be able to reach out to the internet to establish these outbound connections. SDK for SAP ABAP never requires an inbound connection from the internet into the SAP system.
The following scenarios offer different ways to establish the outbound connection.
Scenarios
Connection through a proxy server
To establish a connection through a proxy server, use the following steps.
-
In the SDK, go to Transaction
SICF
. -
Choose Execute.
-
In the menu, choose Client > Proxy server.
-
Set Proxy setting as Active.
-
In the field for No Proxy for the Following Addresses, list any exceptions separated by semicolons.
-
In the HTTP Protocol and HTTPs Protocol fields, specify the connection details for your proxy server.
The SDK is unaware of the proxy server, and does not require any settings to use the SAP system's proxy server configuration.
Note
If you use Amazon EC2 instance metadata authentication, then the SAP system cannot use the proxy
server to access the local instance metadata at http://169.254.169.254
. You
must include 169.254.169.254
in the field for No Proxy for the
Following Addresses.
Connection through a packet inspecting firewall
You can configure a packet inspecting firewall for outbound connection. These firewalls
decrypt the SSL traffic, and then re-encrypt it before passing it on to the endpoint. This
configuration usually requires the firewall to issue its own certificates to the SAP system
that is consuming an Amazon Web Services service. You must install your firewall’s CA certificate in
STRUST
. For more information, see HTTPS
connectivity.
Gateway endpoints
Some Amazon Web Services services offer gateway endpoints to provide a VPC with high-performance access without internet. These endpoints are transparent to SDK for SAP ABAP, and do not require any configuration.
For more information, see Gateway endpoints.
Custom interface endpoints
If you need to override the default endpoint resolution with a custom endpoint, you can use an interface endpoint to provide your VPC with high-performance access without internet. For more information, see Configure an interface endpoint.
When not using private DNS, these endpoints have their own DNS addresses, and an ABAP
program must explicitly override the usual endpoint resolution logic. For more information,
see Amazon Web Services re:Post – Why can't I resolve
service domain names for an interface VPC endpoint?
In the following example, an interface endpoint is created for Amazon STS and
Amazon Translate. The SAP system is not using private DNS, and calls the services with
custom endpoint. The logical resources defined in /AWS1/IMG
represent the
physical interface endpoint addresses, such as
vpce-0123456789abcdef-hd52vxz.translate.us-west-2.vpce.amazonaws.com
. This
avoids hard coding the DNS in code.
In the following code, the logical resources in /AWS1/IMG
are first resolved
to physical endpoint names. They are then provided to the factory methods of Amazon session
class (that uses Amazon STS to assume an IAM role) and translate API class.
" This example assumes we have defined our logical endpoints in /AWS1/IMG " as logical resources so that we don't hardcode our endpoints in code. " The endpoints may be different in Dev, QA and Prod environments. DATA(lo_config) = /aws1/cl_rt_config=>create( 'DEMO' ). DATA(lo_resolver) = /aws1/cl_rt_lresource_resolver=>create( lo_config ). " logical resource STS_ENDPOINT should resolve to the interface endpoint " for example vpce-0123456789-abcdefg.sts.us-west-2.vpce.amazonaws.com DATA(lv_sts_endpoint) = lo_resolver->resolve_lresource( 'STS_ENDPOINT' ). " logical resource XL8_ENDPOINT should resolve to the interface endpoint " e.g. vpce-0123456789abcdefg-12345567.translate.us-west-2.vpce.amazonaws.com DATA(lv_xl8_endpoint) = lo_resolver->resolve_lresource( 'XL8_ENDPOINT' ). " the session itself uses the sts service to assume a role, so the " session creation process requires a custom endpoint, specified here DATA(lo_session) = /aws1/cl_rt_session_aws=>create( iv_profile_id = 'DEMO' iv_custom_sts_endpoint = |https://{ lv_sts_endpoint }| ). " now we create an API object, and override the default endpoint with " the custom endpoint DATA(lo_xl8) = /aws1/cl_xl8_factory=>create( io_session = lo_session iv_custom_endpoint = |https://{ lv_xl8_endpoint }| " provide custom endpoint ). " now calls to lo_xl8 go to custom endpoint...
As shown in the example, any method calls on go_xl8
go to the endpoint
https://vpce-0123456789abcdefg-12345567.translate.us-west-2.vpce.amazonaws.com
.
Accessing endpoints in multiple Regions
Amazon endpoint is automatically determined from your default Amazon Web Services Region that is defined
in the SDK profile. You can also specify a region programmatically, overriding the default
region. This can be overridden in the factory CREATE()
method, or later with the
SDK’s configuration object. For more information, see Programmatic configuration.
In the following example, the factory CREATE()
method is used to set the
region and list the Amazon SQS queues in both us-east-1
and us-west-2
Regions.
REPORT zdemo_sqs_queue_list. parameters: profile type /AWS1/RT_PROFILE_ID OBLIGATORY. START-OF-SELECTION. DATA(go_session) = /aws1/cl_rt_session_aws=>create( profile ). data(lt_region) = VALUE stringtab( ( |us-east-1| ) ( |us-west-2| ) ). LOOP AT lt_region INTO DATA(lv_region). DATA(go_sqs) = /aws1/cl_sqs_factory=>create( io_session = go_session iv_region = conv /AWS1/RT_REGION_ID( lv_region ) ). WRITE: / lv_region COLOR COL_HEADING. LOOP AT go_sqs->listqueues( )->get_queueurls( ) INTO DATA(lo_url). WRITE: / lo_url->get_value( ). ENDLOOP. ENDLOOP.