
Azure Storage Account Integration via SAP Private Link

Overview

Integrating SAP BTP applications with Azure Blob Storage or Azure Data Lake Storage Gen2 over the public internet introduces unnecessary network exposure and latency. SAP Private Link Service eliminates both concerns by establishing a direct, private network connection between your BTP subaccount and your Azure Storage Account — routed entirely within the Microsoft backbone.

This integration pattern is the recommended approach for any SAP BTP workload that reads from or writes to Azure Storage, whether for document archiving, data lake ingestion, SAP Integration Suite file adapters, or analytics pipelines.

SAP Private Link Service on BTP (Cloud Foundry) leverages Azure Private Link under the hood — creating a private endpoint in Microsoft’s network that routes traffic directly to your Storage Account without traversing the public internet.


Architecture

The integration connects three distinct network zones:

SAP BTP Subaccount                    Azure Subscription
(Cloud Foundry / Kyma)                (Customer-managed)
┌───────────────────────────┐         ┌──────────────────────────────┐
│ CF App / Kyma Function    │         │ Azure Storage Account        │
│ SAP Integration Suite     │         │ (Blob / ADLS Gen2)           │
│             │             │         │              │               │
│ SAP Private Link          │         │ Private Endpoint             │
│ Service Instance          │◄───────►│ (auto-approved)              │
│             │             │         │              │               │
│ BTP Destination           │         │ VNet / Subnet                │
└───────────────────────────┘         └──────────────────────────────┘
       No public internet — traffic stays on Microsoft backbone

The Private Link endpoint connection request is initiated from SAP BTP and must be approved in your Azure subscription. We automate this approval step via Azure CLI or Terraform to integrate with your provisioning pipeline.


Service Modules

1. Private Link Connectivity

Connectivity

We provision the SAP Private Link service instance in your BTP subaccount and configure the Azure Private Endpoint connection to your Storage Account.

What we deliver:

  • SAP Private Link service instance provisioning in the target CF space or Kyma namespace
  • Azure Private Endpoint creation in the designated VNet and subnet
  • Connection approval automation (Azure CLI / Terraform) with integration into your provisioning pipeline
  • DNS resolution validation — ensuring BTP services resolve the storage endpoint via private IP
  • Connectivity smoke test from a BTP application to the storage account

2. BTP Destination Configuration

Integration

We create and configure the BTP Destination that exposes the Azure Storage Account connection to your CF applications, Kyma workloads, and SAP Integration Suite.

What we deliver:

  • BTP Destination of type HTTP pointing to the private endpoint hostname
  • Authentication configuration (Managed Identity / Service Principal / SAS token — depending on your security model)
  • Destination property validation and connectivity test via the BTP Destination service API
  • Integration with the Destination service from CF applications using xssec and @sap/xsenv

3. Azure Storage Security Hardening

Security

We harden the Azure Storage Account to accept traffic exclusively from the Private Endpoint and block all public internet access.

What we deliver:

  • Storage Account network rules: deny all public traffic, allow only the Private Endpoint
  • Azure Storage firewall configuration and validation
  • Managed Identity assignment for BTP workloads where applicable (SAP Identity token flow)
  • RBAC role assignment (Storage Blob Data Contributor / Reader) scoped to the BTP service principal
  • Audit logging enablement for blob operations via Azure Monitor

Once public access is disabled on the Storage Account, all existing connections from public IPs will break. Ensure all consuming services are migrated to the Private Link path before enabling network restrictions.
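As an added example (not part of this service description or the provider's own code), the controls of this hardening module expressed in Terraform with the azurerm provider; the account name, resource group, Log Analytics workspace and BTP principal object ID are assumptions. The enforce_private_only toggle implements the migration caveat above: public access stays enabled until every consumer is on the Private Link path.

```hcl
# Added example, not the provider's own code. Resource names, the resource group,
# the Log Analytics workspace and the BTP principal object ID are assumptions.
variable "enforce_private_only" {
  description = "Set to true only after every consumer is on the Private Link path"
  type        = bool
  default     = false   # avoids breaking public-IP clients mid-migration
}

variable "btp_principal_object_id" {
  description = "Entra ID object ID of the BTP workload identity / service principal"
  type        = string
}

resource "azurerm_storage_account" "sap" {
  name                          = "stsapbtpintegration"   # assumed, must be globally unique
  resource_group_name           = azurerm_resource_group.sap.name
  location                      = azurerm_resource_group.sap.location
  account_tier                  = "Standard"
  account_replication_type      = "ZRS"
  is_hns_enabled                = true                    # ADLS Gen2 hierarchical namespace
  min_tls_version               = "TLS1_2"
  public_network_access_enabled = !var.enforce_private_only

  # Private Endpoint traffic is not subject to these rules, so Deny affects only the public endpoint
  network_rules {
    default_action = var.enforce_private_only ? "Deny" : "Allow"
    bypass         = ["AzureServices"]   # keep platform services (e.g. Azure Monitor) working
  }
}

# Data-plane role scoped to this single account, not the subscription
resource "azurerm_role_assignment" "btp_blob" {
  scope                = azurerm_storage_account.sap.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.btp_principal_object_id
}

# Audit trail of blob read/write/delete operations in Log Analytics
resource "azurerm_monitor_diagnostic_setting" "blob_audit" {
  name                       = "blob-audit"
  target_resource_id         = "${azurerm_storage_account.sap.id}/blobServices/default"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.sec.id   # assumed workspace

  enabled_log { category = "StorageRead" }
  enabled_log { category = "StorageWrite" }
  enabled_log { category = "StorageDelete" }
}
```

Apply with the default first, confirm in the StorageRead/StorageWrite logs that requests arrive over the private endpoint, then re-apply with enforce_private_only = true to close the public endpoint.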


4. Integration Suite File Adapter Integration

Integration

For SAP Integration Suite use cases (inbound / outbound file processing, archiving, data exchange), we configure the CPI SFTP or HTTP adapter to use the private endpoint destination.

What we deliver:

  • SAP Integration Suite iFlow adapter configuration pointing to the BTP Destination
  • Azure Blob container structure design aligned with the integration pattern (inbox / outbox / archive)
  • File naming convention and metadata tagging strategy
  • Error handling and retry configuration for transient storage failures
  • End-to-end integration test with sample payloads

Engagement Model

  • Private Link Connectivity Setup: Provision the Private Link instance, Private Endpoint, and validate connectivity — standalone deliverable
  • Full Integration Package: Private Link + Destination + Security hardening + Integration Suite adapter configuration
  • Architecture Review: Assessment of your current Azure Storage connectivity and recommendations for Private Link adoption

Technology Stack

  • SAP Integration: SAP BTP (Cloud Foundry / Kyma), SAP Integration Suite, BTP Destination Service
  • Connectivity: SAP Private Link Service, Azure Private Link, Azure Private Endpoint
  • Storage: Azure Blob Storage, Azure Data Lake Storage Gen2
  • Security: Azure RBAC, Storage Firewall, Managed Identity, Azure Monitor
  • Automation: Terraform, Azure CLI, GitHub Actions
