Service offering

Azure Storage Account Integration

Connecting SAP BTP applications to Azure Blob Storage or ADLS Gen2 over the public internet exposes the storage endpoint to the internet and adds latency. SAP Private Link Service removes the exposure and cuts the latency by routing all storage traffic from your BTP subaccount to your Azure Storage Account over the Microsoft backbone: no public endpoint on the storage side, no NAT, no data crossing the internet. We deliver the complete setup: Private Link instance, private endpoint connection approval, BTP Destination, storage firewall hardening, and Integration Suite adapter configuration.

SAP Private Link Service · Azure Private Endpoint · Azure Blob Storage · ADLS Gen2 · BTP Destination Service · Service Principal OAuth2 Auth · Storage Firewall Hardening · Integration Suite Adapter · Azure RBAC

SAP Private Link Service on BTP is built on Azure Private Link. A Private Link service instance is provisioned in your BTP Cloud Foundry space or Kyma namespace with the Azure resource ID of your Storage Account and the target sub-resource (blob, or dfs for ADLS Gen2). The service creates a private endpoint on the SAP side of the Microsoft backbone and raises a connection request against your Storage Account; that request appears in your subscription under the account's private endpoint connections and must be approved there. Once approved, the service binding exposes a Private Link hostname that resolves, inside BTP only, to the private endpoint, and all storage traffic flows within the Microsoft backbone without touching the public internet. A Private Endpoint in your own VNet is only needed for Azure-hosted consumers of the same account; BTP traffic does not pass through it.

Diagram: SAP Private Link connectivity, SAP BTP to Azure Storage over the Microsoft backbone, no public internet.

SAP BTP Subaccount (Cloud Foundry / Kyma): CF application or Kyma function · SAP Integration Suite iFlow · BTP Destination Service · SAP Private Link Service instance · private DNS resolution of the Private Link hostname to a private IP
↕ Microsoft backbone: no public internet · all traffic private · TLS encrypted
Azure Subscription (customer-managed): approved private endpoint connection on the Storage Account · VNet / subnet and Private DNS zone (privatelink.blob.core.windows.net) for Azure-hosted consumers · Azure Storage Account (Blob / ADLS Gen2) · storage firewall with public network access disabled · RBAC: Storage Blob Data Contributor scoped to the BTP service principal at container level · Azure Monitor blob operation audit logging

Once hardened, the Storage Account accepts no traffic on its public endpoint. All access, from BTP, from Integration Suite iFlows, from any other consumer, must arrive through an approved private endpoint connection. A direct public connection attempt is rejected by the storage firewall with a 403 before it reaches the data plane.

Connection Approval Flow

The Private Link connection is initiated from SAP BTP and must be approved in your Azure subscription, on the Storage Account's private endpoint connections. We automate the approval step and integrate it into your provisioning pipeline so no manual portal action is required. The pipeline approves only requests it can attribute to the expected BTP instance (via the request message set when the instance is created), never every pending request on the account.

Private Link connection approval sequence, from BTP instance creation to validated private connectivity:

1. BTP: create the Private Link service instance with the target resource ID of the Azure Storage Account.
2. Azure: a private endpoint connection appears on the Storage Account as "Pending".
3. CNBS: approve via Azure CLI / Terraform; automated, no manual portal action needed.
4. Private DNS: the BTP Private Link hostname resolves to the private endpoint IP.
5. BTP app: connects privately; traffic flows on the Microsoft backbone with no internet exposure.

The approval step is the most commonly missed piece. Without it the Private Link instance stays pending indefinitely and no connectivity is established. We automate the approval via Azure CLI (az network private-endpoint-connection approve) or Terraform and integrate it into the same pipeline that provisions the storage-side configuration: one operation, not two. The automation approves only the pending request attributable to the expected BTP instance and rejects the rest. A blanket approve-all-pending step would also accept a connection request from any other Azure tenant that knows your storage account's resource ID, which is exactly what the approval gate exists to prevent.
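The attribution check described above, as an added example (not CNBS, SAP or Microsoft code). The input mirrors the JSON that `az network private-endpoint-connection list` prints for a storage account, trimmed to the fields used here; the three sample connections are constructed and every id is a placeholder. It assumes the BTP Private Link instance was created with a request message of the form `btp-privatelink:<instance-id>`, which Azure surfaces as the pending connection's description.

```python
"""Decide which pending private endpoint connections on a Storage Account the
pipeline may approve, and reject the ones nobody can account for."""
import re

# Assumed marker format placed in the Private Link instance's request message.
MARKER = re.compile(r"^btp-privatelink:(?P<instance>[0-9a-f-]{36})$")


def classify_connections(connections, allowed_instances):
    """Split connections into (approve, reject, ignore) lists of connection ids.

    approve: Pending and attributable to a BTP instance on the allow-list
    reject:  Pending but unattributable or not on the allow-list (someone
             else created a private endpoint against our resource ID)
    ignore:  not Pending (already Approved, Rejected or Disconnected)
    """
    approve, reject, ignore = [], [], []
    for conn in connections:
        state = conn["properties"]["privateLinkServiceConnectionState"]
        if state.get("status") != "Pending":
            ignore.append(conn["id"])
            continue
        match = MARKER.match(state.get("description") or "")
        if match and match.group("instance") in allowed_instances:
            approve.append(conn["id"])
        else:
            reject.append(conn["id"])
    return approve, reject, ignore


def cli_commands(approve, reject, note="approved by provisioning pipeline"):
    """Build the argv lists the pipeline executes with subprocess.run(cmd, check=True).

    Rejecting unattributable requests is deliberate: leaving them Pending keeps
    an unknown party's endpoint one click away from approval.
    """
    cmds = []
    for cid in approve:
        cmds.append(["az", "network", "private-endpoint-connection", "approve",
                     "--id", cid, "--description", note])
    for cid in reject:
        cmds.append(["az", "network", "private-endpoint-connection", "reject",
                     "--id", cid, "--description", "unattributable request"])
    return cmds


# Constructed sample: one legitimate BTP request, one unknown requester, one
# connection approved on an earlier run. Subscription and instance ids are placeholders.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-int"
           "/providers/Microsoft.Storage/storageAccounts/stbtpint")
BTP_INSTANCE = "3f2a7c1e-9b4d-4e6a-8c0f-2d5b7a9e1c33"
SAMPLE_CONNECTIONS = [
    {"id": ACCOUNT + "/privateEndpointConnections/pe-btp-1",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": "btp-privatelink:" + BTP_INSTANCE}}},
    {"id": ACCOUNT + "/privateEndpointConnections/pe-unknown",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Pending", "description": "Please approve"}}},
    {"id": ACCOUNT + "/privateEndpointConnections/pe-btp-0",
     "properties": {"privateLinkServiceConnectionState": {
         "status": "Approved", "description": "approved by provisioning pipeline"}}},
]

if __name__ == "__main__":
    approve, reject, ignore = classify_connections(SAMPLE_CONNECTIONS, {BTP_INSTANCE})
    for cmd in cli_commands(approve, reject):
        print(" ".join(cmd))
```

In a pipeline the connection list comes from `az network private-endpoint-connection list` against the storage account and the allow-list from the BTP instance ids the pipeline itself created; the point is that the approve command is only ever issued for a request the pipeline can attribute.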

Core Capabilities

Connectivity
Private Link Service Instance & Private Endpoint
We provision the SAP Private Link service instance in the target CF space or Kyma namespace, pointing it at the Azure resource ID of the Storage Account and the blob or dfs sub-resource. The instance creates a private endpoint on the SAP side; the resulting connection request on your Storage Account is approved automatically via Azure CLI or Terraform. Where Azure-hosted workloads in your own VNet also need private access to the same account, we create a Private Endpoint in your VNet and subnet together with a privatelink.blob.core.windows.net Private DNS zone. DNS resolution is validated from both sides, the Private Link hostname from a BTP application and the storage hostname from inside the VNet, to confirm that a private IP is returned and not the public storage endpoint, before any application connectivity is established.
SAP Private Link Service (CF / Kyma) · private endpoint connection approval · Azure Private Endpoint (VNet consumers) · Private DNS zone (privatelink.blob.core.windows.net) · Terraform automation · Azure CLI approval · DNS resolution validation
BTP Integration
BTP Destination — Private Endpoint Hostname
A BTP Destination of type HTTP is created pointing to the Private Link hostname exposed by the SAP Private Link service instance, with ProxyType set to PrivateLink so the Destination service routes the call through the Private Link instance rather than the internet proxy. Authentication is configured per your security model: Service Principal OAuth2 client credentials against Microsoft Entra ID (recommended; a certificate or federated credential is preferred over a client secret), or a narrowly scoped, short-lived SAS token as a fallback. Azure Managed Identity is not available to BTP workloads, because they are not Azure resources; it applies only to Azure-hosted consumers of the same account. One caveat for the security review: the token request to login.microsoftonline.com travels over the public internet under TLS, and only the storage data path is private. The Destination is validated via the BTP Destination service API and tested from a CF application using the standard xsenv / xssec binding pattern. Kyma workloads access the same Destination via the Destination service REST API.
BTP Destination Service · HTTP Destination type · ProxyType PrivateLink · Service Principal OAuth2 client credentials · scoped SAS token (fallback) · @sap/xsenv · @sap/xssec · Destination service REST API · Kyma service binding
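A Destination built to the pattern above and linted before it is imported through the Destination service API, as an added example (not SAP or CNBS code). The property names Name, Type, URL, ProxyType, Authentication, tokenServiceURL, tokenServiceURLType, clientId, clientSecret and URL.headers.<name> are BTP Destination service properties; the scope property, the SAP Private Link host suffix and the x-ms-version value are assumptions for this example, and every id and secret is a placeholder.

```python
"""Build a BTP HTTP Destination for Azure Blob over SAP Private Link and lint it
for the mistakes that silently route traffic to the public endpoint or embed a key."""
import re
from urllib.parse import parse_qs, urlsplit

PRIVATE_LINK_SUFFIX = ".sap.privatelink.azure.com"    # assumed SAP-issued host suffix
STORAGE_SCOPE = "https://storage.azure.com/.default"  # Entra ID scope for the Blob data plane
SAS_PARAMS = {"sig", "sv", "se", "sp", "sr", "ss"}    # query parameters of a SAS token
ACCOUNT_KEY = re.compile(r"^[A-Za-z0-9+/]{86}==$")    # shape of a storage account key


def make_destination(name, private_host, tenant_id, client_id, client_secret):
    """Destination JSON: private hostname, PrivateLink proxy, OAuth2 client credentials."""
    return {
        "Name": name,
        "Type": "HTTP",
        "URL": "https://" + private_host,
        "ProxyType": "PrivateLink",
        "Authentication": "OAuth2ClientCredentials",
        "tokenServiceURL": "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant_id,
        "tokenServiceURLType": "Dedicated",
        "clientId": client_id,
        "clientSecret": client_secret,
        "scope": STORAGE_SCOPE,                         # assumed property name
        "URL.headers.x-ms-version": "2023-11-03",       # Blob REST API version, example value
    }


def lint_destination(dest):
    """Return findings; an empty list means the Destination matches the private, keyless design."""
    f = []
    url = urlsplit(dest.get("URL", ""))
    host = url.hostname or ""
    if url.scheme != "https":
        f.append("URL is not https")
    if host.endswith(".core.windows.net"):
        f.append("URL points at the public storage endpoint")
    elif not host.endswith(PRIVATE_LINK_SUFFIX):
        f.append("URL host %r is not the Private Link hostname" % host)
    if SAS_PARAMS & set(parse_qs(url.query)):
        f.append("SAS token embedded in URL")
    if dest.get("ProxyType") != "PrivateLink":
        f.append("ProxyType must be PrivateLink, otherwise the call leaves via the internet proxy")
    if dest.get("Authentication") != "OAuth2ClientCredentials":
        f.append("Authentication is %r, expected OAuth2ClientCredentials" % dest.get("Authentication"))
    token = urlsplit(dest.get("tokenServiceURL", ""))
    if token.scheme != "https" or token.hostname != "login.microsoftonline.com":
        f.append("tokenServiceURL is not the Entra ID token endpoint")
    if dest.get("scope") != STORAGE_SCOPE:
        f.append("scope must be %s" % STORAGE_SCOPE)
    for key, value in dest.items():
        if key.lower() == "url.headers.authorization":
            f.append("static Authorization header present")
        if isinstance(value, str) and ACCOUNT_KEY.match(value):
            f.append("value of %r looks like a storage account key" % key)
    return f


# Constructed samples; the client secret is a reference, not a secret value.
GOOD = make_destination("AZ_BLOB_PRIVATE", "a1b2c3d4.privatelink.westeurope.sap.privatelink.azure.com",
                        "00000000-0000-0000-0000-000000000000",
                        "11111111-2222-3333-4444-555555555555", "<from-credential-store>")
BAD = {
    "Name": "AZ_BLOB_PUBLIC", "Type": "HTTP",
    "URL": "https://stbtpint.blob.core.windows.net/inbox?sv=2023-11-03&sp=rw&sig=placeholder",
    "ProxyType": "Internet", "Authentication": "NoAuthentication",
    "URL.headers.Authorization": "SharedKey stbtpint:placeholder",
    "clientSecret": "A" * 86 + "==",
}
```

Run `lint_destination` on the export of an existing subaccount's destinations before migration; the public-endpoint and SAS findings are the ones that most often survive a "lift" of an old configuration.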
Security
Storage Hardening — Deny Public, RBAC-Only Access
Once the private endpoint connection is approved and validated, the Storage Account network rules are updated: public network access is disabled, the default action is Deny, and no IP or virtual-network allow rules remain. Approved private endpoint connections are not subject to these rules, so no subnet allow-list is needed for BTP traffic. Where the SAS fallback is not in use, shared-key access is disabled on the account so that storage account keys cannot be used even if they leak, and the minimum TLS version is set to 1.2. The firewall is tested by confirming that a direct public connection from outside the private network is rejected with 403 AuthorizationFailure; a 403 AuthorizationPermissionMismatch would mean the request reached the account and only RBAC stopped it, so the network block is not in place. Azure RBAC grants the BTP service principal the minimum required data-plane role, Storage Blob Data Contributor or Storage Blob Data Reader, scoped to the specific container (…/blobServices/default/containers/<name>), not the entire account. Blob operation audit logging is enabled via Azure Monitor Diagnostic Settings.
Storage firewall (public network access disabled) · no IP / VNet allow rules · shared-key access disabled · TLS 1.2 minimum · Azure RBAC (Storage Blob Data Contributor / Reader) · container-scoped role assignment · Azure Monitor Diagnostic Settings · blob audit logging · 403 AuthorizationFailure validation test
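The hardening checks above as an added example (not CNBS or Microsoft tooling). `check_account` reads the fields of `az storage account show` output, `check_rbac` the fields of `az role assignment list` output, and `classify_probe` the HTTP status and XML error body Azure Storage returns to a blocked request. All sample data is constructed and every id is a placeholder.

```python
"""Verify the hardened state of a Storage Account and classify the public-probe result."""
import xml.etree.ElementTree as ET

DATA_PLANE_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Reader"}


def check_account(acct, sas_fallback_in_use=False):
    """Return a list of findings; an empty list means the network posture matches the design."""
    f = []
    if acct.get("publicNetworkAccess") != "Disabled":
        f.append("publicNetworkAccess is not Disabled")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        f.append("networkRuleSet.defaultAction is not Deny")
    if rules.get("ipRules"):
        f.append("public IP allow rules present (%d)" % len(rules["ipRules"]))
    if rules.get("virtualNetworkRules"):
        f.append("service-endpoint VNet rules present; private endpoints need none")
    if acct.get("allowBlobPublicAccess") is not False:
        f.append("allowBlobPublicAccess is not false (anonymous container access possible)")
    if not sas_fallback_in_use and acct.get("allowSharedKeyAccess") is not False:
        f.append("allowSharedKeyAccess is not false (a leaked account key would still work)")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        f.append("minimumTlsVersion is not TLS1_2")
    approved = [c for c in acct.get("privateEndpointConnections") or []
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    if not approved:
        f.append("no approved private endpoint connection: BTP would be locked out as well")
    return f


def check_rbac(assignments, principal_id, account_id, allowed_containers):
    """The BTP service principal gets data-plane roles at container scope only."""
    f = []
    prefix = account_id + "/blobServices/default/containers/"
    seen = False
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        seen = True
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role not in DATA_PLANE_ROLES:
            f.append("%s: role %r is not a least-privilege data-plane role" % (scope, role))
        if not scope.startswith(prefix):
            f.append("%s: assignment is not container-scoped" % scope)
        elif scope[len(prefix):] not in allowed_containers:
            f.append("%s: container not in the agreed design" % scope)
    if not seen:
        f.append("no role assignment for principal %s" % principal_id)
    return f


def classify_probe(status, body):
    """Interpret the response to a direct request against the public endpoint.

    'blocked'    403 AuthorizationFailure: the firewall stopped it (expected)
    'reached'    403 AuthorizationPermissionMismatch: the request got to the data
                 plane and only RBAC refused it, so public access is NOT blocked
    'unexpected' anything else, including any 2xx
    """
    code = ""
    if body:
        try:
            code = ET.fromstring(body).findtext("Code") or ""
        except ET.ParseError:
            pass
    if status == 403 and code == "AuthorizationFailure":
        return "blocked"
    if status == 403 and code == "AuthorizationPermissionMismatch":
        return "reached"
    return "unexpected"


# Constructed samples; ids are placeholders.
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-int"
              "/providers/Microsoft.Storage/storageAccounts/stbtpint")
BTP_SP = "11111111-2222-3333-4444-555555555555"
HARDENED = {
    "publicNetworkAccess": "Disabled", "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": False, "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}],
}
UNHARDENED = dict(HARDENED, publicNetworkAccess="Enabled", allowSharedKeyAccess=True,
                  networkRuleSet={"defaultAction": "Allow", "ipRules": [{"value": "203.0.113.0/24"}]})
ASSIGNMENTS = [
    {"principalId": BTP_SP, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": ACCOUNT_ID + "/blobServices/default/containers/inbox"},
    {"principalId": BTP_SP, "roleDefinitionName": "Contributor", "scope": ACCOUNT_ID},
]
BLOCKED_BODY = (b"<?xml version='1.0' encoding='utf-8'?><Error><Code>AuthorizationFailure</Code>"
                b"<Message>This request is not authorized to perform this operation.</Message></Error>")
MISMATCH_BODY = (b"<?xml version='1.0' encoding='utf-8'?><Error><Code>AuthorizationPermissionMismatch"
                 b"</Code><Message>This request is not authorized to perform this operation using "
                 b"this permission.</Message></Error>")
```

The probe itself is an unauthenticated `GET https://<account>.blob.core.windows.net/<container>?restype=container&comp=list` from a machine outside the private network, fed to `classify_probe`; anything other than `blocked` fails the pipeline stage.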
Integration Suite
CPI iFlow Adapter Configuration
For SAP Integration Suite use cases (inbound file processing, outbound archiving, data exchange pipelines) we configure the appropriate CPI adapter to use the BTP Destination pointing at the private storage endpoint. The HTTP adapter consumes the Destination directly and calls the Blob REST API (Put Blob, Get Blob, List Blobs). The SFTP adapter is an option only for file scenarios where SFTP support is enabled on the Storage Account; that requires the hierarchical namespace (ADLS Gen2) and authenticates with storage local users whose password or SSH key is held as CPI security material rather than an HTTP Destination, so it reintroduces a static credential that the OAuth2 path avoids. Azure Blob container structure is designed per the integration pattern: inbox, outbox, and archive containers with agreed naming conventions and metadata tagging. Error handling and retry configuration is validated for transient storage failures (503 ServerBusy and 500 OperationTimedOut are retried with backoff; 403 and 404 are not). End-to-end integration tests are run with representative payloads before handover.
SAP Integration Suite · CPI HTTP adapter · CPI SFTP adapter (file scenarios, local-user credential) · BTP Destination binding · inbox/outbox/archive container design · metadata tagging · error handling · retry policy · end-to-end payload testing

What We Deliver

Private Link Instance & Endpoint

SAP Private Link service instance provisioned in your CF space or Kyma namespace against the Storage Account's resource ID. Private endpoint connection approved on the Storage Account via Azure CLI or Terraform, integrated with your provisioning pipeline. Where Azure-hosted consumers need the same account privately, an Azure Private Endpoint in the designated VNet and subnet with a privatelink.blob.core.windows.net Private DNS zone resolving the storage hostname to the private endpoint IP.

BTP Destination Configuration

BTP Destination of type HTTP created with ProxyType PrivateLink and bound to the Private Link hostname. Authentication configured per your security model: Service Principal OAuth2 client credentials (certificate or federated credential preferred over a client secret), or a scoped SAS token as a fallback. Destination validated via the BTP Destination service API. Connectivity smoke test from a CF application or Kyma function confirming private access to the storage account.

Storage Security Hardening

Storage Account network rules updated: public network access disabled with default action Deny and no IP or VNet allow rules; approved private endpoint connections continue to work without an allow-list entry. Shared-key access disabled where the SAS fallback is not used. Storage firewall validated by confirming public access is rejected with 403 AuthorizationFailure. Azure RBAC role assigned to the BTP service principal at container scope, minimum required permissions only. Blob operation audit logging enabled via Azure Monitor Diagnostic Settings.

Container Architecture & Metadata Design

Azure Blob container structure designed for your integration pattern — inbox, outbox, archive, and staging containers with agreed naming conventions and metadata tagging strategy. Lifecycle management policies configured for automatic archiving and deletion of processed blobs. Access tiers configured per container based on access frequency.

Integration Suite Adapter Setup

CPI adapter configured to use the BTP Destination for private storage access: HTTP adapter by default, SFTP adapter only for file scenarios where the account has SFTP enabled. Error handling and retry logic validated for transient storage failures. File naming convention, metadata tagging, and archiving flow tested end-to-end with representative payloads. iFlow security review: no hardcoded credentials, no SAS signatures or account keys in adapter parameters or externalized properties, adapter configured to use the Destination binding only.

End-to-End Validation & Monitoring

Full connectivity test: BTP app → Destination → Private Link → private endpoint connection → Storage Account, confirmed via live payload. Public access rejection confirmed with a 403 AuthorizationFailure from outside the private network. Azure Monitor alert rules configured for storage availability, latency, and authentication failures (403 responses and any non-OAuth authentication type in the blob logs). Operational runbook covering: Private Link re-provisioning, service principal credential rotation, storage firewall rule updates, and DNS troubleshooting.
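The log-based checks behind those alert rules, and behind the "every blob operation logged" evidence trail described further down, as an added example (not CNBS or Microsoft code). The records are constructed to follow the StorageBlobLogs resource-log shape (operationName, statusCode, callerIpAddress, identity.type, identity.requester.objectId, uri); every address and object id is a placeholder. It assumes the only legitimate caller is the BTP service principal arriving through the private endpoint, so any successful request from a public address or via a non-OAuth credential is a finding even though the firewall and RBAC should have made it impossible.

```python
"""Triage Azure Storage resource-log records from a hardened account."""
import ipaddress
from urllib.parse import urlsplit


def _caller_ip(record):
    """callerIpAddress is logged as 'ip:port' for IPv4; strip the port."""
    raw = record.get("callerIpAddress", "")
    host = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def triage(records, allowed_principals, allowed_containers):
    """Return (severity, reason, operationName) tuples for records that need a look."""
    findings = []
    for r in records:
        status = int(r.get("statusCode", 0))
        success = 200 <= status < 300
        ident = r.get("identity") or {}
        auth = ident.get("type")
        oid = (ident.get("requester") or {}).get("objectId")
        ip = _caller_ip(r)
        parts = urlsplit(r.get("uri", "")).path.split("/")
        container = parts[1] if len(parts) > 1 else ""
        op = r.get("operationName", "?")
        if success and (ip is None or not ip.is_private):
            # Through Private Link the caller address is the private endpoint NIC.
            findings.append(("critical", "success from public address %s" % ip, op))
        if success and auth != "OAuth":
            # SAS, AccountKey or Anonymous means a static credential was accepted.
            findings.append(("high", "success with %s credential" % auth, op))
        if success and auth == "OAuth" and oid not in allowed_principals:
            findings.append(("high", "success by unexpected principal %s" % oid, op))
        if success and container not in allowed_containers:
            findings.append(("medium", "access to unplanned container %r" % container, op))
        if status == 403:
            findings.append(("info", "denied %s request from %s" % (auth, ip), op))
    return findings


# Constructed sample records; ids and addresses are placeholders.
BTP_SP = "11111111-2222-3333-4444-555555555555"
BASE = "https://stbtpint.blob.core.windows.net"
SAMPLE_RECORDS = [
    {"operationName": "GetBlob", "statusCode": 200, "callerIpAddress": "10.10.0.5:51234",
     "identity": {"type": "OAuth", "requester": {"objectId": BTP_SP}},
     "uri": BASE + "/inbox/order-1.xml"},
    {"operationName": "PutBlob", "statusCode": 201, "callerIpAddress": "10.10.0.5:51240",
     "identity": {"type": "SAS"}, "uri": BASE + "/inbox/order-2.xml"},
    {"operationName": "ListBlobs", "statusCode": 403, "callerIpAddress": "203.0.113.7:44010",
     "identity": {"type": "OAuth", "requester": {"objectId": "99999999-9999-9999-9999-999999999999"}},
     "uri": BASE + "/inbox?restype=container&comp=list"},
    {"operationName": "GetBlob", "statusCode": 200, "callerIpAddress": "40.112.0.9:6001",
     "identity": {"type": "AccountKey"}, "uri": BASE + "/inbox/order-1.xml"},
    {"operationName": "DeleteBlob", "statusCode": 202, "callerIpAddress": "10.10.0.6:51300",
     "identity": {"type": "OAuth", "requester": {"objectId": BTP_SP}},
     "uri": BASE + "/tmp/scratch.bin"},
]

if __name__ == "__main__":
    for sev, reason, op in triage(SAMPLE_RECORDS, {BTP_SP}, {"inbox", "outbox", "archive"}):
        print(sev, op, reason)
```

The same conditions translate directly into Log Analytics alert queries over StorageBlobLogs; the Python version is useful for replaying an exported day of logs during the handover review.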

How Customers Benefit

Zero
Public Internet Exposure for Storage Traffic
All storage traffic between SAP BTP and Azure Storage flows on the Microsoft backbone, and no storage endpoint is reachable from the public internet. The one exception your security team should know about is the OAuth2 token request to login.microsoftonline.com, a public, TLS-protected Entra ID endpoint that carries no storage data.
Deny-All
Storage Firewall — Private Access Only
Once hardened, the Storage Account firewall denies all public traffic; only approved private endpoint connections get through, and they need no subnet or IP allow-list entry. Any access attempt from a public IP, whether from within Azure, from another BTP subaccount, or from the internet, is rejected before it reaches the storage layer. A Private Link request raised from another subaccount stays pending until someone in your subscription approves it, which the pipeline only does for the expected instance.
No Keys
Service Principal OAuth2 — No Storage Keys
Service Principal OAuth2 client credentials eliminate the need for SAS tokens or storage account keys in application configuration, and disabling shared-key access makes the account keys unusable even if one leaks into a log or a git history. With a certificate or federated credential on the service principal there is no client secret to rotate; with a client secret, rotation is still required and happens in the Destination rather than in application code. Access is governed by Azure RBAC with minimum-required permissions at container scope.
Auditable
Every Blob Operation Logged
Azure Monitor Diagnostic Settings capture every read, write, and delete operation on the storage account: authentication type and caller identity (the service principal's object ID for OAuth requests), caller IP address, resource URI, timestamp, and status code. Combined with the Azure Activity Log entries for role-assignment changes, this gives compliance and security teams a complete evidence trail without additional tooling.
Native
Works with Integration Suite Out of the Box
The BTP Destination binding pattern is the native way for Integration Suite iFlows to consume external services. Once the Destination is configured, any iFlow can reference the storage connection without embedded credentials or custom HTTP configuration — consistent with how all other BTP external connections are managed.
IaC
Reproducible via Terraform & CLI Automation
Private Endpoint provisioning, connection approval, DNS zone configuration, RBAC assignment, and storage firewall rules are all delivered as Terraform or Azure CLI automation — not a one-time portal walkthrough. Adding a new storage account to the same pattern is hours, not days.

How We Work

01

Network & Security Design

We review your Azure VNet topology, BTP subaccount structure, and Integration Suite landscape to design the private endpoint connection, any VNet-side Private Endpoint placement and subnet selection, DNS zone configuration, and RBAC model before any provisioning begins. Authentication method (service principal credential type: certificate, federated credential, or client secret; SAS only as a fallback) agreed with your security team.

02

Private Endpoint & Private Link Provisioning

SAP Private Link service instance provisioned in the BTP CF space or Kyma namespace against the Storage Account's resource ID. The resulting private endpoint connection approved automatically via Azure CLI integrated into the provisioning pipeline. Where Azure-hosted consumers need private access, an Azure Private Endpoint created via Terraform in the designated subnet with its Private DNS zone. Resolution validated: the BTP Private Link hostname resolves to a private IP from a BTP application.

03

BTP Destination & Container Setup

BTP Destination created with ProxyType PrivateLink, bound to the Private Link hostname with the agreed authentication configuration. Azure Blob container structure deployed with naming conventions, metadata tagging, and lifecycle policies. Destination validated via BTP API and smoke-tested from a CF application.

04

Storage Hardening & RBAC

Storage Account public network access disabled: firewall default action Deny, no public allow rules, approved private endpoint connections only. Public access rejection confirmed with a 403 AuthorizationFailure test from outside the private network. Azure RBAC role assigned to the BTP service principal at container scope. Shared-key access disabled where no SAS fallback is needed. Blob audit logging enabled via Diagnostic Settings.

05

Integration Suite Configuration & End-to-End Test

CPI adapter configured to use the BTP Destination. Integration Suite iFlow tested end-to-end with representative payloads: write, read, archive cycle confirmed. Error handling and retry logic validated. Monitoring alerts configured. Operational runbook covering Private Link lifecycle, credential and role rotation, and DNS troubleshooting handed over.


Ready to eliminate public storage exposure?

Let’s connect your SAP BTP and Azure Storage — privately, securely, and without public endpoints.

Tell us about your BTP subaccount structure, Azure storage requirements, and Integration Suite use cases — we’ll design and deliver a private connectivity setup that your security team can sign off on.

Get in touch →