Configure network connection

  • 4 minute(s) read
Prev Next

A secure network connection is the foundation for integrating CPQ with SAP ERP. The connection method depends on where and how SAP ERP is hosted. When you establish the connection, RFCs and BAPIs can flow between the systems.

To establish the connection:

  1. Choose the network connection method.

  2. Configure the selected method.

Choose the network connection method

Select the method based on your SAP ERP hosting type:

SAP ERP hosting type

Connection options

On-premise in a private data center or through a hosting partner

  • AWS Site-to-Site VPN

  • SAProuter

On-premise on Amazon Web Services (AWS)

  • VPC Peering

  • AWS Transit Gateway

On-premise on Microsoft Azure

VPN between AWS and Microsoft Azure

On-premise on Google Cloud

VPN between AWS and Google Cloud

SAP RISE (SAP-managed infrastructure on AWS, Microsoft Azure, or Google Cloud)

VPN coordinated through SAP Support

Configure the network connection

Configure the selected network connection method:

AWS Site-to-Site VPN

Connect the Amazon Web Services (AWS) account that hosts CPQ to your on-premise network through an AWS Site-to-Site VPN. This method enables a secure, private network connection without exposing public IP addresses.

To establish a connection:

  1. Open a support ticket with Zilliant to request the VPN setup.

  2. With your Network Infrastructure and SAP BASIS teams, complete Zilliant’s VPN parameters template.

  3. Configure and test the VPN connection with Zilliant.

For more details, read the AWS Site-to-Site VPN User Guide External link indicator in the AWS documentation.

SAProuter

Use SAProuter if your SAP ERP system is already accessible through it. SAProuter is a proxy that enables indirect, secure routing through SAP’s network boundary. It supports IP filtering and encryption with Secure Network Communications (SNC). This method avoids setting up a direct VPN or private link, preserving your existing network security configuration.

To establish a connection:

  1. Open a support ticket with Zilliant to request the SAProuter setup. Include SAProuter and SAP connection details.

  2. With your Network Infrastructure and SAP BASIS teams, configure the connection.

  3. Test the connection with Zilliant.

For details about SAProuter, read SAProuter External link indicator on the SAP support page.

VPC Peering

Virtual Private Cloud (VPC) Peering connects Amazon Web Services (AWS) accounts hosting CPQ and SAP for private, low-latency communication over RFC 1918 IP ranges without traversing the public internet.

This method provides the following benefits:

  • Traffic stays within the AWS backbone with encryption in transit.

  • Ability to apply access control lists (ACL), route tables, and security group rules for granular control.

  • No NAT, VPN, or internet gateway required.

  • No single point of failure.

Note

Peering is non-transitive. Additional routing is required for other networks.

To establish a connection:

  1. Open a support ticket with Zilliant to request the VPC Peering setup. Include AWS VPC details.

  2. Initiate and accept the peering request.

  3. Update route tables for inter-VPC communication.

  4. Modify security groups to allow SAP ports.

  5. Test the connection with Zilliant.

For details, read the AWS documentation. For example, the VPC Peering section in How to connect SAP solutions running on AWS with AWS accounts and services External link indicator in the AWS Blog.

AWS Transit Gateway

AWS Transit Gateway is a centralized network hub that simplifies VPC-to-VPC and hybrid (on-premises) connectivity through scalable, transitive routing.

This method provides the following benefits:

  • Transitive routing—One-to-many and many-to-many connections.

  • Route control—Separate route tables per VPC attachment for fine-grained access.

  • Security—Private traffic path, IAM access control, AWS Network Firewall, security groups, NACLs.

  • Monitoring—VPC flow logs and CloudWatch metrics.

To establish a connection:

  1. Open a support ticket with Zilliant, including AWS Transit Gateway technical specifications.

  2. Create the AWS Transit Gateway and attach the CPQ and SAP VPCs.

  3. Configure route tables and security groups.

  4. Test the connection with Zilliant.

For details, read the AWS documentation. For example, AWS Transit Gateway in How to connect SAP solutions running on AWS with AWS accounts and services External link indicator.

VPN between AWS and Microsoft Azure

Connect Microsoft Azure (hosting SAP ERP) to the Amazon Web Services (AWS) account (hosting CPQ) using IPsec and IKEv2 encryption. This method provides an encrypted and controlled communication channel without the need for direct internet-facing connectivity.

To establish a connection:

  1. Open a support ticket with Zilliant requesting the VPN setup.

  2. Provide the completed Network Infrastructure Template, including the following information:

    • Azure VPN Gateway public IP

    • Local IP ranges (CIDR)

    • IKE version

    • Required routing information

  3. Zilliant will generate the pre-shared key after setup initiation.

  4. Finalize VPN setup and test with Zilliant.

For details, read the AWS and Azure documentation, for example:

VPN between AWS and Google Cloud

Connect Google Cloud (hosting SAP ERP) to the Amazon Web Services (AWS) account (hosting CPQ) with a Site-to-Site VPN using IPsec and IKEv2 encryption. This method provides a secure, encrypted communication without exposing public IP addresses.

To establish a connection:

  1. Open a support ticket with Zilliant to request the VPN setup.

  2. Provide the completed Network Infrastructure Template, including the following information:

    • Google Cloud VPN Gateway public IP

    • Local IP ranges (CIDR)

    • IKE version

    • Required routing information

  3. Zilliant will generate the pre-shared key after setup initiation.

  4. Finalize VPN setup and test with Zilliant.

For details, read the AWS and Google Cloud documentation. For example, Create HA VPN connections between Google Cloud and AWS External link indicator in the Google Cloud documentation.

VPN coordinated through SAP Support

If you host SAP ERP in SAP RISE and run it on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud hyperscaler, your VPN-related requests must go through SAP Support.

To establish a connection:

  1. Contact Zilliant for the following initial VPN parameters:

    • Placeholder public IP

    • Expected remote CIDR range

    • Pre-shared key (PSK)

  2. Submit a Site-to-Site VPN tunnel request to SAP Support using these details.

  3. After SAP completes configuration, provide SAP’s public VPN IP to Zilliant.

  4. Finalize and test the VPN connection with Zilliant.

Initial configuration parameters

  • Zilliant VPN Public IP: Placeholder

  • Remote CIDR range: Placeholder

  • Tunnel type: Route-based

  • IKE version: IKEv2

  • IPsec settings: AES-256 encryption, SHA-2 integrity, DH Group 14

  • Lifetime: Phase 1 – 28,800 sec (8 h), Phase 2 – 3,600 sec (1 h)

  • Expected traffic: SAP RFC (TCP 33xx/32xx), HTTPS

  • Pre-shared key (PSK): Placeholder