sap-commerce-db-sync icon indicating copy to clipboard operation
sap-commerce-db-sync copied to clipboard

Published 20 hours ago verified publisher icon SAP

Is VPN really needed to use DB Sync?

Open lucaszarzur opened this issue 10 months ago • 3 comments

Hello team,

Sorry if this is not the correct place to this doubt, but I didn't found the steps to how to obtain support, and I already contacted the support team from a ticket and the response was "as this is not an Out-Of-The-Box functionality, any inquiries or issues related to it fall outside of our support scope."

The doubt is very simple:

We have a customer with a on promise environment and he is planning to do "move to cloud" project. One of the migration steps is to set up a VPN connection between the DB origin environment and CCV2. However, this will not be easy because the environment where the DB origin is allocated (which is Azure SQL) doesn’t have PrivateLink configured to have a private IP in Customer’s internal network.

This means that the origin DB is accessible only externally, by configuring the partners' IPs on the firewall, not internally.

Changing this configuration will be hard working. But, in the documentation of DB Sync there are considerations about the use of VPN which is, according with SAP, “It is mandatory to establish a secure connection between your on-premise and SAP Commerce Cloud environments. To do so, you can use the self-service VPN feature from the SAP Cloud Portal.

We tested by Groovy the connection with the origin DB without configuring the SAP Commerce’s IP and it worked! Other relevant information is that the origin DB (remembering: is Azure SQL) has the flag “Allow Azure Services and Resources” enabled, which allows other Azure subscriptions to access the environment.

This means that even the origin DB is configured to not be accessible by not allowed IPs, we can connect to it by CCV2.

So the questions are:

1 - The VPN is really needed to use DB Sync?

lucaszarzur avatar Jan 20 '25 14:01 lucaszarzur

Hi, it might be a bit outdated recommendation, as currently "secure connection" can be also considered as for example TLS on JDBC connection to database, so long story short, no it's not mandatory to have VPN tunnel, but such agreement has to be confirmed with Customer obviously.

lnowakowski avatar Jan 20 '25 14:01 lnowakowski

Hi Luca, Historically VPN was required to ensure the secure connection - taking into consideration the nature of data that is being migrated. Hence - setting up VPN is a hard recommendation from SAP but by no means there are checks in place that would forbid using DB Sync without this kind of connection. Regards!

mateuszporzucek avatar Jan 20 '25 14:01 mateuszporzucek

Hi guys,

Very nice! Thank you very much for the quick and effective response.

lucaszarzur avatar Jan 20 '25 15:01 lucaszarzur