CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

SAP Commerce Cloud Architecture - Web and Network Layers

8 min read

SAP Commerce Cloud - Web and Network Layers

In this article we will focus on web and network layers of SAP Commerce Cloud. You will learn what parts of web and network layer you can configure, as well as how you can use these tools to integrate with a Content Delivery Network or a Web Application Firewall.

Table of Contents

Web Layer Configuration

SAP Commerce Cloud uses Apache Web Server in its web layer. You are only able to configure certain aspects of Apache Web Servers:

  1. End Point configuration lets you to define your domains (virtual hosts) in SAP Commerce Cloud. Please refer to documentation for more details on Endpoints configuration.
  2. IP Filter Sets configurations lets you restrict access to your end points based on pre-uploaded IP sets. Please refer to documentation for more details on IP Filter Sets configuration.
  3. SSL Certificates configuration lets you upload your SSL certificates for your domains. Certificate Signing Request (CSR) is currently not supported in SAP Commerce Cloud. SSL certificates need to be uploaded with its body, key and certificate authority. Please refer to Adding SSL Certificates documentation for more on configuration.
  4. Static Files configuration lets you expose your static files from web layer. You need to create a ZIP archive containing all of your static files and the size of the ZIP file should not exceed 1MB. Please refer to Static Files documentation for more on configuration.
  5. Website Redirects configuration lets you define redirect rules for your end points. Only Redirect and RedirectMatch directives are supported in this configuration. Please refer to Website Redirects documentation for more on configuration.
  6. Maintenance Pages configuration lets you define custom Service Unavailable (e.g. 503) pages for your endpoints.  Please refer to Maintenance Pages documentation for more on configuration.
  7. Web Caching configuration lets you to cache your static files on web layer. You should consider caching your static files (e.g. /medias/ or /_ui/) if possible. Please refer to documentation for more details on Web Caching configuration.

It is not possible to change any configuration of Apache Web Servers other than those listed above. For example, if your solution requires to enable Basic Authentication on Apache Web Servers, that won't be possible–you need to handle that requirement on a different layer (e.g. on application layer).

Domain Name System (DNS) Setup

Once you configured your web layer, it is time to configure DNS settings of your domain. You can use one of the two following methods to set up your DNS settings in your DNS provider.

Method Details Example

This is the recommended approach. You don't need to do any configuration on SAP Commerce Cloud Portal, just fetch the default wildcard domain of environment.

In cases where DNS provider does not support CNAME, you can use A-Record method. You don't need to do any configuration on SAP Commerce Cloud Portal, just IP address from one of your end point configurations.

Integrating with your Content Delivery Network or Web Application Firewall Provider

SAP Commerce Cloud does not provide a Content Delivery Network (CDN) or Web Application Firewall (WAF) service, but you are free to integrate with your own CDN or WAF provider. You need to configure your DNS settings, so your domains first point to your CDN/WAF provider and then CDN/WAF points to SAP Commerce Cloud. You only need to configure IP Filter Sets on SAP Commerce Cloud, so you can restrict your end point access only to your CDN/WAF provider. See diagram below for more details.

Please note that currently SAP Commerce Cloud does not support certificate or HTTP Header authorizations for CDN/WAF integration. IP Filter Sets configuration is the only available option to restrict access.

Please note that Web layer does IP whitelisting only based on source IP address and not on X-Forwarded HTTP header. If your solution is required to restrict public access for a period (e.g. during a deployment) and there is a CDN/WAF integration in place, then it is not possible to whitelist IP addresses of internal users on SAP Commerce Cloud web layer.

One possible approach would be to create an internal domain for such use cases. This domain can bypass CDN/WAF and directly points to static IP address of SAP Commerce Cloud environment. This way it would be possible to restrict public access for those using original domain while allowing access for those using internal domain.

Network Layer Configuration

Similar to the Web Layer, you can configure only certain aspects of the Network layer in SAP Commerce Cloud:

  1. Host Alias Management configuration lets you define host alias to retrieve IP address.
  2. Virtual Private Network (VPN) configuration lets you create connections from your SAP Commerce Cloud environments to your selected private networks.
  3. Network Address Translation (NAT) configuration lets you extends capabilities of VPN to establish VPN connectivity when network collide happens.

Virtual Private Network (VPN)

SAP Commerce Cloud provides site-to-site VPN setup where you can connect your SAP Commerce Cloud environments with your private networks. VPN is self-service and configured from SAP Commerce Cloud Portal. Please refer to documentation for more details on Virtual Private Network (VPN) configuration.

You can only use HTTPS (private end points) to connect your SAP Commerce Cloud environments. But you can use any protocol for outbound connections from SAP Commerce Cloud as long as it uses TCP/IP protocol. 

SAP Commerce Cloud does not provide client-to-site VPN option.

If you have to restrict Backoffice endpoints from public internet there are two possible options:

Option Details
Public endpoints with IP Filter Sets configuration Restriction happens on Web Layer using IP Filter Sets configuration. It may be inconvenient to define IP address of each Backoffice user. So an easier option would be asking Backoffice users to connect customer's private network first. Then you can use customer's private networks public IP addresses in the IP Filter Sets configuration. One disadvantage of this setup would be data transfer between customer's private network and SAP Commerce Cloud environment happens over public Internet.
Private endpoints (VPN) Backoffice users still requires to connect customer's private network first to access SAP Commerce Cloud environments.

Network Address Translation (NAT)

If your private network collides with networks listed in the Network Address Translation (NAT) documentation, then you need to use NAT on top of VPN. Please ensure you refer to the documentation for the up to date list of ranges and configure your NAT settings appropriately.


SAP Commerce Cloud uses Apache Web servers in it web layer. You can only configure certain aspects in Web and Network layers. This is to provide a standard and an optimized web/network layer for your SAP Commerce Cloud solution. For more details on other architecture concepts please see our article SAP Commerce Cloud Architecture.