I will preface this by saying that I am a solution architect, and I have a client who wishes to host an app in the cloud. The app needs to access information from SAP and other systems.
What is the best way to securely connect from a cloud machine to an erp system in a corporate network? I would like to do this without altering the firewall. Ideally I would like to have some kind of tunnel from the app to the SAP server.
I saw a company called RunMyProcess which has a software component which you install on a server behind a firewall, which somehow allows them to access your internal systems. I think they use Google Secure Data Connector.
How does this work?
There are a number of ways to do this; it depends on what you're comfortable using and maintaining and how much you want to pay. Amazon's "Virtual Private Cloud" lets you set up a server and connect to it using a tunnel to extend your datacenter. If you're just going to use one computer for the hosted server, you can just set up a tunnel between that computer and your datacenter with just about any provider. You can approach the problem as if the remote system were just someone connecting a server from home.
Your requirement to not alter the firewall (by this I assume you mean open any additional incoming ports to your corporate network) means that you are probably looking at making some outgoing tunnel to the instances in the cloud, and forwarding internal addresses which the instances connect back on, or using the Windows VPN server if you are MS based.
This is trivially done with some tools to create and maintain persistent SSH connections and using the -R option to forward your ports for your corporate apps out to the cloud, or as a Windows service. For example
ssh user@cloudinstances -R 1080:localhost:1080
you can forward a proxy out to the instance which the instance can use to connect back to SAP ports. You can use the PuTTY service and PuTTY agent to make all this transparent, if you have Windows clients and servers.
And you can alternatively use openvpn which might be more suitable for the ranges of ports that are associated with SAP apps, by creating a bridge between the networks. (In this model you would run an openvpn on each cloud instance)
However, one major concern is how you distribute your public keys, or other passwords, to the instances, because you now have to take into account the fact that if your instance is compromised then your SAP app is vulnerable.
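The reverse tunnel described in this answer, as an added example that is not part of the original post: a POSIX sh script that keeps the ssh -R connection alive from the corporate side and produces the matching authorized_keys restriction for the cloud instance. The host name, account name and key path are assumed placeholders; permitlisten needs OpenSSH 7.8 or later on the instance.

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel from a corporate host to a cloud
# instance alive, so the instance can reach one internal service through it.
# Host name, account and key path below are assumed placeholders.
CLOUD_HOST="cloudinstance.example.com"   # assumed: the instance in the cloud
CLOUD_USER="tunnel"                      # assumed: unprivileged account there
KEY_FILE="/etc/sap-tunnel/id_ed25519"    # assumed: key used only for this tunnel (no spaces in path)

# Print the ssh arguments for one reverse forward:
#   <listen_port> on the cloud instance -> <target_host>:<target_port> inside the corporate net.
# -N: no remote shell; ExitOnForwardFailure: exit (and get restarted) if the
# remote port is already taken; ServerAlive*: notice a dead link instead of
# hanging forever; BatchMode: never prompt, so it can run unattended.
tunnel_args() {
    printf '%s ' -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 -o BatchMode=yes -i "$KEY_FILE" \
        -R "$1:$2:$3" "${CLOUD_USER}@${CLOUD_HOST}"
}

# authorized_keys line for the cloud instance: the tunnel key gets no shell,
# agent, X11 or pty (restrict), may forward ports, but may only open a listener
# on <listen_port> (permitlisten, OpenSSH 7.8+). $1 = port, $2 = public key.
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Supervisor: reconnect with capped exponential backoff whenever ssh exits.
keep_tunnel() {
    delay=2
    while :; do
        # shellcheck disable=SC2046  # word splitting is intended here
        ssh $(tunnel_args "$@")
        echo "tunnel down, retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$(( delay * 2 ))
        [ "$delay" -gt 60 ] && delay=60
    done
}

# Mirrors the answer's example: expose the corporate host's port 1080 as
# port 1080 on the cloud instance.
if [ "${1:-}" = "run" ]; then
    keep_tunnel 1080 localhost 1080
fi
```

Run it as `sh tunnel.sh run` under a process supervisor on the corporate host; because the listener is bound to the instance's loopback by default, only software on that instance can reach the forwarded port.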
I think your best bet would be some kind of VPN tunnel. Chances are your firewall supports this, as VPNs are the de facto standard when it comes to securely connecting systems over an untrusted network (the Internet). Maybe you could ask your firewall admin to go into more detail.