// Archer endpoint service management for private network connectivity in SAP Converged Cloud. Triggers: endpoint service, private link, archer, private connectivity, service endpoint, internal access, cross-project access
Audit trail investigation on SAP Converged Cloud using Hermes. Triggers: audit, who changed, what happened, hermes, events, compliance, CADF, activity log, trace action, who did, what was done, event history
Autoscaling operations via Castellum. Triggers: autoscaling, castellum, resize, scaling, threshold, auto-resize, capacity management. NOT for: manual quota changes (use sapcc-quota/Limes).
Bare metal node operations via Ironic. Triggers: baremetal, bare metal, ironic, node, provision state, hardware, physical server. NOT for: virtual servers (use sapcc-compute/Nova).
Manage compute instances on SAP Converged Cloud. Covers server lifecycle, flavor selection, status transitions, and cross-service correlation with networking and storage. Use when: listing VMs, checking server status, debugging instance issues, performing server actions (start/stop/reboot), selecting flavors, or investigating why a server won't start. NOT for container workloads (use sapcc-registry) or bare metal.
DNS zone and recordset operations via Designate. Triggers: dns, zone, recordset, domain, designate. NOT for: network ports, floating IPs (use sapcc-networking).
Email service operations via Cronus. Triggers: email, cronus, smtp, template, email usage, sending. NOT for: monitoring alerts (use sapcc-metrics/Maia).
| name | sapcc-connectivity |
| description | Archer endpoint service management for private network connectivity in SAP Converged Cloud. Triggers: endpoint service, private link, archer, private connectivity, service endpoint, internal access, cross-project access |
| version | 1.0.0 |
| metadata | {"service":["archer"],"task":["discover","connect","debug"],"persona":["developer","platform-engineer"]} |
Archer is SAP CC's endpoint service for private network connectivity between projects. Similar to AWS PrivateLink. Not part of vanilla OpenStack. Enables consumers to access services published by other projects via a local IP address without traversing public networks.
| Tool | Purpose | Key Parameters |
|---|---|---|
archer_list_services | List services available for endpoint creation | status (optional) |
archer_get_service | Get service detail by UUID | service_id |
archer_list_endpoints | List endpoints in current project | service_id, status (optional) |
archer_get_endpoint | Get endpoint detail by UUID | endpoint_id |
Producer (other project) Consumer (your project)
┌─────────────────────┐ ┌─────────────────────┐
│ Network Resource │ │ Endpoint │
│ (DB, API, etc.) │◄──private──────│ (local IP in YOUR │
│ │ connection │ network) │
│ Published as │ │ │
│ SERVICE │ │ Created by YOU │
└─────────────────────┘ └─────────────────────┘
Producer/Consumer pattern:
Services are published by OTHER projects (producers). Your project is a consumer. You discover available services with archer_list_services, then create endpoints to connect to them. If you don't see a service you expect, the producer hasn't published it yet or hasn't made it available to your project.
PENDING_APPROVAL → AVAILABLE (happy path)
PENDING_APPROVAL → REJECTED (producer denied access)
An endpoint is NOT usable until status is AVAILABLE. The local IP won't route traffic until the endpoint is fully active.
Not all services auto-approve endpoints. The producer can configure their service to require manual approval of each consumer endpoint. If your endpoint is stuck in PENDING_APPROVAL, the producer must approve it — this is not something you can resolve yourself.
The endpoint provides a local IP address in your network. Use that IP (or DNS pointing to it) to reach the remote service. Don't try to reach the service's original IP — the whole point is that you access it through your local endpoint IP.
Always call archer_list_services first to discover what's available. Services have UUIDs that you need for endpoint creation. Guessing service IDs will fail.
An endpoint's service_id tells you which service it connects to. Use archer_get_service with that UUID to get the service details (what it is, who provides it, what network resource it exposes).
You only see your own project's endpoints with archer_list_endpoints. You cannot see other projects' endpoints. But archer_list_services shows services available to you regardless of which project published them.
1. archer_list_services()
2. Review available services — note name, description, service_id
3. archer_get_service(service_id) for details on a specific service
Filter by status to see only active services: archer_list_services(status="AVAILABLE")
1. archer_list_endpoints()
2. Review each endpoint: status, service_id, IP address
3. For any with status != AVAILABLE, investigate
1. archer_get_endpoint(endpoint_id) → endpoint details including service_id
2. archer_get_service(service_id) → what service it connects to
3. Correlate: you now know your local IP and what remote resource it reaches
1. archer_list_endpoints(service_id=<target_service>) → find your endpoint
2. Check endpoint status:
- AVAILABLE → endpoint is fine, problem is elsewhere (DNS, security groups, application)
- PENDING_APPROVAL → not active yet, contact producer
- REJECTED → producer denied, contact them
- ERROR → platform issue, escalate
3. Verify you're connecting to the endpoint's local IP, not the service's original IP
archer_get_service to identify the producerPrivate connectivity via Archer reduces attack surface: