Connectivity
You must establish connectivity between AWS cloud where your RISE with SAP solution is running and on-premises data centers. You also need a connection for direct data transfer (to avoid routing data via your on-premises locations) and communication between SAP systems and your applications running on AWS cloud. The following image provides an example overview of connectivity to RISE with SAP VPC.
See the following topics for further details:
Topics
Roles and responsibility for establishing connectivity to RISE
Under RISE with SAP, the SAP Enterprise Cloud Services (ECS) team manages the SAP
S/4HANA Private Cloud Environment. The Supplemental Terms and
Conditions provided by SAP has a section on Excluded Tasks. You are responsible
for running such tasks. You can also use a third-party service provider to manage on the
excluded tasks for you. For further details, see SAP Product Policies
The primary task required for deploying RISE with SAP is to establish network connectivity to RISE with SAP VPC on AWS. As per the RISE with SAP agreement, you are responsible for establishing a connection to RISE.
We recommend that you spend time understanding the available options on how to connect your on-premises network and/or existing AWS accounts to RISE with SAP VPC on AWS. Review the subsequent sections for more information.
Connecting to RISE from on-premises networks
Connectivity to RISE with SAP on AWS from on-premises is supported using AWS VPN or AWS Direct Connect or a combination of the two.
Topics
Connecting to RISE with SAP VPC using AWS VPN
Enable access to your remote network from RISE with SAP VPC using AWS Site-to-Site VPN. Traffic between AWS cloud and your on-premises location is encrypted via Internet Protocol security (IPsec) and transferred through a secure tunnel on internet. This option is efficient, fast, and more cost-optimized when compared to AWS Direct Connect. For more information, see Connect your VPC to remote networks using AWS Virtual Private Network.
You can get a maximum bandwidth of up to 1.25 Gbps per VPN tunnel. For more information, see Site-to-Site VPN quotas.
To scale beyond the default maximum limit of 1.25 Gbps throughput of a single VPN
tunnel, see How can
I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a
transit gateway?
When using this option, SAP requires the following details:
-
BGP ASN
-
IP address of your device
You can obtain these details from your VPN device on-premises.
Connecting to RISE with SAP VPC using AWS Direct Connect
Use AWS Direct Connect if you require a higher throughput and more consistent network experience than an internet-based connection. AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. You can create virtual interfaces to public AWS services. For example, you can create interfaces to Amazon S3 or Amazon VPC while bypassing the internet service providers in your network path. For more information, see AWS Direct Connect connections.
You can choose from a dedicated connection of 1 Gbps, 10 Gbps or 100 Gbps Ethernet
port dedicated to a single customer, or a AWS Direct Connect Partner's hosted
connection where the Partner has an established network link with AWS cloud. Hosted
connections are available from 50 Mbps up to 10 Gbps. You can order hosted connections
from an AWS Direct Connect Delivery Partner approved to support this model. For
more information, see AWS Direct Connect Delivery Partners
To connect, use a virtual private gateway in AWS account managed by SAP or a Direct Connect gateway in your AWS account associated with a virtual private gateway in AWS account managed by SAP. For more information, see Direct Connect gateways. Direct Connect gateway can also connect to a AWS Transit Gateway. For more information, see Connecting to RISE using your single AWS account.
You must acquire a Letter of Authorization from SAP to setup a AWS Direct Connect connection in the AWS account managed by SAP.
Connecting to RISE from your AWS account
You can connect to RISE from your AWS account in the following ways.
Topics
Amazon VPC peering
VPC peering enables network connection between two AWS VPCs using private IPv4 and IPv6 addresses. Instances can communicate over the same network. For more information, see What is VPC peering?
Before setup a peering connection, you need to create a request for SAP's approval. For a successful VPC peering, the defined IPv4 Classless Inter-Domain Routing (CIDR) block must not overlap. Check with SAP for the CIDR ranges that can be used in RISE with SAP VPC.
VPC peering is one-on-one connection between VPCs, and is not transitive. Traffic cannot transit from one VPC to another via an intermediary VPC. You must setup multiple peering connections to establish direct communication between RISE with SAP VPC and multiple VPCs.
VPC peering works across AWS Regions. All inter-Region traffic is encrypted with no single point of failure or bandwidth bottleneck. Traffic stays on AWS Global Network and never traverses the public internet, reducing threats of common exploits and DDos attacks. Traffic is encrypted using AES-256 encryption at the virtual network layer.
Data transfer for VPC peering within an Availability Zone is free, and for across
Availability Zones is charged per-GB. For more information, see Amazon EC2 pricing
AWS Transit Gateway
AWS Transit Gateway is a network transit hub to interconnect Amazon VPCs. It acts as a cloud router, resolving complex peering setup issues by acting as the central communication hub. You need to establish this connection with AWS account managed by SAP only once.
Transit Gateway in your own AWS account
To establish connection with AWS account managed by SAP, create and share AWS Transit Gateway in your AWS account. SAP then creates an attachment to enable traffic flow through an entry in route table. As AWS Transit Gateway resides in your AWS account, you can retain control over traffic routing. For more information, see Transit gateway peering attachments.
Transit Gateway in AWS account managed by SAP
If you already have an Transit Gateway in another AWS Region, and cannot create another AWS account and Transit Gateway in the Region that has RISE with SAP, then SAP can provide the Transit Gateway in the RISE with SAP account. This account and Transit Gateway in it are both managed by SAP. This enables you to establish cross-Region communication between your own AWS accounts and the RISE with SAP account through Transit Gateway and the SAP-managed Transit Gateway. Other use-cases include using Firewall appliances where Transit Gateway is routing traffic through the appliance, connecting via the Direct Connect Gateway using transit VIF to the Transit Gateway managed by SAP, and connecting via Direct Connect or VPN using private VIFs to the Transit Gateway managed by SAP. You cannot connect VPC attachments of VPCs outside of the RISE environment to the SAP-managed Transit Gateway.
Connecting to RISE using your single AWS account
You can establish connectivity between on-premises and RISE with SAP VPC using your AWS account. This method provides you with more control but also requires managing AWS services in your AWS account. You can use any one of the following options.
-
AWS Transit Gateway – Share AWS Transit Gateway resource in you AWS account with AWS account managed by SAP.
-
AWS VPN with AWS Transit Gateway – Create an IPsec VPN connection between your remote network and transit gateway over the internet. For more information, see How AWS Site-to-Site VPN works and Transit gateway VPN attachments.
-
Direct Connect gateway – Create a Direct Connect gateway with a transit or virtual private gateway. For more information, see Transit gateway attachments to a Direct Connect gateway.
To strengthen the security, see How do I establish an AWS VPN over an AWS Direct Connect connection?
The following image shows this option within the same AWS Region.
The following image shows this option across different AWS Regions.
Connecting to RISE with a shared AWS Landing Zone
Modern SAP landscapes have several connectivity requirements. Services are accessed across on-premises and AWS Cloud as well as across a variety of SaaS solutions and other cloud service providers.
Creating an AWS Landing Zone facilitates secure and scalable connectivity for RISE with SAP. It provides the following benefits:
-
Control over networking configuration
-
Ability to reuse AWS Direct Connect connections across your broader AWS solutions
-
Reduced network hops and latency for connectivity to other SaaS solutions and cloud service providers as they are not routed via on-premises
-
Ability for additional governance and control through use of AWS services
A Landing Zone is designed to help organizations achieve their cloud initiatives by
automating the set-up of an AWS environment that follows AWS Well
Architected
The key components and benefits of a Landing Zone include:
-
Multi-account structure – it sets a baseline environment across multiple AWS accounts using an organization unit (OU) structure for different workloads. For instance, production, development, shared services, etc.
-
AWS Identity and Access Management – it configures AWS Identity and Access Management
(IAM) roles and policies for secure access and management of permissions. -
Networking – it sets up a Amazon Virtual Private Cloud
(Amazon VPC) with subnets, routing tables, and security groups, following the best practices for network isolation and security. -
Logging and monitoring – it configures AWS services, such as AWS Config
, AWS CloudTrail , Amazon GuardDuty for centralized logging, monitoring, and auditing of resource changes and security events. -
Security – it implements AWS security best practices, such as like enabling AWS Config Rules, setting up AWS CloudTrail trails, and creating AWS Security Hub
standards. -
Automation – it uses AWS CloudFormation
templates and AWS Service Catalog to automate the deployment and management of the Landing Zone environment. -
Customization – it allows for customization and extension based on specific organizational requirements, such as adding additional AWS services or integrating with existing on-premises infrastructure.
We recommend using an AWS Landing Zone for RISE with SAP connectivity.
Building an AWS Landing Zone
You can implement AWS Landing Zones using AWS Control Tower
In a simple scenario, a Landing Zone contains a minimal footprint focused on connectivity that is typically centred around AWS Transit Gateway. For more information, see Landing zone.
The following is a general overview of the process:
-
Define requirement – understand your organization's security, compliance, and operational requirements. This will help determine the appropriate guardrails, controls, and services to be included in the Landing Zone.
-
Design architecture – plan the overall architecture, including the number of accounts (management, shared services, workload accounts), network design (VPCs, subnets, routing), shared services (logging, monitoring, identity management), and security controls (IAM, service control policies, guardrails).
-
Setup AWS Control Tower – AWS Control Tower helps in setting up and governing a multi-account AWS environment based on best practices. It allows you to create and provision new AWS accounts and deploy baseline security configurations across those accounts.
-
Configure AWS Organizations – Organizations enables you to centrally manage and govern your AWS accounts. Configure Organizations in AWS Control Tower by creating the necessary organizational units (OUs) and service control policies (SCPs).
-
Deploy core accounts and services – create and configure the core accounts, such as the management account, shared services accounts (for logging, security tooling), and any other required shared accounts. Deploy shared services, such as CloudTrail, Config, and Security Hub.
-
Deploy network architecture – set up the network architecture, including VPCs, subnets, route tables, and any necessary network appliances or services (for example, Transit Gateway for a hub-and-spoke model).
-
Configure IAM – establish IAM roles, policies, and groups for controlling access and permissions across the Landing Zone accounts.
-
Implement security controls – deploy security services and guardrails, such as Security Hub, Firewall Manager, AWS WAF, and AWS Config Rules, to enforce security best practices and compliance requirements.
-
Configure logging and monitoring – set up centralized logging and monitoring solutions, such as CloudWatch, CloudTrail, and Config, to capture and analyze logs and events across the Landing Zone accounts.
-
Deploy workload accounts – deploy workload accounts with your Landing Zone. You can create an AWS account to connect to RISE with SAP VPC. We recommended connecting using Transit Gateway for flexibility and ease of management.
-
Automate and maintain – use AWS CloudFormation templates or other Infrastructure as Code tools to automate the deployment and maintenance of the Landing Zone resources. Establish processes for ongoing maintenance, updates, and compliance checks.
AWS Professional
Services
Connect to RISE through nearest AWS Direct Connect POP (including AWS Local Zone)
AWS Direct Connect Point of Presence (POP) is a physical cross-connect that allows users to
establish a network connection from their premises to an AWS Region or AWS Local Zone.
You can use the nearest Direct Connect POP located in AWS Local Zone to benefit from lower
network latency to RISE with SAP VPC that runs on parent AWS Region. For more information,
see AWS Direct Connect Traffic Flow with AWS Local Zone
Here is an example scenario - You are based in Philippines, and you would like to deploy RISE with SAP in AWS Singapore Region. You can use Direct Connect POP in Manila to setup Direct Connect from your on-premise data centre or offices. This strategy provides a lower network latency compared to a connecting directly to the AWS Region in Singapore.
The following diagram displays RISE connectivity through nearest AWS Direct Connect POP.
The following are some considerations when using AWS Direct Connect POP:
-
Use separate VPCs for Region (RISE with SAP VPC) and Local Zones based non-SAP workloads
-
Use Direct Connect Gateway in AWS Direct Connect POP and Private VIF connectivity
-
Use Direct Connect Gateway in AWS Direct Connect POP and Transit VIF connectivity for Region VPCs (RISE with SAP VPC)
If resilience is critical, setup a secondary Direct Connect to the AWS Region running RISE with SAP VPC. Use AWS Site-to-Site VPN to the AWS Region for a more cost-optimized connectivity option. These services operate within the parent AWS Region, serving as a fallback connectivity option ensuring uninterrupted connectivity in the event of disruptions or failures.
Decision tree on connectivity to RISE
You must establish required connectivity to proceed with RISE with SAP on AWS. The following are a few connectivity patterns described in the preceding sections:
-
direct to RISE VPC, supported with Site-to-Site VPN
-
direct to RISE VPC, supported with Direct Connect
-
connectivity through your AWS account via VPC Peering
-
connectivity through Transit Gateway, supporting multi-account deployments
-
connectivity through SAP-managed Transit Gateway supporting multi-account deployments
You must also consider if you want to connect:
-
directly to an AWS Region where the RISE with SAP VPC is going to be deployed
-
or through AWS Local Zone to benefit from lower latency to connect to the RISE with SAP VPC
The decision tree displayed in the following diagram helps you decide which connectivity is suitable based on your requirements, such as future plan of additional AWS or RISE accounts, dedicated line (security, performance), and bandwidth needs.
Other considerations
This sections provides information about other considerations when connecting to RISE.
Topics
SAP Business Technology Platform (BTP) with RISE on AWS
You can use SAP Business Technology Platform BTP services on AWS to extend the
functionality of the RISE with SAP. SAP recommends SAP Cloud Connector to connect RISE
with SAP VPC with SAP BTP via internet. When both RISE with SAP and SAP BTP run on AWS,
the network traffic is encrypted and contained within AWS Global Network, without going
through the internet (see the following diagram). This provides better security and
performance for any integration use-cases between RISE with SAP and SAP BTP. For more
information, see Amazon VPC FAQs
As displayed in the preceding diagram, you can configure Transit Gateway to handle
both RISE and BTP network traffic. For more information, see How to route internet traffic from on-premise via Amazon VPC?
SAP also offers SAP Private Link Service for SAP BTP on AWS. SAP Private Link connects SAP BTP on AWS with a secure connection without using public IPs in your AWS account.
You can connect to an AWS endpoint service from an SAP BTP application running on
Cloud Foundry. By establishing this connection, you can directly connect to AWS services
or for example. to an S/4HANA system. For a complete list of supported AWS services, see
Consume Amazon Web Services in SAP BTP
You can establish a secure and private communication between SAP BTP and AWS
services with SAP Private Link Service
SAP Private Link for AWS currently supports connections initiated from SAP BTP Cloud Foundry to AWS.
For AWS services across AWS Regions, you can create a VPC in the same AWS Region
as your SAP BTP Cloud Foundry Runtime, and connect these VPCs via VPC peering or
AWS Transit Gateway. For a list of supported Regions, see Regions and API Endpoints Available for the Cloud Foundry Environment
Connecting to cloud solutions or SaaS from RISE
When modernizing the SAP landscape, you may subscribe to several SAP cloud solutions or SaaS from independent software vendors to complement RISE with SAP solution.
When the cloud solutions are running on AWS, the connectivity from RISE with SAP is kept within the AWS global network without requiring internet connectivity. The connectivity is retained through the provided squid proxy server within RISE with SAP VPC.
If your cloud is running on other data centre or with another cloud service provider, then you need internet connectivity.
SaaS cloud solutions do not offer connectivity via VPN, Direct Connect or any other means of private connectivity. You can implement a centralized egress to internet architecture to manage this connectivity. For more information, see Centralized egress to internet .
Connectivity patterns for multi-cloud to RISE
In a complex connectivity scenario, you may need to integrate RISE with SAP setup with on-premises, AWS-hosted systems, and a variety of SaaS solutions and other cloud service providers.
Managing connectivity directly from the AWS environment decouples dependencies with on-premises networking infrastructure, improving availability and resiliency of the overall landscape.
You can use public or private connectivity to connect multi-cloud with RISE.
Public connectivity
Connectivity is routed over the public internet. This pattern is typically used for connectivity from RISE with SAP to SaaS solutions that runs across multiple clouds. When building connectivity routed over the public internet, consider the following:
-
ensure that all communication is encrypted
-
protect end-points by using AWS services, such as Elastic Load Balancers and AWS Shield
-
monitor endpoints using Amazon CloudWatch
-
ensure that traffic between two public IP addresses hosted on AWS is routed over the AWS network
Private connectivity
The following three are the options to establish private connectivity between different cloud service providers:
-
Site-to-site VPN encrypted tunnel routed over public internet
-
private interconnect using AWS Direct Connect in a managed infrastructure (use Azure ExpressRoute for Azure and Google Dedicated Interconnect for Google Cloud Platform)
-
private interconnect using an AWS Direct Connect in a facility with a multi-cloud connectivity provider
The following diagram describes the factors to choose a multi-cloud connectivity method.
For more information, see Designing private network connectivity between AWS and Microsoft
Azure
How to implement chargeback capability for connectivity to RISE
If you are a company with subsidiaries, you may have different RISE contracts, leading to deployments in separate AWS accounts while requiring an interlinked network connectivity. In this instance, you need to deploy Transit Gateway connection in a Landing Zone (multi-account) setup. It can scale your RISE deployment and integrate with multiple RISE with SAP VPCs.
Transit Gateway Flow Logs enables effective cost management. Transit Gateway Flow Logs can be integrated with Cost and Usage Report (CUR) that can be attributed as chargeback to the business units. For more information, see Logging network traffic using Transit Gateway Flow Logs .
The preceding diagram displays how Transit Gateway can be used to connect multiple RISE with SAP VPCs and provide chargeback capability through the Flow Logs.
For more information, see the following blogs:
Use the following steps to enable this setup:
-
Enable Transit Gateway Flow Logs. For more information, see Create a flow log that publishes to Amazon S3.
-
Setup Cost and Usage Reporting and setup Athena to utilize the reporting. For more information, see Creating Cost and Usage Reports and Querying Cost and Usage Reports using Amazon Athena .
-
Obtain the Transit Gateway data processing charge per-account.
-
Decide a cost allocation strategy - distribute costs evenly across all accounts or distribute proportionally across all accounts.
-
Calculate the total network traffic and percentage allocation per account using AWS Transit Gateway
query. -
Estimate cost per account, by collecting from CloudWatch that collects Network In(Upload) and NetworkOut(Download).
-
NetworkIn(Upload) + NetworkOut(Download) per usage account/ total data processed in network account
-
% of usage x total cost = chargeback cost per usage account
-
-