Connectivity - General SAP Guides

Connectivity

You must establish connectivity between AWS cloud where your RISE with SAP solution is running and on-premises data centers. You also need a connection for direct data transfer (to avoid routing data via your on-premises locations) and communication between SAP systems and your applications running on AWS cloud. The following image provides an example overview of connectivity to RISE with SAP VPC.

Example connectivity between an AWS account managed by SAP and your data centers or other AWS accounts

See the following topics for further details:

Roles and responsibility for establishing connectivity to RISE

Under RISE with SAP, the SAP Enterprise Cloud Services (ECS) team manages the SAP S/4HANA Private Cloud Environment. The Supplemental Terms and Conditions provided by SAP has a section on Excluded Tasks. You are responsible for running such tasks. You can also use a third-party service provider to manage on the excluded tasks for you. For further details, see SAP Product Policies.

The primary task required for deploying RISE with SAP is to establish network connectivity to RISE with SAP VPC on AWS. As per the RISE with SAP agreement, you are responsible for establishing a connection to RISE.

We recommend that you spend time understanding the available options on how to connect your on-premises network and/or existing AWS accounts to RISE with SAP VPC on AWS. Review the subsequent sections for more information.

Connecting to RISE from on-premises networks

Connectivity to RISE with SAP on AWS from on-premises is supported using AWS VPN or AWS Direct Connect or a combination of the two.

Connecting to RISE with SAP VPC using AWS VPN

Enable access to your remote network from RISE with SAP VPC using AWS Site-to-Site VPN. Traffic between AWS cloud and your on-premises location is encrypted via Internet Protocol security (IPsec) and transferred through a secure tunnel on internet. This option is efficient, fast, and more cost-optimized when compared to AWS Direct Connect. For more information, see Connect your VPC to remote networks using AWS Virtual Private Network.

You can get a maximum bandwidth of up to 1.25 Gbps per VPN tunnel. For more information, see Site-to-Site VPN quotas.

To scale beyond the default maximum limit of 1.25 Gbps throughput of a single VPN tunnel, see How can I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a transit gateway?

When using this option, SAP requires the following details:

  • BGP ASN

  • IP address of your device

You can obtain these details from your VPN device on-premises.

Connecting to RISE with SAP VPC using AWS Direct Connect

Use AWS Direct Connect if you require a higher throughput and more consistent network experience than an internet-based connection. AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. You can create virtual interfaces to public AWS services. For example, you can create interfaces to Amazon S3 or Amazon VPC while bypassing the internet service providers in your network path. For more information, see AWS Direct Connect connections.

You can choose from a dedicated connection of 1 Gbps, 10 Gbps or 100 Gbps Ethernet port dedicated to a single customer, or a AWS Direct Connect Partner's hosted connection where the Partner has an established network link with AWS cloud. Hosted connections are available from 50 Mbps up to 10 Gbps. You can order hosted connections from an AWS Direct Connect Delivery Partner approved to support this model. For more information, see AWS Direct Connect Delivery Partners.

To connect, use a virtual private gateway in AWS account managed by SAP or a Direct Connect gateway in your AWS account associated with a virtual private gateway in AWS account managed by SAP. For more information, see Direct Connect gateways. Direct Connect gateway can also connect to a AWS Transit Gateway. For more information, see Connecting to RISE using your single AWS account.

You must acquire a Letter of Authorization from SAP to setup a AWS Direct Connect connection in the AWS account managed by SAP.

Connecting to RISE from your AWS account

You can connect to RISE from your AWS account in the following ways.

Amazon VPC peering

VPC peering enables network connection between two AWS VPCs using private IPv4 and IPv6 addresses. Instances can communicate over the same network. For more information, see What is VPC peering?

Before setup a peering connection, you need to create a request for SAP's approval. For a successful VPC peering, the defined IPv4 Classless Inter-Domain Routing (CIDR) block must not overlap. Check with SAP for the CIDR ranges that can be used in RISE with SAP VPC.

VPC peering is one-on-one connection between VPCs, and is not transitive. Traffic cannot transit from one VPC to another via an intermediary VPC. You must setup multiple peering connections to establish direct communication between RISE with SAP VPC and multiple VPCs.

VPC peering works across AWS Regions. All inter-Region traffic is encrypted with no single point of failure or bandwidth bottleneck. Traffic stays on AWS Global Network and never traverses the public internet, reducing threats of common exploits and DDos attacks. Traffic is encrypted using AES-256 encryption at the virtual network layer.

Data transfer for VPC peering within an Availability Zone is free, and for across Availability Zones is charged per-GB. For more information, see Amazon EC2 pricing. In your AWS account, use the Availability Zone ID of AWS account managed by SAP to avoid cross-Availability Zone data transfer charges. You can ask for the Availability Zone ID from SAP. For more information, see Availability Zone IDs for your AWS resources.

VPC peering connections between multiple accounts in multiple Regions

AWS Transit Gateway

AWS Transit Gateway is a network transit hub to interconnect Amazon VPCs. It acts as a cloud router, resolving complex peering setup issues by acting as the central communication hub. You need to establish this connection with AWS account managed by SAP only once.

Transit Gateway in your own AWS account

To establish connection with AWS account managed by SAP, create and share AWS Transit Gateway in your AWS account. SAP then creates an attachment to enable traffic flow through an entry in route table. As AWS Transit Gateway resides in your AWS account, you can retain control over traffic routing. For more information, see Transit gateway peering attachments.

Connections between multiple accounts in multiple Regions using AWS Transit Gateway

Transit Gateway in AWS account managed by SAP

If you already have an Transit Gateway in another AWS Region, and cannot create another AWS account and Transit Gateway in the Region that has RISE with SAP, then SAP can provide the Transit Gateway in the RISE with SAP account. This account and Transit Gateway in it are both managed by SAP. This enables you to establish cross-Region communication between your own AWS accounts and the RISE with SAP account through Transit Gateway and the SAP-managed Transit Gateway. Other use-cases include using Firewall appliances where Transit Gateway is routing traffic through the appliance, connecting via the Direct Connect Gateway using transit VIF to the Transit Gateway managed by SAP, and connecting via Direct Connect or VPN using private VIFs to the Transit Gateway managed by SAP. You cannot connect VPC attachments of VPCs outside of the RISE environment to the SAP-managed Transit Gateway.

Connections between multiple accounts in multiple Regions using AWS Transit Gateway

Connecting to RISE using your single AWS account

You can establish connectivity between on-premises and RISE with SAP VPC using your AWS account. This method provides you with more control but also requires managing AWS services in your AWS account. You can use any one of the following options.

The following image shows this option within the same AWS Region.

Example connections in a single Region

The following image shows this option across different AWS Regions.

Example connections across Regions

Connecting to RISE with a shared AWS Landing Zone

Modern SAP landscapes have several connectivity requirements. Services are accessed across on-premises and AWS Cloud as well as across a variety of SaaS solutions and other cloud service providers.

Creating an AWS Landing Zone facilitates secure and scalable connectivity for RISE with SAP. It provides the following benefits:

  • Control over networking configuration

  • Ability to reuse AWS Direct Connect connections across your broader AWS solutions

  • Reduced network hops and latency for connectivity to other SaaS solutions and cloud service providers as they are not routed via on-premises

  • Ability for additional governance and control through use of AWS services

A Landing Zone is designed to help organizations achieve their cloud initiatives by automating the set-up of an AWS environment that follows AWS Well Architected framework. It provides scalability to cater to all scenarios, from the simplest connectivity, where only RISE with SAP connectivity to on-premises environments is required, to complex requirements with connectivity to multiple SaaS solutions, multiple CSPs and on-premises connectivity.

The key components and benefits of a Landing Zone include:

  • Multi-account structure – it sets a baseline environment across multiple AWS accounts using an organization unit (OU) structure for different workloads. For instance, production, development, shared services, etc.

  • AWS Identity and Access Management – it configures AWS Identity and Access Management (IAM) roles and policies for secure access and management of permissions.

  • Networking – it sets up a Amazon Virtual Private Cloud (Amazon VPC) with subnets, routing tables, and security groups, following the best practices for network isolation and security.

  • Logging and monitoring – it configures AWS services, such as AWS Config, AWS CloudTrail, Amazon GuardDuty for centralized logging, monitoring, and auditing of resource changes and security events.

  • Security – it implements AWS security best practices, such as like enabling AWS Config Rules, setting up AWS CloudTrail trails, and creating AWS Security Hub standards.

  • Automation – it uses AWS CloudFormation templates and AWS Service Catalog to automate the deployment and management of the Landing Zone environment.

  • Customization – it allows for customization and extension based on specific organizational requirements, such as adding additional AWS services or integrating with existing on-premises infrastructure.

We recommend using an AWS Landing Zone for RISE with SAP connectivity.

Connecting to RISE with a shared AWS Landing Zone

Building an AWS Landing Zone

You can implement AWS Landing Zones using AWS Control Tower. It provides an automated process for building the Landing Zone, including management and governance services.

In a simple scenario, a Landing Zone contains a minimal footprint focused on connectivity that is typically centred around AWS Transit Gateway. For more information, see Landing zone.

The following is a general overview of the process:

  1. Define requirement – understand your organization's security, compliance, and operational requirements. This will help determine the appropriate guardrails, controls, and services to be included in the Landing Zone.

  2. Design architecture – plan the overall architecture, including the number of accounts (management, shared services, workload accounts), network design (VPCs, subnets, routing), shared services (logging, monitoring, identity management), and security controls (IAM, service control policies, guardrails).

  3. Setup AWS Control Tower – AWS Control Tower helps in setting up and governing a multi-account AWS environment based on best practices. It allows you to create and provision new AWS accounts and deploy baseline security configurations across those accounts.

  4. Configure AWS Organizations – Organizations enables you to centrally manage and govern your AWS accounts. Configure Organizations in AWS Control Tower by creating the necessary organizational units (OUs) and service control policies (SCPs).

  5. Deploy core accounts and services – create and configure the core accounts, such as the management account, shared services accounts (for logging, security tooling), and any other required shared accounts. Deploy shared services, such as CloudTrail, Config, and Security Hub.

  6. Deploy network architecture – set up the network architecture, including VPCs, subnets, route tables, and any necessary network appliances or services (for example, Transit Gateway for a hub-and-spoke model).

  7. Configure IAM – establish IAM roles, policies, and groups for controlling access and permissions across the Landing Zone accounts.

  8. Implement security controls – deploy security services and guardrails, such as Security Hub, Firewall Manager, AWS WAF, and AWS Config Rules, to enforce security best practices and compliance requirements.

  9. Configure logging and monitoring – set up centralized logging and monitoring solutions, such as CloudWatch, CloudTrail, and Config, to capture and analyze logs and events across the Landing Zone accounts.

  10. Deploy workload accounts – deploy workload accounts with your Landing Zone. You can create an AWS account to connect to RISE with SAP VPC. We recommended connecting using Transit Gateway for flexibility and ease of management.

  11. Automate and maintain – use AWS CloudFormation templates or other Infrastructure as Code tools to automate the deployment and maintenance of the Landing Zone resources. Establish processes for ongoing maintenance, updates, and compliance checks.

AWS Professional Services or AWS Partners provide assistance for building and maintaining a landing zone for RISE with SAP.

Connect to RISE through nearest AWS Direct Connect POP (including AWS Local Zone)

AWS Direct Connect Point of Presence (POP) is a physical cross-connect that allows users to establish a network connection from their premises to an AWS Region or AWS Local Zone. You can use the nearest Direct Connect POP located in AWS Local Zone to benefit from lower network latency to RISE with SAP VPC that runs on parent AWS Region. For more information, see AWS Direct Connect Traffic Flow with AWS Local Zone.

Here is an example scenario - You are based in Philippines, and you would like to deploy RISE with SAP in AWS Singapore Region. You can use Direct Connect POP in Manila to setup Direct Connect from your on-premise data centre or offices. This strategy provides a lower network latency compared to a connecting directly to the AWS Region in Singapore.

The following diagram displays RISE connectivity through nearest AWS Direct Connect POP.

Connect to RISE through nearest AWS Direct Connect POP (including AWS Local Zone)

The following are some considerations when using AWS Direct Connect POP:

  • Use separate VPCs for Region (RISE with SAP VPC) and Local Zones based non-SAP workloads

  • Use Direct Connect Gateway in AWS Direct Connect POP and Private VIF connectivity

  • Use Direct Connect Gateway in AWS Direct Connect POP and Transit VIF connectivity for Region VPCs (RISE with SAP VPC)

If resilience is critical, setup a secondary Direct Connect to the AWS Region running RISE with SAP VPC. Use AWS Site-to-Site VPN to the AWS Region for a more cost-optimized connectivity option. These services operate within the parent AWS Region, serving as a fallback connectivity option ensuring uninterrupted connectivity in the event of disruptions or failures.

Example connections across Regions

Decision tree on connectivity to RISE

You must establish required connectivity to proceed with RISE with SAP on AWS. The following are a few connectivity patterns described in the preceding sections:

  • direct to RISE VPC, supported with Site-to-Site VPN

  • direct to RISE VPC, supported with Direct Connect

  • connectivity through your AWS account via VPC Peering

  • connectivity through Transit Gateway, supporting multi-account deployments

  • connectivity through SAP-managed Transit Gateway supporting multi-account deployments

You must also consider if you want to connect:

  • directly to an AWS Region where the RISE with SAP VPC is going to be deployed

  • or through AWS Local Zone to benefit from lower latency to connect to the RISE with SAP VPC

The decision tree displayed in the following diagram helps you decide which connectivity is suitable based on your requirements, such as future plan of additional AWS or RISE accounts, dedicated line (security, performance), and bandwidth needs.

Example connections across Regions

Other considerations

This sections provides information about other considerations when connecting to RISE.

SAP Business Technology Platform (BTP) with RISE on AWS

You can use SAP Business Technology Platform BTP services on AWS to extend the functionality of the RISE with SAP. SAP recommends SAP Cloud Connector to connect RISE with SAP VPC with SAP BTP via internet. When both RISE with SAP and SAP BTP run on AWS, the network traffic is encrypted and contained within AWS Global Network, without going through the internet (see the following diagram). This provides better security and performance for any integration use-cases between RISE with SAP and SAP BTP. For more information, see Amazon VPC FAQs.

Example connections across Regions

As displayed in the preceding diagram, you can configure Transit Gateway to handle both RISE and BTP network traffic. For more information, see How to route internet traffic from on-premise via Amazon VPC?

SAP also offers SAP Private Link Service for SAP BTP on AWS. SAP Private Link connects SAP BTP on AWS with a secure connection without using public IPs in your AWS account.

Connecting multiple accounts using AWS PrivateLink

You can connect to an AWS endpoint service from an SAP BTP application running on Cloud Foundry. By establishing this connection, you can directly connect to AWS services or for example. to an S/4HANA system. For a complete list of supported AWS services, see Consume Amazon Web Services in SAP BTP.

You can establish a secure and private communication between SAP BTP and AWS services with SAP Private Link Service. By using private IP address ranges (RFC 1918), you reduce the attack surface of the application. The connection does not require an internet gateway. If you do not require this extra layer of security, you can still connect via the public APIs of SAP BTP without SAP Private Link, and benefit from AWS global network. For more information, see Amazon VPC FAQs.

SAP Private Link for AWS currently supports connections initiated from SAP BTP Cloud Foundry to AWS.

For AWS services across AWS Regions, you can create a VPC in the same AWS Region as your SAP BTP Cloud Foundry Runtime, and connect these VPCs via VPC peering or AWS Transit Gateway. For a list of supported Regions, see Regions and API Endpoints Available for the Cloud Foundry Environment.

Connecting multiple accounts in multiple Regions using AWS PrivateLink

Connecting to cloud solutions or SaaS from RISE

When modernizing the SAP landscape, you may subscribe to several SAP cloud solutions or SaaS from independent software vendors to complement RISE with SAP solution.

When the cloud solutions are running on AWS, the connectivity from RISE with SAP is kept within the AWS global network without requiring internet connectivity. The connectivity is retained through the provided squid proxy server within RISE with SAP VPC.

Connecting to cloud solutions or SaaS from RISE

If your cloud is running on other data centre or with another cloud service provider, then you need internet connectivity.

Connecting to cloud solutions or SaaS from RISE

SaaS cloud solutions do not offer connectivity via VPN, Direct Connect or any other means of private connectivity. You can implement a centralized egress to internet architecture to manage this connectivity. For more information, see Centralized egress to internet .

Connectivity patterns for multi-cloud to RISE

In a complex connectivity scenario, you may need to integrate RISE with SAP setup with on-premises, AWS-hosted systems, and a variety of SaaS solutions and other cloud service providers.

Managing connectivity directly from the AWS environment decouples dependencies with on-premises networking infrastructure, improving availability and resiliency of the overall landscape.

You can use public or private connectivity to connect multi-cloud with RISE.

Connectivity patterns for multi-cloud to RISE

Public connectivity

Connectivity is routed over the public internet. This pattern is typically used for connectivity from RISE with SAP to SaaS solutions that runs across multiple clouds. When building connectivity routed over the public internet, consider the following:

  • ensure that all communication is encrypted

  • protect end-points by using AWS services, such as Elastic Load Balancers and AWS Shield

  • monitor endpoints using Amazon CloudWatch

  • ensure that traffic between two public IP addresses hosted on AWS is routed over the AWS network

Private connectivity

The following three are the options to establish private connectivity between different cloud service providers:

  • Site-to-site VPN encrypted tunnel routed over public internet

  • private interconnect using AWS Direct Connect in a managed infrastructure (use Azure ExpressRoute for Azure and Google Dedicated Interconnect for Google Cloud Platform)

  • private interconnect using an AWS Direct Connect in a facility with a multi-cloud connectivity provider

The following diagram describes the factors to choose a multi-cloud connectivity method.

Connectivity patterns for multi-cloud to RISE

For more information, see Designing private network connectivity between AWS and Microsoft Azure.

How to implement chargeback capability for connectivity to RISE

If you are a company with subsidiaries, you may have different RISE contracts, leading to deployments in separate AWS accounts while requiring an interlinked network connectivity. In this instance, you need to deploy Transit Gateway connection in a Landing Zone (multi-account) setup. It can scale your RISE deployment and integrate with multiple RISE with SAP VPCs.

Transit Gateway Flow Logs enables effective cost management. Transit Gateway Flow Logs can be integrated with Cost and Usage Report (CUR) that can be attributed as chargeback to the business units. For more information, see Logging network traffic using Transit Gateway Flow Logs .

How to implement chargeback capability for connectivity to RISE

The preceding diagram displays how Transit Gateway can be used to connect multiple RISE with SAP VPCs and provide chargeback capability through the Flow Logs.

For more information, see the following blogs:

Use the following steps to enable this setup:

  1. Enable Transit Gateway Flow Logs. For more information, see Create a flow log that publishes to Amazon S3.

  2. Setup Cost and Usage Reporting and setup Athena to utilize the reporting. For more information, see Creating Cost and Usage Reports and Querying Cost and Usage Reports using Amazon Athena .

  3. Obtain the Transit Gateway data processing charge per-account.

    1. Decide a cost allocation strategy - distribute costs evenly across all accounts or distribute proportionally across all accounts.

    2. Calculate the total network traffic and percentage allocation per account using AWS Transit Gateway query.

    3. Estimate cost per account, by collecting from CloudWatch that collects Network In(Upload) and NetworkOut(Download).

      1. NetworkIn(Upload) + NetworkOut(Download) per usage account/ total data processed in network account

      2. % of usage x total cost = chargeback cost per usage account