Connectivity - General SAP Guides

Connectivity

You must establish connectivity between the AWS Cloud, where your RISE with SAP solution is running, and your on-premises data centers. You also need a connection for direct data transfer (to avoid routing data via your on-premises locations) and for communication between SAP systems and your applications running on the AWS Cloud. The following image provides an overview of the connectivity options for the RISE with SAP VPC.


Figure: Example connectivity between an AWS account managed by SAP and your data centers or other AWS accounts

See the following topics for more details.

On-premises to AWS connectivity

RISE with SAP on AWS connectivity is supported by AWS VPN and AWS Direct Connect. You can connect your Amazon VPC and RISE with SAP VPC via your AWS account or by establishing a direct connection between the two.

For more information, see the following resources.

Connecting to RISE with SAP VPC using AWS VPN

Enable access to your remote network from the RISE with SAP VPC using AWS Site-to-Site VPN. Traffic between the AWS Cloud and your on-premises location is encrypted with Internet Protocol security (IPsec) and carried through a secure tunnel over the internet. This option is efficient, fast, and more cost-optimized than AWS Direct Connect. You can get a maximum bandwidth of up to 1.25 Gbps per VPN tunnel. For more information, see Site-to-Site VPN quotas.

Connecting to RISE with SAP VPC using AWS Direct Connect

Use AWS Direct Connect if you require higher throughput and a more consistent network experience than an internet-based connection provides. AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. You can create virtual interfaces to public AWS services, for example to Amazon S3, or to an Amazon VPC, bypassing the internet service providers in your network path.

You can choose a dedicated connection (a 1 Gbps, 10 Gbps, or 100 Gbps Ethernet port dedicated to a single customer) or a hosted connection from an AWS Direct Connect Partner that has an established network link with the AWS Cloud. Hosted connections are available from 50 Mbps up to 10 Gbps. You can order hosted connections from an AWS Direct Connect Delivery Partner approved to support this model. For more information, see AWS Direct Connect Delivery Partners.

To connect, use a virtual private gateway in the AWS account managed by SAP, or a Direct Connect gateway in your AWS account associated with a virtual private gateway in the AWS account managed by SAP. For more information, see Direct Connect gateways. A Direct Connect gateway can also connect to an AWS Transit Gateway. For more information, see Connecting to RISE with SAP using your AWS account.

You must obtain a Letter of Authorization from SAP to set up an AWS Direct Connect connection in the AWS account managed by SAP.

AWS Direct Connect internet access

Inbound internet traffic to SAP systems can be enabled through an internet gateway. Traffic is inspected by AWS WAF and protected by AWS Shield. An Elastic Load Balancer in front of the SAP system allows the SAP application servers to keep private IP addresses, so only the load balancer is exposed to the internet.

Note

SAP only allows HTTPS or TLS 1.2 for inbound internet connections.

Connectivity between AWS accounts

The following two options are available to connect your AWS account with the AWS account managed by SAP at the network layer (Layer 3).

Amazon VPC peering

VPC peering enables a network connection between two VPCs using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they were within the same network. For more information, see What is VPC peering?

Before setting up a peering connection, you need to submit a request for SAP's approval. For VPC peering to succeed, the IPv4 Classless Inter-Domain Routing (CIDR) blocks of the two VPCs must not overlap. Check with SAP for the CIDR ranges that can be used in the RISE with SAP VPC.

VPC peering is a one-to-one connection between VPCs and is not transitive: traffic cannot transit from one VPC to another via an intermediary VPC. You must set up a separate peering connection for each VPC that needs direct communication with the RISE with SAP VPC. For an alternative that scales to many VPCs, see AWS Transit Gateway.
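As an added example (not part of the original guide), the following Python script performs the checks described above before you file a peering request: it verifies that every VPC CIDR is an RFC 1918 range and does not overlap the RISE with SAP VPC CIDR or any other peer, and it lists the one peering connection and the pair of routes each VPC needs, since peering is not transitive. All CIDRs, VPC names, and peering connection IDs are constructed placeholders; the real RISE with SAP CIDR comes from SAP.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed placeholder values, not SAP's real ranges. The RISE with SAP VPC
# CIDR is provided by SAP; the other entries stand for VPCs in your own account.
RISE_VPC_CIDR = "10.20.0.0/16"
CUSTOMER_VPCS = {
    "vpc-analytics": "10.30.0.0/16",
    "vpc-shared-services": "10.40.0.0/20",
    "vpc-legacy": "10.20.128.0/17",   # overlaps the RISE VPC: SAP would reject this peering
    "vpc-dev": "172.16.0.0/16",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the CIDR lies entirely inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_peering(rise_cidr: str, vpcs: Dict[str, str]) -> Tuple[List[str], Dict[str, dict]]:
    """Validate CIDRs and describe what each peering needs.

    Returns (problems, plan). `problems` lists every finding that would block a
    peering request. `plan` maps each VPC to its own peering connection and the
    two routes that connection needs: one in your VPC pointing at the RISE CIDR,
    one in the RISE VPC pointing back. Because peering is not transitive, every
    VPC gets its own connection; none of them can reach RISE through another.
    """
    problems: List[str] = []
    nets = {"rise-with-sap": ipaddress.ip_network(rise_cidr, strict=True)}
    for name, cidr in vpcs.items():
        if not is_rfc1918(cidr):
            problems.append(f"{name}: {cidr} is not an RFC 1918 private range")
        nets[name] = ipaddress.ip_network(cidr, strict=True)

    # Every pair must be disjoint: the RISE VPC route table needs one unambiguous
    # route per peer, and a peer overlapping RISE itself cannot be peered at all.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    plan = {}
    for name, cidr in vpcs.items():
        pcx = f"pcx-<{name}>"   # placeholder: the ID AWS assigns once SAP accepts the request
        plan[name] = {
            "peering_connection": pcx,
            "route_in_your_vpc": {"destination": rise_cidr, "target": pcx},
            "route_in_rise_vpc": {"destination": cidr, "target": pcx},
        }
    return problems, plan


if __name__ == "__main__":
    problems, plan = plan_peering(RISE_VPC_CIDR, CUSTOMER_VPCS)
    for p in problems:
        print("BLOCKER:", p)
    for name, entry in plan.items():
        print(name, "->", entry["route_in_your_vpc"], "| RISE side:", entry["route_in_rise_vpc"])
```

Run it with your real CIDR inventory before raising the request with SAP; any line printed as a blocker means the peering would either be refused or leave the RISE route table with an ambiguous route.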

VPC peering works across AWS Regions. All inter-Region traffic is encrypted, with no single point of failure or bandwidth bottleneck. Traffic stays on the AWS Global Network and never traverses the public internet, reducing exposure to common exploits and DDoS attacks. Traffic is encrypted using AES-256 at the virtual network layer.

Data transfer over VPC peering within an Availability Zone is free; across Availability Zones it is charged per GB. For more information, see Amazon EC2 pricing. In your AWS account, use the Availability Zone ID of the AWS account managed by SAP to avoid cross-Availability Zone data transfer charges (Availability Zone names are mapped to physical zones independently in each account, so the ID is the reliable identifier). You can ask SAP for the Availability Zone ID. For more information, see Availability Zone IDs for your AWS resources.


Figure: VPC peering connections between multiple accounts in multiple Regions
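The Availability Zone name you see (such as us-east-1a) is mapped to a physical zone independently in each account, so the only way to land in the same zone as the SAP-managed systems is to match on the Zone ID. The following Python, added here as an example rather than taken from the guide, resolves SAP's Zone IDs to the zone names in your account and flags subnets whose traffic to the RISE VPC would be billed as cross-Availability Zone. The zone and subnet records are constructed samples in the shape of the EC2 DescribeAvailabilityZones and DescribeSubnets responses (in practice you would feed it the output of those calls); the SAP Zone IDs are placeholders.

```python
from typing import Dict, List, Optional

# Constructed sample in the shape of DescribeAvailabilityZones output for YOUR
# account; only the fields used here are included.
YOUR_ZONES = [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az6"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az1"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az2"},
]

# Constructed placeholders standing in for the Zone IDs SAP reports for the
# RISE with SAP systems; obtain the real ones from SAP.
SAP_ZONE_IDS = {"use1-az1", "use1-az2"}

# Constructed sample in the shape of DescribeSubnets output for your VPC.
YOUR_SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZoneId": "use1-az1", "CidrBlock": "10.30.0.0/24"},
    {"SubnetId": "subnet-0b2", "AvailabilityZoneId": "use1-az6", "CidrBlock": "10.30.1.0/24"},
    {"SubnetId": "subnet-0c3", "AvailabilityZoneId": "use1-az2", "CidrBlock": "10.30.2.0/24"},
]


def zone_name_for_id(zones: List[Dict[str, str]], zone_id: str) -> Optional[str]:
    """Translate a Zone ID (stable across accounts) into this account's zone name."""
    for zone in zones:
        if zone["ZoneId"] == zone_id:
            return zone["ZoneName"]
    return None   # this account does not expose that zone in the Region


def colocated_zone_names(zones: List[Dict[str, str]], sap_zone_ids) -> List[str]:
    """Zone names in your account that share a physical zone with SAP's systems."""
    names = (zone_name_for_id(zones, zid) for zid in sap_zone_ids)
    return sorted(n for n in names if n is not None)


def cross_az_subnets(subnets: List[Dict[str, str]], sap_zone_ids) -> List[str]:
    """Subnets whose traffic to the RISE VPC would be billed as cross-AZ transfer."""
    return [s["SubnetId"] for s in subnets if s["AvailabilityZoneId"] not in sap_zone_ids]


if __name__ == "__main__":
    print("Place peering-bound workloads in:", colocated_zone_names(YOUR_ZONES, SAP_ZONE_IDS))
    print("Subnets that incur cross-AZ charges:", cross_az_subnets(YOUR_SUBNETS, SAP_ZONE_IDS))
```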

AWS Transit Gateway

AWS Transit Gateway is a network transit hub that interconnects Amazon VPCs. It acts as a cloud router and removes the complexity of many-to-many peering by serving as the central communication hub. You need to establish the connection with the AWS account managed by SAP only once.

To establish a connection with the AWS account managed by SAP, create an AWS Transit Gateway in your AWS account and share it with the SAP-managed account. SAP then creates an attachment and enables traffic flow through an entry in the route table. Because the AWS Transit Gateway resides in your AWS account, you retain control over traffic routing.

For cross-Region peering, connect the AWS Transit Gateway in the AWS account managed by SAP with an AWS Transit Gateway in a different Region in your AWS account. The AWS Transit Gateway in the AWS account managed by SAP is currently limited to cross-Region peering. For more information, see Transit gateway peering attachments.


Figure: Connections between multiple accounts in multiple Regions using AWS Transit Gateway
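To make the hub-and-spoke behaviour concrete, the following Python, an added illustration and not code from the guide, evaluates a transit gateway route table the way the gateway does (longest prefix match, with blackhole routes that drop traffic). It shows that every spoke VPC reaches the RISE with SAP VPC through the single SAP-created attachment, while you still decide which prefixes get a route and which are blackholed, which is the control the text refers to. All CIDRs and attachment IDs are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination CIDR, attachment ID) with None meaning a blackhole route.
Route = Tuple[str, Optional[str]]

# Constructed sample transit gateway route table in your account. SAP's
# attachment populates the RISE route; everything else is under your control.
TGW_ROUTES: List[Route] = [
    ("10.20.0.0/16", "tgw-attach-rise"),        # RISE with SAP VPC, attachment created by SAP
    ("10.30.0.0/16", "tgw-attach-analytics"),   # your VPCs, one attachment each
    ("10.40.0.0/20", "tgw-attach-shared"),
    ("10.40.15.0/24", None),                    # blackhole: a subnet you chose to isolate
    ("10.0.0.0/8", "tgw-attach-onprem"),        # catch-all back to on-premises via VPN/Direct Connect
]


def lookup(route_table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match over the route table; None if no route covers the address."""
    ip = ipaddress.ip_address(dst_ip)
    best_net = None
    best_route: Optional[Route] = None
    for cidr, attachment in route_table:
        net = ipaddress.ip_network(cidr, strict=True)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, (cidr, attachment)
    return best_route


def forward(route_table: List[Route], dst_ip: str) -> str:
    """Decide what the hub does with a packet for dst_ip.

    Returns "DROP" for blackholed or unrouted traffic, otherwise the attachment
    the packet is sent out on.
    """
    route = lookup(route_table, dst_ip)
    if route is None or route[1] is None:
        return "DROP"
    return route[1]


def spokes_reaching(route_table: List[Route], rise_ip: str) -> List[str]:
    """Attachments (other than RISE's own) that can reach a RISE address via the hub.

    Every spoke with a route resolves to the same RISE attachment: one attachment
    serves all spokes, which is what peering cannot do.
    """
    target = forward(route_table, rise_ip)
    return sorted({att for _, att in route_table if att and att != target and target != "DROP"})


if __name__ == "__main__":
    for dst in ("10.20.1.10", "10.40.3.9", "10.40.15.9", "10.99.0.1", "192.168.1.1"):
        print(f"{dst:>14} -> {forward(TGW_ROUTES, dst)}")
    print("spokes that reach RISE through the hub:", spokes_reaching(TGW_ROUTES, "10.20.1.10"))
```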

Connecting to RISE with SAP using your AWS account

You can establish connectivity between on-premises and the RISE with SAP VPC using your AWS account. This method gives you more control but also requires you to manage the AWS services in your AWS account. You can use any one of the following options.

The following image shows this option within the same AWS Region.


Figure: Example connections in a single Region

The following image shows this option across different AWS Regions.


Figure: Example connections across Regions

SAP Business Technology Platform (BTP) with RISE with SAP on AWS

You can use SAP Business Technology Platform (BTP) services on AWS to extend the functionality of RISE with SAP. SAP recommends SAP Cloud Connector to connect the RISE with SAP VPC with SAP BTP via the internet. When both RISE with SAP and SAP BTP run on AWS, the network traffic is encrypted and contained within the AWS Global Network without traversing the internet. This provides better security and performance for integration use cases between RISE with SAP and SAP BTP. For more information, see Amazon VPC FAQs.

SAP also offers SAP Private Link Service for SAP BTP on AWS. SAP Private Link connects SAP BTP on AWS to your AWS account over a secure connection without using public IPs.


Figure: Connecting multiple accounts using AWS PrivateLink

You can connect to an AWS endpoint service from an SAP BTP application running on Cloud Foundry. By establishing this connection, you can connect directly to AWS services or, for example, to an S/4HANA system. For a complete list of supported AWS services, see Consume Amazon Web Services in SAP BTP.

You can establish secure and private communication between SAP BTP and AWS services with SAP Private Link Service. By using private IP address ranges (RFC 1918), you reduce the attack surface of the application, and the connection does not require an internet gateway. If you do not require this extra layer of security, you can still connect via the public APIs of SAP BTP without SAP Private Link and benefit from the AWS Global Network. For more information, see Amazon VPC FAQs.

SAP Private Link for AWS currently supports connections initiated from SAP BTP Cloud Foundry to AWS.

For AWS services in other AWS Regions, create a VPC in the same AWS Region as your SAP BTP Cloud Foundry runtime, and connect the VPCs via VPC peering or AWS Transit Gateway. For a list of supported Regions, see Regions and API Endpoints Available for the Cloud Foundry Environment.


Figure: Connecting multiple accounts in multiple Regions using AWS PrivateLink