How to connect SAP solutions operating in AWS to AWS accounts and services
In today's IT landscape it is essential to exchange data between different services and PaaS or SaaS solutions. AWS customers who use SAP services such as SAP HANA Enterprise Cloud (HEC), RISE with SAP or SAP Business Technology Platform (BTP) use the connectivity services provided by AWS to improve security and performance. We also hear from customers who want to reduce complexity and cost.
Customers need connectivity from on-premises to the SAP solution running on AWS. Scenarios range from a hybrid setup with the customer's own on-premises data center to plain user access to the SAP solution. Data must also be exchanged between the SAP solution and other services running on AWS. This post describes the connectivity options for the common SAP services that run on AWS.
It walks through the various options and also shows how to connect the AWS account managed by the customer (referred to below as the "customer-managed AWS account") to the AWS account managed by SAP (the "SAP-managed AWS account"). For customers already running systems on AWS this matters because it lets them reuse their existing AWS connectivity and connect current and future SAP solutions to AWS services.
The focus is on how to connect to the SAP services introduced above, not on the technical details of AWS networking.
The connection method differs by SAP product, so each product is covered in turn.
SAP HANA Enterprise Cloud (HEC) / RISE with SAP
SAP HANA Enterprise Cloud (HEC) and RISE with SAP are SAP services that run on AWS and are offered in multiple AWS regions. As of this writing SAP offers these services in 17 of the 25 AWS regions, and more are being added. AWS offers several ways to connect to your Amazon Virtual Private Cloud (VPC). Both managed services are delivered as a private cloud, so a private connection is required, and AWS offers several private connectivity options. The options supported by SAP are AWS VPN connections and AWS Direct Connect.
AWS VPN
The simplest and least expensive way to connect to an SAP system hosted on AWS is AWS Site-to-Site VPN. AWS Site-to-Site VPN creates an encrypted tunnel between your network and an Amazon VPC or an AWS Transit Gateway. Traffic between on-premises and AWS is encrypted with IPsec and carried through that tunnel over the public Internet. The advantage of an AWS VPN connection is that it can be deployed quickly and efficiently, and at lower cost than AWS Direct Connect.
AWS Direct Connect
If you need higher throughput and a more consistent network than an Internet-based connection can give, you can connect on-premises to the AWS cloud with AWS Direct Connect.
AWS Direct Connect is offered through multiple partners with a choice of bandwidths and implementation options. The connectivity options are detailed in the AWS whitepaper Amazon Virtual Private Cloud Connectivity Options, and resiliency is covered in the AWS Direct Connect Resiliency Recommendations.
AWS Direct Connect provides a dedicated private network connection between your network and Amazon VPC. Traffic does not traverse the Internet, so bandwidth and throughput are more consistent than with a VPN.
You can also reach the SAP-managed AWS account over an existing AWS Direct Connect that already serves your other workloads on AWS. To do so, extend the connection to a virtual private gateway in the SAP-managed AWS account, either through a private virtual interface (VIF) or through a Direct Connect Gateway. Because that virtual private gateway lives in SAP's account, the private VIF or the Direct Connect Gateway association is created cross-account and must be accepted by SAP.
Connection between AWS accounts
HEC and RISE with SAP run in an AWS account owned and managed by SAP. You can still create your own AWS account for additional workloads or native AWS services. There are two options for connecting the SAP-managed AWS account with the customer-managed AWS account.
1. VPC peering
VPC (Virtual Private Cloud) peering is a network connection between two VPCs that lets traffic flow between them using private IPv4 or IPv6 addresses. Instances in either VPC communicate as if they were on the same network.
To peer two VPCs, their Classless Inter-Domain Routing (CIDR) blocks must not overlap; otherwise the peering connection fails. The recommendation is to agree the CIDR ranges with SAP and to confirm that the range SAP manages fits your network design. When a peering connection is requested, SAP must accept it on their VPC.
VPC peering is a one-to-one connection between VPCs. If several VPCs need to communicate directly with the managed SAP service, each one needs its own peering connection. With many AWS accounts or VPCs this becomes complex and hard to manage, so in such scenarios consider option 2 (below).
VPC peering also works across AWS regions: for example, a customer VPC in eu-west-1 can be peered with the SAP VPC in eu-central-1. All inter-region traffic is encrypted, and there is no single point of failure or bandwidth bottleneck. Traffic stays on the global AWS backbone and never traverses the public Internet, which reduces exposure to common exploits and DDoS attacks.
Connection via VPC peering across regions
Beyond the simple setup and the cross-region capability, VPC peering is also cheaper than routing traffic through AWS Transit Gateway or via on-premises. AWS recently announced a price change for VPC peering: from May 1, 2021, all data transferred over a VPC peering connection that stays within the same Availability Zone (AZ) is free.
You can ask SAP for the AZ ID of the SAP VPC and check that it matches the AZ ID used in the customer-managed AWS account. Compare AZ IDs (such as euc1-az1) rather than AZ names: an AZ name such as eu-central-1a is mapped to a physical zone independently per account, whereas the AZ ID identifies the same physical zone in every account.
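Because an overlapping CIDR block is the most common reason a peering request fails, it pays to check the ranges before asking SAP to accept the connection. The following script is an added example, not code from the original post or from AWS. The account labels, VPC names and CIDR blocks in it are constructed for illustration; in practice you would read your own VPC CIDRs (primary and any secondary blocks) from the EC2 API and take the SAP-managed ranges from what SAP has shared with you. It goes slightly beyond the paragraph above by also checking secondary CIDR blocks and proposing a free block for a new VPC that must later peer with all of the existing ones.

```python
"""Pre-check CIDR overlap before requesting a VPC peering connection.

Added example (not from the original post). The VPC names and CIDR blocks are
constructed; replace them with the output of ec2.describe_vpcs() for your own
account and with the ranges SAP has communicated for the SAP-managed VPCs.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from itertools import combinations
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed inventory: "account/vpc" -> list of CIDR blocks (primary plus
# secondary). Every block must be free of overlap with the peer for peering to work.
VPCS: Dict[str, List[str]] = {
    "customer/vpc-app":    ["10.0.0.0/16"],
    "customer/vpc-shared": ["10.1.0.0/16", "100.64.0.0/22"],
    "sap/vpc-hec-prod":    ["10.0.128.0/18"],   # sits inside customer/vpc-app: conflict
    "sap/vpc-hec-qa":      ["10.2.0.0/16"],
}


def parse_cidrs(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings; strict=True rejects blocks with host bits set (a typo)."""
    return [ip_network(c, strict=True) for c in cidrs]


def overlaps(a: Network, b: Network) -> bool:
    """True when the two blocks share any address. Different address families never overlap."""
    return a.version == b.version and a.overlaps(b)


def peering_conflicts(vpc_a: str, vpc_b: str,
                      inventory: Dict[str, List[str]] = VPCS) -> List[Tuple[str, str]]:
    """Every (cidr_a, cidr_b) pair that would make a vpc_a <-> vpc_b peering fail."""
    conflicts = []
    for na in parse_cidrs(inventory[vpc_a]):
        for nb in parse_cidrs(inventory[vpc_b]):
            if overlaps(na, nb):
                conflicts.append((str(na), str(nb)))
    return conflicts


def can_peer(vpc_a: str, vpc_b: str, inventory: Dict[str, List[str]] = VPCS) -> bool:
    return not peering_conflicts(vpc_a, vpc_b, inventory)


def all_conflicts(inventory: Dict[str, List[str]] = VPCS) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Pairwise check across the whole inventory, useful when agreeing a CIDR plan with SAP."""
    report = {}
    for a, b in combinations(sorted(inventory), 2):
        found = peering_conflicts(a, b, inventory)
        if found:
            report[(a, b)] = found
    return report


def propose_free_block(prefix_len: int, inventory: Dict[str, List[str]] = VPCS,
                       supernet: str = "10.0.0.0/8") -> str:
    """First /prefix_len block of supernet that overlaps nothing already in use.
    Use it to pick the CIDR for a new VPC that must be able to peer with all existing ones."""
    used = [n for cidrs in inventory.values() for n in parse_cidrs(cidrs)]
    for candidate in ip_network(supernet).subnets(new_prefix=prefix_len):
        if not any(overlaps(candidate, u) for u in used):
            return str(candidate)
    raise ValueError(f"no free /{prefix_len} left in {supernet}")


if __name__ == "__main__":
    for (a, b), found in all_conflicts().items():
        print(f"cannot peer {a} <-> {b}: {found}")
    print("next free /16 for a new VPC:", propose_free_block(16))
```

Run it before raising the peering request; any pair it reports will be rejected by AWS at creation time, so the fix is to agree a different range with SAP up front rather than after the fact.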
2. AWS Transit Gateway
The second way to connect two or more AWS accounts is AWS Transit Gateway, a network transit hub that interconnects Amazon VPCs. AWS Transit Gateway acts as a cloud router, and the connection to the SAP-managed AWS account needs to be established only once. Deploying AWS Transit Gateway as the central communication hub removes the complexity of many peering connections and simplifies the design.
To connect to the SAP-managed AWS account, create an AWS Transit Gateway in your own AWS account and share it with the SAP-managed AWS account (through AWS Resource Access Manager). SAP can then attach the VPC hosting the SAP managed service to the Transit Gateway, and traffic flows according to the route table entries. Because the Transit Gateway lives in and is managed from your own account, you keep full control over how traffic is routed.
Connection via AWS Transit Gateway
To connect multiple VPCs across AWS accounts and AWS regions, you can establish peering connections between AWS Transit Gateways in different regions.
Connection via AWS Transit Gateway across regions
With Transit Gateway peering across regions, traffic stays on the AWS network and the same considerations described for the VPC peering option apply. As with VPC peering, this works only for VPCs whose IPv4 CIDR ranges do not overlap.
When AWS Transit Gateway is combined with AWS Direct Connect, the same setup routes traffic between the SAP-managed AWS account and on-premises in both directions, as well as between AWS accounts.
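Since the Transit Gateway and its route tables stay in the customer account, the route tables are where you decide which attachments (the SAP VPC, your own VPCs, the Direct Connect gateway) may talk to each other. The following model is an added example, not code from the original post or from AWS: it simulates the two Transit Gateway routing rules a design review depends on, longest-prefix match within the route table associated with the source attachment and blackhole routes that drop traffic, and computes which attachments can reach which in both directions. The attachment IDs, route-table names and CIDR blocks are constructed, and the `as_cli` helper only prints the equivalent `aws ec2 create-transit-gateway-route` calls with a placeholder route-table ID; nothing here calls the AWS API.

```python
"""Check a planned Transit Gateway route design before sharing the TGW with SAP.

Added example (not from the original post or from AWS). Attachment IDs, route
tables and CIDRs are constructed. It models TGW routing (longest-prefix match in
the route table associated with the source attachment, blackhole routes drop
traffic) and does not talk to the AWS API.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    destination: IPv4Network
    target: Optional[str]  # attachment ID, or None for a blackhole route


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, cidr: str, target: Optional[str]) -> "RouteTable":
        self.routes.append(Route(ip_network(cidr), target))
        return self

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match. None means no matching route or a blackhole: traffic is dropped."""
        ip = ip_address(dst_ip)
        best: Optional[Route] = None
        for r in self.routes:
            if ip in r.destination and (best is None or r.destination.prefixlen > best.destination.prefixlen):
                best = r
        return best.target if best else None

    def as_cli(self, table_id: str) -> List[str]:
        """Equivalent AWS CLI calls; table_id is the placeholder you fill in after creating the table."""
        cmds = []
        for r in self.routes:
            base = (f"aws ec2 create-transit-gateway-route --transit-gateway-route-table-id {table_id} "
                    f"--destination-cidr-block {r.destination}")
            cmds.append(base + (" --blackhole" if r.target is None
                                else f" --transit-gateway-attachment-id {r.target}"))
        return cmds


@dataclass
class TransitGateway:
    attachments: Dict[str, str]          # attachment ID -> CIDR behind that attachment
    associations: Dict[str, RouteTable]  # attachment ID -> route table it is associated with

    def next_hop(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        return self.associations[src_attachment].lookup(dst_ip)

    def reachable(self, src: str, dst: str) -> bool:
        """Both directions must resolve to the right attachment, or no session can be established."""
        src_ip = str(ip_network(self.attachments[src]).network_address + 1)
        dst_ip = str(ip_network(self.attachments[dst]).network_address + 1)
        return self.next_hop(src, dst_ip) == dst and self.next_hop(dst, src_ip) == src

    def matrix(self) -> Dict[str, Dict[str, bool]]:
        ids = list(self.attachments)
        return {s: {d: self.reachable(s, d) for d in ids if d != s} for s in ids}


def build_example() -> TransitGateway:
    # Constructed scenario: the SAP-managed VPC (attached by SAP after the RAM share), a
    # customer production VPC, a customer dev VPC, and a Direct Connect gateway attachment
    # carrying the on-premises range.
    sap, prod, dev, dx = "tgw-attach-sap", "tgw-attach-prod", "tgw-attach-dev", "tgw-attach-dx"
    attachments = {sap: "10.0.0.0/16", prod: "10.1.0.0/16", dev: "10.2.0.0/16", dx: "192.168.0.0/16"}
    # Production route domain: SAP, prod and on-premises reach each other; everything else
    # in 10.0.0.0/8 (including dev) is explicitly blackholed. Longest-prefix match lets the
    # /16 routes win over the /8 blackhole.
    rt_prod = (RouteTable("rt-prod")
               .add("10.0.0.0/16", sap).add("10.1.0.0/16", prod)
               .add("192.168.0.0/16", dx).add("10.0.0.0/8", None))
    # Dev route domain: dev can see prod only; it has no route to SAP or to on-premises.
    rt_dev = RouteTable("rt-dev").add("10.2.0.0/16", dev).add("10.1.0.0/16", prod)
    return TransitGateway(attachments, {sap: rt_prod, prod: rt_prod, dx: rt_prod, dev: rt_dev})


if __name__ == "__main__":
    tgw = build_example()
    for src, row in tgw.matrix().items():
        print(src, {d: "ok" if ok else "blocked" for d, ok in row.items()})
    print("\n".join(tgw.associations["tgw-attach-sap"].as_cli("tgw-rtb-PLACEHOLDER")))
```

The matrix makes an easy mistake visible: the dev route table has a route to the production VPC, yet dev cannot reach prod because the return path in rt-prod is blackholed. A route only in one direction is a broken flow, not a half-open one, so check both directions of every pair you intend to allow (SAP to on-premises and back, in particular) before handing SAP the shared Transit Gateway.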
SAP Business Technology Platform
SAP Business Technology Platform (BTP) offers a variety of services and several environments: Cloud Foundry, ABAP and Kyma. All three environments run on AWS; Kyma is the newest, released on April 24. As of today, SAP BTP is available in nine commercial AWS regions.
BTP services are reached through public endpoints over the Internet. If you need a more stable network path, you can use AWS Direct Connect to reach the BTP platform; in this case, however, Direct Connect connects the on-premises network to public AWS endpoints. This differs from HEC and RISE with SAP, where AWS Direct Connect uses a private virtual interface to reach resources in a VPC on their private IP addresses. To access BTP over AWS Direct Connect you need a public virtual interface and connect to public IP addresses. For more on the difference between public and private virtual interfaces, see the AWS Knowledge Center.
The SAP blog post Accessing SAP Cloud Platform via AWS Direct Connect describes the step-by-step setup of AWS Direct Connect for this case.
SAP Cloud Connector
SAP Cloud Connector (SCC) is the recommended solution for connecting BTP services with SAP systems running on AWS. SAP Cloud Connector establishes secure communication between BTP services and SAP systems without exposing the SAP system to the Internet. No inbound rule has to be opened in the security group and no reverse proxy is needed in a DMZ to reach the SAP system. SAP Cloud Connector works as a reverse invoke proxy and maintains a persistent TLS tunnel to the SAP BTP subaccount. In this architecture the back-end SAP system is not visible from the Internet, which reduces the attack surface.
SAP Cloud Connector offers a software-based high availability (HA) setup to protect against failures. In addition, as the following architecture shows, SAP Cloud Connector can be deployed in an Amazon EC2 Auto Scaling group to protect against EC2 instance failure.
SAP BTP connection via SAP Cloud Connector
SAP Data Warehouse Cloud, SAP Analytics Cloud and SAP HANA Cloud
All of these are SaaS or PaaS solutions delivered through SAP BTP and run in a multi-tenant environment. A one-to-one connection therefore cannot be established between the on-premises network or the customer-managed AWS account and the VPC in the SAP-managed AWS account that hosts these SaaS/PaaS solutions; VPC peering and AWS Transit Gateway cannot be used to connect them to customer AWS accounts. The same connectivity principles as for BTP apply, however.
These services use SAP Cloud Connector to reach SAP systems running on AWS, such as S/4HANA or BW/4HANA. Besides back-end integration through SAP Cloud Connector, all three also integrate directly with a range of AWS services such as Amazon S3.
SAP Data Warehouse Cloud connects to Amazon S3, Amazon Redshift and Amazon Athena, among others. For details, see the SAP Discovery Center.
SAP Analytics Cloud integrates with Amazon S3, Amazon Redshift and Amazon EMR.
SAP HANA Cloud connects to Amazon S3 and Amazon Athena.
For further connectivity details and data sources, see the SAC, DWC or HANA Cloud documentation.
Summary
For managed offerings such as HEC or RISE with SAP, VPC peering is a simple and efficient way to connect the customer-managed AWS account with the SAP-managed AWS account in which the SAP service runs. AWS Transit Gateway is the better fit for more complex network designs and can connect the SAP-managed AWS account to multiple AWS accounts or VPCs. One point to keep in mind is that the AWS Transit Gateway can only be deployed in the customer's own AWS account.
Customers can reuse their existing connectivity to AWS over AWS VPN or AWS Direct Connect and reach AWS resources with the connectivity options described above. Unless there is a specific need, we recommend using AWS-to-AWS communication rather than routing traffic via on-premises, so that you benefit from the speed, latency and security of the AWS network.
SAP BTP services expose public interfaces. With SAP Cloud Connector you can establish a secure, TLS-encrypted connection to the multi-tenant services provided by SAP BTP.
More than 5,000 SAP customers have chosen AWS as their platform for innovation. For more information, see aws.amazon.com/jp/sap.
This post was translated by Specialist SA Ash. The original post is here.