SAP on VMware Cloud Foundation (VCF) for Classic

This is a baseline solution pattern containing the design and architecture decisions for an SAP deployment to VMware Cloud Foundation (VCF) for Classic on IBM Cloud to meet common requirements. Actual client solutions depend on the specific requirements that are set by the client.

Architecture diagram

Figure 1 illustrates a network and component architecture for a single zone, multi-region deployment to facilitate disaster recovery (DR).

A recommended approach for optimizing the DR environment is to run selected nonproduction environments on DR infrastructure. If a disaster is declared, the nonproduction environment can be repurposed for DR. This applies only to the application layer because the DR database should be constantly replicated from production.

  • The primary region supports production workloads on VMware running SAP Certified Bare Metal Server ESXi hosts.

  • The secondary region supports nonproduction and DR workloads if the customer has DR requirements.

Figure 1: SAP on IBM Cloud VMware® vCenter Server® Architecture

Understanding the architecture diagram

The diagram illustrates a high-level architecture. The numbered items on the diagram correspond to the following descriptions:

  1. Two separate IBM Cloud regions, one containing production and the other containing both nonproduction and DR
  2. Client network connectivity is accomplished by using Direct Link to each region
  3. Site to site VPN access for managed service providers
  4. Public connectivity routes through IBM Cloud Internet Services (CIS), which can provide load balancing, failover, and Distributed Denial-of-Service (DDoS) services
  5. IBM Cloud® Juniper vSRX firewall to provide underlay network routing and security services
  6. NSX-T™ (tier-0 and tier-1) to provide VMware overlay network routing and isolation
  7. Management network to provide VMware management and automation
  8. Bare Metal Server VMware ESXi hosts
  9. Veeam backup server Bare Metal Server
  10. High performance endurance storage for VMware environment
  11. IBM Cloud Object Storage for long term backups
  12. Bastion host for administrative access and privileged access management

For VMware specific architecture patterns, see Architecture pattern for single site vCenter Server deployment topologies.

Design scope considerations

Design decisions that need to be considered for an end-to-end deployment of SAP on VMware on IBM Cloud include:

  • Compute: Bare Metal Servers and Virtual infrastructure
  • Storage: Primary, Backup and Archive
  • Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity and Load Balancing
  • Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response
  • Resiliency: Backup and Restore, Disaster Recovery, High Availability
  • Service Management: Monitoring, Logging, Alerting, Management and Orchestration

The Architecture framework provides a consistent approach to design cloud solutions by addressing requirements across a predefined set of aspects and domains. Aspects and domains are architectural areas that need to be considered for any enterprise solution. It can be used as a guide to make the necessary design and component choices to ensure you have considered applicable requirements for each aspect and domain. After you have identified the applicable requirements and domains that are in scope, you can evaluate and select the best “fit for purpose” components for your enterprise cloud solution.

Figure 2 is an architecture heatmap for SAP on IBM Cloud VMware Cloud Foundation (VCF) for Classic that illustrates the domains that are covered in this solution by using the architecture framework.

Figure 2: Domains covered in this pattern

Requirements

The following represents a baseline set of requirements that are applicable to most clients and critical to a successful SAP deployment.

Requirements
| Aspect | Requirement |
|---|---|
| Network | Enterprise connectivity to customer data centers to provide access to on-premises applications |
| Network | Map and convert customer SAP network functionality into VMware on IBM Cloud networking services |
| Network | Migrate and redeploy customer IP addressing scheme within the VMware on IBM Cloud environment |
| Network | Provide network isolation with the ability to segregate applications based on attributes such as data classification, public versus internal apps, and function |
| Security | Provide data encryption in transit and at rest |
| Security | Migrate customer Intrusion Detection System (IDS) and Identity and Access Management (IAM) services to target VMware on IBM Cloud |
| Security | Retain the same firewall rulesets across existing data centers |
| Security | Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is specifically required, documented, and approved, and must include Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) |
| Resiliency | Multi-site capability to support a disaster recovery strategy and solution leveraging IBM Cloud infrastructure disaster recovery capabilities |
| Resiliency | Provide backups for data retention |
| Resiliency | Recovery Time Objective (RTO) and Recovery Point Objective (RPO) = 4 hours/15 minutes. Rollback to original environments should occur no later than specified RTOs |
| Resiliency | 99.9% Availability |
| Resiliency | Backups, production: Daily full, logs per SAP product standard, 30 days retention time |
| Resiliency | Backups, nonproduction: Weekly full, logs per SAP product standard, 14 days retention time |
| Service Management | Provide health and system monitoring with ability to monitor and correlate performance metrics and events and provide alerting across applications and infrastructure |
| Service Management | Ability to diagnose issues and exceptions and identify error sources |
| Service Management | Automate management processes to keep applications and infrastructure secure, up to date, and available |
| Other | Migrate SAP workloads from existing data center to VMware on IBM Cloud |
| Other | Customer’s SAP systems and applications run on NetWeaver & SAP HANA, AnyDB or S/4HANA |
| Other | Provide an image replication migration solution that minimizes disruption during cut-over |
| Other | Cloud infrastructure for the proposed Infrastructure as a Service (IaaS) solution must be SAP Certified |
| Other | IBM Cloud IaaS will be deployed to support SAP and surrounding non-SAP workloads |
| Other | A customer that doesn't want to adopt RISE at this time but wants to consider a cloud deployment solution that would facilitate a future RISE transformation |

Components

Table 2 contains a list of IBM Cloud components used in the solution. It is supported by the architecture considerations and architecture decisions that are included in the pattern document set.

Components
| Category | Solution components | How it is used in a solution |
|---|---|---|
| Database | HANA or AnyDB (Db2, Oracle, MSSQL) | Database for SAP application portfolio |
| Compute | VMware® vCenter Server® | NetWeaver and SAP HANA DB |
| Storage | Network File Storage (NFS) | ESXi host servers primary storage for NetWeaver and SAP HANA DB, or AnyDB |
| Storage | IBM Cloud Object Storage | Backup and archive, application logs, operational logs, and audit logs |
| Networking | Site to site VPN | Remote access to manage resources in a private network |
| Networking | Direct Link Connect | Enterprise to cloud network connectivity |
| Networking | IBM Cloud® Juniper vSRX with content security bundle (CSB) | Edge gateway and security services |
| Networking | Service Endpoints | Private network access to cloud services, for example, Key Protect, Cloud Object Storage, and so on |
| Networking | NSX-T™ Load Balancer | Application load balancing for web servers, app servers, and database servers |
| Networking | IBM Cloud Internet Services (CIS) | Public load balancing and DDoS |
| Networking | IBM Cloud DNS Services | Domain name resolution |
| Networking | NSX-T™/VLANs | Network segmentation and isolation |
| Networking | IBM Cloud Transit Gateway | Provides Direct Link connectivity and GRE tunnel endpoint for bring your own IP (BYOIP) scenarios |
| Networking | SAP Web Dispatcher; NSX-T™ Load balancer | Load balancing workloads across multiple workload instances over the private network |
| Security | Endurance NFS Storage with VMware vSphere encryption | Network File Storage encryption at rest |
| Security | IBM Cloud Object Storage Encryption with provider keys | Cloud Object Storage encryption at rest |
| Security | SAP HANA Data Volume Encryption (DVE) | SAP HANA database encryption at rest |
| Security | IBM Cloud® Identity and Access Management | IBM Cloud Identity and Access Management |
| Security | Privileged Identity and Access Management | Bring your own bastion jump server (or Privileged Access Gateway) with privileged access management (PAM) software that is deployed in an isolated VXLAN |
| Security | BYO bastion jump server on virtual server instance (VSI) with privileged access management software | Remote access with privileged access management |
| Security | IBM Cloud® Juniper vSRX with content security bundle (CSB) | Core network protection; Intrusion Protection System and Intrusion Detection System at all ingress/egress; Unified Threat Management (UTM) Firewall |
| Security | IBM Cloud Internet Services (CIS) | DDoS protection and Web Application Firewall (WAF) |
| Resiliency | SAP HANA System Replication (HSR) | Provide 99.95% availability for SAP HANA DB |
| Resiliency | Veeam Software (Veeam) | Controls both the backups and restores of all VSIs or Bare Metal Servers |
| Resiliency | High Availability Infrastructure | High availability solution on a single zone with an application SLA of 99.9% with vMotion enabled |
| Service Management (Observability) | IBM Cloud Monitoring; VMware Aria Operations; VMware Aria Operations for Logs; VMware Aria Operations for Networks | Application and operational monitoring |
| Service Management (Observability) | IBM Cloud Log Analysis | Application and operational logs |

The following sections in this guide contain the considerations and architecture decisions for the aspects and domains that are in play in this solution pattern.