SAP on VMware Cloud Foundation (VCF) for Classic
This is a baseline solution pattern containing the design and architecture decisions for an SAP deployment to VMware Cloud Foundation (VCF) for Classic on IBM Cloud to meet common requirements. Actual client solutions depend on the specific requirements that are set by the client.
Architecture diagram
Figure 1 illustrates a network and component architecture for a single zone, multi-region deployment to facilitate disaster recovery (DR).
A recommended approach for optimization of the DR environment is to run selected nonproduction environments on DR infrastructure. In the case of a disaster declaration, the nonproduction environment can be repurposed for DR. This is applicable for only the application layer because the DR database should be constantly replicated from production.
- The primary region supports production workloads on VMware running SAP Certified Bare Metal Server ESXi hosts.
- The secondary region supports nonproduction and DR workloads if the customer has DR requirements.
Understanding the architecture diagram
The diagram illustrates a high-level architecture; the numbered items on the diagram correspond to the following descriptions:
- Two separate IBM Cloud regions, one containing production and the other containing both nonproduction and DR
- Client network connectivity is accomplished by using Direct Link to each region
- Site to site VPN access for managed service providers
- Public connectivity routes through IBM Cloud Internet Services (CIS), which can provide load balancing, failover, and Distributed Denial-of-Service (DDoS) protection
- IBM Cloud® Juniper vSRX firewall to provide underlay network routing and security services
- NSX-T™ (tier-0 and tier-1) to provide VMware overlay network routing and isolation
- Management network to provide VMware management and automation
- Bare Metal Server VMware ESXi hosts
- Veeam backup server Bare Metal Server
- High performance endurance storage for VMware environment
- IBM Cloud Object Storage for long term backups
- Bastion host for administrative access and privileged access management
For VMware specific architecture patterns, see Architecture pattern for single site vCenter Server deployment topologies.
Design scope considerations
Design decisions that need to be considered for an end-to-end deployment of SAP on VMware on IBM Cloud include:
- Compute: Bare Metal Servers and Virtual infrastructure
- Storage: Primary, Backup and Archive
- Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity and Load Balancing
- Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response
- Resiliency: Backup and Restore, Disaster Recovery, High Availability
- Service Management: Monitoring, Logging, Alerting, Management and Orchestration
The Architecture framework provides a consistent approach to design cloud solutions by addressing requirements across a predefined set of aspects and domains. Aspects and domains are architectural areas that need to be considered for any enterprise solution. It can be used as a guide to make the necessary design and component choices to ensure you have considered applicable requirements for each aspect and domain. After you have identified the applicable requirements and domains that are in scope, you can evaluate and select the best “fit for purpose” components for your enterprise cloud solution.
Figure 2 is an architecture Heatmap for SAP on IBM Cloud VMware Cloud Foundation (VCF) for Classic that illustrates the domains that are covered in this solution by using the architecture framework.
Requirements
The following represents a baseline set of requirements that are applicable to most clients and critical to successful SAP deployment.
| Aspect | Requirement |
|---|---|
| Network | Enterprise connectivity to customer data centers to provide access to on-premises applications |
| | Map and convert customer SAP network functionality into VMware on IBM Cloud networking services |
| | Migrate and redeploy the customer IP addressing scheme within the VMware on IBM Cloud environment |
| | Provide network isolation with the ability to segregate applications based on attributes such as data classification, public versus internal apps, and function |
| Security | Provide data encryption in transit and at rest |
| | Migrate customer Intrusion Detection System (IDS) and Identity and Access Management (IAM) services to the target VMware on IBM Cloud environment |
| | Retain the same firewall rulesets across existing data centers |
| | Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is specifically required, documented, and approved, and must include Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) |
| Resiliency | Multi-site capability to support a disaster recovery strategy and solution that uses IBM Cloud infrastructure disaster recovery capabilities |
| | Provide backups for data retention |
| | Recovery Time Objective (RTO) and Recovery Point Objective (RPO) = 4 hours / 15 minutes. Rollback to original environments should occur no later than the specified RTOs |
| | 99.9% availability |
| | Backups: production: daily full, logs per SAP product standard, 30 days retention time; nonproduction: weekly full, logs per SAP product standard, 14 days retention time |
| Service Management | Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure |
| | Ability to diagnose issues and exceptions and identify error sources |
| | Automate management processes to keep applications and infrastructure secure, up to date, and available |
| Other | Migrate SAP workloads from the existing data center to VMware on IBM Cloud |
| | Customer's SAP systems and applications run on NetWeaver and SAP HANA, AnyDB, or S/4HANA |
| | Provide an image replication migration solution that minimizes disruption during cut-over |
| | Cloud infrastructure for the proposed Infrastructure as a Service (IaaS) solution must be SAP Certified |
| | IBM Cloud IaaS will be deployed to support SAP and surrounding non-SAP workloads |
| | A customer that doesn't want to adopt RISE at this time but wants to consider a cloud deployment solution that would facilitate a future RISE transformation |
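The Security row's firewall requirement (deny all inbound and outbound traffic except flows that are specifically required, documented, approved, and covered by IPS/IDS) can be checked mechanically before a ruleset is migrated. The following is an added example, not IBM Cloud, Juniper vSRX, or SAP code; the rule model, the sample ruleset, its networks, ports, and change IDs are all constructed for illustration.

```python
# Added example (not IBM Cloud or Juniper vSRX code): audits a firewall ruleset against
# the requirement above. The Rule model and the SAMPLE ruleset are constructed.
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    direction: str            # "inbound" or "outbound"
    src: str
    dst: str
    service: str              # e.g. "tcp/3200", or "any"
    action: str               # "permit" or "deny"
    justification: str = ""   # documented business or technical requirement
    approved_by: str = ""     # change/approval reference
    ips: bool = False         # IPS/IDS inspection applied to the flow

def audit(rules):
    """Return (rule_name, finding) pairs; an empty list means the ruleset is compliant."""
    findings = []
    # Each direction must end in an explicit deny-all so nothing falls through.
    for direction in ("inbound", "outbound"):
        chain = [r for r in rules if r.direction == direction]
        last = chain[-1] if chain else None
        if not last or last.action != "deny" or (last.src, last.dst, last.service) != (ANY, ANY, ANY):
            findings.append(("*", f"no terminal default-deny rule for {direction} traffic"))
    # Every permit must be specific, documented, approved, and inspected.
    for r in rules:
        if r.action != "permit":
            continue
        if r.service == ANY:
            findings.append((r.name, "permits any service; scope to the required ports"))
        if not r.justification:
            findings.append((r.name, "no documented requirement"))
        if not r.approved_by:
            findings.append((r.name, "no approval reference"))
        if not r.ips:
            findings.append((r.name, "IPS/IDS inspection not enabled"))
    return findings

# Constructed sample ruleset; networks, ports and change IDs are made up.
SAMPLE = [
    Rule("sap-gui", "inbound", "10.10.0.0/16", "sap-app", "tcp/3200", "permit",
         "SAP GUI from corporate LAN", "CHG-0042", ips=True),
    Rule("legacy-any", "inbound", "10.10.0.0/16", "sap-app", ANY, "permit"),
    Rule("deny-in", "inbound", ANY, ANY, ANY, "deny"),
    Rule("hana-hsr", "outbound", "hana-prod", "hana-dr", "tcp/40001", "permit",
         "HANA System Replication to DR region", "CHG-0043", ips=True),
]
```

Running `audit(SAMPLE)` flags the undocumented any-service rule four times and reports that the outbound chain has no terminal deny; adding an outbound deny-all and removing `legacy-any` yields an empty findings list.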
Components
Table 2 contains a list of IBM Cloud components used in the solution. It is supported by the architecture considerations and architecture decisions that are included in the pattern document set.
| Category | Solution components | How it is used in a solution |
|---|---|---|
| Database | HANA or AnyDB (Db2, Oracle, MSSQL) | Database for the SAP application portfolio |
| Compute | VMware® vCenter Server® | NetWeaver and SAP HANA DB |
| Storage | Network File Storage (NFS) | ESXi host servers primary storage for NetWeaver and SAP HANA DB, or AnyDB |
| | IBM Cloud Object Storage | Backup and archive, application logs, operational logs, and audit logs |
| Networking | Site-to-site VPN | Remote access to manage resources in a private network |
| | Direct Link Connect | Enterprise-to-cloud network connectivity |
| | IBM Cloud® Juniper vSRX with content security bundle (CSB) | Edge gateway and security services |
| | Service Endpoints | Private network access to cloud services, for example, Key Protect, Cloud Object Storage, and so on |
| | NSX-T™ Load Balancer | Application load balancing for web servers, app servers, and database servers |
| | IBM Cloud Internet Services (CIS) | Public load balancing and DDoS protection |
| | IBM Cloud DNS Services | Domain name resolution |
| | NSX-T™/VLANs | Network segmentation and isolation |
| | IBM Cloud Transit Gateway | Provides Direct Link connectivity and the GRE tunnel endpoint for bring your own IP (BYOIP) scenarios |
| | SAP Web Dispatcher, NSX-T™ Load Balancer | Load balancing workloads across multiple workload instances over the private network |
| Security | Endurance NFS Storage with VMware vSphere encryption | Network File Storage encryption at rest |
| | IBM Cloud Object Storage encryption with provider keys | Cloud Object Storage encryption at rest |
| | SAP HANA Data Volume Encryption (DVE) | SAP HANA database encryption at rest |
| | IBM Cloud® Identity and Access Management | IBM Cloud Identity and Access Management |
| | Privileged Identity and Access Management | Bring your own bastion jump server (or Privileged Access Gateway) with privileged access management (PAM) software that is deployed on an isolated VXLAN |
| | BYO bastion jump server on a virtual server instance (VSI) with privileged access management software | Remote access with privileged access management |
| | IBM Cloud® Juniper vSRX with content security bundle (CSB) | Core network protection: Intrusion Prevention System and Intrusion Detection System at all ingress/egress points; Unified Threat Management (UTM) firewall |
| | IBM Cloud Internet Services (CIS) | DDoS protection and Web Application Firewall (WAF) |
| Resiliency | SAP HANA System Replication (HSR) | Provides 99.95% availability for SAP HANA DB |
| | Veeam Software (Veeam) | Controls both the backups and restores of all VSIs or Bare Metal Servers |
| | High Availability Infrastructure | High availability solution in a single zone with an application SLA of 99.9%, with vMotion enabled |
| Service Management (Observability) | IBM Cloud Monitoring, VMware Aria Operations, VMware Aria Operations for Logs, VMware Aria Operations for Networks | Application and operational monitoring |
| | IBM Cloud Log Analysis | Application and operational logs |
The following sections in this guide contain the considerations and architecture decisions for the aspects and domains that are in play in this solution pattern.