IBM Cloud Docs
SAP on VPC

The SAP on VPC architecture illustrated in Figure 1 provides a high-level summary of the pattern for an SAP single-zone, multi-region deployment on IBM Cloud VPC.

The primary region supports production workloads on VPC running on either SAP-certified Bare Metal Servers or VSIs. The secondary region supports nonproduction and disaster recovery workloads if the customer has DR requirements. The components deployed to the Edge VPC provide security functions and resource isolation to the IBM Cloud workloads.

Architecture diagram

Figure 1: High-level architecture.

The diagram illustrates a high-level architecture; the numbered items on the diagram correspond to the following descriptions:

  1. Client network connectivity is accomplished through Direct Link with VPN access for MSPs.

  2. An Edge VPC is deployed which contains routing and security functions.

  3. A Transit Gateway connects the Edge VPC to the Workload VPC hosting the SAP applications and databases.

  4. Public connectivity also routes through Cloud Internet Services (CIS), which can provide load balancing, failover, and DDoS services, and then routes to the Edge VPC.

  5. A Global Transit Gateway connects the Workload VPCs across regions to facilitate replication for DR purposes.

Figure 2: Detailed network and component architecture for a single-zone, multi-region deployment.

In this view, the diagram outlines a detailed network and component architecture for a single-zone, multi-region deployment that facilitates disaster recovery. The numbered items on the diagram correspond to the following descriptions:

  1. Two separate IBM Cloud regions, one containing production, the other containing both nonproduction and DR.

  2. Client network connectivity is accomplished through Direct Links to each region with VPN access for managed service providers.

  3. An Edge VPC is deployed which contains routing and security functions. For security purposes, all ingress and egress traffic routes through the Edge VPC. It contains an SFTP server, a Bastion host (jump host), firewalls providing advanced security functions, the SAP Router, and the SAP Web Dispatcher.

  4. The Edge VPC is connected to the workload VPC through a local Transit Gateway.

  5. Public connectivity routes through Cloud Internet Services (CIS), which can provide load balancing, failover, and DDoS services, and then routes to the Edge VPC.

  6. The VPC APP subnet contains SAP components hosted on redundant SAP-certified VSIs or Bare Metal servers, using either local storage (Bare Metal) or shared block storage in an SAP scale-out environment.

  7. The VPC DB subnet hosts the SAP database, in this case HANA, on SAP-certified VSIs or Bare Metal servers, using either local storage (Bare Metal) or block storage.

  8. Virtual Private Endpoints are used to provide connectivity to cloud-native services from each VPC.

  9. A Global Transit Gateway connects the core and workload VPCs across regions for data replication between the two regions.

  10. Multiple instances of redundant VSIs or Bare Metal servers are used to provide 99.95% availability within a zone.

Design scope

Following the architecture framework, SAP on VPC covers design considerations and architecture decisions for the following aspects and domains:

  • Compute: Bare Metal and Virtual infrastructure

  • Storage: Primary, Backup, Archive, and Migration

  • Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity, and Load Balancing

  • Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response

  • Resiliency: Backup and Restore, Disaster Recovery, and High Availability

  • Service Management: Monitoring, Logging, Alerting, Management, and Orchestration

The architecture framework, described in Introduction to the architecture framework, provides a consistent approach to designing cloud solutions by addressing requirements across a pre-defined set of aspects and domains. The requirements are architectural areas that need to be considered for any enterprise solution. The framework can be used as a guide to make the necessary design and component choices and to ensure that you have considered the applicable requirements for each aspect and domain. After you have identified the requirements and domains that are in scope, you can evaluate and select the best fit-for-purpose components for your enterprise cloud solution.

Figure 3: The domains that are covered in this solution.

Requirements

The following is a baseline set of requirements that applies to most clients and is critical to a successful SAP deployment.

Table 1. Requirements
Aspects Requirements
Network
  • Enterprise connectivity to customer data centers to provide access to applications from on-premises
  • Map and convert existing customer SAP Network functionality into IBM Cloud and VPC networking services.
  • Migrate and redeploy customer IP addressing scheme within the IBM Cloud environment.
  • Provide network isolation with the ability to separate applications based on attributes such as data classification, public versus internal applications, and function.
Security
  • Provide data encryption in transit and at rest.
  • Migrate customer Intrusion Detection and Identity and Access Management services to the target IBM Cloud environment.
  • Retain the same firewall rulesets across existing DCs.
  • Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is required, documented, and approved, and must include Intrusion Prevention (IPS) and Intrusion Detection (IDS) services.
Resiliency
  • Multi-site capability to support a disaster recovery strategy and solution that uses IBM Cloud infrastructure DR capabilities.
  • Provide backups for data retention.
  • RTO/RPO = 4 hours/15 minutes; rollback to the original environments should occur no later than the specified RTOs.
  • 99.95% availability.
  • Backups:
    • Production: daily full, logs per SAP product standard, 30 days retention time.
    • Non-production: weekly full, logs per SAP product standard, 14 days retention time.
Service Management
  • Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure.
  • Ability to diagnose issues and exceptions and identify error sources.
  • Automate management processes to keep applications and infrastructure secure, up to date, and available.
Other
  • Migrate SAP workloads from the existing data center to IBM Cloud VPC.
  • The customer's SAP systems and applications run on NetWeaver (application) with HANA (DB) or AnyDB, or on S/4HANA.
  • Provide an image replication migration solution that minimizes disruption during cut-over.
  • The cloud infrastructure for the proposed IaaS solution must be SAP certified.
  • IBM Cloud IaaS is deployed to support SAP and surrounding non-SAP workloads.
  • The customer does not want to adopt RISE currently, but wants a cloud deployment solution that facilitates a future RISE transformation.
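The firewall requirement above (allow only traffic that is required, documented, and approved, inbound and outbound) can be checked mechanically. The following is an added example, not code from this page or from IBM Cloud: it audits a set of VPC security-group rules against a documented allowlist and reports every rule the allowlist does not cover. The rule dictionaries, subnet CIDRs, and rule names are constructed sample data; their field layout (direction, protocol, port_min, port_max, remote.cidr_block) is assumed to mirror the VPC security-group rule objects and is not taken from the page.

```python
import ipaddress

# Documented and approved flows for the workload VPC (constructed sample values):
# (direction, protocol, port_min, port_max, remote CIDR). The 10.10.0.0/24 subnet
# is assumed to be the Edge VPC (bastion, SAP Router, Web Dispatcher).
APPROVED = [
    ("inbound", "tcp", 22, 22, "10.10.0.0/24"),      # SSH only from the bastion subnet
    ("inbound", "tcp", 3200, 3299, "10.10.0.0/24"),  # SAP dispatcher ports via SAP Router
    ("inbound", "tcp", 443, 443, "10.10.0.0/24"),    # HTTPS from the Web Dispatcher
    ("outbound", "tcp", 443, 443, "10.20.0.0/16"),   # HTTPS to the VPE subnet (COS backups)
]


def is_approved(rule):
    """True if one approved flow covers the rule: same direction and protocol,
    the rule's port range inside the approved range, and the rule's remote CIDR
    inside the approved CIDR. Rules without a CIDR remote are treated as unapproved."""
    remote = rule.get("remote", {}).get("cidr_block")
    if remote is None:
        return False
    net = ipaddress.ip_network(remote, strict=False)
    for direction, proto, lo, hi, cidr in APPROVED:
        if rule["direction"] != direction or rule["protocol"] != proto:
            continue
        # A missing port range (protocol "all") spans every port and is never covered.
        if rule.get("port_min", 0) < lo or rule.get("port_max", 65535) > hi:
            continue
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return True
    return False


def audit(rules):
    """Return the names of rules that are not covered by the approved list."""
    return [r["name"] for r in rules if not is_approved(r)]


# Constructed sample rules: two documented flows and two that violate the requirement.
SAMPLE_RULES = [
    {"name": "ssh-from-bastion", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": {"cidr_block": "10.10.0.0/24"}},
    {"name": "ssh-from-anywhere", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": {"cidr_block": "0.0.0.0/0"}},
    {"name": "sapgui-from-edge", "direction": "inbound", "protocol": "tcp",
     "port_min": 3200, "port_max": 3299, "remote": {"cidr_block": "10.10.0.0/24"}},
    {"name": "all-outbound", "direction": "outbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print("not approved:", name)
```

The last sample rule mirrors the permissive default of allowing all outbound traffic, which this requirement explicitly forbids.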

Components

Table 2. Components
Solution components listed by aspect, each followed by how the component is used

Compute
  • VPC VSIs: NetWeaver and HANA DB

Storage
  • VPC Block Storage: primary storage for NetWeaver and HANA DB servers; backup storage
  • Cloud Object Storage: backup and archive; application logs, operational logs, and audit logs

Networking
  • VPC Virtual Private Network (VPN): remote access to manage resources in a private network
  • Virtual Private Gateway and Virtual Private Endpoint (VPE): private network access to cloud services, for example Key Protect and Cloud Object Storage
  • VPC Load Balancers: application load balancing for web servers, app servers, and database servers
  • Public Gateway: web server access to the internet
  • Cloud Internet Services (CIS): public load balancing and DDoS protection for web server traffic across zones in the region
  • DNS Services
  • VPCs and subnets: network segmentation and isolation
  • Transit Gateway: connectivity across multiple VPCs
  • IBM Cloud Application Load Balancer (ALB) and SAP Web Dispatcher: load balancing workloads across multiple workload instances over the private network

Security
  • Block Storage encryption with provider keys: Block Storage encryption at rest
  • Cloud Object Storage encryption: Cloud Object Storage encryption at rest
  • HANA Data Volume Encryption (DVE): HANA database encryption at rest
  • IAM: IBM Cloud Identity and Access Management
  • Privileged Identity and Access Management: bring your own Bastion host (or Privileged Access Gateway) with Privileged Access Management (PAM) software deployed in the Edge VPC
  • Bring your own Bastion host on a VPC VSI with PAM software: remote access with Privileged Access Management
  • Virtual Private Clouds (VPCs), subnets, Security Groups, and ACLs: core network protection
  • Cloud Internet Services (CIS): DDoS protection and Web Application Firewall
  • One of the following components:
    • Intrusion Prevention (IPS)/Intrusion Detection (IDS) at all ingress/egress points
    • Unified Threat Management (UTM) firewall

Resiliency
  • HANA System Replication (HSR): provides 99.95% availability for the HANA DB
  • Veeam (Veeam Backup & Replication 12): controls both the backups and restores of all VSIs and Bare Metal servers

Service Management (Observability)
  • IBM Cloud Monitoring: application and operational monitoring
  • IBM Log Analysis: application and operational logs

The architecture framework is used to guide and determine the applicable aspects and domains for which architecture decisions need to be made. The following sections contain the considerations and architecture decisions for the aspects and domains that apply to this solution pattern.