SAP on VPC
The SAP on VPC architecture illustrated in figure 1 provides a high-level summary of the pattern for an SAP single-zone, multi-region deployment on IBM Cloud VPC.
The primary region supports production workloads on VPC, running on either SAP-certified Bare Metal Servers or VSIs. The secondary region supports nonproduction workloads and, if the customer has DR requirements, disaster recovery. The components deployed to the Edge VPC provide security functions and resource isolation for the IBM Cloud workloads.
Architecture diagram
The diagram illustrates a high-level architecture. The numbered items on the diagram correspond to the following descriptions:
- Client network connectivity is provided through Direct Link, with VPN access for managed service providers (MSPs).
- An Edge VPC is deployed that contains routing and security functions.
- A Transit Gateway connects the Edge VPC to the Workload VPC hosting the SAP applications and databases.
- Public connectivity routes through Cloud Internet Services (CIS), which can provide load balancing, failover, and DDoS protection, and then on to the Edge VPC.
- A Global Transit Gateway connects the Workload VPCs across regions to support replication for DR purposes.
In this view, the diagram outlines a detailed network and component architecture for a single-zone, multi-region deployment that facilitates disaster recovery. The numbered items on the diagram correspond to the following descriptions:
- Two separate IBM Cloud regions: one containing production, the other containing both nonproduction and DR.
- Client network connectivity is provided through Direct Links to each region, with VPN access for managed service providers.
- An Edge VPC is deployed that contains routing and security functions. For security purposes, all ingress and egress traffic routes through the Edge VPC. It contains an sFTP server, a Bastion host (jump host), firewalls providing advanced security functions, and the SAP Router and SAP Web Dispatcher.
- The Edge VPC is connected to the Workload VPC through a local Transit Gateway.
- Public connectivity routes through Cloud Internet Services, which can provide load balancing, failover, and DDoS protection, and then on to the Edge VPC.
- The VPC APP subnet contains the SAP application components, hosted on redundant SAP-certified VSIs or Bare Metal Servers that use either local storage (Bare Metal) or shared block storage in an SAP scale-out environment.
- The VPC DB subnet hosts the SAP database, in this case HANA, on SAP-certified VSIs or Bare Metal Servers that use either local storage (Bare Metal) or block storage.
- Virtual Private Endpoints provide connectivity from each VPC to cloud-native services without traversing the public network.
- A Global Transit Gateway connects the Edge and Workload VPCs across regions for data replication between the two regions.
- Multiple instances of redundant VSIs or Bare Metal Servers are used to provide 99.95% availability within a zone.
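The segmentation this view describes (all ingress through the Edge VPC, the APP subnet reaching the DB subnet on HANA ports only, bastion-only administrative access) is easy to state and easy to drift from as security groups and ACLs are edited over time. The following script is an added example, not IBM Cloud or SAP code: it checks an exported set of inbound rules against that intent and reports every rule that widens it. The CIDRs, the SAP instance number 00 behind the port numbers, and the per-subnet allow-lists are assumptions to be replaced with the real address plan.

```python
"""
Segmentation check for the SAP-on-VPC pattern: the Edge VPC is the only
ingress path, the APP subnet reaches the DB subnet on HANA ports only, and
no workload subnet is reachable from 0.0.0.0/0.

Added example, not IBM Cloud or SAP code. CIDRs, instance number (00) and
the per-subnet allow-lists below are assumptions; adapt them to the real plan.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Assumed address plan (hypothetical CIDRs, not from the page).
SUBNETS = {
    "edge": ip_network("10.10.0.0/24"),  # Edge VPC: bastion, firewalls, Web Dispatcher
    "app": ip_network("10.20.0.0/24"),   # Workload VPC APP subnet (NetWeaver)
    "db": ip_network("10.20.1.0/24"),    # Workload VPC DB subnet (HANA)
}
ANY = ip_network("0.0.0.0/0")

# Well-known SAP port conventions, assuming instance number 00.
SSH = {22}
HANA_SQL = {30013, 30015}               # 3NN13 nameserver, 3NN15 indexserver (SQL)
NETWEAVER = {3200, 3300, 3600, 8000}    # 32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM
HTTPS = {443}

# Who may open inbound connections to each subnet, and on which ports.
# protected subnet -> list of (source subnet name or "any", allowed ports)
ALLOWED_INBOUND = {
    "edge": [("any", HTTPS)],                  # only CIS-fronted HTTPS arrives from the internet
    "app": [("edge", SSH | NETWEAVER),         # bastion SSH, Web Dispatcher / SAP Router traffic
            ("app", NETWEAVER)],               # app-to-app (scale-out, ASCS/ERS)
    "db": [("edge", SSH),                      # bastion SSH only
           ("app", HANA_SQL)],                 # NetWeaver to HANA SQL only
}


@dataclass(frozen=True)
class Rule:
    """One inbound security-group/ACL rule as exported from the account (assumed shape)."""
    target: str           # subnet the rule protects: edge, app or db
    remote: IPv4Network   # source CIDR the rule admits
    port_min: int
    port_max: int


def _source_name(remote: IPv4Network) -> str:
    """Map a rule's remote CIDR to a subnet name, 'any' for 0.0.0.0/0, else 'unknown'."""
    if remote == ANY:
        return "any"
    for name, cidr in SUBNETS.items():
        if remote.subnet_of(cidr):
            return name
    return "unknown"


def check_rules(rules):
    """Return a list of findings; an empty list means the rule set matches the pattern."""
    findings = []
    for r in rules:
        ports = set(range(r.port_min, r.port_max + 1))
        src = _source_name(r.remote)
        if src == "any" and r.target != "edge":
            findings.append(f"{r.target}: public source {r.remote} bypasses the Edge VPC")
            continue
        if src == "unknown":
            findings.append(f"{r.target}: source {r.remote} is outside the address plan")
            continue
        permitted = {p for name, ps in ALLOWED_INBOUND[r.target] if name == src for p in ps}
        extra = ports - permitted
        if extra:
            shown = sorted(extra)[:5]
            findings.append(f"{r.target}: {src} may reach ports {shown}"
                            f"{'...' if len(extra) > 5 else ''} beyond the allow-list")
    return findings


# Constructed sample rule set: five rules that fit the pattern and three that do not.
SAMPLE_RULES = [
    Rule("edge", ANY, 443, 443),                        # ok: CIS -> Web Dispatcher
    Rule("app", SUBNETS["edge"], 22, 22),               # ok: bastion to app hosts
    Rule("app", SUBNETS["edge"], 3200, 3200),           # ok: dispatcher port
    Rule("db", SUBNETS["app"], 30015, 30015),           # ok: HANA SQL from NetWeaver
    Rule("db", SUBNETS["edge"], 22, 22),                # ok: bastion to DB hosts
    Rule("db", ANY, 30015, 30015),                      # finding: HANA open to the internet
    Rule("db", SUBNETS["app"], 1, 65535),               # finding: all ports from APP
    Rule("app", ip_network("192.168.5.0/24"), 22, 22),  # finding: source outside the plan
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run it as a gate in the pipeline that applies security-group and ACL changes: the three constructed deviations (a DB rule open to 0.0.0.0/0, an all-ports APP-to-DB rule, and a source CIDR outside the plan) are exactly the kinds of changes that silently turn the Edge VPC from the only ingress path into one of several.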
Design scope
Following the architecture framework, SAP on VPC covers design considerations and architecture decisions for the following aspects and domains:
- Compute: Bare Metal and Virtual infrastructure
- Storage: Primary, Backup, Archive, and Migration
- Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity, and Load Balancing
- Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response
- Resiliency: Backup and Restore, Disaster Recovery, and High Availability
- Service Management: Monitoring, Logging, Alerting, Management, and Orchestration
The architecture framework, described in Introduction to the architecture framework, provides a consistent approach to design cloud solutions by addressing requirements across a pre-defined set of aspects and domains. The requirements are architectural areas that need to be considered for any enterprise solution. It can be used as a guide to make the necessary design and component choices to ensure that you have considered applicable requirements for each aspect and domain. After you have identified the requirements and domains that are in scope, you can evaluate and select the best fit for purpose components for your enterprise cloud solution.
Requirements
The following represents a baseline set of requirements that apply to most clients and are critical to a successful SAP deployment.
Aspects | Requirements |
---|---|
Network | |
Security | |
Resiliency | |
Service Management | |
Other | |
Components
Aspects | Solution components | How the component is used |
---|---|---|
Compute | VPC VSIs | NetWeaver and HANA DB |
Storage | VPC Block Storage | Primary storage for NetWeaver and HANA DB servers; backup storage |
Storage | Cloud Object Storage | Backup and archive; application logs, operational logs, and audit logs |
Networking | VPC Virtual Private Network (VPN) | Remote access to manage resources in a private network |
Networking | Virtual Private Gateway & Virtual Private Endpoint (VPE) | Private network access to cloud services, for example Key Protect and Cloud Object Storage |
Networking | VPC Load Balancers | Application load balancing for web servers, app servers, and database servers |
Networking | Public Gateway | Web server access to the internet |
Networking | Cloud Internet Services (CIS) | Public load balancing and DDoS protection of web server traffic across zones in the region |
Networking | DNS Services | |
Networking | VPCs and subnets | Network segmentation and isolation |
Networking | Transit Gateway | Connectivity across multiple VPCs |
Networking | IBM Cloud Application Load Balancer (ALB), SAP Web Dispatcher | Load balancing workloads across multiple workload instances over the private network |
Security | Block Storage encryption with provider keys | Block Storage encryption at rest |
Security | Cloud Object Storage encryption | Cloud Object Storage encryption at rest |
Security | HANA Data Volume Encryption (DVE) | HANA database encryption at rest |
Security | IAM | IBM Cloud Identity and Access Management |
Security | Privileged Identity and Access Management | Bring your own Bastion host (or Privileged Access Gateway) with Privileged Access Management (PAM) software deployed in the Edge VPC |
Security | Bring your own Bastion host on a VPC VSI with PAM software | Remote access with Privileged Access Management |
Security | Virtual Private Clouds (VPCs), Subnets, Security Groups, ACLs | Core network protection |
Security | Cloud Internet Services (CIS) | DDoS protection and Web Application Firewall |
Security | One of the following components: | |
Resiliency | HANA System Replication (HSR) | Provides 99.95% availability for HANA DB |
Resiliency | Veeam Backup & Replication 12 | Controls both the backups and restores of all VSIs or Bare Metal Servers |
Service Management (Observability) | IBM Cloud Monitoring | Application and operational monitoring |
Service Management (Observability) | IBM Log Analysis | Application and operational logs |
The architecture framework is used to guide and determine the applicable aspects and domains for which architecture decisions need to be made. The following sections contain the considerations and architecture decisions for the aspects and domains that are in play in this solution pattern.