IBM Cloud Docs
Connectivity to your SAP system landscape

IBM Cloud has many connectivity options, including low-latency worldwide connections between your private internal network and IBM Cloud's private network backbone.

You can securely connect to your infrastructure in multiple ways by using various protocols and ports, based on the infrastructure chosen and the different network types:

Interconnectivity between IBM Cloud network

  • Transit Gateway, which handles interconnectivity across the IBM Cloud private backbone, with defined and controlled communication between resources worldwide across the IBM Cloud network or across multiple IBM Cloud accounts (useful for Managed Service Providers of SAP). Transit Gateways support hybrid workloads, frequent data transfers, and private workloads by providing dynamic scalability, high availability, and privacy for data in transit between hosts on IBM Cloud.
    • Local routing: connect VPCs in the same region.
    • Global routing: connect VPCs across regions.
    • Classic Infrastructure routing: connect to VLANs on the Classic Infrastructure network.
    • Cross-account connection (also known as account-to-account routing): connect VPCs across multiple IBM Cloud accounts. See Adding a cross-account connection (VPC only).

Connectivity options within the IBM Cloud Classic Infrastructure network

  • Classic SSL VPN, a basic SSL tunnel with user/password authentication to various PoPs or data centers. It is built in to IBM Cloud® Classic Infrastructure, is enabled per user account, and is a good option for administrators during the initial stages of deployments to IBM Cloud. It is not for bulk users due to bandwidth caps.
  • Classic IPSecVPN, a service from the IBM Cloud catalog, which can be provisioned and has advanced configuration options available for the IPsec tunnel.
  • IBM Cloud® Direct Link for Classic Infrastructure, the most robust connection available in varying types from your internal network to IBM Cloud's Availability Zones (also known as data centers) that use Network Service Providers, Point of Presence (PoP), or directly between the data center colocation room (also called a Meet Me Room). This option is available up to 10 Gbps network throughput as a Routed OSI Layer-2/3 connection, and is designed for enterprise workload connections. Note: If you are using VPC Infrastructure, this option is not necessary, as IBM Cloud® Direct Link 2.0 can also connect to Classic Infrastructure.

IBM Cloud® Classic Infrastructure offers firewalls that can provide your Bare Metal Servers with a layer of security that is provisioned on demand and designed to eliminate service interruptions.

Within the Classic Infrastructure network, there are many Gateway Appliances and Firewalls to help prevent unwanted traffic from hitting your server, help reduce your vulnerability to attack, and let your server resources be dedicated to their intended use. Based on your specific performance and feature requirements, you can choose one of the following options:

Connectivity options within the IBM Cloud VPC Infrastructure network

  • Floating IP, a public internet IPv4 address, which can be configured with Security Groups to allow only certain network connection access on defined protocols and ports from specified source/target addresses. This option is often used for initial tests; more detail is in the short guide on Connecting to your Linux Virtual Server instance.
  • VPC IPSecVPN, a service from the IBM Cloud catalog that deploys a VPN Gateway to a VPC and creates a VPN Connection, with advanced configuration options available for the IPsec tunnel, including integration with authentication strategies such as Microsoft Active Directory.
  • IBM Cloud® Direct Link 2.0, the latest enhancement and the most robust connection available, now with access to both Classic Infrastructure network and VPC Infrastructure network simultaneously from your internal network to IBM Cloud's Availability Zones (Data centers) that use Network Service Providers, Point of Presence (PoP), or directly between the data center colocation Room (also called a Meet Me Room). This is available up to 10 Gbps network throughput as a Routed OSI Layer-2/3 connection, and is designed for enterprise workload connections.
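
The Floating IP option above depends on Security Group rules that really are limited to defined protocols, ports and source addresses. The following added example (not part of the IBM documentation) audits a set of inbound rules for entries that are broader than that; the rule field names, the sample rules and the thresholds are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules. Field names (direction, protocol, port_min,
# port_max, remote.cidr_block) are an assumed rule shape, not taken from the page.
SAMPLE_RULES = [
    {"id": "r-ssh-admin", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": {"cidr_block": "203.0.113.0/28"}},
    {"id": "r-ssh-any", "direction": "inbound", "protocol": "tcp",
     "port_min": 22, "port_max": 22, "remote": {"cidr_block": "0.0.0.0/0"}},
    {"id": "r-wide-ports", "direction": "inbound", "protocol": "tcp",
     "port_min": 1, "port_max": 65535, "remote": {"cidr_block": "198.51.100.10/32"}},
    {"id": "r-all-proto", "direction": "inbound", "protocol": "all",
     "remote": {"cidr_block": "10.0.0.0/8"}},
    {"id": "r-egress", "direction": "outbound", "protocol": "all",
     "remote": {"cidr_block": "0.0.0.0/0"}},
]

def audit_inbound(rules, max_source_addresses=256, max_port_span=10):
    """Return {rule_id: [issues]} for inbound rules broader than 'defined
    protocols and ports from specified source addresses'. Thresholds are
    illustrative defaults."""
    findings = {}
    for rule in rules:
        if rule.get("direction") != "inbound":
            continue  # only inbound exposure of the floating IP is audited here
        issues = []
        remote = rule.get("remote") or {}
        source = remote.get("cidr_block") or remote.get("address")
        if source:
            net = ipaddress.ip_network(source, strict=False)
            if net.prefixlen == 0:
                issues.append("open to any source")
            elif net.num_addresses > max_source_addresses:
                issues.append(f"source range of {net.num_addresses} addresses")
        elif "id" not in remote:  # a security-group reference counts as restricted
            issues.append("no source restriction")
        protocol = rule.get("protocol", "all")
        if protocol == "all":
            issues.append("all protocols allowed")
        elif protocol in ("tcp", "udp"):
            low, high = rule.get("port_min", 1), rule.get("port_max", 65535)
            if high - low + 1 > max_port_span:
                issues.append(f"port range {low}-{high} too wide")
        if issues:
            findings[rule["id"]] = issues
    return findings

if __name__ == "__main__":
    for rule_id, issues in audit_inbound(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(issues))
```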

VPC VPN Gateway

To connect to a virtual server on VPC through a secure IPsec tunnel, a VPN Gateway is created for the VPC. For a tutorial that describes the setup of connectivity to the VPC VPN Gateway using the open source strongSwan IPSec-based VPN client on an external network, refer to the tutorial "Use a VPC/VPN gateway for secure and private on-premises access to cloud resources".

Accessing the classic infrastructure

Optional setup.

IBM Cloud VPC infrastructure can access other resources on IBM Cloud Classic Infrastructure, such as high-performance IBM Cloud® Bare Metal Servers designed for SAP HANA.

You have multiple options to achieve this access, notably a one-to-one association, or IBM Cloud® Transit Gateway with increased flexibility. This is described in the above section Interconnectivity between IBM Cloud network.

All options require upgrading the IBM Cloud account to be VRF-enabled.

For more information on VPC access to Classic Infrastructure, see Setting up access to classic infrastructure. For more information on Transit Gateway, see Getting started with IBM Cloud Transit Gateway.

Network connectivity and network security for SAP systems running in IBM Power Virtual Server

Network connectivity

To arrange connection through to IBM Cloud or an on-premises network, a private subnet must exist for the IBM Power Virtual Server.

  • The Power Virtual Server workspace is connected over Transit Gateway to:
    1. The Virtual Private Cloud (VPC) with VPC instances (Windows, HANA Studio).
    2. Other Power Virtual Server workspaces.
    3. On-premises networks through Direct Link.
  • A local transit gateway connects networks in the same region. To connect networks from other regions, a global transit gateway must be used.
  • Other IBM Cloud services (such as IBM Cloud Object Storage) may be reached directly through public IBM Cloud service IPs or hostnames, or over Virtual Private Endpoints configured in the connected VPC.

Network connectivity over VPN

IBM Power Virtual Server does not support a native VPN service. However, IBM Cloud provides two VPN services:

  1. VPN for VPC offers site-to-site gateways, which connect your on-premises network to the IBM Cloud VPC network.
  2. Client VPN for VPC offers client-to-site servers, which allow clients on the internet to connect to VPN servers, while still maintaining secure connectivity.
  • Once connectivity to the VPC network is established, it is then easier to reach the IBM Power Virtual Server instances, provided that the VPC and the Power Virtual Server workspace are attached to the same Transit Gateway.
  • Outgoing public internet and external network traffic from Power Virtual Server instances goes over the internet proxy service running on a Virtual Server Instance (VSI) in the VPC.
  • Incoming public internet and external network traffic to Power Virtual Server instances is handled by using Cloud Internet Service and Load Balancer Service.

Network Security

Across all network connectivity options, we differentiate between connections that reach the Power Virtual Server workspace over VPC and those that come directly through Transit Gateway.

On the target side (IBM Cloud networks or the on-premises network), you must perform the necessary network security configuration and permit connections to be established to and from IBM Power Virtual Servers.