Connectivity - General SAP Guides
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connectivity

You must establish connectivity between Amazon cloud where your RISE with SAP solution is running and on-premises data centers. You also need a connection for direct data transfer (to avoid routing data via your on-premises locations) and communication between SAP systems and your applications running on Amazon cloud. The following image provides an example overview of connectivity to RISE with SAP VPC.

Example connectivity between an Amazon Web Services account managed by SAP and your data centers or other Amazon Web Services accounts

See the following topics for further details:

Roles and responsibility for establishing connectivity to RISE

Under RISE with SAP, the SAP Enterprise Cloud Services (ECS) team manages the SAP S/4HANA Private Cloud Environment. The Supplemental Terms and Conditions provided by SAP have a section on Excluded Tasks. You are responsible for running such tasks. You can also use a third-party service provider to manage the excluded tasks for you. For further details, see SAP Product Policies.

The primary task required for deploying RISE with SAP is to establish network connectivity to RISE with SAP VPC on Amazon. As per the RISE with SAP agreement, you are responsible for establishing a connection to RISE.

We recommend that you spend time understanding the available options on how to connect your on-premises network and/or existing Amazon Web Services accounts to RISE with SAP VPC on Amazon. Review the subsequent sections for more information.

Connecting to RISE from on-premises networks

Connectivity to RISE with SAP on Amazon from on-premises networks is supported using Amazon VPN, Amazon Direct Connect, or a combination of the two.

Connecting to RISE with SAP VPC using Amazon VPN

Enable access to your remote network from RISE with SAP VPC using Amazon Site-to-Site VPN. Traffic between Amazon cloud and your on-premises location is encrypted with Internet Protocol Security (IPsec) and transferred through a secure tunnel over the internet. This option is efficient, fast, and more cost-optimized when compared to Amazon Direct Connect. For more information, see Connect your VPC to remote networks using Amazon Virtual Private Network.

You can get a maximum bandwidth of up to 1.25 Gbps per VPN tunnel. For more information, see Site-to-Site VPN quotas.

To scale beyond the default maximum limit of 1.25 Gbps throughput of a single VPN tunnel, see How can I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a transit gateway?

When using this option, SAP requires the following details:

  • BGP ASN

  • IP address of your device

You can obtain these details from your VPN device on-premises.

Connecting to RISE with SAP VPC using Amazon Direct Connect

Use Amazon Direct Connect if you require higher throughput and a more consistent network experience than an internet-based connection. Amazon Direct Connect links your internal network to an Amazon Direct Connect location over a standard Ethernet fiber-optic cable. You can create virtual interfaces to public Amazon services. For example, you can create interfaces to Amazon S3 or Amazon VPC while bypassing the internet service providers in your network path. For more information, see Amazon Direct Connect connections.

You can choose from a dedicated connection of 1 Gbps, 10 Gbps or 100 Gbps Ethernet port dedicated to a single customer, or an Amazon Direct Connect Partner's hosted connection where the Partner has an established network link with Amazon cloud. Hosted connections are available from 50 Mbps up to 10 Gbps. You can order hosted connections from an Amazon Direct Connect Delivery Partner approved to support this model. For more information, see Amazon Direct Connect Delivery Partners.

To connect, use a virtual private gateway in the Amazon Web Services account managed by SAP, or a Direct Connect gateway in your Amazon Web Services account associated with a virtual private gateway in the Amazon Web Services account managed by SAP. For more information, see Direct Connect gateways. A Direct Connect gateway can also connect to an Amazon Transit Gateway. For more information, see Connecting to RISE using your single Amazon Web Services account.

You must acquire a Letter of Authorization from SAP to set up an Amazon Direct Connect connection in the Amazon Web Services account managed by SAP.

Connecting to RISE from your Amazon Web Services account

You can connect to RISE from your Amazon Web Services account in the following ways.

Amazon VPC peering

VPC peering enables a network connection between two Amazon VPCs using private IPv4 or IPv6 addresses, so that instances in either VPC can communicate as if they were in the same network. For more information, see What is VPC peering?

Before setting up a peering connection, you need to create a request for SAP's approval. For a successful VPC peering, the IPv4 Classless Inter-Domain Routing (CIDR) blocks of the two VPCs must not overlap. Check with SAP for the CIDR ranges used in RISE with SAP VPC.

VPC peering is a one-to-one connection between VPCs and is not transitive: traffic cannot transit from one VPC to another via an intermediary VPC. You must set up a separate peering connection for each VPC that needs direct communication with RISE with SAP VPC.
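The non-overlap requirement above is easy to get wrong once a VPC carries secondary CIDR blocks or several VPCs peer with RISE, so here is an added pre-flight check in Python (example code, not part of this guide). The RISE VPC CIDR and the VPC names and ranges are constructed placeholders; the real RISE with SAP ranges come from SAP.

```python
import ipaddress

# Constructed placeholder: the real RISE with SAP VPC CIDR(s) must be obtained from SAP.
RISE_VPC_CIDRS = ["10.200.0.0/16"]

# Constructed: your own VPCs (name -> primary plus any secondary CIDR blocks).
MY_VPCS = {
    "shared-services": ["10.10.0.0/16"],
    "analytics": ["10.200.128.0/17", "10.50.0.0/24"],  # first block collides with RISE
    "dev": ["172.16.0.0/12"],
}


def _networks(cidrs):
    # strict=False normalises host bits (10.0.0.5/24 -> 10.0.0.0/24) instead of raising.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def peering_overlaps(rise_cidrs, vpcs):
    """Each VPC that will peer with the RISE VPC needs its own peering connection
    (peering is not transitive), and none of its CIDR blocks may overlap any RISE block.
    Returns a list of (vpc_name, vpc_cidr, rise_cidr) conflicts; empty means safe to request."""
    rise_nets = _networks(rise_cidrs)
    conflicts = []
    for name, cidrs in vpcs.items():
        for net in _networks(cidrs):
            for rise in rise_nets:
                if net.version == rise.version and net.overlaps(rise):
                    conflicts.append((name, str(net), str(rise)))
    return conflicts


def mutual_overlaps(vpcs):
    """Pairwise check among your own VPCs, for the case where they also peer with each other.
    Returns a list of (vpc_a, cidr_a, vpc_b, cidr_b) conflicts."""
    items = [(name, net) for name, cidrs in vpcs.items() for net in _networks(cidrs)]
    conflicts = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if name_a != name_b and net_a.version == net_b.version and net_a.overlaps(net_b):
                conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


if __name__ == "__main__":
    for conflict in peering_overlaps(RISE_VPC_CIDRS, MY_VPCS):
        print("cannot peer: VPC %s block %s overlaps RISE block %s" % conflict)
    for conflict in mutual_overlaps(MY_VPCS):
        print("VPC-to-VPC overlap: %s %s vs %s %s" % conflict)
```

Run the check against the CIDR ranges SAP confirms before raising the peering request; a non-empty result from `peering_overlaps` means the peering connection would be rejected or, worse, produce ambiguous routes.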

VPC peering works across Amazon Web Services Regions. All inter-Region traffic is encrypted with no single point of failure or bandwidth bottleneck. Traffic stays on the Amazon Global Network and never traverses the public internet, reducing exposure to common exploits and DDoS attacks. Traffic is encrypted using AES-256 encryption at the virtual network layer.

Data transfer for VPC peering within an Availability Zone is free, and data transfer across Availability Zones is charged per GB. For more information, see Amazon EC2 pricing. In your Amazon Web Services account, use the same Availability Zone ID as the Amazon Web Services account managed by SAP to avoid cross-Availability Zone data transfer charges. You can ask SAP for the Availability Zone ID. For more information, see Availability Zone IDs for your Amazon resources.

VPC peering connections between multiple accounts in multiple Regions

Amazon Transit Gateway

Amazon Transit Gateway is a network transit hub to interconnect Amazon VPCs. It acts as a cloud router, resolving complex peering setup issues by acting as the central communication hub. You need to establish this connection with Amazon Web Services account managed by SAP only once.

Transit Gateway in your own Amazon Web Services account

To establish a connection with the Amazon Web Services account managed by SAP, create and share an Amazon Transit Gateway in your Amazon Web Services account. SAP then creates an attachment and enables traffic flow through an entry in the route table. As the Amazon Transit Gateway resides in your Amazon Web Services account, you retain control over traffic routing. For more information, see Transit gateway peering attachments.

Connections between multiple accounts in multiple Regions using Amazon Transit Gateway

Transit Gateway in Amazon Web Services account managed by SAP

If you already have a Transit Gateway in another Amazon Region, and cannot create another Amazon Web Services account and Transit Gateway in the Region that hosts RISE with SAP, SAP can provide the Transit Gateway in the RISE with SAP account. Both this account and the Transit Gateway in it are managed by SAP. This enables you to establish cross-Region communication between your own Amazon Web Services accounts and the RISE with SAP account through your Transit Gateway and the SAP-managed Transit Gateway. Other use cases include routing traffic through firewall appliances attached to the Transit Gateway, connecting via a Direct Connect gateway using a transit VIF to the SAP-managed Transit Gateway, and connecting via Direct Connect or VPN using private VIFs to the SAP-managed Transit Gateway. You cannot connect VPC attachments of VPCs outside of the RISE environment to the SAP-managed Transit Gateway.

Connections between multiple accounts in multiple Regions using Amazon Transit Gateway

Connecting to RISE using your single Amazon Web Services account

You can establish connectivity between on-premises and RISE with SAP VPC using your Amazon Web Services account. This method provides you with more control but also requires managing Amazon services in your Amazon Web Services account. You can use any one of the following options.

The following image shows this option within the same Amazon Region.

Example connections in a single Region

The following image shows this option across different Amazon Regions.

Example connections across Regions

Connecting to RISE with a shared Amazon Landing Zone

Modern SAP landscapes have several connectivity requirements. Services are accessed across on-premises and Amazon Cloud as well as across a variety of SaaS solutions and other cloud service providers.

Creating an Amazon Landing Zone facilitates secure and scalable connectivity for RISE with SAP. It provides the following benefits:

  • Control over networking configuration

  • Ability to reuse Amazon Direct Connect connections across your broader Amazon solutions

  • Reduced network hops and latency for connectivity to other SaaS solutions and cloud service providers as they are not routed via on-premises

  • Ability for additional governance and control through use of Amazon services

A Landing Zone is designed to help organizations achieve their cloud initiatives by automating the set-up of an Amazon environment that follows the Amazon Well-Architected Framework. It scales to all scenarios, from the simplest connectivity, where only RISE with SAP connectivity to on-premises environments is required, to complex requirements with connectivity to multiple SaaS solutions, multiple CSPs and on-premises networks.

The key components and benefits of a Landing Zone include:

  • Multi-account structure – it sets a baseline environment across multiple Amazon Web Services accounts using an organizational unit (OU) structure for different workloads, for instance production, development, and shared services.

  • Amazon Identity and Access Management – it configures Amazon Identity and Access Management (IAM) roles and policies for secure access and management of permissions.

  • Networking – it sets up an Amazon Virtual Private Cloud (Amazon VPC) with subnets, routing tables, and security groups, following the best practices for network isolation and security.

  • Logging and monitoring – it configures Amazon services, such as Amazon Config, Amazon CloudTrail, Amazon GuardDuty for centralized logging, monitoring, and auditing of resource changes and security events.

  • Security – it implements Amazon security best practices, such as enabling Amazon Config Rules, setting up Amazon CloudTrail trails, and creating Amazon Security Hub standards.

  • Automation – it uses Amazon CloudFormation templates and Amazon Service Catalog to automate the deployment and management of the Landing Zone environment.

  • Customization – it allows for customization and extension based on specific organizational requirements, such as adding additional Amazon services or integrating with existing on-premises infrastructure.

We recommend using an Amazon Landing Zone for RISE with SAP connectivity.

Connecting to RISE with a shared Amazon Landing Zone

Building an Amazon Landing Zone

You can implement Amazon Landing Zones using Amazon Control Tower. It provides an automated process for building the Landing Zone, including management and governance services.

In a simple scenario, a Landing Zone contains a minimal footprint focused on connectivity that is typically centred around Amazon Transit Gateway. For more information, see Landing zone.

The following is a general overview of the process:

  1. Define requirements – understand your organization's security, compliance, and operational requirements. This will help determine the appropriate guardrails, controls, and services to be included in the Landing Zone.

  2. Design architecture – plan the overall architecture, including the number of accounts (management, shared services, workload accounts), network design (VPCs, subnets, routing), shared services (logging, monitoring, identity management), and security controls (IAM, service control policies, guardrails).

  3. Set up Amazon Control Tower – Amazon Control Tower helps in setting up and governing a multi-account Amazon environment based on best practices. It allows you to create and provision new Amazon Web Services accounts and deploy baseline security configurations across those accounts.

  4. Configure Amazon Organizations – Organizations enables you to centrally manage and govern your Amazon Web Services accounts. Configure Organizations in Amazon Control Tower by creating the necessary organizational units (OUs) and service control policies (SCPs).

  5. Deploy core accounts and services – create and configure the core accounts, such as the management account, shared services accounts (for logging, security tooling), and any other required shared accounts. Deploy shared services, such as CloudTrail, Config, and Security Hub.

  6. Deploy network architecture – set up the network architecture, including VPCs, subnets, route tables, and any necessary network appliances or services (for example, Transit Gateway for a hub-and-spoke model).

  7. Configure IAM – establish IAM roles, policies, and groups for controlling access and permissions across the Landing Zone accounts.

  8. Implement security controls – deploy security services and guardrails, such as Security Hub, Firewall Manager, Amazon WAF, and Amazon Config Rules, to enforce security best practices and compliance requirements.

  9. Configure logging and monitoring – set up centralized logging and monitoring solutions, such as CloudWatch, CloudTrail, and Config, to capture and analyze logs and events across the Landing Zone accounts.

  10. Deploy workload accounts – deploy workload accounts with your Landing Zone. You can create an Amazon Web Services account to connect to RISE with SAP VPC. We recommend connecting using Transit Gateway for flexibility and ease of management.

  11. Automate and maintain – use Amazon CloudFormation templates or other Infrastructure as Code tools to automate the deployment and maintenance of the Landing Zone resources. Establish processes for ongoing maintenance, updates, and compliance checks.

Amazon Professional Services or Amazon Partners provide assistance for building and maintaining a landing zone for RISE with SAP.

Connect to RISE through nearest Amazon Direct Connect POP (including Amazon Local Zone)

An Amazon Direct Connect Point of Presence (POP) is a physical cross-connect that allows users to establish a network connection from their premises to an Amazon Web Services Region or Amazon Local Zone. You can use the nearest Direct Connect POP located in an Amazon Local Zone to benefit from lower network latency to the RISE with SAP VPC that runs in the parent Amazon Web Services Region. For more information, see Amazon Direct Connect Traffic Flow with Amazon Local Zone.

Here is an example scenario: you are based in the Philippines and want to deploy RISE with SAP in the Amazon Singapore Region. You can use the Direct Connect POP in Manila to set up Direct Connect from your on-premises data centre or offices. This provides lower network latency than connecting directly to the Amazon Region in Singapore.

The following diagram displays RISE connectivity through nearest Amazon Direct Connect POP.

Connect to RISE through nearest Amazon Direct Connect POP (including Amazon Local Zone)

The following are some considerations when using Amazon Direct Connect POP:

  • Use separate VPCs for Region (RISE with SAP VPC) and Local Zones based non-SAP workloads

  • Use Direct Connect Gateway in Amazon Direct Connect POP and Private VIF connectivity

  • Use Direct Connect Gateway in Amazon Direct Connect POP and Transit VIF connectivity for Region VPCs (RISE with SAP VPC)

If resilience is critical, set up a secondary Direct Connect to the Amazon Web Services Region running RISE with SAP VPC, or use Amazon Site-to-Site VPN to that Region for a more cost-optimized option. These services operate within the parent Amazon Web Services Region and serve as a fallback path that keeps connectivity available in the event of disruptions or failures.

Example connections across Regions

Decision tree on connectivity to RISE

You must establish required connectivity to proceed with RISE with SAP on Amazon. The following are a few connectivity patterns described in the preceding sections:

  • direct to RISE VPC, supported with Site-to-Site VPN

  • direct to RISE VPC, supported with Direct Connect

  • connectivity through your Amazon Web Services account via VPC Peering

  • connectivity through Transit Gateway, supporting multi-account deployments

  • connectivity through SAP-managed Transit Gateway supporting multi-account deployments

You must also consider if you want to connect:

  • directly to an Amazon Web Services Region where the RISE with SAP VPC is going to be deployed

  • or through Amazon Local Zone to benefit from lower latency to connect to the RISE with SAP VPC

The decision tree displayed in the following diagram helps you decide which connectivity is suitable based on your requirements, such as future plan of additional Amazon or RISE accounts, dedicated line (security, performance), and bandwidth needs.

Example connections across Regions

Other considerations

This section provides information about other considerations when connecting to RISE.

SAP Business Technology Platform (BTP) with RISE on Amazon

You can use SAP Business Technology Platform (BTP) services on Amazon to extend the functionality of RISE with SAP. SAP recommends SAP Cloud Connector to connect RISE with SAP VPC with SAP BTP via the internet. When both RISE with SAP and SAP BTP run on Amazon, the network traffic is encrypted and contained within the Amazon Global Network, without going through the internet (see the following diagram). This provides better security and performance for any integration use cases between RISE with SAP and SAP BTP. For more information, see Amazon VPC FAQs.

Example connections across Regions

As displayed in the preceding diagram, you can configure Transit Gateway to handle both RISE and BTP network traffic. For more information, see How to route internet traffic from on-premise via Amazon VPC?

SAP also offers SAP Private Link Service for SAP BTP on Amazon. SAP Private Link connects SAP BTP on Amazon with a secure connection without using public IPs in your Amazon Web Services account.

Connecting multiple accounts using Amazon PrivateLink

You can connect to an Amazon endpoint service from an SAP BTP application running on Cloud Foundry. By establishing this connection, you can directly connect to Amazon services or, for example, to an S/4HANA system. For a complete list of supported Amazon services, see Consume Amazon Web Services in SAP BTP.

You can establish a secure and private communication between SAP BTP and Amazon services with SAP Private Link Service. By using private IP address ranges (RFC 1918), you reduce the attack surface of the application. The connection does not require an internet gateway. If you do not require this extra layer of security, you can still connect via the public APIs of SAP BTP without SAP Private Link, and benefit from Amazon global network. For more information, see Amazon VPC FAQs.

SAP Private Link for Amazon currently supports connections initiated from SAP BTP Cloud Foundry to Amazon.

To reach Amazon services in other Amazon Regions, create a VPC in the same Amazon Region as your SAP BTP Cloud Foundry runtime and connect it to the VPCs in those Regions via VPC peering or Amazon Transit Gateway. For a list of supported Regions, see Regions and API Endpoints Available for the Cloud Foundry Environment.

Connecting multiple accounts in multiple Regions using Amazon PrivateLink

Connecting to cloud solutions or SaaS from RISE

When modernizing the SAP landscape, you may subscribe to several SAP cloud solutions or SaaS from independent software vendors to complement RISE with SAP solution.

When the cloud solutions are running on Amazon, the connectivity from RISE with SAP is kept within the Amazon global network without requiring internet connectivity. The connectivity is provided through the Squid proxy server that SAP provides within RISE with SAP VPC.

Connecting to cloud solutions or SaaS from RISE

If the cloud solution runs in another data centre or with another cloud service provider, then you need internet connectivity.

Connecting to cloud solutions or SaaS from RISE

SaaS cloud solutions do not offer connectivity via VPN, Direct Connect or any other means of private connectivity. You can implement a centralized egress to internet architecture to manage this connectivity. For more information, see Centralized egress to internet.

Connectivity patterns for multi-cloud to RISE

In a complex connectivity scenario, you may need to integrate RISE with SAP setup with on-premises, Amazon-hosted systems, and a variety of SaaS solutions and other cloud service providers.

Managing connectivity directly from the Amazon environment decouples dependencies with on-premises networking infrastructure, improving availability and resiliency of the overall landscape.

You can use public or private connectivity to connect multi-cloud with RISE.

Connectivity patterns for multi-cloud to RISE

Public connectivity

Connectivity is routed over the public internet. This pattern is typically used for connectivity from RISE with SAP to SaaS solutions that run across multiple clouds. When building connectivity routed over the public internet, consider the following:

  • ensure that all communication is encrypted

  • protect end-points by using Amazon services, such as Elastic Load Balancers and Amazon Shield

  • monitor endpoints using Amazon CloudWatch

  • ensure that traffic between two public IP addresses hosted on Amazon is routed over the Amazon network

Private connectivity

The following are the three options to establish private connectivity between different cloud service providers:

  • Site-to-site VPN encrypted tunnel routed over public internet

  • private interconnect using Amazon Direct Connect in a managed infrastructure (use Azure ExpressRoute for Azure and Google Dedicated Interconnect for Google Cloud Platform)

  • private interconnect using an Amazon Direct Connect in a facility with a multi-cloud connectivity provider

The following diagram describes the factors to choose a multi-cloud connectivity method.

Connectivity patterns for multi-cloud to RISE

For more information, see Designing private network connectivity between Amazon and Microsoft Azure.

How to implement chargeback capability for connectivity to RISE

If you are a company with subsidiaries, you may have different RISE contracts, leading to deployments in separate Amazon Web Services accounts that still require interlinked network connectivity. In this instance, you need to deploy a Transit Gateway connection in a Landing Zone (multi-account) setup. It can scale your RISE deployment and integrate with multiple RISE with SAP VPCs.

Transit Gateway Flow Logs enable effective cost management. Transit Gateway Flow Logs can be integrated with the Cost and Usage Report (CUR) so that costs can be attributed as chargeback to the business units. For more information, see Logging network traffic using Transit Gateway Flow Logs.

How to implement chargeback capability for connectivity to RISE

The preceding diagram displays how Transit Gateway can be used to connect multiple RISE with SAP VPCs and provide chargeback capability through the Flow Logs.

For more information, see the following blogs:

Use the following steps to enable this setup:

  1. Enable Transit Gateway Flow Logs. For more information, see Create a flow log that publishes to Amazon S3.

  2. Set up Cost and Usage Reporting and set up Athena to query the reports. For more information, see Creating Cost and Usage Reports and Querying Cost and Usage Reports using Amazon Athena.

  3. Obtain the Transit Gateway data processing charge per account.

    1. Decide a cost allocation strategy: distribute costs evenly across all accounts, or distribute them proportionally to each account's usage.

    2. Calculate the total network traffic and the percentage allocation per account using an Amazon Transit Gateway query.

    3. Estimate the cost per account from the CloudWatch metrics NetworkIn (upload) and NetworkOut (download):

      1. (NetworkIn + NetworkOut per usage account) / total data processed in the network account = % of usage

      2. % of usage x total cost = chargeback cost per usage account
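The allocation in step 3 above, carried through as an added Python example (not code from this guide). The account IDs, byte counts, total processed volume and total cost are constructed sample values standing in for what CloudWatch and the Cost and Usage Report would return; the example supports both strategies from step 3.a, rounds to cents so the figures reconcile, and shows what happens when the network account processes more traffic than the usage accounts account for.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: per usage account, bytes reported by CloudWatch for the
# account's Transit Gateway attachment (NetworkIn = upload, NetworkOut = download).
SAMPLE_USAGE = {
    "111111111111": {"NetworkIn": 600_000_000_000, "NetworkOut": 400_000_000_000},
    "222222222222": {"NetworkIn": 250_000_000_000, "NetworkOut": 250_000_000_000},
    "333333333333": {"NetworkIn": 300_000_000_000, "NetworkOut": 200_000_000_000},
}
# Constructed: total bytes processed by the Transit Gateway in the network account,
# and the data-processing charge for it as it would appear in the Cost and Usage Report.
TOTAL_PROCESSED = 2_000_000_000_000
TOTAL_COST = Decimal("40.00")


def account_bytes(metrics):
    return metrics["NetworkIn"] + metrics["NetworkOut"]


def usage_share(usage, total_processed):
    """Step 3.c.1: (NetworkIn + NetworkOut per usage account) / total data processed."""
    return {acct: Decimal(account_bytes(m)) / Decimal(total_processed) for acct, m in usage.items()}


def allocate(usage, total_processed, total_cost, strategy="proportional"):
    """Step 3.c.2: % of usage x total cost = chargeback per usage account.
    strategy="even" splits the cost equally (step 3.a); "proportional" uses usage_share().
    Returns (charges, unallocated). Charges are rounded to cents, with the rounding
    residual pushed to the largest consumer so the rounded figures still add up.
    unallocated is the part of total_cost not attributable to any usage account; it is
    non-zero when total_processed exceeds the sum of the accounts' own traffic."""
    if strategy == "even":
        shares = {acct: Decimal(1) / Decimal(len(usage)) for acct in usage}
    elif strategy == "proportional":
        shares = usage_share(usage, total_processed)
    else:
        raise ValueError("unknown strategy: %s" % strategy)

    raw = {acct: share * total_cost for acct, share in shares.items()}
    charges = {acct: amount.quantize(CENT, rounding=ROUND_HALF_UP) for acct, amount in raw.items()}

    # Rounding each line separately can lose or gain a cent or two overall; settle it
    # on the biggest consumer rather than leaving it in the network account.
    residual = (sum(raw.values()) - sum(charges.values())).quantize(CENT, rounding=ROUND_HALF_UP)
    if residual:
        biggest = max(usage, key=lambda acct: account_bytes(usage[acct]))
        charges[biggest] += residual

    unallocated = (total_cost - sum(charges.values())).quantize(CENT, rounding=ROUND_HALF_UP)
    return charges, unallocated


if __name__ == "__main__":
    for strategy in ("proportional", "even"):
        charges, unallocated = allocate(SAMPLE_USAGE, TOTAL_PROCESSED, TOTAL_COST, strategy)
        print(strategy, charges, "unallocated:", unallocated)
```

In practice the per-account byte counts come from CloudWatch for each attachment and `TOTAL_PROCESSED` and `TOTAL_COST` from the Athena query over the Cost and Usage Report described in step 2; a non-zero `unallocated` figure is worth reporting, since it is Transit Gateway traffic that no business unit will be charged for.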