Connecting to RISE from on-premises networks - General SAP Guides
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting to RISE from on-premises networks

Connectivity to RISE with SAP on Amazon from on-premises networks is supported over Amazon Site-to-Site VPN, Amazon Direct Connect, or a combination of the two.

Connecting to RISE with SAP VPC using Amazon VPN

Enable access between your remote network and the RISE with SAP VPC using Amazon Site-to-Site VPN. Traffic between the Amazon cloud and your on-premises location is encrypted with Internet Protocol security (IPsec) and carried through the IPsec tunnels over the public internet. This option is efficient and faster to implement than Amazon Direct Connect, at the cost of depending on internet path quality. For more information, see Connect your VPC to remote networks using Amazon Virtual Private Network.

You can get a maximum bandwidth of up to 1.25 Gbps per VPN tunnel. For more information, see Site-to-Site VPN quotas.

To scale beyond the default maximum limit of 1.25 Gbps throughput of a single VPN tunnel, see How can I achieve ECMP routing with multiple Site-to-Site VPN tunnels that are associated with a transit gateway?

When using this option, SAP requires the following details:

  • BGP ASN of your customer gateway device

  • Public IP address of your customer gateway device

You can obtain these details from the customer gateway device on-premises (the router or firewall that terminates the IPsec tunnels).

When connecting your remote network directly to RISE using Amazon Site-to-Site VPN, the cost for the Amazon VPN connection and the cost for data transfer out are included in the RISE subscription.

For more information, see Amazon Site-to-Site VPN Pricing.

Note: Because the cost associated with the lifecycle and operation of a customer gateway device (a physical device or software application on your side of the Site-to-Site VPN connection) varies, it is not taken into consideration in this document.

Connecting to RISE with SAP VPC using Amazon Direct Connect

Use Amazon Direct Connect if you require a higher throughput or more consistent network experience than an internet-based connection. Amazon Direct Connect links your internal network to an Amazon Direct Connect location over a standard Ethernet fiber-optic cable. You can create different types of virtual interfaces (VIFs) to connect with various Amazon services. For example, you can create a Public VIF to communicate with public services like Amazon S3 or a Private/Transit VIF for private resources such as Amazon VPC, while bypassing the internet service providers in your network path. For more information, see Amazon Direct Connect connections.

You can choose from a dedicated connection of 1 Gbps, 10 Gbps, 100 Gbps, or 400 Gbps, or an Amazon Direct Connect Partner’s hosted connection, where the Partner has an established network link with the Amazon cloud. Hosted connections are available at 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 25 Gbps. You can order hosted connections from an Amazon Direct Connect Delivery Partner approved to support this model. For more information, see Amazon Direct Connect Delivery Partners.

To connect, use either a virtual private gateway in the Amazon account managed by SAP, or a Direct Connect gateway in your Amazon account associated with a virtual private gateway in the Amazon account managed by SAP. For more information, see Direct Connect gateways. A Direct Connect gateway can also connect to an Amazon Transit Gateway. For more information, see Connecting to RISE using your single Amazon account.

You must obtain a Letter of Authorization from SAP to set up an Amazon Direct Connect dedicated connection in the Amazon account managed by SAP.

When connecting your remote network directly to RISE using Amazon Direct Connect, the cost for data transfer out (egress) is included in the RISE subscription. Costs associated with the capacity (the maximum rate at which data can be transferred through the connection) and the port hours (the time a port is provisioned for your use with Amazon or an Amazon Direct Connect Delivery Partner) are not included in the RISE subscription. Amazon Direct Connect has no setup charges and you may cancel at any time; however, services provided by your Amazon Direct Connect Delivery Partner or other local service provider may have other terms and conditions that apply.

For more information, see: Amazon Direct Connect Pricing

Connecting to RISE with SAP VPC using SD-WAN

What is SD-WAN

Software-Defined Wide Area Networking (SD-WAN) is a networking technology that uses software to manage and route traffic across different transport networks, such as Multiprotocol Label Switching (MPLS), the public internet, or the Amazon backbone, with the goal of improving connectivity and application performance. SD-WAN primarily operates at Layer 3 (the Network layer) of the OSI model and offers centralized control, routing, path selection, IP-based policies, and the ability to prioritize specific mission-critical applications such as SAP, which makes it well suited for cloud-based RISE with SAP environments.

Although the SD-WAN overlay operates at Layer 3, the underlay that transports it can be a Layer 2 (Data Link) service such as Amazon Direct Connect, or a Layer 3 (Network) path such as broadband internet or Amazon Site-to-Site VPN.

In an SD-WAN architecture, an SD-WAN headend acts as the hub, or centralized network component, while SD-WAN edge devices deployed at branch offices, remote sites, or data centers serve as the entry and exit points for WAN traffic.

You can refer to more detailed information in the Reference Architectures for Implementing SD-WAN Solutions on Amazon.

Scenario A: SD-WAN appliances (edge and/or headend/hub) on-premises

Amazon Transit Gateway Connect allows you to extend your SD-WAN network into Amazon using GRE (Generic Routing Encapsulation) tunnels without deploying additional Amazon infrastructure. Through a Transit Gateway Connect peer, you establish GRE tunnels between the transit gateway in your Amazon account and the SD-WAN appliance on-premises; an Amazon Direct Connect attachment (a transit virtual interface to a Direct Connect gateway associated with the transit gateway) serves as the underlying transport for the Connect attachment.

The appliance must be configured to send and receive traffic over the GRE tunnel to and from the transit gateway through the Connect attachment, and to run BGP (Border Gateway Protocol) over the tunnel for dynamic route exchange and liveness detection. GRE adds no encryption of its own: on a Direct Connect underlay, confidentiality rests on the private Direct Connect path (or MACsec where the dedicated connection supports it) or on encryption applied by the SD-WAN overlay.

Each Connect peer has its own BGP sessions, and each Connect attachment can be associated with its own transit gateway route table, so you can extend your on-premises network segmentation (virtual routing and forwarding, VRF) into Amazon. The RISE with SAP VPC is attached to the Amazon Transit Gateway.

This setup provides a streamlined way to connect your SD-WAN environment with RISE with SAP on Amazon using Amazon Direct Connect, maintaining network separation while simplifying the overall architecture.

In this scenario, the overlay network is SD-WAN (with GRE tunnels) with the headend/hub or edge devices deployed on-premises, and the underlay transport is Amazon Direct Connect.
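The following is an added example, not code from the original page, SAP, or Amazon. It sanity-checks and lays out the parameters of one Transit Gateway Connect peer as described for Scenario A (and equally for the VPC-transport variant in Scenario B): the inside CIDR constraints, the transit gateway CIDR block, the private ASN, and the three inside BGP addresses, in the layout shown in the create-transit-gateway-connect-peer CLI output (peer .1, transit gateway .2 and .3), which you should confirm against what the console or SAP returns for your peer. All addresses and ASNs are constructed sample values, and the configuration lines at the end are vendor-neutral pseudo-syntax rather than any vendor's CLI.

```python
"""Sanity-check and lay out the GRE/BGP parameters of one Transit Gateway Connect peer.

Added example, not code from the original page, SAP or Amazon. Constraints encoded here come
from the Amazon Transit Gateway documentation: the inside CIDR is an IPv4 /29 from
169.254.0.0/16 outside the reserved blocks below; the transit gateway GRE address comes from
the transit gateway CIDR block (/24 or larger, not overlapping attached VPCs); the transit
gateway ASN is a private ASN. The inside BGP address layout (peer .1, transit gateway .2
and .3) follows the create-transit-gateway-connect-peer output; confirm it for your peer.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
LINK_LOCAL = IPv4Net("169.254.0.0/16")
# Link-local blocks the Connect peer documentation reserves; the inside CIDR may not overlap them.
RESERVED_INSIDE_BLOCKS = tuple(IPv4Net(b) for b in (
    "169.254.0.0/28", "169.254.1.0/24", "169.254.2.0/24", "169.254.3.0/24",
    "169.254.4.0/24", "169.254.5.0/24", "169.254.169.248/29"))
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


@dataclass(frozen=True)
class ConnectPeerPlan:
    tgw_gre_address: str                 # outer GRE endpoint on the transit gateway
    peer_gre_address: str                # outer GRE endpoint on the SD-WAN appliance
    peer_bgp_address: str                # inside address the appliance peers from
    tgw_bgp_addresses: tuple[str, str]   # the two inside addresses the transit gateway peers from
    tgw_asn: int
    peer_asn: int


def inside_cidr_problems(cidr: str) -> list[str]:
    """Reasons a candidate inside CIDR would be rejected; an empty list means it is acceptable."""
    try:
        net = IPv4Net(cidr)            # strict by default: host bits set is a ValueError
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if net.prefixlen != 29:
        problems.append(f"prefix length is {net.prefixlen}, must be /29")
    if not net.subnet_of(LINK_LOCAL):
        problems.append("not inside 169.254.0.0/16")
    problems += [f"overlaps reserved block {r}" for r in RESERVED_INSIDE_BLOCKS if net.overlaps(r)]
    return problems


def plan_connect_peer(*, tgw_cidr: str, tgw_gre_address: str, peer_gre_address: str,
                      inside_cidr: str, tgw_asn: int, peer_asn: int,
                      attached_vpc_cidrs: tuple[str, ...] = ()) -> ConnectPeerPlan:
    """Validate the inputs and derive the addresses to configure on the appliance."""
    tgw_block = IPv4Net(tgw_cidr)
    if tgw_block.prefixlen > 24:
        raise ValueError(f"transit gateway CIDR block {tgw_cidr} must be /24 or larger")
    for vpc in attached_vpc_cidrs:     # e.g. the RISE with SAP VPC and your appliance VPC
        if tgw_block.overlaps(IPv4Net(vpc)):
            raise ValueError(f"transit gateway CIDR block {tgw_cidr} overlaps attached VPC {vpc}")
    if ipaddress.IPv4Address(tgw_gre_address) not in tgw_block:
        raise ValueError(f"transit gateway GRE address {tgw_gre_address} is not in {tgw_cidr}")
    if not any(lo <= tgw_asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
        raise ValueError(f"transit gateway ASN {tgw_asn} is not a private ASN")
    problems = inside_cidr_problems(inside_cidr)
    if problems:
        raise ValueError(f"inside CIDR {inside_cidr}: " + "; ".join(problems))
    hosts = list(IPv4Net(inside_cidr).hosts())    # .1 .. .6 of the /29
    return ConnectPeerPlan(
        tgw_gre_address=tgw_gre_address, peer_gre_address=peer_gre_address,
        peer_bgp_address=str(hosts[0]), tgw_bgp_addresses=(str(hosts[1]), str(hosts[2])),
        tgw_asn=tgw_asn, peer_asn=peer_asn)


def appliance_config_lines(plan: ConnectPeerPlan) -> list[str]:
    """Vendor-neutral summary of what the SD-WAN appliance must be configured with. Both
    transit gateway BGP addresses get a session. GRE carries no encryption of its own: on a
    Direct Connect underlay the traffic is as private as the Direct Connect path, so encrypt
    in the SD-WAN overlay if the data classification requires it."""
    return [
        f"gre tunnel source {plan.peer_gre_address} destination {plan.tgw_gre_address}",
        f"tunnel inside address {plan.peer_bgp_address}/29",
        f"bgp local-as {plan.peer_asn}",
        f"bgp neighbor {plan.tgw_bgp_addresses[0]} remote-as {plan.tgw_asn}",
        f"bgp neighbor {plan.tgw_bgp_addresses[1]} remote-as {plan.tgw_asn}",
    ]
```

Run plan_connect_peer with the transit gateway CIDR block, the GRE addresses, the inside /29 and both ASNs; a ValueError names the first constraint the inputs violate, otherwise appliance_config_lines gives the values to hand to the network team that configures the SD-WAN appliance.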

Pattern A-1: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with your Amazon landing zone

SD-WAN devices integration with Transit Gateway and Direct Connect with your landing zone

The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. You can create Transit Gateway connect attachments using an Amazon Direct Connect connection as underlying transport in your Amazon account.

Outbound from RISE with SAP VPC:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the Direct Connect connection as the underlay transport and connects the Transit Gateway to the corporate data center SD-WAN device with GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

  1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

  2. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

Pattern A-2: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with no Amazon landing zone

SD-WAN devices integration with Transit Gateway and Direct Connect with no landing zone

The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. In RISE with SAP, you can request SAP to create Transit Gateway connect attachments using a Direct Connect connection as underlying transport. Customers can leverage SAP-managed Direct Connect gateway (DXGW) if required.

Outbound from RISE with SAP VPC:

  1. Traffic initiated from RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the Direct Connect connection as transport and connects the Transit Gateway to the corporate data center SD-WAN device using GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

  1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

  2. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

Scenario B: SD-WAN appliances (edge and/or headend/hub devices) in Amazon

In this scenario, the virtual appliances of the SD-WAN network are deployed in a VPC within Amazon. You then use a VPC attachment as the underlying transport for the Transit Gateway Connect attachment between the SD-WAN virtual appliances and the transit gateway in your Amazon account(s). As in Scenario A, Transit Gateway Connect attachments use GRE, which gives higher bandwidth than a VPN connection (up to 5 Gbps per Connect peer, and up to four Connect peers per Connect attachment, compared with 1.25 Gbps per VPN tunnel). They support BGP for dynamic routing, which removes the need to configure static routes. In addition, integration with Transit Gateway Network Manager provides visibility through the global network topology, attachment-level performance metrics, and telemetry data.

Between on-premises and Amazon, the overlay network is SD-WAN with GRE or IPsec tunnels and the headend/hub deployed within Amazon; the underlay transport can be the internet, MPLS, or Direct Connect. The architecture patterns under this scenario are as follows:

Note: The network patterns covered in the following sections apply only with an existing or new landing zone of your own on Amazon. For SD-WAN appliance deployment and connectivity directly with the Amazon account managed by SAP, refer to Pattern A-2.

Pattern B-1: SD-WAN appliances in Amazon integrated with Amazon Transit Gateway Connect with your Amazon landing zone

SD-WAN appliances integrated with Transit Gateway and Direct Connect with your landing zone

The preceding diagram illustrates a pattern of integrating your SD-WAN network with the Transit Gateway using Connect attachments, with the (third-party) virtual appliances of the SD-WAN network placed in an Appliance VPC within Amazon. It is common to also have SD-WAN edge appliances deployed at branch locations and in the on-premises data center, forming a full-mesh topology.

Outbound from RISE with SAP:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the VPC attachment as transport and connects Transit Gateway to the third-party appliance in the Appliance VPC using GRE tunneling and BGP.

  3. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE with SAP:

  1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the Appliance VPC via the SD-WAN overlay over the Direct Connect link.

  2. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via the connect attachment.

  3. Transit Gateway forwards the traffic to the destination RISE VPC.

Pattern B-2: SD-WAN appliances in Amazon integrated with Amazon Site-to-Site VPN

SD-WAN appliances integrated with Site-to-Site VPN

The preceding diagram illustrates a pattern of integrating your SD-WAN network with the Transit Gateway using an Amazon Site-to-Site VPN connection, with the (third-party) virtual appliances of the SD-WAN network placed in an Appliance VPC within Amazon. Use this option when your third-party virtual appliance does not support GRE; the IPsec tunnels then take the place of the GRE tunnels, subject to the per-tunnel VPN bandwidth limit. It is common to also have SD-WAN edge appliances deployed at branch locations and in the on-premises data center, forming a full-mesh topology.

Outbound from RISE with SAP:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway Elastic Network Interface (TGW ENI).

  2. The traffic is routed between the Transit Gateway and the third-party virtual appliance using the Site-to-Site VPN connection.

  3. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE WITH SAP:

  1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the appliance VPC via the SD-WAN overlay over the Amazon Direct Connect link.

  2. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via Site-to-Site VPN connection.

  3. Transit Gateway forwards the traffic to TGW ENI of the destination RISE VPC.

Implementation steps for connectivity between RISE and your on-premises networks

This section provides a deeper dive into the implementation steps for connectivity between RISE with SAP and your on-premises environment without using a customer-managed Amazon account. Two options are covered: first, a highly resilient deployment for critical workloads, and second, a cost-effective alternative for non-critical workloads.

For each option, we describe the details SAP needs and the steps you take in your on-premises environment.

Option 1: Resilient Deployment for Critical Workloads

Resilient Deployment for Critical Workloads

Amazon Direct Connect (DX) comes in two connection types, Dedicated and Hosted. A dedicated connection is a physical Ethernet connection associated with a single customer, between the customer’s network and Amazon. A hosted connection is a physical Ethernet connection that an Amazon Direct Connect Partner provisions on behalf of a customer. Learn about Amazon Direct Connect to familiarize yourself with the service.

To set up a resilient Direct Connect solution for your RISE with SAP deployment, follow these implementation steps:

Prerequisites

Before configuring the Direct Connect connection, ensure your on-premises network is ready. This includes:

  • Reviewing the Amazon documentation on BGP with Amazon Direct Connect for detailed guidance on router configuration.

  • Configuring Border Gateway Protocol (BGP) on your routers with MD5 authentication. BGP is a requirement for using Direct Connect.

  • Verifying that your network can support multiple BGP connections for redundancy.

Initiate the Setup Process

Start by contacting your SAP ECS (Enterprise Cloud Services) representative and request the "Amazon Connectivity Questionnaire" for RISE with SAP on Amazon Direct Connect setup. This questionnaire will help gather the necessary information to provision the Direct Connect connection.

We advise you to set up redundant connections for high availability by completing the questionnaire for each Direct Connect connection you plan to establish. Review the Direct Connect Resiliency Recommendations to understand best practices.

Complete the SAP Questionnaire

When filling out the Amazon Connectivity Questionnaire, specify that you want to set up a resilient Amazon Direct Connect configuration.

In the questionnaire, provide the following details about your Direct Connect connection:

  • Whether it is a hosted or a dedicated Direct Connect connection

  • The Direct Connect provider or partner you’ll be using

  • The specific Direct Connect region/location

  • The minimum number of Direct Connect links required

  • The subnet CIDR blocks for the primary and secondary Direct Connect links (in /30 CIDR format)

  • The VLAN ID

  • The Autonomous System Number (ASN) of your on-premises router

  • The IP address ranges of your on-premises network (to allow for proper firewall configuration)

Additionally, include information about your on-premises router, such as the make, model, and interface details.

Submit the completed questionnaire to your SAP ECS representative. SAP will then use this information to provision the necessary Direct Connect resources in your RISE with SAP environment on Amazon.
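Before sending the questionnaire, it is worth cross-checking the values against each other. The following added example, not part of the original page and not an SAP or Amazon tool, takes the /30 peering subnet and VLAN ID for each Direct Connect link, your on-premises ranges, and the RISE with SAP VPC CIDR that SAP communicated, and reports overlaps and malformed entries that would otherwise surface only after SAP has provisioned the virtual interfaces. All values are constructed samples.

```python
"""Cross-check the Direct Connect details before submitting SAP's connectivity questionnaire.

Added example; not part of the original page and not an SAP or Amazon tool. All CIDRs, VLAN
IDs and link names below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class DxLink:
    name: str
    peering_cidr: str   # /30 from which your router's and Amazon's BGP peer addresses are taken
    vlan_id: int


def peer_addresses(link: DxLink) -> tuple[str, str]:
    """The two usable addresses of the /30. Which one is yours and which is Amazon's is your
    choice, but it must match what you enter in the questionnaire; this returns (yours, Amazon)."""
    hosts = list(IPv4Net(link.peering_cidr).hosts())
    return str(hosts[0]), str(hosts[1])


def questionnaire_problems(links: list[DxLink], onprem_ranges: list[str],
                           rise_vpc_cidr: str) -> list[str]:
    """Every inconsistency found in the planned submission; an empty list means it is clean."""
    problems: list[str] = []
    rise = IPv4Net(rise_vpc_cidr)
    onprem = []
    for cidr in onprem_ranges:
        try:
            onprem.append(IPv4Net(cidr))
        except ValueError as exc:
            problems.append(f"on-premises range {cidr}: {exc}")
    # 1. The ranges SAP will route back to you must not collide with the RISE VPC itself.
    problems += [f"on-premises range {n} overlaps RISE VPC {rise}" for n in onprem if n.overlaps(rise)]
    # 2. Each link needs a proper /30 and a valid 802.1Q VLAN ID.
    peerings = []
    for link in links:
        try:
            net = IPv4Net(link.peering_cidr)
        except ValueError as exc:
            problems.append(f"{link.name}: peering CIDR {link.peering_cidr}: {exc}")
            continue
        if net.prefixlen != 30:
            problems.append(f"{link.name}: peering CIDR must be a /30, got /{net.prefixlen}")
        if not 1 <= link.vlan_id <= 4094:
            problems.append(f"{link.name}: VLAN ID {link.vlan_id} is outside 1-4094")
        peerings.append((link.name, net))
    # 3. Peering subnets must be distinct from each other and from anything that is routed.
    for (a, na), (b, nb) in combinations(peerings, 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b} share peering CIDR space ({na} / {nb})")
    for name, net in peerings:
        for routed in onprem + [rise]:
            if net.overlaps(routed):
                problems.append(f"{name}: peering CIDR {net} overlaps routed range {routed}")
    return problems
```

Run questionnaire_problems over the primary and secondary link, the on-premises ranges you will list for SAP's firewall rules, and the RISE VPC CIDR; fix every reported item before submission, since each one would otherwise become a round trip with SAP ECS after provisioning.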

SAP’s Responsibilities

After you submit the completed questionnaire, SAP will handle the following tasks (the list below is illustrative only for this context):

  • Create a virtual interface (depending on your DX type: hosted or dedicated)

  • Create the Direct Connect Gateway

  • If you need SAP to provision Transit Gateway in RISE VPC,

    • Setup the Transit Gateway (including the ASN you provided)

    • Create the Transit Gateway attachment for your VPC

    • Update the route tables to allow the Transit Gateway to communicate with the RISE with SAP network VPC

    • Associate the Transit Gateway with the Direct Connect Gateway, including the CIDR of the RISE with SAP network that will be advertised to your network

Complete the Setup Process

Once you receive the necessary information from SAP, such as the VLAN ID, BGP peer IPs, and optional BGP authentication key, configure your on-premises routers accordingly. This includes setting up the VLAN interface and BGP for the Direct Connect connection. Consult the Amazon documentation on router configuration for Direct Connect for detailed instructions.

Configure for active/active topology: implement routing policies to balance traffic across the redundant Direct Connect connections. Your routers control the outbound path with local preference. To influence path selection from Amazon to your on-premises network, advertise more-specific prefixes or tag your advertisements with the Direct Connect local preference communities (7224:7100 low, 7224:7200 medium, 7224:7300 high), keeping the attributes equal on both links wherever you want Amazon to load-balance across them.

Establish and Test the Connections

Coordinate with SAP to enable the BGP sessions for both Direct Connect connections. Verify the BGP paths and test failover scenarios by simulating the failure of one connection to ensure traffic properly fails over to the other.

Confirm end-to-end connectivity with SAP for both paths. You can also use the Amazon Direct Connect Resiliency Toolkit to perform scheduled failover tests and validate the resiliency of your connections.

Maintain the Connections

Regularly review and update the Direct Connect configurations as needed. Coordinate any changes with SAP. Monitor the performance and availability of both connections, and refer to the Amazon documentation on Monitoring Direct Connect for best practices.

By following these steps, you can establish a resilient Amazon Direct Connect solution to securely connect your on-premises infrastructure with the RISE with SAP environment on Amazon, ensuring high availability and reliable network performance.

Option 2: Cost Effective Alternative for Non-Critical Workloads

Cost Effective Alternative for Non-Critical Workloads

Some Amazon customers prefer the benefits of one or more Amazon Direct Connect connections as their primary connectivity to Amazon, coupled with a lower-cost backup solution. Additionally, they may want an agile and adaptable connection that can be quickly established or decommissioned between network locations globally. To achieve these objectives, they can implement Amazon Direct Connect connections with an Amazon Site-to-Site VPN backup.

The Site-to-Site VPN connection consists of three key components:

  1. Virtual Private Gateway (VGW) - The router on the Amazon side

  2. Customer Gateway (CGW) - The router on the customer side

  3. The Site-to-Site VPN connection that binds the VGW and CGW together over two IPsec tunnels, typically operated in an active/passive configuration

For in-depth documentation on establishing the Amazon Site-to-Site VPN connection, see https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html.

Prerequisites

This approach builds on the steps outlined in Option 1 for setting up a resilient Amazon Direct Connect solution. After completing those Direct Connect implementation steps, you can add a Site-to-Site VPN connection as a failover option.

While your Direct Connect connections are being provisioned, you can begin preparing your on-premises infrastructure for the VPN setup:

  • Review the Amazon documentation on Site-to-Site VPN to understand the requirements and best practices.

  • Ensure your firewalls allow the necessary traffic for the VPN tunnels from the Amazon tunnel endpoint addresses: IKE on UDP 500, and either UDP 4500 (NAT traversal) or ESP (IP protocol 50) when no NAT is in the path.

  • Confirm you have two customer gateway devices, or a single device capable of managing multiple VPN tunnels.

The addition of a Site-to-Site VPN connection provides a faster and more agile backup to your primary Direct Connect links. The process is similar to setting up Direct Connect, with a few key differences.

Initiate the Setup Process

Start by contacting your SAP ECS representative again and request the "Amazon Connectivity Questionnaire" for adding an Amazon Site-to-Site VPN connection to your RISE on Amazon setup. Inform SAP of your intent to implement the VPN as a failover to your Direct Connect links.

Complete the SAP Questionnaire

When filling out the Amazon Connectivity Questionnaire this time, specify that you want to set up an Amazon Site-to-Site VPN in addition to the Direct Connect connections.

In the Amazon Connectivity Questionnaire, you’ll need to provide the following information about the VPN connection in addition to the details filled out for the DX:

  • Customer VPN Gateway details such as the make and model of your customer gateway device(s)

  • Customer VPN Gateway Internet facing public IP Address

  • Type of Routing (static / dynamic)

  • BGP ASN for Dynamic Routing (Customer gateway ASN for BGP. Only 16 bit ASN is supported.)

  • ASN for the Amazon side of the BGP session (16- or 32-bit ASN)

  • Customer Side BGP Peer IP-address (if different from VPN peer IP provided)

  • Second Public IP Address (OPTIONAL: only if active-active mode is used)

  • Customer on-premises network IP ranges

Submit the completed questionnaire to SAP. They will then create the VPN connection and provide you with the configuration details.

SAP’s Responsibilities

After you submit the completed questionnaire, SAP will handle the following tasks (the list below is illustrative only for this context):

  • Create the customer gateway (with the information you provided, such as BGP ASN, IP address, and optional private certificate)

  • Create the Amazon Site-to-Site VPN and attach it to the RISE with SAP Transit Gateway and your customer gateway

  • Provide the VPN configuration file for you to set up on your on-premises router

  • If you need SAP to provision the Transit Gateway in the RISE VPC, add the necessary routes to the Transit Gateway route table and update the security groups

Using the information received from SAP, configure the VPN tunnels on your on-premises router. Implement routing policies to prefer the Direct Connect connection over the VPN as the primary path. On the Amazon side this preference is automatic: for the same prefix, routes learned over Direct Connect are preferred over routes learned over Site-to-Site VPN.

Use the VPN configuration file SAP provides (generated for your customer gateway device make and model) and refer to the Amazon documentation on customer gateway device configuration for Site-to-Site VPN for guidance on the necessary settings.

Test and Verify Connections

Coordinate with SAP to enable the VPN connection and verify end-to-end connectivity. Test failover scenarios by simulating a Direct Connect failure and ensure traffic properly fails over to the VPN.

Confirm with SAP that the failover is working as expected for both the Direct Connect and VPN paths.
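The following added example (not code from the original page, SAP, or Amazon) simulates, on constructed routes, the three selection points that the Option 1 and Option 2 procedures ask you to configure and then test: the on-premises router's BGP best path towards the RISE VPC with two Direct Connect links active/active and the VPN tunnels as backup; the effect of the 7224:7100/7200/7300 communities on which Direct Connect link Amazon uses towards you; and the transit gateway's preference for a Direct Connect gateway attachment over a VPN attachment when both propagate the same prefix. Prefixes, ASNs, link and attachment names are sample values, and the medium default assumed for untagged advertisements is marked as an assumption in the code.

```python
"""Route selection deciding whether RISE traffic uses Direct Connect or the Site-to-Site VPN.

Added example; not code from the original page, SAP or Amazon. All prefixes, ASNs and
link/attachment names are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Local preference Amazon Direct Connect applies to routes tagged with these communities.
DX_COMMUNITY_LOCALPREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_DX_LOCALPREF = 200   # assumption: untagged advertisements are treated as medium
# Order in which a transit gateway prefers propagated routes to an identical prefix.
TGW_PROPAGATION_PRIORITY = {"vpc": 0, "direct-connect-gateway": 1, "connect": 2, "vpn": 3, "peering": 4}

RISE_VPC_CIDR = "10.10.0.0/16"   # constructed: RISE with SAP VPC CIDR communicated by SAP
ONPREM_CIDR = "10.200.0.0/16"    # constructed: on-premises range advertised to Amazon
SAP_TGW_ASN = 64512              # constructed: ASN of the SAP-managed transit gateway


@dataclass(frozen=True)
class Route:
    prefix: str
    link: str                    # VIF or tunnel the route was learned over
    local_pref: int
    as_path: tuple[int, ...] = ()
    med: int = 0


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(prefix)


def bgp_best_paths(routes: list[Route], destination: str) -> list[Route]:
    """BGP decision process over the routes covering `destination`: longest match, highest
    local preference, shortest AS path, lowest MED. Routes still tied are all returned, i.e.
    installed together as ECMP; that is what gives the active/active behaviour."""
    dst = ipaddress.IPv4Address(destination)
    matching = [r for r in routes if dst in _net(r.prefix)]
    if not matching:
        return []
    longest = max(_net(r.prefix).prefixlen for r in matching)
    matching = [r for r in matching if _net(r.prefix).prefixlen == longest]
    rank = lambda r: (-r.local_pref, len(r.as_path), r.med)
    best = min(rank(r) for r in matching)
    return sorted((r for r in matching if rank(r) == best), key=lambda r: r.link)


def onprem_routes(dx_a_up=True, dx_b_up=True, vpn1_up=True, vpn2_up=True) -> list[Route]:
    """Routes to the RISE VPC as learned on-premises. Policy: both Direct Connect links get
    local-pref 200 (active/active), the VPN tunnels 100 (backup only); tunnel 2 carries a
    worse MED so tunnel 1 is the active one of the active/passive pair."""
    learned = [("dx-a", dx_a_up, 200, 0), ("dx-b", dx_b_up, 200, 0),
               ("vpn-1", vpn1_up, 100, 0), ("vpn-2", vpn2_up, 100, 100)]
    return [Route(RISE_VPC_CIDR, link, lp, (SAP_TGW_ASN,), med)
            for link, up, lp, med in learned if up]


def onprem_next_hops(**link_state) -> set[str]:
    """Link(s) the on-premises router uses towards a host inside the RISE VPC."""
    return {r.link for r in bgp_best_paths(onprem_routes(**link_state), "10.10.5.7")}


def onprem_advertisements(dx_a_up=True, dx_b_up=True) -> list[Route]:
    """What the on-premises routers announce over the two Direct Connect VIFs: the /16 split
    into two /17s, each tagged 'high' on one link and 'low' on the other, so each link carries
    half of the return traffic and backs up the other half."""
    ads = [("dx-a", "10.200.0.0/17", "7224:7300"), ("dx-a", "10.200.128.0/17", "7224:7100"),
           ("dx-b", "10.200.0.0/17", "7224:7100"), ("dx-b", "10.200.128.0/17", "7224:7300")]
    state = {"dx-a": dx_a_up, "dx-b": dx_b_up}
    return [Route(prefix, link, DX_COMMUNITY_LOCALPREF.get(comm, DEFAULT_DX_LOCALPREF))
            for link, prefix, comm in ads if state[link]]


def aws_dx_link_towards(destination: str, **link_state) -> set[str]:
    """Direct Connect link(s) Amazon selects for traffic to an on-premises host."""
    return {r.link for r in bgp_best_paths(onprem_advertisements(**link_state), destination)}


def tgw_return_attachment(dx_up=True, vpn_up=True) -> str | None:
    """Attachment the SAP-side transit gateway uses for the on-premises range when the same
    prefix is propagated from both the Direct Connect gateway and the VPN attachment."""
    table = []
    if dx_up:
        table.append((ONPREM_CIDR, "direct-connect-gateway", "tgw-attach-dxgw"))
    if vpn_up:
        table.append((ONPREM_CIDR, "vpn", "tgw-attach-vpn"))
    dst = ipaddress.IPv4Address("10.200.1.1")
    cands = [t for t in table if dst in _net(t[0])]
    if not cands:
        return None
    return min(cands, key=lambda t: (-_net(t[0]).prefixlen, TGW_PROPAGATION_PRIORITY[t[1]]))[2]
```

Each function takes the link state as keyword arguments, so the failover tests the procedure calls for (one Direct Connect link down, both down, then the active VPN tunnel down) map directly to calls such as onprem_next_hops(dx_a_up=False, dx_b_up=False); compare the simulated result with what your routers and SAP observe when you run the real test.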

Maintain the Connections

Regularly review and update the configurations for both the Direct Connect and VPN connections. Coordinate any changes with SAP.

Monitor the performance and availability of both connections, and refer to the Amazon documentation on monitoring Direct Connect and VPN for best practices.

By implementing this Direct Connect with Site-to-Site VPN failover solution, you can achieve a highly resilient connectivity setup for your RISE with SAP deployment on Amazon, ensuring seamless failover and reliable network performance.