Amazon Cloud WAN - General SAP Guides
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Cloud WAN

Amazon Cloud WAN is a managed wide-area networking (WAN) service designed to simplify the process of building, managing, and monitoring unified global networks that connect cloud and on-premises resources. It enables organizations to centrally connect data centers, branch offices, remote sites, and Amazon Virtual Private Clouds (VPCs) across the Amazon global backbone, using a centralized dashboard and policy-driven automation. For more information, see Amazon Cloud WAN documentation.

Connecting to RISE from on-premises using Amazon Cloud WAN in your Amazon account

To establish a connection with RISE Environment (Amazon account managed by SAP), create and share Amazon Cloud WAN via Amazon Resource Access Manager (RAM) in your Amazon account. Afterwards, SAP will accept the shared Cloud WAN and create an VPC attachment to enable traffic flow through an entry in route table. As Amazon Cloud WAN resides in your Amazon account, you can retain control over traffic routing.

Here is high level step-by-step guide to create Cloud WAN global:

  1. In Amazon Network Manager, create a global network and associated core network.

  2. Create a Core Network Policy (CNP) that defines segments, Autonomous System Number (ASN) range, Amazon Regions and tags to be used to attach to segments.

  3. Apply the network policy.

  4. Share the core network using the resource access manager with SAP ECS that manages RISE with SAP Account.

  5. Create and tag attachments.

  6. Update routes in your attached VPCs to include the core network.

You can find out more details from these documentations:

Cloud WAN

  1. Attaching Amazon Site-to-Site VPN (S2S VPN) to Amazon Cloud WAN – Create a Site-to-Site VPN connection with Target Gateway Type set to Not Associated. You can create an Amazon S2S VPN attachment for Amazon Cloud WAN under Site-to-Site VPN connections from the Amazon VPC console. Once the Amazon S2S VPN is created, you can attach it to Amazon Cloud WAN core network. For more information, see How Site-to-Site VPN connection can be created for Amazon Cloud WAN.

  2. Attaching Amazon Direct Connect gateway with Amazon Cloud WAN – Create a Direct Connect gateway with a transit virtual interface and attach Cloud WAN to Direct Connect gateway which exist in your Amazon Account. For more information, see Amazon Cloud WAN attachment to a Direct Connect gateway. For detailed steps to create the transit virtual interface for Direct Connect Gateway, you can refer to Amazon documentation - Create a transit virtual interface to the Amazon Direct Connect gateway.

You can estimate the costs of deploying Amazon Cloud WAN from the pricing documentation. Below are pricing examples for you to consider.

Scenario A. Amazon Cloud WAN connecting two VPCs in same Region

Cloud WAN connecting two VPCs in same Region

Pricing example – Amazon Cloud WAN connecting two VPCs in same Regions

[note: cost between Amazon Regions vary. For more information see: Amazon EC2 pricing Data Transfer]

100GB of data sent from a VPC in Region X in the Amazon account – managed by SAP via Cloud WAN that resides in the Amazon account – managed by customer ending at a VPC managed by customer.

100GB * $0.02 per-GB = $2 (Cloud WAN data processing) (Billed to Amazon account – managed by SAP)

Apart from data processing there would be VPC attachment cost to Amazon account – managed by SAP. Cloud WAN pricing would vary depending upon region where SAP VPC is attached to Cloud WAN.

For example, SAP VPC is in Region US East (N. Virginia). You pay $0.065 per hour for VPC attachments in the US East (N. Virginia) Region.

$0.065 * 730 = $47.45 (Monthly fixed cost billed to Amazon account , managed by SAP)

Hence the total cost = $49.45

Data processing and VPC Attachment costs are charged to the VPC owner who sends the traffic to Amazon Cloud WAN. As the sending VPC is residing in the Amazon account – managed by SAP and the cost for data transfer is included in the RISE subscription, thus the Amazon account – managed by Customer will not incur data transfer and attachment cost for this example.

The Amazon account - managed by customer will only be billed for the price Cloud WAN per VPC attachment per hour. Data out of an AZ will always go via Cloud WAN endpoint in that AZ to reach other VPC, so there is no cross AZ Data Transfer costs.

Scenario B. Amazon Cloud WAN connecting two VPCs in different Regions

Cloud WAN connecting two VPCs in different Regions

Pricing example – Amazon Cloud WAN connecting two VPCs in different Regions

[note: cost between Amazon Regions vary. For more information see: Amazon EC2 pricing Data Transfer]

100GB of data sent from a VPC in region Y in the Amazon account - managed by Customer via Amazon Cloud WAN to Amazon Account - managed by SAP in different region X.

100GB * $0.02 per-GB = $2 (Cloud WAN data processing) + 100GB * ($0.01 - $0.138 per-GB) = $1 - $13.8 (Region out) = $3 - $15.8 (Total - billed to Amazon account – managed by Customer)

Data processing is charged to the VPC owner who sends the traffic to Cloud WAN. As the sending VPC is residing in the Amazon account – managed by customer all data transfer costs for this example are billed to the Amazon account – managed by Customer. In addition, the Amazon account – managed by Customer will be billed for the price per VPC attachment per hour in region Y. VPC attachment charges in Region X would be charged to Amazon account – managed by SAP and the charges are included in the RISE subscription.