Connecting to RISE using SD-WAN - General SAP Guides

Connecting to RISE using SD-WAN

What is SD-WAN

Software-Defined Wide Area Networking (SD-WAN) is a networking technology that uses software to manage and route traffic across different networks, such as Multiprotocol Label Switching (MPLS), the public internet, or the Amazon backbone, with the goal of improving connectivity and application performance. SD-WAN primarily operates at Layer 3 (the Network Layer) of the OSI model, offering centralized control, routing, path selection, IP-based policies, and the ability to prioritize specific mission-critical applications such as SAP, which makes it well suited for cloud-based RISE with SAP environments.

Although SD-WAN operates primarily at Layer 3, running as an overlay network over transports such as broadband internet, it can also use Layer 2 (Data Link) technologies such as Amazon Direct Connect, or Layer 3 (Network) technologies such as Amazon Site-to-Site VPN, as the underlay network for transport.

In an SD-WAN architecture, an SD-WAN headend acts as the hub or centralized network component, while SD-WAN edge devices deployed at branch offices, remote sites, or data centers serve as the entry and exit points for WAN traffic.

For more detailed information, see Reference Architectures for Implementing SD-WAN Solutions on Amazon.

Scenario A: SD-WAN appliances (edge and/or headend/hub) on-premises

Amazon Transit Gateway Connect allows you to extend your SD-WAN network to Amazon using GRE (Generic Routing Encapsulation) tunnels without needing additional Amazon infrastructure. Through a Transit Gateway Connect peer, you can establish GRE tunnels between the transit gateway in your Amazon account and the on-premises SD-WAN appliance, which are connected via an Amazon Direct Connect connection as the underlying transport.

The appliance must be configured to send and receive traffic over a GRE tunnel to and from the transit gateway using the Connect attachment. The appliance must be configured to use BGP (Border Gateway Protocol) for dynamic route updates and health checks.

Each connection can be configured with its own route table and BGP peer, enabling you to extend your on-premises network segmentation via Virtual routing and forwarding (VRF) to Amazon. The RISE with SAP VPC is attached to the Amazon Transit Gateway.

This setup provides a streamlined way to connect your SD-WAN environment with RISE with SAP on Amazon using Amazon Direct Connect, maintaining network separation while simplifying the overall architecture.
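The Connect attachment, the GRE/BGP Connect peer and the per-VRF route tables described above can be planned and sanity-checked before anything is created. The following Python script is an added example, not code from this guide or from AWS or SAP: it validates the Connect peer parameters, renders the AWS CLI calls, and runs a route-leak check across segmented transit gateway route tables (the leak check goes beyond the page, which only states that each connection can have its own route table and BGP peer). All addresses, ASNs, attachment IDs and route tables are constructed sample values; the reserved 169.254.0.0/16 blocks and the layout of the /29 inside CIDR (transit gateway on the first two host addresses, appliance on the third) are taken from the Transit Gateway Connect documentation as I recall it and should be checked against the current docs and against what `describe-transit-gateway-connect-peers` returns. The same `create-transit-gateway-connect` call serves Scenario B by passing the VPC attachment ID as the transport attachment.

```python
"""Plan and sanity-check Transit Gateway Connect peers and segmented route tables.

Added example, not code from the guide, AWS or SAP. Assumptions are marked.
"""
import ipaddress

# Connect peer inside CIDRs come from this link-local range. The reserved blocks
# below are as documented for Connect peers (verify against the current docs).
INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")
RESERVED_INSIDE_BLOCKS = [ipaddress.ip_network(b) for b in (
    "169.254.0.0/28", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")]


def plan_connect_peer(transit_gateway_address, peer_address, inside_cidr, peer_asn):
    """Validate one GRE/BGP Connect peer and return its address plan.

    transit_gateway_address and peer_address are the GRE outer (underlay)
    addresses; the transit gateway one must come from the transit gateway's
    CIDR block. inside_cidr is the /29 carried inside the tunnel. Assumed
    layout: the transit gateway uses the first two host addresses for its two
    BGP sessions and the appliance uses the third.
    """
    tgw_outer = ipaddress.ip_address(transit_gateway_address)
    peer_outer = ipaddress.ip_address(peer_address)
    inside = ipaddress.ip_network(inside_cidr)  # raises ValueError if host bits are set
    if inside.prefixlen != 29 or not inside.subnet_of(INSIDE_RANGE):
        raise ValueError(f"inside CIDR must be a /29 within {INSIDE_RANGE}: {inside}")
    if any(inside.overlaps(r) for r in RESERVED_INSIDE_BLOCKS):
        raise ValueError(f"inside CIDR overlaps a reserved block: {inside}")
    if tgw_outer == peer_outer:
        raise ValueError("GRE outer addresses must differ")
    if not 1 <= peer_asn <= 4294967294:
        raise ValueError(f"BGP ASN out of range: {peer_asn}")
    hosts = list(inside.hosts())
    return {"gre_outer": (str(tgw_outer), str(peer_outer)),
            "tgw_bgp_addresses": [str(hosts[0]), str(hosts[1])],
            "appliance_bgp_address": str(hosts[2]),
            "peer_asn": peer_asn}


def cli_commands(transport_attachment_id, peers):
    """Render the AWS CLI calls: one Connect attachment over the given transport
    attachment (Direct Connect gateway attachment in Scenario A, VPC attachment
    in Scenario B), then one Connect peer per VRF. The Connect attachment ID
    returned by the first call is left as a placeholder in the peer calls."""
    cmds = ["aws ec2 create-transit-gateway-connect "
            f"--transport-transit-gateway-attachment-id {transport_attachment_id} "
            "--options Protocol=gre"]
    for name, p in peers.items():
        plan = plan_connect_peer(**p)
        cmds.append("aws ec2 create-transit-gateway-connect-peer "
                    "--transit-gateway-attachment-id <CONNECT-ATTACHMENT-ID> "
                    f"--transit-gateway-address {plan['gre_outer'][0]} "
                    f"--peer-address {plan['gre_outer'][1]} "
                    f"--inside-cidr-blocks {p['inside_cidr']} "
                    f"--bgp-options PeerAsn={plan['peer_asn']}  # VRF {name}")
    return cmds


def find_route_leaks(route_tables, segment_policy):
    """Return (table, prefix, source) for every route in a segment's transit
    gateway route table that is not covered by that segment's allowed prefixes.
    With one route table per VRF, a hit means a prefix crossed segments."""
    leaks = []
    for table, routes in route_tables.items():
        allowed = [ipaddress.ip_network(p) for p in segment_policy.get(table, ())]
        for kind in ("propagated", "static"):
            for prefix, source in routes.get(kind, {}).items():
                if not any(ipaddress.ip_network(prefix).subnet_of(a) for a in allowed):
                    leaks.append((table, prefix, f"{kind}:{source}"))
    return sorted(leaks)


# Constructed sample: two on-premises VRFs (sap-prod, corp-it) extended over one
# Connect attachment, each with its own Connect peer and route table.
PEERS = {
    "sap-prod": dict(transit_gateway_address="192.0.2.10", peer_address="198.51.100.10",
                     inside_cidr="169.254.100.0/29", peer_asn=65010),
    "corp-it": dict(transit_gateway_address="192.0.2.11", peer_address="198.51.100.11",
                    inside_cidr="169.254.100.8/29", peer_asn=65010),
}
SEGMENT_POLICY = {  # prefixes each route table may carry: the VPC plus its own VRF
    "rt-sap-prod": {"10.10.0.0/16", "10.200.0.0/16"},
    "rt-corp-it": {"10.20.0.0/16", "10.210.0.0/16"},
}
ROUTE_TABLES = {  # as read back; 10.210.5.0/24 has leaked into the SAP segment
    "rt-sap-prod": {"propagated": {"10.200.0.0/16": "sap-prod", "10.210.5.0/24": "corp-it"},
                    "static": {"10.10.0.0/16": "rise-vpc-attachment"}},
    "rt-corp-it": {"propagated": {"10.210.0.0/16": "corp-it"},
                   "static": {"10.20.0.0/16": "it-vpc-attachment"}},
}

if __name__ == "__main__":
    for cmd in cli_commands("tgw-attach-EXAMPLE", PEERS):
        print(cmd)
    for leak in find_route_leaks(ROUTE_TABLES, SEGMENT_POLICY):
        print("route leak:", leak)
```

Run it as a script to see the rendered CLI calls and the one leaked prefix in the sample. In practice you would feed `find_route_leaks` the output of `search-transit-gateway-routes` for each route table, so that a BGP advertisement that crossed VRFs (for example through a misconfigured route-table propagation) is caught before it reaches the RISE with SAP VPC.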

In this scenario, the overlay network is SD-WAN (with GRE tunnels) with the headend/hub or edge devices deployed on-premises, and the underlay transport is Amazon Direct Connect.

Pattern A-1: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with your Amazon landing zone

SD-WAN devices integration with Transit Gateway and Direct Connect with your landing zone

The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. You can create Transit Gateway connect attachments using an Amazon Direct Connect connection as underlying transport in your Amazon account.

Outbound from RISE with SAP VPC:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the Direct Connect connection as the underlay transport and connects the Transit Gateway to the corporate data center SD-WAN device with GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

  1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

  2. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

Pattern A-2: SD-WAN devices integration with Amazon Transit Gateway and Amazon Direct Connect with no Amazon landing zone

SD-WAN devices integration with Transit Gateway and Direct Connect with no landing zone

The preceding diagram illustrates a pattern of how you can extend and segment your SD-WAN traffic to Amazon without adding extra infrastructure. In RISE with SAP, you can request SAP to create Transit Gateway connect attachments using a Direct Connect connection as underlying transport. Customers can leverage SAP-managed Direct Connect gateway (DXGW) if required.

Outbound from RISE with SAP VPC:

  1. Traffic initiated from RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the Direct Connect connection as transport and connects the Transit Gateway to the corporate data center SD-WAN device using GRE tunneling and BGP.

Inbound to RISE with SAP VPC:

  1. Traffic from the corporate data center SD-WAN device to the RISE VPC is forwarded to the Transit Gateway via the GRE tunnel of the Transit Gateway attachment over the Direct Connect link.

  2. Transit Gateway forwards the traffic to the destination RISE with SAP VPC.

Scenario B: SD-WAN appliances (edge and/or headend/hub devices) in Amazon

In this scenario, the virtual appliances of the SD-WAN network are deployed in a VPC within Amazon. Then, you use a VPC attachment as underlying transport for the Transit Gateway connect attachment between the SD-WAN virtual appliances and the Transit Gateway in your Amazon account(s). Similar to Scenario A, Transit Gateway connect attachments support GRE for higher bandwidth performance compared to a VPN connection. It supports BGP for dynamic routing and removes the need to configure static routes. In addition, its integration with Transit Gateway Network Manager provides advanced visibility through global network topology, attachment level performance metrics, and telemetry data.

Between on-premises and Amazon, the overlay network is SD-WAN with GRE or IPsec tunnels with the headend/hub deployed within Amazon, and the underlay transport could be the internet, MPLS, or Direct Connect. Following are the architecture patterns under this scenario:

Note: The network patterns covered in the following sections are applicable only with your existing or a new landing zone setup on Amazon. For SD-WAN appliance deployment and connectivity directly with an SAP-managed Amazon account, refer to Pattern A-2.

Pattern B-1: SD-WAN appliances in Amazon integrated with Amazon Transit Gateway Connect with your Amazon landing zone

SD-WAN appliances integrated with Transit Gateway and Direct Connect with your landing zone

The preceding diagram illustrates a pattern of integrating your SD-WAN network with Transit Gateway using connect attachments and placing (third-party) virtual appliances of the SD-WAN network in an Appliance VPC within Amazon. It's common to have SD-WAN edge appliances deployed at branch locations and at the on-premises data center to create a full mesh topology.

Outbound from RISE with SAP:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway.

  2. The Transit Gateway connect attachment uses the VPC attachment as transport and connects Transit Gateway to the third-party appliance in the Appliance VPC using GRE tunneling and BGP.

  3. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE with SAP:

  1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the Appliance VPC via the SD-WAN overlay over the Direct Connect link.

  2. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via the connect attachment.

  3. Transit Gateway forwards the traffic to the destination RISE VPC.

Pattern B-2: SD-WAN appliances in Amazon integrated with Amazon Site-to-Site VPN

SD-WAN appliances integrated with Site-to-Site VPN

The preceding diagram illustrates a pattern of integrating your SD-WAN network with Transit Gateway using an Amazon Site-to-Site VPN connection and placing (third-party) virtual appliances of the SD-WAN network in an Appliance VPC within Amazon. You may use this option when your third-party virtual appliance does not support GRE. It's common to have SD-WAN edge appliances deployed at branch locations and at the on-premises data center to create a full mesh topology.

Outbound from RISE with SAP:

  1. Traffic initiated from the RISE VPC to the corporate data center is routed to the Transit Gateway Elastic Network Interface (TGW ENI).

  2. The traffic is routed between the Transit Gateway and the third-party virtual appliance using the Site-to-Site VPN connection.

  3. The third-party virtual appliance encapsulates the traffic, which uses the SD-WAN overlay – on top of the Direct Connect link – to reach the corporate data center.

Inbound to RISE with SAP:

  1. Traffic from branches outside Amazon to the RISE VPC reaches the internet gateway of the appliance VPC via the SD-WAN overlay over the internet. Similarly, traffic from the corporate data center to the RISE VPC reaches the virtual private gateway of the appliance VPC via the SD-WAN overlay over the Amazon Direct Connect link.

  2. The third-party virtual appliance in the appliance VPC forwards the traffic to the Transit Gateway via the Site-to-Site VPN connection.

  3. Transit Gateway forwards the traffic to the TGW ENI of the destination RISE VPC.