4.3 RISE PCE CAA Connectivity - Options - Wave 4


[Process-flow figure: Initial Signoff, Technical Analysis / Discovery, Sizing and Technical Assessment (you are here), Migration Planning, Readout, Onboarding]

RISE with SAP S/4HANA Cloud, private edition


Sales & Services Authorization Enablement
Connectivity Options
Cloud Architecture & Advisory Team (CAA), March 2023

INTERNAL – Authorized for Partners


Learning Objectives

RISE with SAP S/4HANA Cloud, private edition, will hereafter be referred to as “PCE”.

After finishing this course, you should be able to:

➢ Explain customer and network segregation

➢ Discuss connectivity options for the SAP multi-cloud strategy

➢ Explain an example PCE Landscape

➢ Explain DNS and demarcation

➢ Explain connectivity scope and components for Azure, AWS, and GCP

© 2023 SAP SE or an SAP affiliate company. All rights reserved. | INTERNAL - SAP and Partners Only 2
Reference Architecture: Customer and Network Segregation

[Figure: three isolated customer landscapes (Customer 1, 2, 3), each linked to its own onsite network (Branch 1, Branch 2, Main Site); a shared on-demand public internet entry made of Admin Firewall, Reverse Proxy Farm, Web Application Firewall and Strong Authentication; shared SAP administrative infrastructure and management networks (SAP Corporate Network, Administrative Jump Host, Strong Authentication); IaaS administration through Platform & API Management towards the IaaS DC.]

Integration (on-demand public internet access)
◼ Each customer is isolated from the internet.
◼ Access to a customer's systems from the internet is only possible with 2-factor authentication, through the reverse proxy farm and Web Application Firewall.

Customer Isolation
◼ Each customer receives their own isolated landscape.
◼ Each customer's landscape is fully integrated into the customer corporate network using SAP Cloud Peering, MPLS or VPN links.
◼ At least one Site-to-Site connection is mandatory.

Administration
◼ Administration is done using shared administrative infrastructure and management networks (administrative jump host, strong authentication).

IaaS Administration
◼ Restricted to very limited SAP administrators; used only in rare cases, e.g. applying new storage.
◼ Relevant only in case of IaaS involvement.
◼ IaaS-specific connectivity, e.g. AWS Direct Connect, Microsoft Azure ExpressRoute, etc.
Multi-cloud strategy

[Figure: RISE with SAP S/4HANA Cloud, private edition in the centre, with SAP Web Dispatcher as the HTTPS entry point, and four connection patterns: Connect, Extend, Integrate, Build.]
▪ Extend / Integrate / Build: SAP Business Technology Platform reaches PCE through the Cloud Connector over a secure tunnel (internet); applications consume OData over https with SSO.
▪ Integrate: SAP and non-SAP cloud applications connect point-to-point over the internet using https with SSO.
▪ Connect: the customer onsite network connects via VPN, MPLS, Cloud Peering or hyperscaler-specific links, carrying https, RFC, SNC, sFTP and SSO traffic.
High-level example landscape

[Figure: customer segments as per the SAP Cloud Reference Architecture. Recoverable elements:]
▪ External zone (*.customerdomain.com / *.sap.ondemand.com): inbound from users and web services is HTTPS only; the external perimeter provides SSL termination, WAF and load balancing; URL pattern https://<tier>.<external domain>*. Outbound external traffic is encrypted.
▪ Internal zone (*.sap.[customer].[*]): shared HTTP(s) load balancers (inbound decrypt, outbound encrypt) in front of the DEV, QA and PRD front-ends; internal DNS; back-end DEV, QA and PRD with Web Dispatcher, VM/host and DB; in/outbound LB certificate.
▪ Customer on-prem: customer IT services and on-prem systems connected over the Site-to-Site link; SAP Cloud Connectors, trusted RFCs, SAProuter and other protocols traverse the internal path over HTTPS.
▪ Cloud Service Backbone: shared DNS and HTTPS connectivity.
Typical DNS Configuration

[Figure: DNS zone delegation between the customer onsite DNS servers and the customer-dedicated DNS servers in the PCE landscape, with the primary and DR CNAME mappings.]
▪ The customer onsite DNS servers (primary and secondary) own *.<customer>.<*> and delegate the sub-zone *.sap.<customer>.<*> to the customer's DNS servers (primary and secondary) in PCE.*
▪ User access: users always access the new virtual name <virtual hostname>.sap.<customer>.<*>, never the physical name of the primary or DR server. Existing SAP application names of the form <hostname>.<customer>.<*> are replaced by the virtual name for user access.
▪ Primary CNAME mapping: <virtual hostname>.sap.<customer>.<*> points to <virtual hostname>.<loc1>.<customer>.<*> (primary server).
▪ DR CNAME mapping: in a disaster-recovery event the same virtual name is repointed to <virtual hostname>.<loc2>.<customer>.<*> (DR server), so clients need no reconfiguration.

* Customer to provide bi-directional communication on Port 53 (TCP/UDP)
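The delegation and CNAME pattern above, modelled in code as an added illustration (this is not SAP tooling or configuration from the slide): the onsite zone delegates the sap sub-zone, the PCE zone holds the CNAME for the virtual name, and the DR switch is a single CNAME change. The zone contents, the names customer.example / loc1 / loc2 / erp and all addresses are constructed; the resolver picks the zone by longest suffix, which is how a delegated sub-zone wins over its parent, and refuses CNAME loops.

```python
"""Model of the PCE DNS pattern: the customer onsite zone delegates the
"sap" sub-zone to the customer-dedicated DNS servers in PCE, and the
virtual host name users address is a CNAME that is repointed from the
primary site (loc1) to the DR site (loc2).

Added illustration, not SAP tooling. Zone contents, the names
customer.example / loc1 / loc2 / erp and the addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    origin: str                                  # e.g. "customer.example"
    records: dict = field(default_factory=dict)  # (owner, type) -> [rdata]

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.records.setdefault((owner.lower(), rtype), []).append(rdata)

    def set_cname(self, owner: str, target: str) -> None:
        """Replace the CNAME for owner; this single change is the DR switch."""
        self.records[(owner.lower(), "CNAME")] = [target]

    def lookup(self, owner: str, rtype: str) -> list:
        return list(self.records.get((owner.lower(), rtype), []))


class Resolver:
    """Follows CNAME chains across zones. Zone choice is longest-suffix
    match, which is how a delegated sub-zone takes precedence over its
    parent zone."""
    MAX_CHAIN = 8

    def __init__(self, zones):
        self.zones = zones

    def zone_for(self, name: str):
        hits = [z for z in self.zones
                if name == z.origin or name.endswith("." + z.origin)]
        return max(hits, key=lambda z: len(z.origin)) if hits else None

    def resolve(self, name: str, rtype: str = "A"):
        """Return (canonical name, rdata list) or raise LookupError."""
        name = name.lower()
        seen = set()
        for _ in range(self.MAX_CHAIN):
            if name in seen:
                raise LookupError(f"CNAME loop at {name}")
            seen.add(name)
            zone = self.zone_for(name)
            if zone is None:
                raise LookupError(f"no zone serves {name}")
            cname = zone.lookup(name, "CNAME")
            if cname:
                name = cname[0].lower()      # keep walking the chain
                continue
            return name, zone.lookup(name, rtype)
        raise LookupError("CNAME chain too long")


VHOST = "erp.sap.customer.example"       # the "new virtual name" users use
PRIMARY = "erp.loc1.customer.example"    # primary server (assumed name)
DR = "erp.loc2.customer.example"         # DR server (assumed name)


def build_landscape():
    """Onsite zone owns customer.example and delegates sap.customer.example;
    the PCE zone holds the CNAME mapping the virtual name to a site."""
    onsite = Zone("customer.example")
    onsite.add("sap.customer.example", "NS", "ns1.sap.customer.example")
    onsite.add("sap.customer.example", "NS", "ns2.sap.customer.example")
    onsite.add(PRIMARY, "A", "10.1.0.10")  # constructed addresses
    onsite.add(DR, "A", "10.2.0.10")

    pce = Zone("sap.customer.example")
    pce.add("ns1.sap.customer.example", "A", "10.1.0.53")
    pce.add("ns2.sap.customer.example", "A", "10.2.0.53")
    pce.set_cname(VHOST, PRIMARY)          # primary CNAME mapping
    return onsite, pce


def delegation_ok(onsite: Zone, pce: Zone) -> bool:
    """The parent must delegate the sub-zone and every delegated name
    server must have an address; a missing NS or glue record is a common
    reason resolution works from one side of the Port 53 link only."""
    ns = onsite.lookup(pce.origin, "NS")
    return bool(ns) and all(pce.lookup(n, "A") for n in ns)


def resolve_virtual_name(dr: bool = False):
    """Resolve the name users always use, before or after the DR switch."""
    onsite, pce = build_landscape()
    if dr:
        pce.set_cname(VHOST, DR)           # DR CNAME mapping
    return Resolver([onsite, pce]).resolve(VHOST)


def loop_detected() -> bool:
    """A mis-edited DR switch pointing the virtual name at itself must
    fail fast instead of recursing."""
    onsite, pce = build_landscape()
    pce.set_cname(VHOST, VHOST)
    try:
        Resolver([onsite, pce]).resolve(VHOST)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print("primary:", resolve_virtual_name())
    print("after DR switch:", resolve_virtual_name(dr=True))
    print("delegation ok:", delegation_ok(*build_landscape()))
```

The point a practitioner should take from this is that the client-facing name never changes: the DR flip is one record in the delegated zone, and the delegation check (NS plus addresses for the name servers, reachable in both directions on port 53) is what has to be verified before go-live.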
Network connectivity points of demarcation

[Figure only; of its labels only "PCE Backbone Network" survived extraction.]
High-level network overview @ Azure

[Figure: SAP PCE on Azure (HANA Enterprise Cloud with Azure). Recoverable elements:]
▪ Customer isolation: a dedicated Azure subscription per customer.
▪ Gateway subnet: ExpressRoute and VPN Gateway terminate the on-premises connection; VNET Peering to a customer subscription where applicable.
▪ Public subnet: Application Gateway + WAF for inbound HTTP(s); Standard Load Balancer (SLB, S-NAT) for outbound internet access.
▪ Private subnets: the production (Cloud Edition) subnet with the customer instances; backbone services such as dedicated DNS; connectivity instances (CGS) carrying https and non-http(s) traffic from the VPN/ExpressRoute path.
▪ On-demand public internet access: outbound HTTP(s) and non-HTTP(s); inbound HTTP(s) only.

*** Typical scenario. Some variances may occur with Internet Architecture.
Network Connectivity scope (Azure)

▪ The following network scope and additional services are included in the PCE scope by default
▪ Customers are required to provide a /22 (non-overlapping) IP range for each site
▪ SAP inherits Azure SLAs

SAP Connectivity Service                       | Service (Azure package)                                   | Amount Primary DC | Amount Secondary DC
-----------------------------------------------|-----------------------------------------------------------|-------------------|--------------------
Site to Site VPN                               | WAN Azure VPN package 650 MBit/s including 1 TB traffic   | 1                 | 1
1 TB Egress for VPN                            | WAN Azure VPN 1 TB additional internet traffic package    | 1                 | 1
Express Route Gateway                          | WAN Azure ExpressRoute 1 Gbit/s gateway package           | 1                 | 1
2 TB egress for Express Route                  | WAN Azure ExpressRoute 1 TB additional traffic package    | 2                 | 2
200 Mbit/s Bandwidth / Port for Express Route  | WAN Azure ExpressRoute 100 Mbit/s port speed package      | 2                 | 2
2 TB egress for VNET peering                   | WAN Azure VNet Peering 1 TB traffic package               | 2                 | 2
2 TB egress for Global VNET peering            | WAN Azure global VNet Peering 1 TB traffic package        | 2                 | 2

Additional services                | Service                                            | Amount Primary DC | Amount Secondary DC
-----------------------------------|----------------------------------------------------|-------------------|--------------------
AAG external inbound Non-Prod      | Azure Loadbalancer package including 1 TB traffic  | 1                 |
Azure SLB inbound                  | Azure Loadbalancer package including 1 TB traffic  | 1                 |
Azure SLB Inbound (DR)             | Azure Loadbalancer package including 1 TB traffic  |                   | 1
AAG external inbound Prod          | Azure Loadbalancer package including 1 TB traffic  | 2                 | 2
Azure SLB Outbound                 | Azure Loadbalancer package including 1 TB traffic  | 1                 |
Azure SLB Outbound (DR)            | Azure Loadbalancer package including 1 TB traffic  |                   | 1
Additional traffic estimated       | Azure Loadbalancer package including 1 TB traffic  | 1                 | 1

(AAG = Azure Application Gateway. The flattened source gives a single amount for the single-DC rows; the rows marked (DR) are read as belonging to the secondary DC.)
Example of Customer Network Setup: AWS

[Figure: the RISE with SAP S/4HANA Cloud, private edition VPC in an AWS <<Region>> spans two Availability Zones, each with a production subnet holding Cloud Connector, Web Dispatcher, S/4HANA and HANA DB (S/4), with a Load Balancer in front. The customer HQ or DC connects over AWS Direct Connect and/or a site-to-site VPN tunnel (IPsec); customer remote offices are also shown; internet users reach the landscape over HTTPS only. A customer subscription in AWS (own VPC, if applicable) connects via VPC Peering. The legend distinguishes SAP's responsibility from the customer's responsibility.]

▪ AWS Direct Connect: the customer network must support Border Gateway Protocol (BGP) with MD5 authentication.

Notes:
▪ This is the typical deployment architecture for RISE with SAP S/4HANA Cloud, private edition in AWS; however, some variances may occur with the Internet Architecture.
▪ At least one site-to-site connection is mandatory.
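What "BGP with MD5 authentication" on the Direct Connect link actually protects is the TCP session that carries BGP, using the RFC 2385 TCP MD5 signature option. The following is an added illustration, not SAP or AWS code: it signs and verifies a BGP KEEPALIVE segment so the reader can see what the shared key binds (both endpoint addresses through the pseudo-header, the fixed TCP header and the payload) and what a receiver rejects. Addresses, ports, sequence numbers, the key and the KEEPALIVE bytes are constructed; IP framing and the TCP checksum are out of scope.

```python
"""RFC 2385 TCP MD5 signature for a BGP segment.

Added illustration, not SAP or AWS code. Addresses, ports, sequence
numbers, key and payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19      # option kind defined by RFC 2385
TCPOPT_NOP = 1
MD5SIG_OPTLEN = 18      # kind + length + 16-byte digest

# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (constructed).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header || TCP header without options (checksum taken
    as zero) || payload || key. The segment length in the pseudo-header
    counts the whole header including options plus the payload."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def _header(sport, dport, seq, ack, flags, window, options):
    """Assemble a TCP header; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHLLBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                 payload, key):
    """Return a 40-byte TCP header carrying a valid MD5 signature option."""
    placeholder = bytes([TCPOPT_MD5SIG, MD5SIG_OPTLEN]) + b"\x00" * 16
    header = _header(sport, dport, seq, ack, flags, window,
                     placeholder + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    # Options are excluded from the digest, so it can be filled in afterwards.
    return header[:22] + digest + header[38:]


def extract_md5_option(tcp_header):
    """Walk the TCP options; return the 16-byte signature or None."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                    # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                    # malformed length
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPTLEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """True only if the segment carries a signature that matches our key
    and the addresses it arrived with. Constant-time compare so a verifier
    does not leak how many digest bytes matched."""
    sig = extract_md5_option(tcp_header)
    if sig is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    key = b"bgp-shared-secret"
    hdr = sign_segment("192.0.2.1", "198.51.100.1", 179, 49152,
                       1000, 2000, 0x18, 65535, BGP_KEEPALIVE, key)
    print("valid:", verify_segment("192.0.2.1", "198.51.100.1",
                                   hdr, BGP_KEEPALIVE, key))
    print("spoofed source:", verify_segment("192.0.2.99", "198.51.100.1",
                                            hdr, BGP_KEEPALIVE, key))
```

Because the source and destination addresses are part of the digest, a segment injected from another address fails verification even with an otherwise valid key, which is the property that makes the option useful against session resets and route injection on the peering link. The caveat a practitioner should keep in mind is that this is a shared static secret with MD5 and no key rollover mechanism, so the password must be managed like any other long-lived credential on both the customer router and the cloud side.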
Network Connectivity scope (AWS)

▪ The following network scope and additional services are included in the PCE scope by default
▪ Customers are required to provide a /22 (non-overlapping) IP range
▪ SAP inherits AWS SLAs

SAP Connectivity Service                    | Service (AWS package)                                    | Amount Primary DC | Amount Secondary DC
--------------------------------------------|----------------------------------------------------------|-------------------|--------------------
Site to Site VPN                            | WAN AWS VPN package 650 MBit/s including 1 TB traffic    | 1                 |
1 TB Egress for VPN                         | WAN AWS VPN 1 TB additional internet traffic package     | 1                 |
Direct Connect Link 200 Mb/s                | WAN AWS One Direct Connect Link 100 Mb/s package         | 2                 |
2 TB Egress for Direct Connect              | WAN AWS Direct Connect 1 TB additional traffic package   | 2                 |
2 TB Egress for intra-region VPC Peering    | WAN AWS VPC Peering 1 TB traffic package                 | 2                 |
2 TB Egress for inter-region VPC Peering    | WAN AWS Inter-Region VPC Peering 1 TB traffic package    | 2                 |

Additional services                    | Service                                          | Amount Primary DC | Amount Secondary DC
---------------------------------------|--------------------------------------------------|-------------------|--------------------
ALB Non-Prod (Internal & External)     | AWS Loadbalancer package including 1 TB traffic  | 2                 |
ALB Prod (Internal & External)         | AWS Loadbalancer package including 1 TB traffic  | 2                 |
Outbound non-http                      | AWS Loadbalancer package including 1 TB traffic  | 1                 |
Additional traffic estimated           | AWS Loadbalancer package including 1 TB traffic  | 1                 |

(The flattened source gives a single amount per row; it is read as the primary DC amount, with no secondary DC amount stated.)
Example of Customer Network Setup: GCP

[Figure: Private Cloud VPC for RISE with SAP S/4HANA Cloud, private edition on GCP. Recoverable elements:]
▪ Connectivity from the customer on-premises network (RFC 1918 addressing) over Cloud VPN or Direct/Partner Interconnect, carrying HTTPS and non-HTTPS traffic (TCP/UDP), plus VPC Peering.
▪ Production subnet with the SAP systems behind an Internal LB (HTTPS).
▪ Filestore subnet with Cloud Filestore.
▪ Public subnet: CGS servers for non-HTTPS traffic, Cloud NAT for outbound, and an External LB for inbound HTTPS from the internet, protected by Cloud Armor (WAF, IP allow/deny, custom rules etc.).

Notes:
▪ This is the typical deployment architecture for RISE with SAP S/4HANA Cloud, private edition in GCP; however, some variances may occur with the Internet Architecture.
▪ At least one site-to-site connection is mandatory.
Network Connectivity Scope (GCP)

▪ The following network scope and additional services are included in the PCE scope by default
▪ Customers are required to provide a /22 (non-overlapping) IP range for each site
▪ SAP inherits GCP SLAs

SAP Connectivity Service                          | Service (GCP package)                                   | Amount Primary DC | Amount Secondary DC
--------------------------------------------------|---------------------------------------------------------|-------------------|--------------------
Site to Site VPN                                  | WAN GCP VPN package including 1 TB traffic              | 1                 | 1
1 TB Additional Egress for VPN                    | WAN GCP VPN 1 TB additional internet traffic package    | 1                 | 1
2 x 100 Mbps (Redundant) Partner Interconnect     | WAN GCP Interconnect 100 Mbit/s bandwidth package       | 2                 | 2
2 TB egress for Partner Interconnect              | WAN GCP Interconnect 1 TB additional traffic package    | 2                 | 2
2 TB egress for VPC peering                       | WAN GCP VPC Peering 1 TB package                        | 2                 | 2

Additional services             | Service                                          | Amount Primary DC | Amount Secondary DC
--------------------------------|--------------------------------------------------|-------------------|--------------------
Inbound ILB (non-PROD)          | GCP Loadbalancer package including 1 TB traffic  | 1                 | 1
Outbound ILB                    | GCP Loadbalancer package including 1 TB traffic  | 1                 | 1
Inbound ILB (PROD)              | GCP Loadbalancer package including 1 TB traffic  | 1                 | 1
Additional traffic estimated    | GCP Loadbalancer package including 1 TB traffic  | 1                 | 1
Supporting documentation

▪ VPN questionnaire
▪ Azure/AWS/GCP connectivity questionnaires
▪ HEC DNS integration scenarios

Summary

Now, you should be able to

▪ Describe customer and network segregation

▪ Explain the connectivity options for the SAP multi-cloud strategy

▪ Walk through an example PCE landscape and discuss connectivity

▪ Discuss DNS and demarcation

▪ Explain Azure, AWS and GCP connectivity scope and components

Thank you.
Please reach out to your Regional SAP Partner CAA in case of any additional clarifications/questions
Follow us

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/trademark for additional trademark information and notices.
