Introduction

Purpose

The purpose of this document is to outline the infrastructure and network architecture for SyWay project.

Scope

This document will describe describes the high-level infrastructure and network design for SAP RISE and non-RISE deployments. It will also cover It also covers the network design for specialized integration scenarios and deployment in China region.

Out of scope:

• Infrastructure and network design for SaaS applications as infrastructure and network responsibility falls under the service provider’s responsibility.
• SD-WAN and cloud infrastructure detailed design or configurations as it will be managed by Syensqo IT and SAP RISE.
• Existing Syensqo systems in Syensqo that SyWay project will be integrating integrates with.

Overview

SyWay systems can be classified into 3 hosting models:

• SAP RISE and Azure operating model.

Assumptions

• Azure will be chosen as SyWay cloud service provider for all regions.
• Syensqo network will connect to Azure tenants via ExpressRoute for all regions
• Standard SAP RISE integration patterns will be leveraged when integrating S/4HANA, SAP connectors and SAP SaaS applications. 
• As of writing this document, there are pending architectural decisions regarding China infrastructure. These designs will be added to this document as they are finalized.

Overview

SyWay systems can be classified into 3 hosting models:

¹See KDD026 - SAP S/4HANA Deployment Model for the comparison between various deployment options for S/4HANA and the decision.

In addition to the different hosting models, SyWay systems can be deployed to 1 or more region (North America, Europe EU or to both EU and China )regions. The  The figure below describes how SyWay systems will be are deployed across Syensqo’s network.

Infrastructure Architecture

SAP RISE

Overview

S/4HANA will be the core system that will be 4HANA is hosted in SAP RISE along with supporting connectors and web dispatchers. SyWay project will would leverage a common Sandbox, Development , Integration Testing and training landscape that will be landscape that are deployed in Europe region and individual Integration Testing, Training, UAT, Parallel Testing and Production systems that will be are deployed to all 3 EU and China regions.

The table below describes lists the landscape and systems that will be hosted in the 3 , systems and the corresponding system ID (SID) for the three different regions.

 ¹System  ¹System will be shared across all non-PRD systems.

Landscape Provisioning

²SAP RISE landscape will be provisioned in stages to optimize cost. The following diagrams illustrates the systems that will be provision for the different phases.

Europe

...

S/4HANA High Availability and Disaster Recovery

In SAP RISE, High Availability (HA) and Disaster Recovery (DR) is applicable to Production instances. For SyWay project, S/4HANA will be provisioned with the following RISE add-ons.

• Short distance disaster recovery
• 99.9% SLA

With these add-ons, S/4HANA production will be deployed across 2 availability zones and with pacemaker clusters for HA.

...

The table below describe how HA is achieved for the different components.

...

requires each region to host a development system which will be used for RISE administrations (e.g., upgrades). Hence ECD and WCD will be in the landscape and will be added to the transport route but not have a system role.

³Web dispatcher will be shared between Parallel Run and Training landscape. 

Post Go-Live Landscape

Post release 4 Group 2 go-live a 4-tier landscape (DEV, QAS, PAR and PRD) will be maintained. SBX, INT and TRG landscapes will be decommissioned. 

The table below summaries the SLA for HA and DR.

SAP RISE VM Specs

<<Placeholder>>

Non-RISE

Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE will be hosted in Syensqo’s Azure subscription. The following systems are classified as Non-RISE.

• SAP WWI Server    
• SAP TM Optimizer    
• Syniti Replicate    
• Syniti Connector    
• SWIFT Connector    
• Vertex    
• NextLabs Policy Server

<<Placeholder for landscaope overview & VM details>>

Network Architecture 

Network Design

SAP RISE 

172.16.32.0/20 IP range has been allocated for for all SAP RISE provisioning. The following table lists down the IP allocation for the different subnets.

...

172.16.32.0/23.0/23

...

172.16.32.0 - 172.16.33.225

...

510

...

172.16.34.0/27

...

172.16.34.0 - 172.16.34.31

...

30

...

172.16.34.32/27

...

172.16.34.32 - 172.16.34.63

...

30

...

172.16.34.64/27

...

172.16.34.64 - 172.16.34.95

...

30

...

172.16.34.96/27

...

172.16.34.96 - 172.16.34.127

...

30

...

172.16.34.128/127

...

172.16.34.128 - 172.16.34.159

...

30

...

172.16.34.160/27

...

172.16.34.160 - 172.16.34.191

...

30

...

172.16.34.192/26

...

172.16.34.192 - 172.16.34.255

...

30

...

172.16.35.0/24

...

172.16.35.0 - 172.16.35.255

...

254

...

172.16.36.0/22

...

172.16.44.0/22

...

172.16.44.0 - 172.16.47.255

...

1022

 ¹System shared across all non-PRD systems.

²SAP RISE requires each region to host a development system which will be used for RISE administrations (e.g., upgrades). Hence ECD and WCD will be in the landscape and will be added to the transport route but not have a system role.

High Availability and Disaster Recovery

The table below summaries the SLA for HA and DR for production and non-production systems

S/4HANA

In SAP RISE, High Availability (HA) and Disaster Recovery (DR) is applicable to Production instances. For SyWay project, S/4HANA Production is provisioned with the following RISE add-ons.

• Short distance disaster recovery
• 99.9% SLA

With these add-ons, S/4HANA production is deployed across 2 availability zones with synchronous database replication and automated fail-over via pacemaker clusters as shown below.

The table below describes how HA is achieved for the different components.

SAP Connectors

Two instances of SAP Cloud connectors are deployed across 2 AZs and configured as active-standby nodes. In the event of a failure, the standby node will take over as active node

The following connectors do not have out of the box high-availability and will require SAP RISE team to manually failover the system in the event of a failure.

• SAP Data Provisioning Agent - Currently not supported (SAP Note 3275211)
• SAC Agent - Currently not supported (SAP Note 3595999)
• OpenText Connector

SAP RISE VM Details

Non-RISE

Overview

Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE, are hosted in Syensqo’s Azure subscription. The following systems are classified as Non-RISE. Depending on complexity, separate documents may be used to describe the architecture for these applications. 

Hosting Region

Following considerations were taken into account in deciding the Azure hosting regions

• NextLabs provides attribute-based access control (ABAC) and evaluates access to sensitive data during runtime execution. To prevent performance issues, NextLabs will require low latency network connection to S/4HANA.
• NextLabs have its own Azure subscription and will be hosted in the same region & physical zone as S/4HANA. vNET peering will be established between SAP RISE and NextLabs vNET to achieve low latency connectivity.
• Other applications can be hosted in region that is in line with Syensqo's Azure deployment strategy. 
• Different subscriptions will be created for different environment: non-PRD, Pre-PRD and PRD

Azure Low Level Design

Azure landscape for SyWay is managed my Syensqo IT as part of their overall Azure management. See Azure management roles and responsibility for more details. 

Following tables lists down SyWay Azure details.

VM Details

SQL Server

Shared File Systems

Network Architecture 

Europe 

The figure below describes the overall network connectivity for SAP RISE and non-RISE Azure vNETs in Europe.

SAP RISE

• SAP RISE tenant is deployed in Azure North Europe. 
• Connection SAP RISE is established via ExpressRoute which is connecting through Megaport Paris and Dublin.

Non-RISE

• Non-RISE systems will be deployed in Azure France Central. 
• Workloads are deployed to Non-PRD and PRD vNETs.
• Syensqo Azure shared services deployed in Azure France Central leveraged for SyWay non-RISE systems.
• Connection between SAP RISE and non-RISE will traverse Megaport EMEA hub.

NextLabs

• NextLabs systems will be deployed in Azure North Europe (same region as SAP RISE).
• Workloads are deployed to 4 vNETs: DEV, QAS, PAR and PRD
• Connection to Syensqo WAN will be established via Azure vWAN and ExpressRoute in Paris. 
• vNET Peering is configured between the HUB vNET and and SAP RISE, and HUB vNET and the 4 NextLabs vNETs.
• Azure firewall is deployed in the HUB vNET to route traffic between SAP RISE and NextLabs.
• Syensqo Azure shared services deployed in Azure North Europe leveraged for SyWay NextLabs systems.

China

TBC

SAP RISE ExpressRoute Design

The table below lists down the regional hub and Azure edge location for NAM, EMEA and China regions.

Europe

The following diagram describes the ExpressRoute design between Megaport and SAP RISE in EU region.  

Image Added

China

TBC

IP Allocation

The 172.16.32.0/19 IP range has been allocated for SyWay. The following table lists down the IP allocation for the different regions and subnets.

DNS Architecture

Domain Name

The following domains names are used for the respective RISE regions.

DNS Integration

2-way DNS integration is configured between Syensqo and SAP RISE DNS. 

• Syensqo DDI team has select DNS Domain Delegation as the integration method. Syensqo DNS are configured to redirect SAP RISE DNS queries to the respective SAP RISE DNS deployed in the different regions.
• SAP RISE DNS have a DNS forwarder configured to redirect all Syensqo DNS queries to the respective Syensqo regional DNS servers. 

The table below lists the Syensqo and SAP RISE DNS servers.

Network Firewall

For SyWay project, the following firewalls will be leveraged to manage the corresponding traffic.

Internet Traffic

To connect SyWay systems deployed in Azure (SAP RISE or non-RISE) and SaaS applications, a middleware (i.e., using Cloud connector and SAP Integration Suite ) based integration approach will be preferred. If the integration scenario requires direct connection between S/4HANA and SaaS applications, the following sections covers how inbound and outbound network connections can be established.    

Outbound Internet Traffic

• Outbound HTTPS traffic from SAP RISE is routed through the Customer Gateway server which has an internet proxy (Squid Proxy) installed in the VM.
• Outbound non-HTTP traffic (e.g., SDTP) from SAP RISE is NAT-ed via Azure Standard Load Balancer. 
• Outbound internet traffic from Non-RISE application is routed to Azure firewall in Syensqo Hub. 

The following outbound traffic is configured in SAP RISE.

Following is the Customer Gateway server connection details.

Inbound Internet traffic

• SAP RISE uses Azure Application Gateway with Web Application Firewall to manage inbound HTTPS traffic. Non-HTTP inbound traffic are not permitted and will required further approvals from SAP.
• For non-RISE, Syensqo's Azure DMZ which uses Azure WAF + Application Gateway will be leveraged. Incoming HTTPS will also be filtered through Azure firewall in Syensqo Hub vNET before it is routed to the non-RISE vNET. 

User Access

The following sections describes how SAP RISE and non-RISE systems are access by users within (internal) and outside (external) Syensqo network. For SaaS application access, users can access them through their existing internet access. 

These section cover the network perspective and does not include the authentication processes where single sign-on will be configured with Syensqo Identity provider.

Internal Access

End users will access SyWay systems via browser, mobile app or SAPGUI (for S/4HANA) (refer KDD036). The figure below describes the network traffic from user's terminal to SyWay systems.

SAP RISE Web Access:

• Primary mode of access for SAP RISE system is through HTTPS.  
• User's HTTPS traffic is routed from Syensqo local site network to SAP RISE through SDWAN and ExpressRoute connection. 
• In SAP RISE, Azure load balancer is provisioned to load balance the incoming HTTPS traffic to SAP web dispatchers.
• SAP web dispatchers act as  proxies and forward the request to S/4HANA application server. 

SAP RISE SAPGUI Access

• SAP administrators and support staff may access S/4HANA using SAPGUI which uses TCP protocol.
• User's SAPGUI connections are routed from Syensqo local site network to SAP RISE through SDWAN and ExpressRoute connection. 
• In SAP RISE, a pacemaker cluster is configured between SCS and ERS servers for HA and Azure load balancer is used to direct network traffic to the active SCS node.
• SCS redirects users to one of the available S/4HANA application server and there after, the communication is directly between user's SAPGUI and the application server.

Non-RISE Access:

• User traffic is routed from Syensqo local site network to Syensqo's Hub vNET through SDWAN, Megaport and ExpressRoute connection. 
• In the hub vNET, traffic is filtered through Azure firewall before being routed to Non-RISE vNET and non-RISE application.

SaaS:

• Primary mode of access for SaaS applications is via HTTPS.  
• User's HTTPS traffic is routed from Syensqo local site network to Zscaler which acts as a proxy and connects to the SaaS applications. 

External Access

No direct external access from the internet is enabled for SyWay systems hosted in RISE. Users with a Syensqo-issued device can access systems hosted in RISE from outside the Syensqo network via ZScaler Private Access (ZPA).

ZPA App Connectors will be deployed in non-RISE Azure vNET and will be registered with Syensqo's Zscaler Exchange. Users will connect from their terminal using Zscaler client connector and the network traffic will traverse as shown below. 

Anchor
Integration Integration

Integration

The following sections describes the network design and flow for the following integration scenarios.

SAP Cloud Connector

The SAP Cloud connector are deployed in SAP RISE and acts as a reverse invocation proxy to establish network connection between SAP RISE systems and SAP BTP services (Integration suite, API management, SAP Analytics Cloud etc.) and Ariba Cloud Integration Gateway (CIG). Due to its reverse invoke capabilities, the network traffic originates from SAP Cloud connector to SAP BTP and once the link as been established, data can be exchanged between SAP RISE systems and BTP. HTTPS or RFC protocols are used between SAP Cloud Connector and S/4HANA, and HTTPS protocol is used between Cloud Connector and S/4HANA.

To enable outbound internet traffic from SAP RISE, SAP has provisioned a customer gateway server (CGS) with a forward internet proxy installed on it.

Non-RISE 

<<Placeholder>>

SAP RISE Network Connectivity

North America (NAM) and Europe (EMEA) SAP RISE vNETs will be connected to Syensqo regional hub routers via ExpressRoute and Megaport Virtual Cross Connect (VXC) as shown below.

The table below lists down the regional hub and Azure edge location for NAM and EMEA regions.

...

EIM Data Provisioning Agent

EIM Data Provisioning Agent (DPA) is used to integrate S/4HANA and SAP Datasphere. The network connection to SAP Datasphere is initiated by DPA and CGS is used to facilitate the internet connection to SAP Datasphere. 

DPA uses the HTTPS or RFC protocols to communicate with S/4HANA and uses the HTTPS protocol to communicate with SAP Datasphere.   

OpenText Connector

OpenText connector facilitates the connection between S/4HANA and the OpenText cloud. The connection is initiated from S/4HANA to the OpenText connector and to OpenText cloud via CGS.

The HTTPS protocol is used for communication between all components. 

SAP Router

SAP has configured a VPN connection between the Syensqo SAP RISE tenant and SAP's Management network (used by SAP support). SAP Router is deployed in SAP RISE to manage SAP support's connection to SAP systems.

Appendix

Azure Management Roles and Responsibility 

Anchor
role_res role_res

Following is the roles and responsibility for SyWay's Azure tenants management. 

<<Placeholder for China>>

DNS Architecture

SAP RISE Domain 

The following domains will be used for the respective RISE regions.

...

*.sap.eu.cloud.syensqo.com

...

*.sap.us.cloud.syensqo.com

...

*.sap.cn.cloud.syensqo.com

DNS Integration

SAP RSIE supports 3 different DNS integration types: DNS Zone Transfer, Conditional DNS Forward and DNS Domain Delegation.

Conditional DNS forwarding has been choose for Syensqo for the following reasons:

• Reduced network traffic and complexity.
• Limits security exposure by only forwarding queries for specified domains.
• Easier to manage in the event Syensqo changes it DNS provider.
• Simple configuration and maintenance.

The table below lists down the Syensqo and SAP DNS that will be integrated.

...

Network Firewall

An active-active cluster of Palo-Alto Firewall VM-Series is deployed to North America and Europe Megaport locations along slide SD-WAN regional hub routers. The figure below illustrates the architecture Europe regional hub routers and firewall. The same architecture applies for North America.

Image Removed

Network connection to and from SyWay systems (SAP RISE and Non-RISE), will be controlled by the respective regional firewalls. To allow network connections, firewall requests for must be submitted to the network team

<<placeholder for allowed east to west traffic>> 

<<firewall request procedure>>

 Internet Traffic

All inbound and outbound internet traffic will be filtered by the firewalls hosted in Megaport except for integration scenarios mentioned in integration

Outbound Internet Traffic

...

Outbound internet traffic from SAP RISE or Syway vNET will be routed to the regional hub router and firewall. The firewall will filter the traffic before allowing it to the external application.

If the external application requires source IP to be whitelisted before accepting the connection, a public IP can be assigned at the firewall.

<<placeholder for China>> 

Inbound Internet traffic

...

Inbound traffic from external application will be filtered through the firewall before the region hub router routes it to SAP RISE or Syway vNET. The external application will need to provide a static public IP or FQDN to be whitelisted on Syensqo firewall. Syensqo firewall will also manage the public IP and translation to internal IP.

<<placeholder for China>> 

User Access

...