
Introduction

Purpose

The purpose of this document is to outline the infrastructure and network architecture for the SyWay project.

Scope

This document will describe the high-level infrastructure and network design for SAP RISE and non-RISE deployments. It will also cover the network design for specialised integration scenarios and for deployment in the China region.

Out of scope:

  • Infrastructure and network design for SaaS applications.
  • SD-WAN and cloud infrastructure detailed design or configurations.
  • Existing systems in Syensqo that the SyWay project will integrate with.
  • SAP RISE and Azure operating model.

Assumptions

  • Azure will be chosen as the SyWay cloud service provider for all regions.
  • The Syensqo network will connect to Azure tenants via ExpressRoute for all regions.
  • Standard SAP RISE integration patterns will be leveraged when integrating S/4HANA, SAP connectors and SAP SaaS applications.
  • As of writing this document, there are pending architectural decisions regarding North America, China and the RISE infrastructure. These designs will be added to this document as they are finalised.

Overview

SyWay systems can be classified into 3 hosting models:

Hosting model | Description
SAP RISE (1)  | S/4HANA and SAP applications that are hosted in SAP RISE cloud tenants and managed by SAP.
Non-RISE      | On-premise applications that cannot be hosted in SAP RISE will be hosted in Azure tenants managed by Syensqo IT.
SaaS          | Applications that follow the SaaS model and are accessed from the internet.

(1) See KDD026 - SAP S/4HANA Deployment Model for the comparison between the various deployment options for S/4HANA and the decision taken.

In addition to the different hosting models, SyWay systems can be deployed to 1 or more regions (North America, Europe and China). The figure below describes how SyWay systems will be deployed across Syensqo’s network.

Infrastructure Architecture

SAP RISE

Overview

S/4HANA will be the core system hosted in SAP RISE, along with its supporting connectors and web dispatchers. The SyWay project will leverage a common Sandbox (SBX), Development (DEV), Integration Testing (INT) and Training (TRN) landscape deployed in the Europe region, and individual UAT (QAS), Parallel Testing (PAR) and Production (PRD) systems deployed to all three regions.

The table below describes the landscapes and systems that will be hosted in the three regions.

Region        | Landscape | S/4HANA (HANA DB) | Web Dispatcher | SAP Cloud Connector | SAP Data Provisioning Agent | SAC Agent | OpenText Connector
Europe        | SBX       | ERS/HRS           | WRS            |                     |                             |           |
Europe        | DEV       | ERD/HRD           | WRD            | CRD (1)             | DRD (1)                     | SRD (1)   | ORD (1)
Europe        | INT       | ERT/HRT           | WRT            |                     |                             |           |
Europe        | TRG       | ER2/HR2           |                |                     |                             |           |
Europe        | UAT       | ERQ/HRQ           | WRQ            |                     |                             |           |
Europe        | PAR       | ER1/HR1           | WR1            |                     |                             |           |
Europe        | PRD       | ERP/HRP           | WRP & WRS      | CRP                 | DRP                         | SRP       | ORP
North America | UAT       |                   | (1)            | (1)                 | (1)                         | (1)       | (1)
North America | PAR       |                   |                |                     |                             |           |
North America | PRD       |                   |                |                     |                             |           |
China         | UAT       |                   | (1)            | (1)                 | (1)                         | (1)       | (1)
China         | PAR       |                   |                |                     |                             |           |
China         | PRD       |                   |                |                     |                             |           |

(1) System will be shared across all non-PRD systems.

Landscape Provisioning

The following diagrams illustrate the different RISE landscapes that will be provisioned for the different phases. Post go-live, the INT and PAR landscapes will be decommissioned and a 5-tier landscape will be maintained.

Europe

S/4HANA High Availability and Disaster Recovery

In SAP RISE, High Availability (HA) and Disaster Recovery (DR) are applicable to Production instances. For the SyWay project, S/4HANA PRD will be provisioned with the following RISE add-ons:

  • Short distance disaster recovery
  • 99.9% SLA

With these add-ons, S/4HANA production will be deployed across 2 availability zones (AZs) with Pacemaker clusters, as shown below.

The table below describes how HA is achieved for each component.

Component                          | HA Design
Web Dispatcher                     | Deployed to both AZs in an active-active configuration; an Azure load balancer distributes incoming HTTP traffic across both instances.
S/4HANA Application servers        | Two application servers will be deployed to each AZ in an active-active configuration.
S/4HANA Message server (SCS & ERS) | A Pacemaker cluster is configured between the SCS and ERS servers so that the SCS and ERS services fail over accordingly in the event of a failure.
SAPMNT Shared folder               | NetApp Files hosts the SAPMNT shared folder, which is mounted on all S/4HANA application, SCS and ERS servers.
HANA DB                            | Two HANA nodes are deployed across the 2 AZs in an active-standby configuration. HANA synchronous replication replicates data from the active to the standby node, and a Pacemaker cluster promotes the standby node to active in the event of a failure.

The table below summarises the HA and DR SLAs for PRD and non-PRD systems.

Landscape | Availability SLA | RPO | RTO
PRD       | 99.9%            | 12h | ~0
Non-PRD   | 99.5%            | N/A | N/A

Non-RISE

Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE will be hosted in Syensqo’s Azure subscription. The following systems are classified as Non-RISE.

  • SAP WWI Server    
  • SAP TM Optimizer    
  • Syniti Replicate    
  • Syniti Connector    
  • SWIFT Connector    
  • Vertex    
  • NextLabs Policy Server

Network Architecture 

Overview

The figure below describes the overall network connectivity for SAP RISE and non-RISE Azure vNETS.

The SAP RISE tenant will be provisioned in the same region as the Syensqo Azure tenant. To enable connectivity between SAP RISE and the Syensqo network:

  • SAP will provision the ExpressRoute circuits and ExpressRoute Gateway in the SAP RISE tenant.
  • The Syensqo network team will connect the Syensqo regional hub routers to the SAP RISE ExpressRoute circuit via a Megaport Virtual Cross Connect (VXC).

The non-RISE vNET will be provisioned in the Syensqo Azure tenant. To enable connectivity between SAP RISE and non-RISE systems, vNET peering will be configured between the Syensqo Hub vNET, the SAP RISE vNET and the non-RISE vNET, as shown above. The Azure Firewall provisioned in the Syensqo Hub vNET will be used to control network traffic between the two tenants.

The table below lists the regional hub and Azure edge location for the NAM, EMEA and China regions.

Region        | Megaport Location                            | Azure Edge Location
Europe        | Paris Equinix PA2/3 & Paris Interxion PAR5   | Dublin
North America | Ashburn Equinix DC4 & Reston CoreSite VA1    | TBC
China         | TBC                                          | TBC

IP Allocation

SAP RISE 

The 172.16.32.0/20 range has been allocated for SAP RISE. The following table lists the IP allocation for the different regions and subnets.

RISE Region   | Region IP Allocation | RISE Subnet      | Subnet IP Allocation | Range                        | Usable Hosts
Europe        | 172.16.32.0/22       | Production       | 172.16.32.0/23       | 172.16.32.0 - 172.16.33.225  | 510
Europe        |                      | Parallel Testing | 172.16.34.0/27       | 172.16.34.0 - 172.16.34.31   | 30
Europe        |                      | UAT              | 172.16.34.32/27      | 172.16.34.32 - 172.16.34.63  | 30
Europe        |                      | Development      | 172.16.34.64/27      | 172.16.34.64 - 172.16.34.95  | 30
Europe        |                      | Sandbox          | 172.16.34.96/27      | 172.16.34.96 - 172.16.34.127 | 30
Europe        |                      | Test             | 172.16.34.128/27     | 172.16.34.128 - 172.16.34.159 | 30
Europe        |                      | Training         | 172.16.34.160/27     | 172.16.34.160 - 172.16.34.191 | 30
Europe        |                      | Unassigned       | 172.16.34.192/26     | 172.16.34.192 - 172.16.34.255 | 30
Europe        |                      | Unassigned       | 172.16.35.0/24       | 172.16.35.0 - 172.16.35.255  | 254
North America | 172.16.36.0/22       | Production       | TBC                  | TBC                          | TBC
North America |                      | Parallel Testing | TBC                  | TBC                          | TBC
North America |                      | UAT              | TBC                  | TBC                          | TBC
China         | 172.16.40.0/22       | Production       | TBC                  | TBC                          | TBC
China         |                      | Parallel Testing | TBC                  | TBC                          | TBC
China         |                      | UAT              | TBC                  | TBC                          | TBC
Unassigned    | 172.16.44.0/22       | -                | 172.16.44.0/22       | 172.16.44.0 - 172.16.47.255  | 1022
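An allocation table like the one above is easy to get subtly wrong, so a consistency check is worth keeping next to it. The script below is an added example (not part of the SyWay design or any Syensqo tooling): it embeds the Europe and Unassigned rows as listed, and verifies that every subnet parses as a clean CIDR, sits inside its region block and inside 172.16.32.0/20, does not overlap another subnet, and that the stated range and usable-host count match the prefix length.

```python
import ipaddress

# Allocation plan as listed in the table above (constructed from the page; the TBC
# rows for North America and China carry no subnets yet). Subnet tuples are
# (region, subnet, CIDR, stated range, stated usable hosts).
RISE_BLOCK = ipaddress.ip_network("172.16.32.0/20")
REGIONS = {"Europe": "172.16.32.0/22", "North America": "172.16.36.0/22",
           "China": "172.16.40.0/22", "Unassigned": "172.16.44.0/22"}
SUBNETS = [
    ("Europe", "Production", "172.16.32.0/23", "172.16.32.0 - 172.16.33.225", 510),
    ("Europe", "Parallel Testing", "172.16.34.0/27", "172.16.34.0 - 172.16.34.31", 30),
    ("Europe", "UAT", "172.16.34.32/27", "172.16.34.32 - 172.16.34.63", 30),
    ("Europe", "Development", "172.16.34.64/27", "172.16.34.64 - 172.16.34.95", 30),
    ("Europe", "Sandbox", "172.16.34.96/27", "172.16.34.96 - 172.16.34.127", 30),
    ("Europe", "Test", "172.16.34.128/27", "172.16.34.128 - 172.16.34.159", 30),
    ("Europe", "Training", "172.16.34.160/27", "172.16.34.160 - 172.16.34.191", 30),
    ("Europe", "Unassigned", "172.16.34.192/26", "172.16.34.192 - 172.16.34.255", 30),
    ("Europe", "Unassigned", "172.16.35.0/24", "172.16.35.0 - 172.16.35.255", 254),
    ("Unassigned", "-", "172.16.44.0/22", "172.16.44.0 - 172.16.47.255", 1022),
]

def check_plan(regions=REGIONS, subnets=SUBNETS):
    """Return a list of discrepancies; an empty list means the plan is consistent."""
    issues, blocks, seen = [], {}, []
    for name, cidr in regions.items():
        blocks[name] = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        if not blocks[name].subnet_of(RISE_BLOCK):
            issues.append(f"{name} block {cidr} lies outside {RISE_BLOCK}")
    for region, label, cidr, stated_range, stated_hosts in subnets:
        net = ipaddress.ip_network(cidr)
        tag = f"{region}/{label} {net}"
        if not net.subnet_of(blocks[region]):
            issues.append(f"{tag}: not inside region block {blocks[region]}")
        first, last = (ipaddress.ip_address(p.strip()) for p in stated_range.split("-"))
        if (first, last) != (net.network_address, net.broadcast_address):
            issues.append(f"{tag}: stated range {first}-{last}, CIDR range is "
                          f"{net.network_address}-{net.broadcast_address}")
        # The table counts usable hosts as size minus network and broadcast address.
        # Azure additionally reserves 5 addresses per subnet, so real capacity is lower.
        usable = net.num_addresses - 2
        if usable != stated_hosts:
            issues.append(f"{tag}: stated {stated_hosts} usable hosts, CIDR gives {usable}")
        for other_tag, other in seen:
            if net.overlaps(other):
                issues.append(f"{tag} overlaps {other_tag}")
        seen.append((tag, net))
    return issues
```

Run against the rows as listed, it reports two discrepancies in the Europe section: the Production range end does not match a /23, and the 172.16.34.192/26 row states 30 usable hosts where the prefix gives 62.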

DNS Architecture

Domain Name

The following domains will be used for the respective RISE regions.

RISE Region   | SAP RISE Domain            | Non-RISE Domain
Europe        | *.sap.eu.cloud.syensqo.com | TBC
North America | *.sap.us.cloud.syensqo.com | TBC
China         | *.sap.cn.cloud.syensqo.com | TBC

DNS Integration

SAP RISE supports 3 different DNS integration types: DNS Zone Transfer, Conditional DNS Forwarding and DNS Domain Delegation.

Conditional DNS forwarding has been chosen for Syensqo for the following reasons:

  • Reduced network traffic and complexity.
  • Limits security exposure by only forwarding queries for the specified domains.
  • Easier to manage in the event Syensqo changes its DNS provider.
  • Simple configuration and maintenance.

The table below lists the Syensqo and SAP DNS servers that will be integrated.

Region        | Syensqo Primary DNS         | Syensqo Secondary DNS       | SAP RISE DNS
Europe        | 172.18.164.7 (DNS_EMEA_01)  | 172.18.164.22 (DNS_EMEA_02) |
North America | 172.19.113.69 (DNS_US_01)   | 172.19.113.86 (DNS_US_02)   |
China         | 172.23.193.86 (DNS_APAC_02) | 172.23.193.70 (DNS_APAC_01) |

Network Firewall

An active-active cluster of Palo Alto VM-Series firewalls is deployed alongside the North America and Europe SD-WAN regional hub routers hosted in Megaport. The figure below illustrates the architecture of the Europe regional hub routers and firewall. The same architecture applies to North America.

Network connections to and from SyWay systems (SAP RISE and non-RISE) will be controlled by the respective regional firewalls. To allow a network connection, a firewall request must be submitted to the network team.

Internet Traffic

All inbound and outbound internet traffic will be filtered by the firewalls hosted in Megaport, except for the integration scenarios mentioned in the Integration section.

Outbound Internet Traffic

Outbound internet traffic from the SAP RISE or non-RISE vNET will be routed to the regional hub router and firewall. The firewall will filter the traffic before allowing it through to the external application.

If the external application requires the source IP to be whitelisted before accepting the connection, a public IP can be assigned at the firewall.

Inbound Internet traffic

Inbound traffic from an external application will be filtered through the firewall before the regional hub router routes it to the SAP RISE or non-RISE vNET. The external application will need to provide a static public IP or FQDN to be whitelisted on the Syensqo firewall. The Syensqo firewall will also perform the public-to-internal IP translation.

User Access

The following sections describe how SAP RISE and non-RISE systems will be accessed by users within (internal) and outside (external) the Syensqo network. SaaS applications are accessed through users' existing internet access.

Internal Access

End users will access SyWay systems via browser, mobile app or SAPGUI (for S/4HANA). The figure below describes the network traffic from the user's terminal to SyWay systems.

SAP RISE Web Access:

  • The primary mode of access for SAP RISE systems will be HTTPS.
  • Users' HTTPS traffic will be routed from the Syensqo local site network to SAP RISE through the SD-WAN and ExpressRoute connection.
  • In SAP RISE, an Azure load balancer will be provisioned to load balance the incoming HTTPS traffic across the SAP web dispatchers.
  • The SAP web dispatchers will act as proxies and forward the requests to the S/4HANA application servers.

SAP RISE SAPGUI Access:

  • SAP administrators and support staff may access S/4HANA using SAPGUI, which uses a TCP connection.
  • Users' SAPGUI connections will be routed from the Syensqo local site network to SAP RISE through the SD-WAN and ExpressRoute connection.
  • In SAP RISE, a Pacemaker cluster will be configured between the SCS and ERS servers for HA, and an Azure load balancer is used to direct network traffic to the active SCS node.
  • The SCS will redirect the user to one of the available S/4HANA application servers; thereafter, the communication is between the user's SAPGUI and that application server.

Non-RISE Access:

  • User traffic will be routed from Syensqo local site network to Syensqo's Hub vNET through SDWAN and ExpressRoute connection. 
  • In the hub vNET, traffic will be filtered through Azure firewall before being routed to Non-RISE vNET and non-RISE application.

External Access

For SyWay systems, external access will be enabled for S/4HANA.

SAP will deploy a ZPA App Connector in the RISE vNET and allow connections from Syensqo's Zscaler Exchange, as shown below.

Integration

The following sections describe the network design and traffic flow for each integration scenario.

SAP Cloud Connector

The SAP Cloud Connector will be hosted in SAP RISE and acts as a reverse-invoke proxy to establish the network connection between SAP RISE systems and SAP BTP services (Integration Suite, API Management, SAP Analytics Cloud, etc.). Because of this reverse-invoke capability, the network connection originates from the SAP Cloud Connector towards SAP BTP; once the link has been established, data can be exchanged in both directions between SAP RISE systems and BTP.

To enable outbound internet traffic from SAP RISE, SAP will provision a customer gateway server (CGS) with an internet proxy installed on it.

EIM Data Provisioning Agent

The EIM Data Provisioning Agent (DPA) will be used to integrate S/4HANA with SAP Datasphere. The CGS will be used as the proxy, and the network connection to SAP Datasphere will be initiated by the DPA.

OpenText Connector

The OpenText connector will facilitate the connection between S/4HANA and OpenText Cloud. The connection will be initiated from S/4HANA to the OpenText connector and on to OpenText Cloud via the CGS.



