| Status | |
| Owner | |
| Stakeholders |
Introduction
Purpose
The purpose of the document is to outline the application architecture of S/4HANA instance deployed in Europe region.
Scope & Objectives
This document describes the high-level architecture design for S/4HANA and the supporting systems that are deployed together in the RISE environment. It will cover the following topics:
- Landscape overview
- Application and components
- Application security and access
- Operational architecture
Out of scope:
- Detailed architecture designs that are managed by SAP RISE.
- RISE operating model.
Key Decisions and Requirement
| Description | Rationale |
|---|---|
| SAP Private Cloud deployment model was selected for S/4HANA deployment | Please refer to KDD026 - SAP S/4HANA Deployment Model. |
| SAP GTS will be co-deployed with S/4HANA as a separate client. | Please refer to KDD074 - Architecture of SAP GTS |
| Embedded Fiori deployment model - SAP Fiori front-end server is deployed on S/4HANA | S/4HANA will be the only backend system for Fiori and there is a strict dependency between Fiori and S/4HANA version. Hence an embedded deployment will be preferred and it also optimizes hosting and maintenance costs. Embedded deployment option is also recommended for S/4HANA by SAP. |
| SSL and SNC will be configured for S/4HANA to encrypt web and RFC traffic | Synesqo cybersecurity requires all data in transit to be encrypted. |
| Configure SSO for S/4HANA | As part of SyWay project, a common authentication mechanism (e.g., SAML) will be adopted for ease of access and unified user experience. |
| 99.9% SLA and SAP RISE short distance disaster recovery for production systems. | Based on Syensqo existing non-functional requirements. |
Application Architecture
Overview
SAP RISE application architecture is represented in the diagram below.
SAP RISE Details
The table below summaries SAP RISE details.
Customer SID | YSQ |
|---|---|
Customer Number | 3008440 |
Installation Number | 21360356 |
S-User for PCE | S0026961840 |
Cloud Provider | Azure |
Cloud Region | North Europe (Ireland - Dublin) |
Planned Downtime | First Tuesday each month, 15:00 - 19:00 UTC |
Application Components
S/4HANA
S/4HANA is an Enterprise resource planning solution based on SAP HANA database and SAP ABAP platform. It is a core component in SyWay landscape. SAP Fiori and GTS components will be co-deployed with S/4HANA. A two tier deployment approach will be adopted for S/4HANA systems: Application and DB.
For Sandbox, Development, Integration testing and Training S/4HANA systems, 1 application and 1 DB server will be deployed.
For UAT and Parallel Testing S/4HANA systems, multiple application servers will be deployed with 1 DB server.
For Production, high availability is in scope and S/4HANA components (like message server, app and DB) are deployed across 2 availability zones with pacemaker clusters to ensure no single point of failure.
CI - Central Instance, SCS - SAP Central Services, PAS - Primary Application Server, AAS - Additional Application Server
SAP Web Dispatcher
SAP Web dispatcher acts as a web proxy for S/4HANA systems. It facilitates and load balances incoming HTTP traffic.
- For all non-PRD landscape, one web dispatcher will be deployed
- For PRD, two web dispatchers will be deployed for HA purposes and Azure load balancer will used to load balance HTTP traffic to the 2 PRD web dispatchers.
SAP Cloud Connector
The SAP Cloud connector acts as a reverse invocation proxy to establish network connection between SAP RISE systems and SAP BTP services (Integration suite, API management, SAP Analytics Cloud etc.) and Ariba Cloud Integration Gateway (CIG). Due to its reverse invoke capabilities, the network traffic originates from SAP Cloud connector to SAP BTP and once the link as been established, data can be exchanged between SAP RISE systems and BTP. HTTPS or RFC protocols are used between SAP Cloud Connector and S/4HANA, and HTTPS protocol is used between Cloud Connector and S/4HANA.
To enable outbound internet traffic from SAP RISE, SAP has provisioned a customer gateway server (CGS) with a forward internet proxy installed on it.
A 2 tier landscape will be adopted for SAP cloud connector: non-PRD and PRD. The non-PRD cloud connector will be shared across all non-PRD landscape.
Data Provisioning Agent
Data Provisioning Agent (DPA) is used to integrate S/4HANA and SAP Datasphere. The network connection to SAP Datasphere is initiated by DPA and CGS is used to facilitate the internet connection to SAP Datasphere.
DPA uses the HTTPS or RFC protocols to communicate with S/4HANA and uses the HTTPS protocol to communicate with SAP Datasphere.
A 2 tier landscape will be adopted for DPA: non-PRD and PRD. The non-PRD instance will be shared across all non-PRD landscape.
SAP Analytic Cloud (SAC) Agent
SAC Agent facilitates secure data connectivity and data transfer from S/4HANA to the SAP Analytics Cloud. It leverages SAP Cloud connector connection to BTP to transmit data from S/4HANA to SAC. The HTTPS protocol is used for communication S/4HANA, SAC agent and SAC.
A 2 tier landscape will be adopted for SAC agent: non-PRD and PRD. The non-PRD SAC agent will be shared across all non-PRD landscape.
OpenText Connector
OpenText connector facilitates the connection between S/4HANA and the OpenText cloud. The connection is initiated from S/4HANA to the OpenText connector and to OpenText cloud via CGS. The HTTPS protocol is used for communication between all components.
A 2 tier landscape will be adopted for OpenText Connector: non-PRD and PRD. The non-PRD instance will be shared across all non-PRD landscape.
Supporting Components (SAP Router and DNS)
These are components deployed to SAP RISE landscape and are managed by SAP. Syensqo users will not have access to these applications and can raise requests to SAP to manage any changes.
- SAP Router: Single instance deployed in SAP RISE to manage SAP support's connection to Syensqo RISE systems.
- DNS: Two instances deployed in SAP RISE to manage SAP RISE domain and will be integrated with Syensqo DNS using Conditional DNS Forwarding.
System Landscape
The table below describes the environment and the corresponding application & SID deployed.
Region | Landscape | Systems | |||||
S/4HANA (HANA DB) | Web Dispatcher | SAP Cloud connector | SAP Data Provisioning Agent | SAC Agent | OpenText Connector | ||
Europe | Sandbox | ERS (HRS) | WRS | N/A | N/A | N/A | N/A |
Development | ERD (HRD) | WRD | CRD1 | DRD1 | SRD1 | ORD1 | |
Integration Testing | ERT (HRT) | WRT | N/A | N/A | N/A | N/A | |
Training | ER2 (HR2) | WR2 | N/A | N/A | N/A | N/A | |
UAT | ERQ (HRQ) | WRQ | N/A | N/A | N/A | N/A | |
Parallel Testing | ER1 (HR1) | WR1 | N/A | N/A | N/A | N/A | |
Production | ERP (HRP) | WRP & WRH | CRP | DRP | SRP | ORP | |
The following sections describes the system details for each tier.
Sandbox
| Application | Primary Role | SID | Instance | Physical Hostname | Physical IP | Virtual hostname | Virtual IP | Ports |
|---|---|---|---|---|---|---|---|---|
| S/4HANA | Central Instance | ERS | ASCS01 D00 | |||||
| HANA DB | HRS | ERS (tenant DB) HRS (system DB | ||||||
| Web Dispatcher | Web Dispatcher | WRS | 00 |
Development
| Application | Primary Role | SID | Instance | Physical Hostname | Physical IP | Virtual hostname | App Virtual IP | Ports |
|---|---|---|---|---|---|---|---|---|
| S/4HANA | Central Instance | ERD | ASCS01 D00 | hec42v303048.irl.sap.eu.cloud.syensqo.com | 172.16.33.48 | vhysqerdci.irl.sap.eu.cloud.syensqo.com vhysqerdcs.irl.sap.eu.cloud.syensqo.com | 172.16.33.49 172.16.33.50 | HTTP - 8000 HTTPS - 44300 RFC - 3300 Dispatcher - 3200 Message server - 3601 |
| HANA DB | HRD (system DB) ERD (tenant DB) | 06 | vhysqhrddb01.irl.sap.eu.cloud.syensqo.com | 172.16.33.42 | System DB - 30615 Tenant DB- 30641 | |||
| Web Dispatcher | Web Dispatcher | WRS | W80 | vhysqwrdwd01.irl.sap.eu.cloud.syensqo.com | 172.16.33.44 | HTTP - 8080 HTTPS - 44380 | ||
| SAP Cloud connector | SAP Cloud connector | CRD | N/A | vhysqcrdcc01.sap.eu.cloud.syensqo.com | 172.16.33.46 | HTTP - 8080 HTTPS - 44380 | ||
| Data Provisioning Agent | Data Provisioning Agent | DRD | ||||||
| SAC Agent | SAC Agent | SRD | ||||||
| OpenText Connector | OpenText Connector | ORD |
Integration Testing
UAT
Training
Parallel Run
Production
S/4HANA Client and Transport Strategy
Please see S/4HANA Client Strategy for client details in S/4HANA.
Application Security
User Access
SAP Fiori (web access) will be the primary mode of access for S/4HANA for business users.
Support users will access S/4HANA via web and SAPGUI.
Authentication
SAML SSO - Fiori
Identity Authentication Services within SAP Cloud Identity Services will be configured to act as a Identity provider proxy as shown below.
Authorization
Provide the authorization guidelines/principles followed for the applicationCommunication Security
Provide the details of the communication security controls implemented based on the classificationData Security
Provide the details of the data security controls implemented based on the classificationOther Controls
Provide the details of any other controls implemented based on the classificationOperation Architecture
Change and Configuration Management
This section will include the details related to change and configuration management of SAP and non-SAP systems.Transport Management
Provide the details on how transport management will be handledRelease Management
Provide the details on how release management will be handledMonitoring
This section will include the details related to monitoring enabled for the applicationApplication Monitoring
Provide the details of application monitoring configurationSystem Monitoring
Provide the details of System monitoring configurationSizing
Provide the details of sizing approach and the future recommendationsHigh Availability
Provide the details of High Availability. You may provide a reference to other document or attach a document, if the section contains lot of contentDisaster Recovery
Provide the details of Disaster Recovery. You may provide a reference to other document or attach a document, if the section contains lot of contentBackup/Restore
Provide the details of Backup/Restore. You may provide a reference to other document or attach a document, if the section contains lot of contentMaintenance Plan
Provide the details of system and application maintenance plan. This should follow the upgrade strategyExceptions
This section covers any exceptions to the reference architecture. Some Applications may have limitations and may not meet the Enterprise Architecture, Reference Architecture and IT Policy guidelines. All exceptions should be included in this section.See also
Provide links or references to relevant documents for further context on this architecture decision and its impact. Listing related architectural decisions here can clarify dependencies.