Introduction

Purpose

The purpose of this document is to outline the infrastructure and network architecture for SyWay project.

Scope

This document describes the high-level infrastructure and network design for SAP RISE and non-RISE deployments. It also covers the network design for specialized integration scenarios and deployment in China region.

Out of scope:

Infrastructure and network design for SaaS applications.
SD-WAN and cloud infrastructure detailed design or configurations.
Existing Syensqo systems that SyWay project integrates with.
SAP RISE and Azure operating model.

Assumptions

Azure will be chosen as SyWay cloud service provider for all regions.
Syensqo network will connect to Azure tenants via ExpressRoute for all regions
Standard SAP RISE integration patterns will be leveraged when integrating S/4HANA, SAP connectors and SAP SaaS applications.
As of writing this document, there are pending architectural decisions regarding North America & China, and RISE infrastructure. These designs will be added to this document as they are finalized.

Overview

SyWay systems can be classified into 3 hosting models:

Hosting model	Description
SAP RISE¹	S/4HANA and SAP applications that are hosted in SAP RISE cloud tenants and managed by SAP.
Non-RISE	On-premise applications that cannot be hosted in SAP RISE and are hosted in Azure tenants managed by Syensqo IT.
SaaS	Applications that follow the SaaS model and are access from the internet

¹See KDD026 - SAP S/4HANA Deployment Model for the comparison between various deployment options for S/4HANA and the decision.

In addition to the different hosting models, SyWay systems can be deployed to 1 or more regions (North America, Europe and China). The figure below describes how SyWay systems are deployed across Syensqo’s network.

Infrastructure Architecture

SAP RISE

Overview

S/4HANA is hosted in SAP RISE along with supporting connectors and web dispatchers. SyWay project would leverage a common Sandbox, Development landscape that are deployed in Europe region and individual Integration Testing, Training, UAT, Parallel Testing and Production systems that are deployed to all three regions.

The table below lists the landscape, systems and the corresponding system ID (SID) for the three different regions.

Region	Landscape	Systems
Region	Landscape	S/4HANA (HANA DB)	Web Dispatcher	SAP Cloud connector	SAP Data Provisioning Agent	SAC Agent	OpenText Connector
Europe	Sandbox	ERS (HRS)	WRS	N/A	N/A	N/A	N/A
	Development	ERD (HRD)	WRD	CRD¹	DRD¹	SRD¹	ORD¹
	Integration Testing	ERT (HRT)	WRT	N/A	N/A	N/A	N/A
	Training	ER2 (HR2)	WR2	N/A	N/A	N/A	N/A
	UAT	ERQ (HRQ)	WRQ	N/A	N/A	N/A	N/A
	Parallel Testing	ER1 (HR1)	WR1	N/A	N/A	N/A	N/A
	Production	ERP (HRP)	WRP & WRH	CRP	DRP	SRP	ORP
North America	Integration Testing	EXT (HXT)	WXT	CXD¹	DXD¹	SXD¹	TBC¹
	Training	EX2 (HX2)	WX2	N/A	N/A	N/A	N/A
	UAT	EXQ (HXQ)	WXQ	N/A	N/A	N/A	N/A
	Parallel Testing	EX1 (HX1)	WX1	N/A	N/A	N/A	N/A
	Production	EXP (HXP)	WXP	CXP	DXP	SXP	TBC
China	Integration Testing	ECT (HCT)	WCT	CCD¹	DCD¹	SCD¹	OCD¹
	Training	EC2 (HC2)	WC2	N/A	N/A	N/A	N/A
	UAT	ECQ (HCQ)	WCQ	N/A	N/A	N/A	N/A
	Parallel Testing	EC1 (HC1)	WC1	N/A	N/A	N/A	N/A
	Production	ECP (HCP)	WCP	CCP	DCP	SCP	OCP

¹System shared across all non-PRD systems

Landscape Provisioning

The following diagrams illustrates the different RISE landscapes that are provision for the different phases. Post Go-Live, INT and PAR landscapes will be decommissioned and a 5 tier landscape will be maintained.

Europe

SyWay Project > Network and Infrastructure Architecture DD-TEC-070 > image-2025-5-2_16-51-6-1.png

High Availability and Disaster Recovery

The table below summaries the SLA for HA and DR for production and non-production systems

Landscape	Availability SLA	RPO	RTO
Production	99.9%	0	Contractually-guaranteed: 12 hours Achievable: ~10 minutes
Non-Production	98%	N/A	N/A

S/4HANA

In SAP RISE, High Availability (HA) and Disaster Recovery (DR) is applicable to Production instances. For SyWay project, S/4HANA Production is provisioned with the following RISE add-ons.

Short distance disaster recovery
99.9% SLA

With these add-ons, S/4HANA production is deployed across 2 availability zones with synchronous database replication and automated fail-over via pacemaker clusters as shown below.

The table below describes how HA is achieved for the different components.

Component	HA Design
Web Dispatcher	Deployed to both AZs in active-active configuration and Azure load balancer is used to distribute incoming HTTP traffic to both instances.
S/4HANA Application servers	Two application servers are deployed to each AZs in an active-active configuration.
S/4HANA Message server (SCS & ERS)	Pacemaker cluster is configured between SCS and ERS servers to ensure SCS & ERS services fails over accordingly in the event of a failure.
SAPMNT Shared folder	NetApp files is used to host the SAPMNT shared folder and is mounted across all S/4HANA application, SCS and ERS servers.
HANA DB	Two HANA nodes are deployed across 2 AZs in an active-standby configuration. HANA synchronous replication is configured to replicate data from the active to standby node. Pacemaker cluster is configured to ensure that the standby node is promoted to active node in the event of a failure.

SAP Connectors

Two instances of SAP Cloud connectors are deployed across 2 AZs and configured as active-standby nodes. In the event of a failure, the standby node will take over as active node

Further clarification is required from SAP RISE team post system build regarding HA for the following components.

SAP Data Provisioning Agent - Currently not supported (SAP Note 3275211)
SAC Agent - Currently not supported (SAP Note 3595999)
OpenText Connector

SAP RISE VM Details

Region	Azure Region	SID	Purpose	Physical Hostname	Virtual Hostname	CPU	Memory/GB	OS
Europe	North Europe (Dublin)	ERD	App Server	hec42v303048.irl.sap.eu.cloud.syensqo.com (172.16.33.48)	vhysqerdci.sap.eu.cloud.syensqo.com (172.16.33.49) vhysqerdcs.sap.eu.cloud.syensqo.com (172.16.33.50)	8	32	SUSE SLES15
		HRD	HANA DB	hec42v302672.irl.sap.eu.cloud.syensqo.com (172.16.33.37)	vhysqerddb.sap.eu.cloud.syensqo.com (172.16.33.51) vhysqhrddb01.sap.eu.cloud.syensqo.com (172.16.33.42) vhysqhrddb.sap.eu.cloud.syensqo.com (172.16.33.43)	32	256	SUSE SLES15
		WRD	Web Dispatcher	hec42v302675.irl.sap.eu.cloud.syensqo.com (172.16.33.40)	vhysqwrdwd01.sap.eu.cloud.syensqo.com (172.16.33.44)	2	8	SUSE SLES15
		CRD	Cloud Connector	hec42v302678.irl.sap.eu.cloud.syensqo.com (172.16.33.45)	vhysqcrdcc01.sap.eu.cloud.syensqo.com (172.16.33.46)	2	8	SUSE SLES15
		DRD	Data Provisioning Agent	hec42v302676.irl.sap.eu.cloud.syensqo.com (172.16.33.41)	vhysqdrddpa01.irl.sap.eu.cloud.syensqo.com (172.16.33.47)	4	16	SUSE SLES15
		SRD	SAC Agent	hec42v302674.irl.sap.eu.cloud.syensqo.com (172.16.33.39)	vhysqsrdweb01.irl.sap.eu.cloud.syensqo.com (172.16.33.38)	4	16	SUSE SLES15

Non-RISE

Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE, are hosted in Syensqo’s Azure subscription. The following systems are classified as Non-RISE:

SAP WWI Server
SAP TM Optimizer
Syniti Replicate
Syniti Connector
SWIFT Connector
Vertex
NextLabs Policy Server

Network Architecture

Overview

The figure below describes the overall network connectivity for SAP RISE and non-RISE Azure VNets.

SAP RISE Tenant is provisioned in the same region as Syensqo Azure tenant.
ExpressRoute circuits and ExpressRoute Gateway are provisioned in SAP RISE Tenant.
Syensqo regional firewall and SAP RISE ExpressRoute circuit are connected via Megaport Virtual Cross Connect (VXC) managed by Syensqo IT.
Non-RISE vNET is provisioned in Syensqo Azure tenant and Syensqo Azure Hub will be leveraged for the management of Non-RISE vNET.
Network traffic between SAP RISE and Non-RISE systems will be routed through Megaport and Syensqo Azure Hub.
Since NextLabs application requires low latency network connectivity to S/4HANA, a separate vNET will be provisioned to host NextLabs application and vNET peering will be configured between SAP RISE and NextLab vNETs.
Azure NSG will be used to secure the network traffic between SAP RISE and NextLabs vNET.
vNET peering will also be configured between Syensqo Hub and NextLabs vNETs for management purposes.

The table below lists down the regional hub and Azure edge location for NAM, EMEA and China regions.

Region	Megaport Location	Azure Edge location
Europe	Paris Equinix PA2/3 & Paris Interxion PAR5	Dublin
North America	Ashburn Equinix DC4 & Reston Core Site VA1	TBC
China	TBC	TBC

IP Allocation

SAP RISE

The 172.16.32.0/19 IP range has been allocated for SAP RISE globally. The following table lists down the IP allocation for the different regions and subnets.

RISE Region	Region IP Allocation	RISE Subnet	Subnet IP Allocation	Range	Usable Hosts
Europe	172.16.32.0/22	Production	172.16.34.0/25	172.16.34.0 - 172.16.34.127	126
		Production (HA components)	172.16.34.128/25	172.16.34.128 - 172.16.34.255	126
		ECS Services	172.16.32.0/24	172.16.32.0 - 172.16.32.255	254
		Sandbox	172.16.33.0/27	172.16.37.0 - 172.16.37.63	30
		Development	172.16.33.64/27	172.16.33.64 - 172.16.33.127	30
		Integration Test	172.16.33.128/27	172.16.33.128 - 172.16.33.191	30
		QA / UAT	172.16.33.192/27	172.16.33.192 - 172.16.33.255	30
		Pre-Production	172.16.34.0/27	172.16.34.0 - 172.16.34.63	30
		Training	172.16.34.64/27	172.16.34.64 - 172.16.34.127	30
		Unassigned	172.16.37.128/25	172.16.37.128 - 172.16.37.255	126
		Unassigned	172.16.38.0/24	172.16.38.0 - 172.16.38.255	254
North America	172.16.36.0/22	TBC	TBC	172.16.36.0 - 172.16.39.255	TBC
China	172.16.40.0/22	TBC	TBC	172.16.40.0 - 172.16.43.255	TBC
Unassigned	172.16.44.0/22	-	-	172.16.44.0 - 172.16.47.255	1022
Unassigned	172.16.48.0/20	-	-	172.16.48.0 - 172.16.63.255	4094

DNS Architecture

Domain Name

The following domains names are used for the respective RISE regions.

RISE Region	SAP RISE Domain	Non-RISE Domain
Europe	*.sap.eu.cloud.syensqo.com	TBC
North America	*.sap.us.cloud.syensqo.com	TBC
China	*.sap.cn.cloud.syensqo.com	TBC

DNS Integration

SAP RISE supports 3 different DNS integration types: DNS Zone Transfer, Conditional DNS Forwarding and DNS Domain Delegation.

Conditional DNS Forwarding has been chosen for Syensqo for the following reasons:

Reduced network traffic and complexity.
Limits security exposure by only forwarding queries for specified domains.
Easier to manage in the event Syensqo changes it DNS provider.
Simple configuration and maintenance.

The table below lists the Syensqo and SAP DNS servers that are integrated.

Region

Syensqo Primary DNS

SAP RISE DNS

Europe

Primary - 172.18.164.7 (DNS_EMEA_01)

Secondary - 172.18.164.22 (DNS_EMEA_02)

DNS –CSN-A-HA IP - 172.16.32.14 (vhysqirlcsna-ha.irl.sap.eu.cloud.syensqo.com)

DNS –CSN-B-HA IP - 172.16.32.30 (vhysqirlcsnb-ha.irl.sap.eu.cloud.syensqo.com)

DNS –CSN-C-HA IP - 172.16.32.46 (vhysqirlcsnc-ha.irl.sap.eu.cloud.syensqo.com)

North America

Primary - 172.19.113.69 (DNS_US_01)

Secondary - 172.19.113.86 (DNS_US_02)

TBC

China

Primary - 172.23.193.86 (DNS_APAC_02)

Secondary - 172.23.193.70 (DNS_APAC_01)

TBC

Network Firewall

For SyWay project, the following firewalls will be leveraged to manage the corresponding traffic.

Firewall	Network Traffic
Regional Hub Firewall	Incoming network traffic to SAP RISE.. Outgoing network traffic from SAP RISE.
Syensqo Azure Firewall	Incoming network traffic to Non-RISE and NextLabs vNETs. Outgoing network traffic from Non-RISE and NextLabs vNETs.

Internet Traffic

All inbound and outbound internet traffic are filtered by the firewalls hosted in Megaport except for integration scenarios mentioned in integration section.

Outbound Internet Traffic

Outbound internet traffic from SAP RISE is routed to the regional hub firewall which filters the traffic before allowing it to the external application.
Outbound internet traffic from Non-RISE application is routed to Azure firewall in Syensqo Hub which filters the traffic before allowing it to the external application.

If the external application requires source IP to be whitelisted before accepting the connection, a public IP can be assigned at the respective firewall.

Inbound Internet traffic

Currently there is no requirements for inbound internet traffic to SAP RISE and non-RISE systems. This type of integration will be considered if there are no other alternatives and the purpose of this section to document the approach if the need arises.

Inbound internet traffic to SAP RISE are filtered through the regional firewall before it is routed to SAP RISE.
Inbound internet traffic to non-RISE vNET are filtered through Azure firewall in Syensqo Hub vNET before it is routed to the non-RISE vNET.

User Access

The following sections describes how SAP RISE and non-RISE systems are access by users within (internal) and outside (external) Syensqo network. For SaaS application access, users can access them through their existing internet access.

These section cover the network perspective and does not include the authentication processes where single sign-on will be configured with Syensqo Identity provider.

Internal Access

End users will access SyWay systems via browser, mobile app or SAPGUI (for S/4HANA) (refer KDD036). The figure below describes the network traffic from user's terminal to SyWay systems.

SAP RISE Web Access:

Primary mode of access for SAP RISE system is through HTTPS.
User's HTTPS traffic is routed from Syensqo local site network to SAP RISE through SDWAN and ExpressRoute connection.
In SAP RISE, Azure load balancer is provisioned to load balance the incoming HTTPS traffic to SAP web dispatchers.
SAP web dispatchers act as proxies and forward the request to S/4HANA application server.

SAP RISE SAPGUI Access

SAP administrators and support staff may access S/4HANA using SAPGUI which uses TCP protocol.
User's SAPGUI connections are routed from Syensqo local site network to SAP RISE through SDWAN and ExpressRoute connection.
In SAP RISE, a pacemaker cluster is configured between SCS and ERS servers for HA and Azure load balancer is used to direct network traffic to the active SCS node.
SCS redirects users to one of the available S/4HANA application server and there after, the communication is directly between user's SAPGUI and the application server.

Non-RISE Access:

User traffic is routed from Syensqo local site network to Syensqo's Hub vNET through SDWAN, Megaport and ExpressRoute connection.
In the hub vNET, traffic is filtered through Azure firewall before being routed to Non-RISE vNET and non-RISE application.

SaaS:

Primary mode of access for SaaS applications is via HTTPS.
User's HTTPS traffic is routed from Syensqo local site network to Zscaler which acts as a proxy and connects to the SaaS applications.

External Access

No direct external access from the internet is enabled for SyWay systems hosted in RISE. Users with a Syensqo-issued device can access systems hosted in RISE from outside the Syensqo network via ZScaler Private Access (ZPA).

SAP has deployed ZPA App Connectors in the RISE vNET, and allows connections from Syensqo's Zscaler Exchange as shown below.

SyWay Project > Network and Infrastructure Architecture DD-TEC-070 > image-2025-4-17_13-19-9-1.png

Integration

The following sections describes the network design and flow for the following integration scenarios.

SAP Cloud Connector

The SAP Cloud connector are deployed in SAP RISE and acts as a reverse invocation proxy to establish network connection between SAP RISE systems and SAP BTP services (Integration suite, API management, SAP Analytics Cloud etc.) and Ariba Cloud Integration Gateway (CIG). Due to its reverse invoke capabilities, the network traffic originates from SAP Cloud connector to SAP BTP and once the link as been established, data can be exchanged between SAP RISE systems and BTP. HTTPS or RFC protocols are used between SAP Cloud Connector and S/4HANA, and HTTPS protocol is used between Cloud Connector and S/4HANA.

To enable outbound internet traffic from SAP RISE, SAP has provisioned a customer gateway server (CGS) with a forward internet proxy installed on it.

EIM Data Provisioning Agent

EIM Data Provisioning Agent (DPA) is used to integrate S/4HANA and SAP Datasphere. The network connection to SAP Datasphere is initiated by DPA and CGS is used to facilitate the internet connection to SAP Datasphere.

DPA uses the HTTPS or RFC protocols to communicate with S/4HANA and uses the HTTPS protocol to communicate with SAP Datasphere.

OpenText Connector

OpenText connector facilitates the connection between S/4HANA and the OpenText cloud. The connection is initiated from S/4HANA to the OpenText connector and to OpenText cloud via CGS.

The HTTPS protocol is used for communication between all components.

SAP Router

SAP has configured a VPN connection between the Syensqo SAP RISE tenant and SAP's Management network (used by SAP support). SAP Router is deployed in SAP RISE to manage SAP support's connection to SAP systems.