Introduction
Purpose
The purpose of this document is to outline the infrastructure and network architecture for the SyWay project.
Scope
This document describes the high-level infrastructure and network design for the SAP RISE and non-RISE deployments. It also covers the network design for specialized integration scenarios and for deployment in the China region.
Out of scope:
- SaaS applications, as infrastructure and network responsibility for these lies with the service provider.
- Detailed design and configuration of the SD-WAN and cloud infrastructure, as these are managed by Syensqo IT and SAP RISE.
- Existing Syensqo systems that the SyWay project integrates with.
Overview
SyWay systems can be classified into 3 hosting models:

| Hosting model | Description |
|---|---|
| SAP RISE | S/4HANA and SAP applications hosted in SAP RISE cloud tenants and managed by SAP. |
| Non-RISE | Non-SAP applications, and SAP applications that cannot be hosted in SAP RISE, hosted in Syensqo Azure tenants. |
| SaaS | Applications that follow the SaaS model and are managed by their service providers. |

In addition to the different hosting models, SyWay systems can be deployed to one or more regions (North America, Europe and China). The figure below describes how SyWay systems will be deployed across Syensqo's network.
Infrastructure Architecture
SAP RISE
Overview
S/4HANA is the core system and is hosted in SAP RISE together with its supporting connectors and web dispatchers. The SyWay project uses a common Sandbox, Development, Integration Testing and Training landscape deployed in the Europe region, and individual UAT, Parallel Testing and Production systems deployed to all 3 regions.
The table below describes the landscape and the systems hosted in each of the 3 regions.
| Region | Landscape | S/4HANA | Web Dispatcher | SAP Cloud Connector | SAP Data Provisioning Agent | SAC Agent | OpenText Connector |
|---|---|---|---|---|---|---|---|
| Europe | SBX | ☑ | ☑ | ☐ | ☐ | ☐ | ☐ |
| Europe | DEV | ☑ | ☑ | ☑¹ | ☑¹ | ☑¹ | ☑¹ |
| Europe | INT | ☑ | ☑ | ☐ | ☐ | ☐ | ☐ |
| Europe | TRG | ☑ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Europe | UAT | ☑ | ☑ | ☐ | ☐ | ☐ | ☐ |
| Europe | PAR | ☑ | ☑ | ☐ | ☐ | ☐ | ☐ |
| Europe | PRD | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
| North America | UAT | ☑ | ☑ | ☑¹ | ☑¹ | ☑¹ | ☑¹ |
| North America | PAR | ☑ | ☐ | ☐ | ☐ | ☐ | ☐ |
| North America | PRD | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |
| China | UAT | ☑ | ☑ | ☑¹ | ☑¹ | ☑¹ | ☑¹ |
| China | PAR | ☑ | ☐ | ☐ | ☐ | ☐ | ☐ |
| China | PRD | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ |

¹ A single instance of this system is shared across all non-PRD systems in the region.
Landscape Provisioning
The SAP RISE landscape will be provisioned in stages to optimize cost. The following diagrams illustrate the systems provisioned in each phase.
Europe
S/4HANA High Availability and Disaster Recovery
In SAP RISE, High Availability (HA) and Disaster Recovery (DR) apply to Production instances only. For the SyWay project, S/4HANA production will be provisioned with the following RISE add-ons:
- Short distance disaster recovery
- 99.9% SLA
With these add-ons, S/4HANA production is deployed across 2 availability zones (AZs), with Pacemaker clusters providing HA.
The table below describes how HA is achieved for each component.
| Component | HA Design |
|---|---|
| Web Dispatcher | Deployed to both AZs in an active-active configuration; an Azure Load Balancer distributes incoming HTTP traffic across both instances. |
| S/4HANA application servers | 2 application servers are deployed to each AZ in an active-active configuration. |
| S/4HANA message server (SCS & ERS) | A Pacemaker cluster is configured between the SCS and ERS servers so that the SCS and ERS services fail over in the event of a failure. |
| SAPMNT shared folder | Azure NetApp Files hosts the SAPMNT share, which is mounted on all S/4 application, SCS and ERS servers. |
| HANA DB | 2 HANA nodes are deployed across the 2 AZs in an active-standby configuration. HANA system replication in synchronous mode replicates data from the active to the standby node. A Pacemaker cluster promotes the standby node to active in the event of a failure. |
The table below summarizes the SLA for HA and DR.
| Landscape | Availability SLA | RPO | RTO |
|---|---|---|---|
| PRD | 99.9% | 12h | ~0 |
| Non-PRD | 99.5% | N/A | N/A |
SAP RISE VM Specs
<<Placeholder>>
Non-RISE
Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE will be hosted in Syensqo's Azure subscription. The following systems are classified as Non-RISE:
- SAP WWI Server
- SAP TM Optimizer
- Syniti Replicate
- Syniti Connector
- SWIFT Connector
- Vertex
- NextLabs Policy Server
<<Placeholder for landscape overview & VM details>>
Network Architecture
Network Design
SAP RISE
The 172.16.32.0/20 range has been allocated for all SAP RISE provisioning. The following table lists the IP allocation for the regions and their subnets.
| RISE Region | Region IP Allocation | RISE Subnet | Subnet IP Allocation | Range | Usable Hosts |
|---|---|---|---|---|---|
| Europe | 172.16.32.0/22 | Production | 172.16.32.0/23 | 172.16.32.0 - 172.16.33.255 | 510 |
| Europe | 172.16.32.0/22 | Parallel Testing | 172.16.34.0/27 | 172.16.34.0 - 172.16.34.31 | 30 |
| Europe | 172.16.32.0/22 | UAT | 172.16.34.32/27 | 172.16.34.32 - 172.16.34.63 | 30 |
| Europe | 172.16.32.0/22 | Development | 172.16.34.64/27 | 172.16.34.64 - 172.16.34.95 | 30 |
| Europe | 172.16.32.0/22 | Sandbox | 172.16.34.96/27 | 172.16.34.96 - 172.16.34.127 | 30 |
| Europe | 172.16.32.0/22 | Test | 172.16.34.128/27 | 172.16.34.128 - 172.16.34.159 | 30 |
| Europe | 172.16.32.0/22 | Training | 172.16.34.160/27 | 172.16.34.160 - 172.16.34.191 | 30 |
| Europe | 172.16.32.0/22 | Unassigned | 172.16.34.192/26 | 172.16.34.192 - 172.16.34.255 | 62 |
| Europe | 172.16.32.0/22 | Unassigned | 172.16.35.0/24 | 172.16.35.0 - 172.16.35.255 | 254 |
| North America | 172.16.36.0/22 | Production | | | |
| North America | 172.16.36.0/22 | Parallel Testing | | | |
| North America | 172.16.36.0/22 | UAT | | | |
| China | 172.16.40.0/22 | Production | | | |
| China | 172.16.40.0/22 | Parallel Testing | | | |
| China | 172.16.40.0/22 | UAT | | | |
| Unassigned | 172.16.44.0/22 | - | 172.16.44.0/22 | 172.16.44.0 - 172.16.47.255 | 1022 |

Usable Hosts is calculated as the subnet size minus the network and broadcast addresses. Azure additionally reserves the first three host addresses of every subnet, so the number of addresses actually assignable to VMs in each Azure subnet is 3 fewer than shown (for example 27 in a /27 and 507 in the Production /23).
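The allocation table is easy to get wrong by hand (a typo in a prefix length, a range end that does not match the prefix, or a subnet that drifts outside its region). The script below is an added consistency check for this document, not Syensqo or SAP RISE tooling: it parses the plan above with the Python `ipaddress` module, verifies that every CIDR is on a prefix boundary, that regions sit inside the /20 without overlapping, and that each Europe subnet sits inside its region without overlapping a sibling, and it reports both the classic usable-host count and the Azure-assignable count (5 reserved addresses per subnet). The North America and China subnets are omitted because the table does not yet assign them.

```python
"""Consistency check for the SAP RISE IP allocation plan.

Added example for this design document; not a Syensqo or SAP RISE tool.
Addresses are copied from the allocation table; North America and China
subnets are left out because the table does not assign them yet.
"""
import ipaddress

PARENT = "172.16.32.0/20"  # block allocated to all SAP RISE provisioning

REGIONS = {
    "Europe": "172.16.32.0/22",
    "North America": "172.16.36.0/22",
    "China": "172.16.40.0/22",
    "Unassigned": "172.16.44.0/22",
}

SUBNETS = {
    "Europe": {
        "Production": "172.16.32.0/23",
        "Parallel Testing": "172.16.34.0/27",
        "UAT": "172.16.34.32/27",
        "Development": "172.16.34.64/27",
        "Sandbox": "172.16.34.96/27",
        "Test": "172.16.34.128/27",
        "Training": "172.16.34.160/27",
        "Unassigned-1": "172.16.34.192/26",
        "Unassigned-2": "172.16.35.0/24",
    },
}

# Azure reserves the network address, the next three host addresses and the
# broadcast address of every subnet, so only num_addresses - 5 are assignable.
AZURE_RESERVED = 5


def subnet_summary(cidr):
    """Range and host counts for one subnet, as the allocation table reports them."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "range": f"{net.network_address} - {net.broadcast_address}",
        "usable_hosts": net.num_addresses - 2,  # classic: minus network and broadcast
        "azure_assignable": net.num_addresses - AZURE_RESERVED,
    }


def validate_plan(parent, regions, subnets):
    """Return a list of problems; an empty list means the plan is consistent.

    Checks: every CIDR parses on a prefix boundary (strict), each region sits
    inside the parent block, regions do not overlap, and each subnet sits
    inside its region without overlapping a sibling subnet.
    """
    problems = []
    parent_net = ipaddress.ip_network(parent, strict=True)

    region_nets = {}
    for name, cidr in regions.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"region {name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not net.subnet_of(parent_net):
            problems.append(f"region {name}: {cidr} is outside parent {parent}")
        region_nets[name] = net

    names = list(region_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if region_nets[a].overlaps(region_nets[b]):
                problems.append(f"regions {a} and {b} overlap")

    for region, subs in subnets.items():
        region_net = region_nets.get(region)
        if region_net is None:
            problems.append(f"subnets defined for unknown region {region}")
            continue
        seen = []
        for sname, cidr in subs.items():
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{region}/{sname}: invalid CIDR {cidr!r} ({exc})")
                continue
            if not net.subnet_of(region_net):
                problems.append(f"{region}/{sname}: {cidr} is outside {region_net}")
            for other_name, other in seen:
                if net.overlaps(other):
                    problems.append(f"{region}/{sname} overlaps {region}/{other_name}")
            seen.append((sname, net))
    return problems


if __name__ == "__main__":
    for issue in validate_plan(PARENT, REGIONS, SUBNETS) or ["plan is consistent"]:
        print(issue)
    for region, subs in SUBNETS.items():
        for sname, cidr in subs.items():
            print(region, sname, cidr, subnet_summary(cidr))
```

Run it again whenever the North America or China subnets are filled in; `strict=True` rejects a CIDR such as `172.16.34.128/127` or a host address written where a network address belongs, and the overlap check catches two landscapes being given the same /27.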
Non-RISE
<<Placeholder>>
SAP RISE Network Connectivity
The North America (NAM) and Europe (EMEA) SAP RISE VNets are connected to the Syensqo regional hub routers via ExpressRoute and Megaport Virtual Cross Connects (VXCs), as shown below.
The table below lists the regional hub and Azure edge location for the NAM and EMEA regions.
| Region | Megaport Location | Azure Edge Location |
|---|---|---|
| Europe | Paris Equinix PA2/3 & Paris Interxion PAR5 | Dublin |
| North America | Ashburn Equinix DC4 & Reston CoreSite VA1 | |
<<Placeholder for China>>
DNS Architecture
SAP RISE Domain
The following domains will be used for the respective RISE regions.
| RISE Region | Domain |
|---|---|
| Europe | |
| North America | |
| China | |
DNS Integration
SAP RISE supports 3 DNS integration types: DNS zone transfer, conditional DNS forwarding and DNS domain delegation.
Conditional DNS forwarding has been chosen for Syensqo for the following reasons:
- Reduced network traffic and complexity.
- Limited security exposure, since only queries for the specified SAP RISE domains are forwarded to the SAP RISE DNS servers; all other queries stay on the Syensqo resolvers.
- Easier to manage in the event Syensqo changes its DNS provider.
- Simple configuration and maintenance.
The regional firewalls must permit DNS (UDP and TCP port 53) from the Syensqo DNS servers to the SAP RISE DNS servers over the ExpressRoute path for the forwarding to work.
The table below lists the Syensqo and SAP DNS servers that will be integrated.
| Region | Syensqo Primary DNS | Syensqo Secondary DNS | SAP RISE DNS |
|---|---|---|---|
| Europe | 172.18.164.7 (DNS_EMEA_01) | 172.18.164.22 (DNS_EMEA_02) | |
| North America | | | |
| China | | | |
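The security argument for conditional forwarding rests on two properties: a query leaves the Syensqo resolvers only when its name falls under a configured SAP RISE zone, and the forwarder targets are the SAP RISE DNS servers and nothing else. The snippet below is an added illustration of that decision logic for this document; it is not Syensqo's or SAP's DNS configuration. The zone names and SAP RISE resolver addresses are placeholders, because the tables above leave them blank; 172.16.32.0/20 is the SAP RISE allocation from the network design section. Zone matching is label-aligned, so a look-alike name such as `evil-rise.example.com` is not treated as part of `rise.example.com`.

```python
"""Conditional-forwarding decision logic for the Syensqo / SAP RISE DNS integration.

Added illustration for this design document, not Syensqo's or SAP's DNS
configuration. Zone names and SAP RISE resolver addresses are placeholders;
172.16.32.0/20 is the SAP RISE allocation from the network design section.
"""
import ipaddress

RISE_RANGE = ipaddress.ip_network("172.16.32.0/20")

# Hypothetical conditional forwarders on the Syensqo resolvers: zone -> SAP RISE DNS targets.
FORWARDERS = {
    "eu.rise.example.com": ["172.16.32.10"],
    "rise.example.com": ["172.16.32.11", "172.16.36.11"],
}


def normalize(name):
    """Lower-case and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.rstrip(".").lower()


def matching_zone(qname, zones):
    """Most specific configured zone that qname falls under, or None.

    Matching is label-aligned: 'evil-rise.example.com' does not match the zone
    'rise.example.com', so a look-alike name is answered internally and is
    never forwarded to the SAP RISE resolvers.
    """
    q = normalize(qname)
    best = None
    for zone in zones:
        z = normalize(zone)
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def resolve_path(qname, forwarders):
    """('forward', targets) if the query leaves for SAP RISE, else ('internal', None)."""
    table = {normalize(z): t for z, t in forwarders.items()}
    zone = matching_zone(qname, table)
    if zone is None:
        return ("internal", None)
    return ("forward", table[zone])


def check_forwarders(forwarders, allowed):
    """Forwarder targets that are not inside the SAP RISE allocation.

    A target outside the range would send every query for the RISE zones to a
    resolver Syensqo does not control, so this list must come back empty.
    """
    return [
        (zone, target)
        for zone, targets in forwarders.items()
        for target in targets
        if ipaddress.ip_address(target) not in allowed
    ]


if __name__ == "__main__":
    for name in ("s4prd.eu.rise.example.com.", "wd.rise.example.com",
                 "evil-rise.example.com", "intranet.syensqo.example"):
        print(name, "->", resolve_path(name, FORWARDERS))
    print("forwarders outside RISE range:", check_forwarders(FORWARDERS, RISE_RANGE))
```

Once the SAP RISE domains and DNS addresses in the tables above are filled in, `check_forwarders` is the one-line check worth keeping in a change-review script: a forwarder pointing outside 172.16.32.0/20 means the conditional forwarder would leak SAP RISE name queries to a resolver outside the RISE tenant.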
Network Firewall
An active-active cluster of Palo Alto Networks VM-Series firewalls is deployed at the North America and Europe Megaport locations alongside the SD-WAN regional hub routers. The figure below illustrates the architecture of the Europe regional hub routers and firewall; the same architecture applies to North America.
Network connections to and from SyWay systems (SAP RISE and Non-RISE) are controlled by the respective regional firewalls. To allow a network connection, a firewall request must be submitted to the network team.
<<placeholder for allowed east to west traffic>>
<<firewall request procedure>>
Internet Traffic
All inbound and outbound internet traffic is filtered by the firewalls hosted at the Megaport locations, except for the integration scenarios described in the integration section.
Outbound Internet Traffic
Outbound internet traffic from the SAP RISE or SyWay VNet is routed to the regional hub router and firewall. The firewall filters the traffic before allowing it to reach the external application.
If the external application requires the source IP to be whitelisted before accepting the connection, a dedicated public IP can be assigned at the firewall so that the outbound traffic is source-NATed to a fixed address.
<<placeholder for China>>
Inbound Internet traffic
Inbound traffic from an external application is filtered by the firewall before the regional hub router routes it to the SAP RISE or SyWay VNet. The external application must provide a static public IP or FQDN to be whitelisted on the Syensqo firewall; a static IP is preferred, since an FQDN rule is only as reliable as the firewall's resolution of that name. The Syensqo firewall also owns the public IP and performs the translation (destination NAT) to the internal IP.
<<placeholder for China>>
