Introduction
Purpose
The purpose of this document is to outline the infrastructure and network architecture for the SyWay project.
Scope
This document describes the high-level infrastructure and network design for SAP RISE and non-RISE deployments. It also covers the network design for specialised integration scenarios and for deployment in the China region.
Out of scope:
- Infrastructure and network design for SaaS applications.
- SD-WAN and cloud infrastructure detailed design or configurations.
- Existing Syensqo systems that SyWay project integrates with.
- SAP RISE and Azure operating model.
Assumptions
- Azure will be chosen as SyWay cloud service provider for all regions.
- The Syensqo network will connect to the Azure tenants via ExpressRoute in all regions.
- Standard SAP RISE integration patterns will be leveraged when integrating S/4HANA, SAP connectors and SAP SaaS applications.
- As of writing this document, there are pending architectural decisions regarding North America & China, and RISE infrastructure. These designs will be added to this document as they are finalized.
Overview
SyWay systems fall into three hosting models:

| Hosting model | Description |
|---|---|
| SAP RISE¹ | S/4HANA and SAP applications hosted in SAP RISE cloud tenants and managed by SAP. |
| Non-RISE | Applications with an on-premise (IaaS) deployment model that cannot be hosted in SAP RISE and are therefore hosted in Azure tenants managed by Syensqo IT. |
| SaaS | Applications that follow the SaaS model and are accessed from the internet. |

¹ See KDD026 - SAP S/4HANA Deployment Model for the comparison between the various deployment options for S/4HANA and the decision taken.
In addition to the different hosting models, SyWay systems can be deployed to one or more regions (North America, Europe and China). The figure below describes how SyWay systems are deployed across Syensqo’s network.
Infrastructure Architecture
SAP RISE
Overview
S/4HANA is hosted in SAP RISE along with its supporting connectors and web dispatchers. The SyWay project uses a shared Sandbox and Development landscape deployed in the Europe region, and separate Integration Testing, Training, UAT, Parallel Testing and Production systems deployed in each of the three regions.
The table below lists the landscape, systems and the corresponding system ID (SID) for the three different regions.
| Region | Landscape | S/4HANA (HANA DB) | Web Dispatcher | SAP Cloud Connector | SAP Data Provisioning Agent | SAC Agent | OpenText Connector |
|---|---|---|---|---|---|---|---|
| Europe | Sandbox | ERS (HRS) | WRS | N/A | N/A | N/A | N/A |
| Europe | Development | ERD (HRD) | WRD | CRD¹ | DRD¹ | SRD¹ | ORD¹ |
| Europe | Integration Testing | ERT (HRT) | WRT | N/A | N/A | N/A | N/A |
| Europe | Training | ER2 (HR2) | WR2 | N/A | N/A | N/A | N/A |
| Europe | UAT | ERQ (HRQ) | WRQ | N/A | N/A | N/A | N/A |
| Europe | Parallel Testing | ER1 (HR1) | WR1 | N/A | N/A | N/A | N/A |
| Europe | Production | ERP (HRP) | WRP & WRH | CRP | DRP | SRP | ORP |
| North America | Integration Testing | TBC | TBC | TBC¹ | TBC¹ | TBC¹ | TBC¹ |
| North America | Training | TBC | TBC | N/A | N/A | N/A | N/A |
| North America | UAT | TBC | TBC | N/A | N/A | N/A | N/A |
| North America | Parallel Testing | TBC | TBC | N/A | N/A | N/A | N/A |
| North America | Production | TBC | TBC | TBC | TBC | TBC | TBC |
| China | Integration Testing | TBC | TBC | TBC¹ | TBC¹ | TBC¹ | TBC¹ |
| China | Training | TBC | TBC | N/A | N/A | N/A | N/A |
| China | UAT | TBC | TBC | N/A | N/A | N/A | N/A |
| China | Parallel Testing | TBC | TBC | N/A | N/A | N/A | N/A |
| China | Production | TBC | TBC | TBC | TBC | TBC | TBC |

¹ System shared across all non-Production systems.
Landscape Provisioning
The following diagrams illustrate the RISE landscapes provisioned for the different project phases. Post go-live, the INT (Integration Testing) and PAR (Parallel Testing) landscapes will be decommissioned and a five-tier landscape will be maintained.
Europe
High Availability and Disaster Recovery
The table below summarises the availability, RPO and RTO commitments for production and non-production systems.

| Landscape | Availability SLA | RPO | RTO |
|---|---|---|---|
| Production | 99.9% | 0 (synchronous replication) | Contractually guaranteed: 12 hours; achievable in practice: ~10 minutes |
| Non-Production | 98% | N/A | N/A |
S/4HANA
In SAP RISE, High Availability (HA) and Disaster Recovery (DR) are applicable to Production instances only. For the SyWay project, S/4HANA Production is provisioned with the following RISE add-ons:
- Short distance disaster recovery
- 99.9% SLA
With these add-ons, S/4HANA Production is deployed across two availability zones (AZs) with synchronous database replication and automated failover via Pacemaker clusters, as shown below.
The table below describes how HA is achieved for the different components.
| Component | HA Design |
|---|---|
| Web Dispatcher | Deployed in both AZs in an active-active configuration; an Azure load balancer distributes incoming HTTPS traffic across both instances. |
| S/4HANA application servers | Two application servers are deployed in each AZ in an active-active configuration. |
| S/4HANA message server (SCS & ERS) | A Pacemaker cluster is configured between the SCS and ERS servers so that the SCS and ERS services fail over in the event of a failure. |
| SAPMNT shared folder | Azure NetApp Files hosts the SAPMNT share, which is mounted on all S/4HANA application, SCS and ERS servers. |
| HANA DB | Two HANA nodes are deployed across the two AZs in an active-standby configuration. HANA system replication in synchronous mode replicates data from the active to the standby node, and a Pacemaker cluster promotes the standby node to active in the event of a failure. |
SAP Connectors
Two instances of SAP Cloud Connector are deployed across the two AZs and configured as active-standby nodes; in the event of a failure, the standby node takes over as the active node.
Further clarification is required from the SAP RISE team after the system build regarding HA for the following components:
- SAP Data Provisioning Agent - Currently not supported (SAP Note 3275211)
- SAC Agent - Currently not supported (SAP Note 3595999)
- OpenText Connector
Non-RISE
Systems that follow an IaaS or on-premises deployment model and are not hosted in SAP RISE are hosted in Syensqo’s Azure subscription. The following systems are classified as non-RISE:
- SAP WWI Server
- SAP TM Optimizer
- Syniti Replicate
- Syniti Connector
- SWIFT Connector
- Vertex
- NextLabs Policy Server
Network Architecture
Overview
The figure below describes the overall network connectivity for SAP RISE and non-RISE Azure VNets.
The SAP RISE tenant is provisioned in the same Azure region as the Syensqo Azure tenant. To enable connectivity between SAP RISE and the Syensqo network:
- ExpressRoute circuits and an ExpressRoute gateway are provisioned in the SAP RISE tenant.
- The Syensqo regional hub routers and the SAP RISE ExpressRoute circuit are connected via a Megaport Virtual Cross Connect (VXC) managed by Syensqo IT.
The non-RISE VNet is provisioned in the Syensqo Azure tenant. To enable connectivity between SAP RISE and non-RISE systems, VNet peering is configured between the Syensqo Hub VNet, the SAP RISE VNet and the non-RISE VNet as shown above. Azure Firewall in the Syensqo Hub VNet controls the network traffic between the two tenants.
The table below lists the regional hub (Megaport) location and the Azure edge location for the North America, Europe and China regions.
| Region | Megaport Location | Azure Edge location |
|---|---|---|
| Europe | Paris Equinix PA2/3 & Paris Interxion PAR5 | Dublin |
| North America | Ashburn Equinix DC4 & Reston Core Site VA1 | TBC |
| China | TBC | TBC |
IP Allocation
SAP RISE
The 172.16.32.0/19 range has been allocated to SAP RISE globally. The table below lists the allocation for the different regions and subnets; the Range and Usable Hosts columns are derived from the subnet CIDR (usable hosts = addresses minus network and broadcast).

| Region | Region IP Allocation | RISE Subnet | Subnet IP Allocation | Range | Usable Hosts |
|---|---|---|---|---|---|
| Europe | 172.16.32.0/22 | Production | 172.16.34.0/25 | 172.16.34.0 - 172.16.34.127 | 126 |
| Europe | 172.16.32.0/22 | Production (HA components) | 172.16.34.128/25 | 172.16.34.128 - 172.16.34.255 | 126 |
| Europe | 172.16.32.0/22 | ECS Services | 172.16.32.0/24 | 172.16.32.0 - 172.16.32.255 | 254 |
| Europe | 172.16.32.0/22 | Sandbox | 172.16.33.0/27 | 172.16.33.0 - 172.16.33.31 | 30 |
| Europe | 172.16.32.0/22 | Development | 172.16.33.64/27 | 172.16.33.64 - 172.16.33.95 | 30 |
| Europe | 172.16.32.0/22 | Integration Test | 172.16.33.128/27 | 172.16.33.128 - 172.16.33.159 | 30 |
| Europe | 172.16.32.0/22 | QA / UAT | 172.16.33.192/27 | 172.16.33.192 - 172.16.33.223 | 30 |
| Europe | 172.16.32.0/22 | Pre-Production | 172.16.34.0/27 | 172.16.34.0 - 172.16.34.31 | 30 |
| Europe | 172.16.32.0/22 | Training | 172.16.34.64/27 | 172.16.34.64 - 172.16.34.95 | 30 |
| Europe | 172.16.32.0/22 | Unassigned | 172.16.37.128/25 | 172.16.37.128 - 172.16.37.255 | 126 |
| Europe | 172.16.32.0/22 | Unassigned | 172.16.38.0/24 | 172.16.38.0 - 172.16.38.255 | 254 |
| North America | 172.16.36.0/22 | TBC | TBC | 172.16.36.0 - 172.16.39.255 | TBC |
| China | 172.16.40.0/22 | TBC | TBC | 172.16.40.0 - 172.16.43.255 | TBC |
| Unassigned | 172.16.44.0/22 | - | - | 172.16.44.0 - 172.16.47.255 | 1022 |
| Unassigned | 172.16.48.0/20 | - | - | 172.16.48.0 - 172.16.63.255 | 4094 |
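An allocation plan like the one above should be checked mechanically before any subnet is created, because overlapping or misplaced prefixes only surface later as unroutable traffic or ambiguous firewall rules. The following Python script is an added example (not part of the SyWay design document) that transcribes the Europe subnets and the three regional blocks from the table, recomputes each subnet's address range and host count from its CIDR, and reports any subnet that sits outside the block of the region it is listed under or overlaps another subnet. Run over the table as transcribed, it reports the Pre-Production and Training /27s overlapping the Production /25, and the two Unassigned blocks listed under Europe that actually fall inside the North America /22. It also prints the Azure host count alongside the classic one: Azure reserves five addresses in every subnet (network, default gateway, two for Azure DNS, broadcast), so a /27 yields 27 usable hosts rather than the 30 shown in the table.

```python
"""Consistency checks for the SAP RISE IP allocation plan.

Added example; not part of the SyWay design document. The CIDRs below are
transcribed from the IP Allocation table above; nothing else is assumed.
"""
import ipaddress
from itertools import combinations

GLOBAL_RANGE = ipaddress.ip_network("172.16.32.0/19")  # allocated to SAP RISE globally

REGIONS = {
    "Europe": "172.16.32.0/22",
    "North America": "172.16.36.0/22",
    "China": "172.16.40.0/22",
}

# (region the table lists it under, subnet name, CIDR)
SUBNETS = [
    ("Europe", "Production", "172.16.34.0/25"),
    ("Europe", "Production (HA components)", "172.16.34.128/25"),
    ("Europe", "ECS Services", "172.16.32.0/24"),
    ("Europe", "Sandbox", "172.16.33.0/27"),
    ("Europe", "Development", "172.16.33.64/27"),
    ("Europe", "Integration Test", "172.16.33.128/27"),
    ("Europe", "QA / UAT", "172.16.33.192/27"),
    ("Europe", "Pre-Production", "172.16.34.0/27"),
    ("Europe", "Training", "172.16.34.64/27"),
    ("Europe", "Unassigned", "172.16.37.128/25"),
    ("Europe", "Unassigned", "172.16.38.0/24"),
]

AZURE_RESERVED = 5  # network, default gateway, two Azure DNS addresses, broadcast


def describe(cidr):
    """Return (first address, last address, classic usable hosts, Azure usable hosts).

    'classic' is total - 2 (network and broadcast), which is what the table's
    Usable Hosts column shows; an Azure VNet subnet loses three more addresses.
    """
    net = ipaddress.ip_network(cidr)
    return (str(net[0]), str(net[-1]),
            net.num_addresses - 2, net.num_addresses - AZURE_RESERVED)


def check_plan(regions=REGIONS, subnets=SUBNETS, global_range=GLOBAL_RANGE):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    region_nets = {name: ipaddress.ip_network(c) for name, c in regions.items()}

    # 1. Regional blocks must sit inside the global /19 and must not overlap each other.
    for name, net in region_nets.items():
        if not net.subnet_of(global_range):
            findings.append(f"region {name} {net} is outside {global_range}")
    for (a, na), (b, nb) in combinations(region_nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"region blocks {a} {na} and {b} {nb} overlap")

    # 2. Each subnet must sit inside the block of the region it is listed under.
    parsed = []
    for region, name, cidr in subnets:
        net = ipaddress.ip_network(cidr)
        parsed.append((region, name, net))
        owner = region_nets[region]
        if not net.subnet_of(owner):
            actual = [r for r, rn in region_nets.items() if net.subnet_of(rn)]
            where = f"inside {actual[0]}" if actual else "in no regional block"
            findings.append(f"{region}/{name} {net} is outside {owner} ({where})")

    # 3. Subnets must not overlap: two Azure subnets cannot claim the same
    #    addresses, and overlapping entries make NSG/firewall rules ambiguous.
    for (ra, a, na), (rb, b, nb) in combinations(parsed, 2):
        if na.overlaps(nb):
            findings.append(f"{ra}/{a} {na} overlaps {rb}/{b} {nb}")
    return findings


if __name__ == "__main__":
    for region, name, cidr in SUBNETS:
        first, last, classic, azure = describe(cidr)
        print(f"{region:14} {name:28} {cidr:18} {first} - {last}  hosts {classic} (Azure {azure})")
    print()
    for finding in check_plan() or ["plan is consistent"]:
        print(finding)
```

The same checks can be re-run after the North America and China subnets are assigned by extending `SUBNETS`; a regional block that is itself wrong (outside the /19, or colliding with another region) is caught by the first pass.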
DNS Architecture
Domain Name
The following domain names are used for the respective RISE regions.
| RISE Region | SAP RISE Domain | Non-RISE Domain |
|---|---|---|
| Europe | TBC | |
| North America | TBC | |
| China | TBC |
DNS Integration
SAP RISE supports three DNS integration types: DNS zone transfer, conditional DNS forwarding and DNS domain delegation.
Conditional DNS forwarding has been chosen for Syensqo for the following reasons:
- Reduced network traffic and complexity.
- Limited security exposure, because only queries for the specified domains are forwarded to the SAP-side servers.
- Easier to manage in the event Syensqo changes its DNS provider.
- Simple configuration and maintenance.
The table below lists the Syensqo and SAP DNS servers that are integrated.
| Region | Syensqo Primary DNS | SAP RISE DNS |
|---|---|---|
| Europe | Primary: 172.18.164.7 (DNS_EMEA_01); Secondary: 172.18.164.22 (DNS_EMEA_02) | DNS-CSN-A-HA: 172.16.32.14 (vhysqirlcsna-ha.irl.sap.eu.cloud.syensqo.com); DNS-CSN-B-HA: 172.16.32.30 (vhysqirlcsnb-ha.irl.sap.eu.cloud.syensqo.com); DNS-CSN-C-HA: 172.16.32.46 (vhysqirlcsnc-ha.irl.sap.eu.cloud.syensqo.com) |
| North America | Primary: 172.19.113.69 (DNS_US_01); Secondary: 172.19.113.86 (DNS_US_02) | TBC |
| China | Primary: 172.23.193.86 (DNS_APAC_02); Secondary: 172.23.193.70 (DNS_APAC_01) | TBC |
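Conditional forwarding is a policy about which resolver gets to see which names, so the boundary is worth encoding and testing rather than leaving implicit in a console. The following Python script is an added example (not from the SyWay design document, SAP or Syensqo) that takes the Europe forwarder sets from the table above, selects the forwarder list for a query by longest-suffix match on zone name, renders the equivalent BIND `forward only` zone stanzas, and derives the in-addr.arpa zones a RISE /22 would need if reverse lookups are forwarded the same way. The zone name `irl.sap.eu.cloud.syensqo.com` is an assumption inferred from the hostnames in the table; the actual RISE domain is still TBC in the Domain Name section.

```python
"""Conditional DNS forwarding: forwarder selection and BIND stanza generation.

Added example; not part of the SyWay design document. Server addresses are
transcribed from the DNS Integration table; the forward zone name is assumed.
"""
import ipaddress

SYENSQO_EMEA_DNS = ["172.18.164.7", "172.18.164.22"]                 # DNS_EMEA_01/02
SAP_RISE_EMEA_DNS = ["172.16.32.14", "172.16.32.30", "172.16.32.46"]  # DNS-CSN-A/B/C-HA

# ASSUMPTION: zone name inferred from the RISE DNS hostnames in the table above.
FORWARD_ZONES = {
    "irl.sap.eu.cloud.syensqo.com": SAP_RISE_EMEA_DNS,
}


def _labels(name):
    return name.rstrip(".").lower().split(".")


def choose_forwarders(qname, forward_zones=FORWARD_ZONES, default=SYENSQO_EMEA_DNS):
    """Return (matched zone or None, forwarder list) for a query name.

    Matching is on whole labels from the right, longest suffix wins, so a name
    such as 'irl.sap.eu.cloud.syensqo.com.attacker.example' does not match.
    Names outside every forward zone go to the default resolvers, which is what
    keeps internal Syensqo names from ever being sent to the SAP-side servers.
    """
    q = _labels(qname)
    best_zone, best_servers = None, None
    for zone, servers in forward_zones.items():
        z = _labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best_zone is None or len(z) > len(_labels(best_zone)):
                best_zone, best_servers = zone, servers
    if best_zone is None:
        return None, list(default)
    return best_zone, list(best_servers)


def reverse_zones_for(cidr):
    """in-addr.arpa zone names covering a /24-or-larger prefix, one per /24."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > 24:
        raise ValueError("prefix longer than /24 needs RFC 2317 style delegation")
    return [".".join(str(sub.network_address).split(".")[2::-1]) + ".in-addr.arpa"
            for sub in net.subnets(new_prefix=24)]


def bind_forward_stanzas(forward_zones=FORWARD_ZONES):
    """Render BIND named.conf zone stanzas.

    'forward only' means the resolver never falls back to recursing on its own
    for these names when every forwarder is down: the query fails closed instead
    of being sent towards the public DNS tree.
    """
    out = []
    for zone, servers in forward_zones.items():
        fwd = " ".join(f"{s};" for s in servers)
        out.append(f'zone "{zone}" {{\n    type forward;\n    forward only;\n'
                   f'    forwarders {{ {fwd} }};\n}};')
    return "\n".join(out)


if __name__ == "__main__":
    for name in ("vhysqirlcsna-ha.irl.sap.eu.cloud.syensqo.com", "intranet.syensqo.com"):
        print(name, "->", choose_forwarders(name))
    print(bind_forward_stanzas())
    print(reverse_zones_for("172.16.32.0/22"))
```

Whether the RISE servers also answer reverse queries for 172.16.32.0/22 is not stated in the table; if they do, the four zones `reverse_zones_for` returns are the ones to add as further forward zones.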
Network Firewall
An active-active cluster of Palo Alto Networks VM-Series firewalls is deployed alongside the North America and Europe SD-WAN regional hub routers hosted in Megaport. The figure below illustrates the architecture of the Europe regional hub routers and firewall; the same architecture applies to North America.
Network connections to and from SyWay systems (SAP RISE and non-RISE) are controlled by the respective regional firewalls. To allow a network connection, a firewall request must be submitted to the network team.
Internet Traffic
All inbound and outbound internet traffic is filtered by the firewalls hosted in Megaport, except for the integration scenarios described in the Integration section.
Outbound Internet Traffic
Outbound internet traffic from the SAP RISE or non-RISE VNet is routed to the regional hub router and firewall. The firewall filters the traffic before allowing it on to the external application.
If the external application requires the source IP to be whitelisted before accepting the connection, a public IP can be assigned at the firewall (source NAT), so that all SyWay traffic to that application presents a single, stable address.
Inbound Internet Traffic
Inbound traffic from an external application is filtered by the firewall before the regional hub router routes it to the SAP RISE or non-RISE VNet. The external application must provide a static public IP or FQDN to be whitelisted on the Syensqo firewall. The Syensqo firewall also manages the public-to-internal IP translation (destination NAT).
User Access
The following sections describe how SAP RISE and non-RISE systems are accessed by users inside (internal) and outside (external) the Syensqo network. SaaS applications are accessed through users' existing internet access.
These sections cover the network perspective only; they do not cover authentication, for which single sign-on will be configured with the Syensqo identity provider.
Internal Access
End users will access SyWay systems via browser, mobile app or SAPGUI (for S/4HANA) (refer KDD036). The figure below describes the network traffic from user's terminal to SyWay systems.
SAP RISE Web Access:
- Primary mode of access for SAP RISE system is through HTTPS.
- User's HTTPS traffic is routed from Syensqo local site network to SAP RISE through SDWAN and ExpressRoute connection.
- In SAP RISE, Azure load balancer is provisioned to load balance the incoming HTTPS traffic to SAP web dispatchers.
- SAP web dispatchers act as proxies and forward the request to S/4HANA application server.
SAP RISE SAPGUI Access
- SAP administrators and support staff may access S/4HANA using SAPGUI, which uses the SAP DIAG protocol over TCP rather than HTTPS, so it needs its own firewall rules.
- Users' SAPGUI connections are routed from the Syensqo local site network to SAP RISE through the SD-WAN and ExpressRoute connection.
- In SAP RISE, a Pacemaker cluster is configured between the SCS and ERS servers for HA, and an Azure load balancer directs network traffic to the active SCS node.
- The SCS message server redirects the user to one of the available S/4HANA application servers; thereafter, communication is directly between the user's SAPGUI and that application server, so the firewall rules must cover the application servers as well as the load-balanced SCS address.
Non-RISE Access:
- User traffic is routed from the Syensqo local site network to Syensqo's Hub VNet through the SD-WAN, Megaport and ExpressRoute connection.
- In the Hub VNet, traffic is filtered by Azure Firewall before being routed to the non-RISE VNet and the non-RISE application.
SaaS:
- Primary mode of access for SaaS applications is via HTTPS.
- User's HTTPS traffic is routed from Syensqo local site network to Zscaler which acts as a proxy and connects to the SaaS applications.
External Access
No direct external access from the internet is enabled for SyWay systems hosted in RISE. Users with a Syensqo-issued device can access systems hosted in RISE from outside the Syensqo network via Zscaler Private Access (ZPA).
SAP has deployed ZPA App Connectors in the RISE VNet; these establish outbound connections to Syensqo's Zscaler exchange (ZPA service edges), as shown below, so no inbound listener is exposed from RISE to the internet.
Integration
The following sections describe the network design and traffic flow for the integration scenarios below.
SAP Cloud Connector
SAP Cloud Connector is deployed in SAP RISE and acts as a reverse-invoke proxy that establishes the network connection between SAP RISE systems and SAP BTP services (Integration Suite, API Management, SAP Analytics Cloud, etc.) and the Ariba Cloud Integration Gateway (CIG). Because of the reverse-invoke design, the connection is initiated outbound from the Cloud Connector to SAP BTP; once the tunnel has been established, data can be exchanged in both directions between SAP RISE systems and BTP without any inbound port being opened towards RISE. HTTPS or RFC is used between the Cloud Connector and S/4HANA, and HTTPS (TLS) is used between the Cloud Connector and SAP BTP.
To enable outbound internet traffic from SAP RISE, SAP has provisioned a customer gateway server (CGS) running a forward internet proxy.
EIM Data Provisioning Agent
EIM Data Provisioning Agent (DPA) is used to integrate S/4HANA and SAP Datasphere. The network connection to SAP Datasphere is initiated by DPA and CGS is used to facilitate the internet connection to SAP Datasphere.
DPA uses the HTTPS or RFC protocols to communicate with S/4HANA and uses the HTTPS protocol to communicate with SAP Datasphere.
OpenText Connector
OpenText connector facilitates the connection between S/4HANA and the OpenText cloud. The connection is initiated from S/4HANA to the OpenText connector and to OpenText cloud via CGS.
The HTTPS protocol is used for communication between all components.
SAP Router
SAP has configured a VPN connection between the Syensqo SAP RISE tenant and SAP's Management network (used by SAP support). SAP Router is deployed in SAP RISE to manage SAP support's connection to SAP systems.


