SAP and Amazon Web Services (AWS) offer different SAP business applications from the AWS cloud.
One of the tenets of the cloud is the accessibility over internet. However, for business-critical applications such as SAP, many organizations do not allow internet connectivity for several reasons, such as security, latency, etc. This section discusses some other ways you can connect to AWS from your data center or office.
AWS Direct Connect
AWS Direct Connect is a network service using IEEE 802.1Q virtual local area networking (VLAN) that provides private, low-latency, and high-speed connections to AWS cloud. At the time of writing, AWS Direct Connect traffic is not encrypted out of the box; however, encryption can be implemented by your organization. You can either have a dedicated connection or use delivery partners through a hosted connection. Dedicated connections support up to 100 Gbps while hosted connection goes up to 10 Gbps.
The top of the figure below shows what a connection from an on-premise data center or office location would look like using AWS Direct Connect. Since global companies have multiple locations, the SiteLink feature of AWS Direct Connect lets you create a private network connection on an AWS backbone among the locations.
AWS Direct Connect and SAP Landscapes: In our experience, the majority of organizations moving their SAP landscapes to AWS use AWS Direct Connect for latency, throughput, and security reasons.
Virtual Private Networks
A virtual private network (VPN) uses Internet Protocol security (IPsec) to create a secure connection to AWS over the internet; all data over VPN is encrypted. As far as connectivity to AWS, you can use following VPN options:
- AWS Site-to-Site VPN: This option offers VPN tunnel between AWS and the customer gateway used to connect to an office location for AWS. It has built-in redundancy with two tunnels and supports throughputs of up to 1.25 Gbps.
- AWS Client VPN: This option connects an end user to AWS using an OpenVPN client and supports up to 10 Mbps bandwidth.
- AWS VPN CloudHub: If you have more than one site-to-site connection, say, at multiple office locations, this option lets your office locations communicate with AWS cloud as well as with each other.
- Third-party VPN appliance: This option involves bringing your own software model, where the software is installed on an AWS server similar to any other third parties and is not provided or maintained by AWS.
AWS Transit Gateway
From our AWS Direct Connect and VPN discussions earlier in this chapter, we hope you noticed a pattern for scaling: If you’re still not convinced that scaling has met your organization’s needs, we’re at the connectivity option that you might be looking for. AWS Transit Gateway acts as a central hub for connectivity between your on-premise network and AWS cloud (specifically Amazon VPC). Think of AWS Transit Gateway as a scalable cloud router that connects your VPNs and AWS Direct Connect instances to Amazon VPC instances, as shown in the next figure, instead of establishing complex connections (such as peering) among Amazon VPC instances.
AWS Transit Gateway is a regional service that operates at layer 3 (network) of the open systems interconnection (OSI) model, and you can create more than one in a region as well. As your organization’s AWS footprint increases, you can peer inter-region transit gateways to use the AWS network backbone.
Editor’s note: This post has been adapted from a section of the book SAP on AWS: Architecture, Migration, and Operation by Ravi Kashyap, Rajendra Narikimelli, and Rozal Singh.
Comments