Networking for Rise with SAP..What Basis Consultants Should Know!!

With the introduction of Rise with SAP, the ERP landscape has undergone a significant transformation, marked by extensive cloud migration strategies and digital transformation endeavors, and with ERP 6.0 EHPx end of mainstream support in 2027 nearing by the day, enterprises have fast-forwarded their vision of moving to Rise with SAP. During this phase of a boom in transition and transformation to Rise with SAP, Basis consultants play a pivotal role as their responsibilities encompass a spectrum of tasks, ranging from technical assessments of source applications and infrastructure as Partner Cloud Architects to executing the conversion/migration process to Rise. Additionally, they play a crucial role in orchestrating seamless connectivity between on-premises environments and SAP S/4HANA hosted in a Rise with SAP framework, collaborating with SAP ECS and on-premises networking/infrastructure teams.

Among above mentioned essential tasks, "collaborating with SAP ECS and on-premises networking/infrastructure teams" might seem mundane at first glance. However, in reality, it demands a good understanding of networking concepts for Basis consultants to navigate the intricacies of hybrid environments effectively. This involves optimizing user experience, bolstering security through testing and recommending SAP networking standards, and ultimately driving business success.

In this article, we will try to explore the critical intersection of networking and SAP Basis, with a specific focus on establishing connectivity for end users and on-premises applications to Rise with SAP. This aspect stands as one of the most crucial elements for deeming the transition to Rise with SAP successful. Furthermore, the significance of networking knowledge for Basis consultants, exploring key networking concepts and technologies relevant to Rise with SAP will also be explained.

Knowing Networking for Rise with SAP:

We know that at its core, SAP Basis serves as the technical foundation that enables SAP applications to function smoothly, encompassing installation/migration/upgrade, configuration, and maintenance tasks. With Rise with SAP offering a cloud migration and digital transformation opportunity for clients, a seamless connectivity experience post-migration becomes extremely crucial and hence the networking knowledge for Basis consultants becomes paramount to address areas like:

1. Infrastructure Connectivity and Hybrid Environments:

Rise with SAP often entails a hybrid environment, where certain SAP systems and applications are maintained on-premises while SAP S/4HANA is migrated to the cloud. In such scenarios, Basis consultants play a pivotal role in coordinating with SAP ECS and on-premises network teams to facilitate seamless communication between on-premises and cloud environments. This involves providing inputs for establishing secure and reliable connectivity channels, optimizing network performance, and ensuring compatibility between different network architectures. We will further explore secured connectivity options between on-premises and Rise with SAP later in this article.

2. Performance Optimization:

Efficient networking is essential for optimizing the performance of SAP applications, ensuring responsiveness, scalability, and reliability. Basis consultants need to understand key networking concepts such as latency, bandwidth, Quality of Service (QoS), and routing protocols relevant to SAP that would enable designing the network architectures that meet network performance objectives for SAP S/4HANA running on Rise with SAP. By following SAP recommended best practices in network design and configuration, Basis consultants can help enhance the overall user experience and enable organizations to derive maximum value from their SAP investments. For more insights on network performance analysis for SAP, refer: https://community.sap.com/t5/technology-blogs-by-sap/network-performance-analysis-for-sap-netweaver-abap/ba-p/13548557

3. Security Implementation and Compliance:

Protecting sensitive business data within SAP systems is of paramount importance, especially in the context of cloud environments. Basis consultants with networking knowledge are well-positioned to support the implementation of robust security measures, including firewalls, intrusion detection/prevention systems (IDS/IPS), encryption protocols, and access controls by coordinating and collaborating with network security teams for on-premises firewalls as well as with SAP ECS teams to ensure secured access to Rise with SAP is established. For more insights on securing Rise with SAP, refer: https://community.sap.com/t5/technology-blogs-by-sap/securing-rise-with-sap/ba-p/13519419

4. Troubleshooting and Diagnostics:

Inevitably, issues and challenges arise within SAP environments, ranging from network connectivity issues to performance bottlenecks. Basis consultants proficient in networking concepts and tools are equipped to diagnose and resolve such issues effectively. By leveraging network monitoring, troubleshooting, and diagnostic tools, Basis consultants can identify root causes, implement corrective actions or coordinate with networking teams, and minimize downtime, thereby ensuring business continuity and customer satisfaction.

Secured Connectivity to Rise with SAP, What are the Options?:

In the context of Rise with SAP, several networking methods and technologies are supported by SAP to establish and manage secured access and connectivity from an on-premises environment. Let's explore these methods in detail:

1. Virtual Private Network (VPN):

VPNs act as the quickest option and play a crucial role in securely connecting on-premises networks with cloud environments, enabling encrypted communication over public networks such as the Internet. Rise with SAP supports various VPN configurations, including:

• BGP (Border Gateway Protocol): BGP is a dynamic routing protocol commonly used in medium to large-scale networks to facilitate efficient routing of traffic between autonomous systems. Basis consultants with at least a basic understanding of how BGP/dynamic routing works, can support the networking team in testing and validating the BGP-based dynamic VPN connections that automate route advertisement between on-premises and cloud networks.
• Static Routing: Static routing involves manually configuring static routes between network devices, specifying the next-hop IP address for each destination network. While less flexible than dynamic routing protocols like BGP, static routing can be suitable for smaller networks with simpler topologies. Know-how of VPN technology can be of great advantage especially when a Basis consulting is performing technical assessment as a Partner Cloud Architect.

Tunneling Limitations and Allowances:

Rise with SAP typically allows for a certain number of VPN tunnels between on-premises and cloud environments, each serving as a secure conduit for data transmission. Basis consultants when playing the role of Partner Cloud Architect need to assess the organization's workload, connectivity requirements, and compliance constraints to determine the optimal number of tunnels required. Additionally, Basis consultants/Partner Cloud Architects must consider the following tunneling limitations and allowances, when designing architecture for Rise with SAP:

• Bandwidth Limitation: One important consideration with IPsec tunnels is the maximum available bandwidth for chosen hyperscaler which is capped at 1.25 Gbps for AWS and Azure, and 3 Gbps for GCP but for standard Rise with SAP package offered bandwidth is 650 Mbps with some free egress traffic allowance.
• Maximum Tunnel Allowance: Rise with SAP imposes limits on the number of VPN tunnels that can be established between on-premises networks and cloud environments. As a standard package up to 10 non-redundant VPN tunnels and 5 redundant VPN tunnels are offered, but more tunnels can be provisioned on request for an additional fee.? Basis consultants/ Partner Cloud Architects must be considerate of these allowances while designing network architectures and planning connectivity deployments.

One very important point to note, SAP only supports site-to-site VPN connections for Rise with SAP. Point-to-site connections are not supported. Hence VPN client-based SSL connections have to travel via a connected on-premises site to Rise with SAP.

2. High Bandwidth Dedicated Connectivity Options:

When establishing connectivity between on-premises networks and cloud environments, considerations must be made regarding bandwidth requirements, network latency, and throughput capabilities. VPN connections although quick to set up, have inherent bandwidth limitations and also latency issues as the secured IPSEC channel utilizes the internet for data transmission. To overcome connectivity performance and reliability issues, Rise with SAP supports the dedicated high-bandwidth connectivity options offered by the chosen hyperscaler, each with its maximum bandwidth allowance and performance characteristics:

• AWS Direct Connect
• Azure ExpressRoute
• Google Cloud Interconnect

All of the above services offer dedicated, high-speed connectivity between on-premises data centers and cloud service providers, bypassing the public Internet and offering predictable latency and throughput. Though the hyperscalers provide multiple bandwidth options for these dedicated connections e.g. AWS Direct Connect offers bandwidth from 50 Mbps to 100 Gbps, while Microsoft Azure ExpressRout offers a bandwidth from 50 Mbps to 10 Gbps. However, SAP has limited the port bandwidth capacity to 200 Mbps under the standard package, an additional bandwidth capacity upgrade option is available. Hence, the Basis consultants along with the network team must assess the organization's data transfer requirements and select the appropriate dedicated connection bandwidth tier to meet performance objectives.

3. Connecting to Rise with SAP Over the Internet:

In today's dynamic yet connected business landscape, not all users have access to dedicated connectivity or site-to-site VPNs when interfacing with SAP ERP systems, especially those who frequently work remotely. However, as SAP doesn't inherently support point-to-site VPN connectivity to Rise with SAP, an alternative solution is necessary to enable secure remote access to SAP applications hosted on this platform.

Addressing these concerns, remote users can securely connect to Rise with SAP applications over the internet via an application load balancer exposed to the web and fortified by a Web Application Firewall (WAF). This configuration ensures that all incoming traffic traverses a protected pathway, effectively mitigating potential security threats and unauthorized access attempts. The application load balancer efficiently directs incoming requests to the SAP Web Dispatcher, acting as a reverse proxy, orchestrating communication between external clients, facilitated by the load balancer, and the SAP S/4HANA system hosted on Rise with SAP. Leveraging the SAP Fiori-based interface, this setup offers users a seamless and responsive experience when interacting with SAP applications remotely, enhancing productivity and usability

4. Extending Connectivity via VPC Peering (An additional option):

When clients and enterprises encounter limitations due to the exhaustion of the default or maximum assigned quotas for network services from SAP, like VPN and dedicated connections (Direct Connect, ExpressRoute or Cloud Interconnect), Rise with SAP offers an additional option of VPC peering that can augment network connectivity. VPC peering facilitates the seamless connection of virtual private clouds (VPCs) or Virtual Networks (VNets), enabling communication between resources hosted within or end users connecting from distinct VPCs/VNets. By establishing peering connections, organizations leveraging Rise with SAP can overcome constraints on network capacity and scale their infrastructure dynamically to meet evolving demands.

For more detailed insights on various secured connectivity options to Rise with SAP, I strongly recommend to refer: https://community.sap.com/t5/technology-blogs-by-sap/rise-with-sap-s-4hana-cloud-private-edition-secure-cloud-connectivity/ba-p/13558064

Conclusion:

In conclusion, when embarking on a project for Rise with SAP, networking knowledge and expertise can emerge as a crucial differentiator for Basis consultants. By complementing their SAP technical skills with a solid understanding of networking principles and protocols, Basis consultants gain a unique advantage in navigating the intricacies of hybrid environments and facilitating smooth transitions to and beyond Rise with SAP. As Rise with SAP reshapes the ERP landscape, the fusion of SAP Basis expertise and networking proficiency becomes a potent catalyst for the success of Basis consultants, positioning them as enterprise cloud architects driving excellence and growth in their careers.