SAP forms the critical backbone of thousands of enterprises, supporting critical business functions such as finance, supply chain, warehouse management, and more. Google Cloud provides a highly scalable and resilient infrastructure to run such workloads and offers tools, such as Smart Analytics and Machine Learning that can accelerate your organization’s digital transformation.
In fact, a recent study by Forrester found that running SAP on Google Cloud can generate a 160% return on investment and a payback period of six months or less, thanks to legacy infrastructure cost savings, downtime avoidance, and productivity improvements.
How you deploy your SAP systems across your network has a tremendous impact on its availability, resilience, and performance. In addition to separate production and high-availability (HA) environments, SAP deployments typically include sandbox, development, quality assurance (QA), and disaster recovery environments as well.
Because most of the Google network is virtual, SAP administrators can easily design complex landscapes that suit your organization’s SAP deployment and organizational structure while also meeting security and operational requirements.
As you get started with SAP on Google Cloud, you’ll need to decide how to configure your networking to ensure the availability and performance of various SAP systems. Here’s a look at your options.
VPC and shared VPC
A virtual private cloud (VPC) is a secure, isolated private network hosted within Google Cloud. VPCs are global in Google Cloud, so a single VPC can span multiple regions without communicating across the public internet. Similarly, subnets can span across zones within a region. A zone represents a single failure domain, so typical SAP deployments place production and HA systems in different zones to ensure resiliency. Google Cloud simplifies this type of deployment, because subnets containing both production and HA systems can span multiple zones.
This capability also simplifies SAP clustering, since the cluster’s virtual IP (VIP) address can be in the same range as those of the production and HA machines. This configuration shields the floating IP using Google internal load balancers and is applicable to HA clustering of the application layer (ASCS and ERS) and the HANA database layer (HANA Primary and Secondary).
Shared VPCs are a feature unique to Google Cloud that allows an organization to connect resources from multiple projects to a common VPC network. This lets them communicate with each other securely and efficiently using internal IPs. You can also centrally control the network for all SAP projects (service) from the Host project while using firewalls to inspect communication between compute engines in the same subnet, and between those in different subnets. (Best practice is to limit the communication between these systems to only the required ports — typically via SAP remote function call (RFC) communication at Layer 4.)
When designing your network, start with a host project containing one or more Shared VPC networks. You can attach additional service projects to a host project, which allows them to participate in the Shared VPC. It’s common practice to have multiple service projects operated and administered by various departments or teams in your organization.
Depending on your needs, you can deploy SAP on a single Shared VPC or multiple ones. The two scenarios differ in terms of network control, SAP environment isolation, and network inspection. Let’s look more closely at these differences.
Scenario 1: Deploying SAP on a single Shared VPC
If you require only a single network inspection, deploying SAP on a single Shared VPC has the advantage of simplicity and reduces administrative overhead.
Network control:The Shared VPC serves as the network hub, allowing central network management based on identity access management (IAM) roles for the network team(s) in both production and non-production environments.SAP environment isolation:You can create projects and subnets for each SAP environment. Projects help group resources together for finer IAM control and billing visibility, while subnets provide network isolation for individual SAP environments. In service projects, compute engines can communicate by default; however, you can adopt simple firewall rules to block communication between compute engines within a subnet or in separate subnets.Network inspection:Use Google Cloud firewalls to allow only the required ports for communication between SAP systems. Leverage network tags and service accounts to define granular control for both north-south and east-west traffic.
Scenario 2: Multiple Shared VPCs for SAP deployment
In scenarios requiring additional network inspections, you can create multiple Shared VPCs, typically one per environment. Use peering between these Shared VPCs to enable RFC communication among the SAP development, QA, and production systems.
Network isolation: Multiple Shared VPCs are completely isolated from each other except via specific ports opened in Google Cloud firewalls. This allows additional East-West traffic inspection by a Network Virtual Appliance (NVA) within a Google Cloud network. Network control:As the number of Shared VPCs increases, activities such as peering and firewall policies also increase. This diminishes the central network control that Shared VPCs offer, so the network team should plan to manage the policies in each VPC separately.
Hybrid scenarios – for example, one Shared VPC for the production environment and one Shared VPC for all non-production systems — are also possible. This arrangement allows network inspection between production and non-production systems, and limits the number of central network administration layers to two.
Configuring the networking environment for multiple SAP systems can be a complex process. Thanks to Google Cloud’s Shared Virtual Clouds and other tools, SAP administrators can create scalable, secure networks that provide logic, resilience, and visibility to their cloud deployments.
Cloud BlogRead More