SAP HANA Migration: Turning your WAN Inside OutJune 27, 2016
For decades, SAP ERP is at the core of numerous enterprises across multiple verticals. SAP software runs manufacturing, logistics, sales, supply chain and other critical functions, which means availability, performance and scalability are all essential. Yet, maintaining business-critical application infrastructure is not a simple task. To address the challenge of reducing the integration and maintenance efforts of enterprise SAP instances, SAP created the pre-packaged SAP HANA. Instead of deploying the full SAP stack (software, application servers, databases) using on-premise, customer-owned, hardware, it is now possible to access a pre-packaged SAP instance in the SAP HANA Enterprise Cloud (HEC).
While the benefits of HEC are obvious, migrating SAP from the data center into a Cloud-based hosted instance isn’t trivial. Take for instance a global enterprise that runs SAP in a major datacenter in Spain (Figure 1). It is backhauling traffic to that data center from manufacturing and distribution facilities throughout the world. A decision has been made to move from the on-premise SAP instance to a HEC instance, which is hosted in Germany, a totally different geography.
HEC has two primary connectivity options. Using dual IPSEC tunnels into a private IP or placing the instance on the public Internet. In this case, the enterprise wanted to avoid exposing the instance to the Internet, so a firewall had to be used to establish the connectivity to HEC.
The WAN design must now address two key challenges. First, integrate the HEC instance into the corporate WAN using the IPSEC tunnels. Second, Create optimal, low-latency routing from every location to HEC.
What is the best way to connect HEC to the WAN?
Backhaul all sites, connect only data center firewalls to HEC
To keep it simple, legacy backhauling to the datacenter is kept, but another leg is added from the datacenter to HEC, adding latency. Depending on the distance and Internet routing, congestion and jitter between the datacenter and HEC, the user experience could be impacted.
A full site-to-site mesh using firewalls
Ideally, traffic from each site will go directly to HEC instead of the datacenter. However, firewall-based site-to-site mesh is no longer available as there are only 2 IPSEC tunnels to connect to. An intermediate firewall has to be deployed in Germany, and connect to HEC. However, the enterprise has no datacenter or footprint in Germany, and the new firewall is a mission critical element for the enterprise, as it will become the global chokepoint for accessing HEC.
A redundant, full site-to-site mesh using a Cloud Network
In this scenario, all sites and HEC connect to a Cloud-based network using IPSEC tunnels, and a full mesh is achieved in the Cloud. Backhaul and single chokepoint are eliminated as the Cloud network provides built in resiliency and optimal, low latency routing and secure connectivity between all sites and HEC. In addition, mobile users can connect to the Cloud Network from anywhere and directly access HEC without the added latency of going through the datacenter firewalls.
If you are a SAP customer and are considering migrating your business to SAP HANA Enterprise Cloud, drop us a note. We’d love to tell you more about Cato Networks and our solutions.