Technology Blog Posts by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Network Resilience & Redundancy at RISE with SAP: A personal take

HarshaAchar
Advisor
Advisor
a month ago
0 Kudos
577

You've probably delved into various ECS documents detailing high availability (HA) and disaster recovery (DR) strategies for SAP applications. However, ensuring robust network connectivity between your on-premises setup or any cloud provider and ECS is equally crucial but often overlooked (we can argue on that over a coffee!). Let's explore how to enhance your network's resilience and redundancy, focusing on common connectivity methods I’ve seen and routing strategies especially for a RISE with SAP Private Cloud Edition. 

Who is this for?

For network architects wrangling with ECS on connectivity design and decisions. Background networking knowledge is essential. I won’t discuss more on the connectivity concepts but will detail elements that you can leverage to enhance the resilience & redundancy of your network connectivity to ECS

Considerations with SAP ECS

ECS recommends that customers treat the ECS network, where SAP systems reside, as a logical extension of their own network infrastructure. As a result of this (as of this writing), ECS does not natively offer advanced routing techniques, tunnel monitoring tools, or automated tunnel failover mechanisms. Instead, the responsibility for designing and implementing the desired redundancy and resiliency in connectivity rests with you, the customer. This entails leveraging additional (third-party) tools and appropriately configuring your on-premises/hyperscaler network equipment in collaboration with ECS to achieve the required level of network resilience.

Deciding on VPN Connection? Proceed with Caution

In the rush to get projects off the ground, many organizations establish a basic VPN tunnel to connect their on-premises infrastructure to the SAP RISE environment, often relying on a single tunnel. This "quick fix" approach, while expedient, can introduce several challenges:

  • Latency and Performance Issues: VPNs, operating over the public internet, are susceptible to congestion and unpredictable bandwidth, leading to inconsistent response times.
  • Scalability Concerns: As your organization grows, increasing VPN bandwidth to meet demands can be problematic.
  • High Availability Limitations: Achieving high availability with a single VPN tunnel is inherently challenging.

These issues are particularly pronounced during brownfield migration projects, where reliable and high-performance connectivity is vital for efficient data migration to ECS.

Implementing Redundant VPN Tunnels

To bolster your network's resilience, consider the following strategies:

  • Multiple VPN Tunnels Over a Single ISP: Establishing multiple VPN tunnels between the same endpoints—your site and ECS—over a single ISP link can provide parallel paths for data transmission. While this setup offers some redundancy, it remains vulnerable to ISP-level outages.
  • Multiple VPN Tunnels Over Redundant ISPs: For greater resilience, set up VPN tunnels over multiple ISPs. This approach eliminates reliance on a single ISP, creating a fully redundant network. Each ISP provides independent paths for VPN connectivity, enhancing fault tolerance.

Untitled.jpg Example scenario with redundant VPN tunnel

Optimizing Routing for Resilience

Effective routing is key to maximizing the benefits of your redundant VPN setup: For routing, using protocols like BGP dynamically adjusts routing tables based on network conditions, ensuring efficient use of available tunnels. For policy-based routing, add static route and weight the backup route. Honestly, though, you'll save yourself a world of headaches by leaning into dynamic routing with BGP

If you’re choosing to have active-active VPN tunnel, then each of those routes can be assigned different costs or priority, and the edge device will handle the traffic. It can be round-robin, load balancing or simple failover although the suggested one is simple failover.

Note traffic sent through one tunnel might return via another, leading to asymmetric routing. This can cause problems, especially with stateful firewalls that expect return traffic on the same interface.

By using route preference techniques such as AS path prepending can influence the preferred path for incoming traffic. For instance, using AS path prepending to make one tunnel less preferred, guiding traffic through the desired path. Also, ECMP (Equal-Cost Multi-Path) allows for load balancing across multiple paths of equal cost, distributing traffic evenly and reducing the risk of asymmetry.

Continuously monitoring the performance of each VPN tunnel and adjusting routing preferences based on metrics like latency, jitter, and packet loss might be required. This proactive approach ensures that traffic uses the most efficient and stable paths.

And you don't have to go it alone! There are some excellent tools out there to help you out. You can use any tools like Palo Alto Networks – Tunnel Monitoring where Palo Alto firewalls offer built-in tunnel monitoring features like ICMP probing, Dead Peer Detection (DPD) and also Automatic failover. Similarly, ManageEngine OpManager provides Real-Time Monitoring with alerts and notifications. Also, SolarWinds Network Performance Monitor (NPM) provides Site-to-Site VPN Monitoring.

Other hyperscaler connectivity

When it comes to hyperscaler connectivity, that's a whole different ballgame! Think of it less about ECS and more about the specific cloud provider's playbook. For the nitty-gritty details, your best bet is to dive into hyperscaler documentation and get that done by ECS.

AWS Direct Connect

Refer to this to know more on AWS Direct Connect Resiliency. Decide on the architecture and ask ECS to configure the resiliency model when they order the Direct Connect Connection. Depending on if you’re working with AWS Direct Connect Partner, you might want to involve them as well in the discussions.

Azure Express Route

For Express Route redundancy, refer Express Route Private Peering. With the decided architecture you might want to work with ECS to ensure advertised routes over ExpressRoute circuit is visible on ECS side. For weighted path, you’ll have to work with ECS to get it configured, and for AS path prepending, on the less preferred tunnel, configure a route-map to prepend your AS number multiple times.

Further Tips

  • Firewall Configuration: Ensure that your firewalls are configured to allow traffic from multiple interfaces (ports & protocols)
  • NAT Traversal: Be cautious with NAT configurations, as they can complicate routing and lead to asymmetry. ECS might push you back if you’ve NAT configurations.
  • Resiliency Testing: Regularly test failover scenarios to ensure that redundant paths function correctly without introducing asymmetry. Talk to your ECS representatives to plan this
  • Documentation: Maintain thorough documentation of your network configuration and work with ECS representative to track and review modifications that could affect routing.

 

 

Got other connectivity curiosities you'd like me to poke into for SAP ECS? Drop a comment below—I'm always happy to write another blog post about it! If this post sparked more questions than answers (or just got your tech gears grinding), don't hesitate to reach out! I'm happy to chat more about ECS and dive deeper into any technical topics you have in mind