../
Interconnecting SAP, On-Premises and AWS
This post is handwritten, no LLM's were used to write and mock this up.
Lately, I have been working on projects that involve connecting on-premises data centers with SAP RISE/ECS.
Although there are multiple approaches to achieving this, if your business case allows it, introducing a third player into the equation
(Using an AWS account as a router mimicking a hub-and-spoke model [1]) can provide the following benefits:
However, it can also introduce challenges, such as:
Keep in mind that this topology has been discussed by AWS previously [2].
Having said this, let me deepen into the stated points above.
[+] Govern the network communication, making it easier to solve network problems.
Having control of the network gives you more flexibility when diagnosing errors. Once the communication between your
on-premises infrastructure and AWS is established and proven functional, you can focus on troubleshooting the other parts.
By narrowing down the issue in this way, you simplify the resolution process.
[+] Seamlessly introduce new cloud services (e.g., RDS, Lambda, etc.) empowering your business outcomes.
Introducing new cloud services into your on-premises workspace becomes easier when you already have part of your business operating in the cloud.
This setup allows you to reduce costs associated with legacy servers and take advantage of a pay-as-you-go model, which may be more cost-effective for your organization.
From my personal experience, I have observed clients implement Amazon S3 and significantly reduce costs for data that required a considerable retention period.
While the specifics can vary from business to business, all organizations can benefit from moving some of their workloads into the cloud, ultimately leading to improved outcomes.
[+] Easily route or introduce other third-party services without disruption.
Similiar to the point above, if you have more than one data center (e.g. country-based data centers),
this topology model makes it easier to include any new components. Enabling you a much more faster time-to-market.
[-] Adding a new component to the network architecture requires skilled personnel to maintain, update, and manage it effectively.
That is the main purpose of this tech post, building this topology effectively and updating it as changes come,
requires you to have skilled personnel. This can be your starting point or can help you decide if you want to go
with this approach.
Feel free to email me: [g5o] at [lockedinspace] dot [com]
if you have more technical questions. Will answer as soon as possible.
Having said this, let's begin the technical approach to make this work
Putting things in place
Having a diagram helps understanding where each piece goes, for this topology we will have three actors.
Each square in the diagram represents one component in the topology.
For on-premises, the range depicted (192.168.1.0/24) refers to the data center CIDR block.
AWS services are contained in a Virtual Private Cloud (VPC [3]), and the range 10.1.0.0/16 refers to our account VPC.
For SAP's side, we will provide the range through a formulary, the provided range must not collide with our VPC's range.
SAP has various methods of establishing the connection, for this tech post, we will stick with the Transit Gateway [4] method.
Using AWS VPN Site-to-Site [5] will enable us to establish a connection between our data-center and AWS.
The resulting diagram would be:
Let's separate the diagram in two parts, so we can explain in more details each section.
On-Premises to AWS (and vice-versa)
This part involves in allowing your On-Premises data center to communicate with your AWS account. In the example depicted above, this is done through
a VPN Site-to-Site [6] tunnel.
Before establishing the connection, keep in mind the following prerequisites:
Ensure that your On-Premises network and your AWS VPC CIDR blocks do not overlap.
Ensure your router or firewall supports IPSec VPN. That's cause AWS uses that tunneling protocols for the VPN Site-to-Site service.
Once the prerequisites are met, you will need to create a Transit Gateway (TGW) [7] in your AWS Account and attach it to your VPC.
Next, define a Customer Gateway (CGW) [8] in AWS representing your on-premises endpoint.
VPN Connection: Once the TGW and CGW are configured, establish a VPN connection between them. You can choose static or dynamic (BGP) routing.
A high level overview of how a connection between your On-Premises and AWS looks like:
Keep in mind that in this example we are creating a VPN tunnel, which essentially travels the public internet through an encrypted connection. If your busienss case does not allow this you can use a Direct Connection.
Also note that we are using a TGW (Transit Gateway) instead of a VGW (Virtual Private Gateway) on the AWS side, going for this approach makes the infrastructure much scalable, enabling you to easely connect multiple accounts VPCs into the equation.
Once everthing is set up, you can test the reachability with a simple test. Issue an ICMP request from one of your On-Premises servers and ping an EC2 instance in AWS.
If the Security Group in AWS allows inbound connections from the 192.168.1.0/24 CIDR range (same for On-Premises firewall), servers from both ends will see each other.
AWS to SAP RISE / ECS (and vice-versa)
As for 2024, you will need to share with SAP some details through an excel file.
SAP will demand the following AWS information:
Customer VPC ID: Your AWS account VPC ID (e.g. vpc-049219323832386)
Customer Customer Transit Gateway ID: Your TGW ID (e.g. tgw-0622323832386ca2)
Customer AWS Account ID: The account ID where your VPC and TGW are hosted (e.g. 1158239581382659)
Customer Network IP ranges: Your AWS VPC CIDR Range (e.g. 10.1.0.0/16)
They will also demand some information for your VPN setup:
Customer VPN Gateway Details: The software used in your On-Premises (e.g. Sophos XG UTM (IPsec)
Customer VPN Gateway Inter for facing public IP Address: Your public On-Premises IP address (e.g. 195.125.24.13/32)
Type of Routing: Can be static or dynamic (e.g. static)
BGP ASN for Dynamic Routing: Blank in this case cause we are using static routing
ASN for the AWS side of the BGP: The default ASN (e.g. 64512)
Customer On-Premises Network IP ranges: Your On-Premises IP range (e.g. 192.168.1.0/24)
Some important notes:
You will need to provide to SAP a non-overlapping /22 or higher CIDR range reserved exclusively for them. (e.g. 10.15.0.0/22), this /22 range will be used for SAP in order to build their SAP infrastructure services. Visit https://cidrclash.com to check if both CIDR ranges collide.
Feel free to ask SAP IT team if any concerns arise during the formulary setup, issues are quite common, but they will gladly support you if any mishap occurs.
Next steps once provided details are valid
You will need to share your TGW using Resource Access Manager (RAM) [9] to the provided SAP HEC AWS account.
Once SAP accepts your share request, they will modify the TGW route table to propagate their infra CIDR (10.15.0.0/22 ) with yours (On-Premises and AWS, 192.168.1.0/24 and 10.1.0.0/16 CIDR's).
After they verify everything, you will allow SAP's CIDR range (10.15.0.0/22) into your firewalls (SG, and Sophos router).
With that, you should be able to query SAP nameservers from both your On-Premises and AWS servers.
Conclusion
Analyze if your business can take advantage of the cloud, if that's the case, you can kill two birds with one stone.
Gaining the governance of the network communications and take foot into the cloud and progessively migrate your workloads there.
This will enable your organization to leverage on plenty AWS services such as Lambda for your day-to-day operations and boost your On-Premises workforce.
As always, if you feel stuck or need some guidance on how to tackle this scenario (or similar), feel free to e-mail me with your concerns.
References
-
[1] Visible Network Labs. What is a Hub and Spoke Network?, June 5, 2023.
https://visiblenetworklabs.com/2023/06/05/what-is-a-hub-and-spoke-network/
-
[2] AWS Connectivity with SAP RISE, Amazon Web Services 2025.
https://docs.aws.amazon.com/sap/latest/general/connectivity-rise.html
-
[3] AWS VPC, Amazon Web Services 2025.
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
-
[4] AWS Transit Gateway (TGW), Amazon Web Services 2025.
https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
-
[5] AWS VPN Site-to-Site (AWS VPN S2S), Amazon Web Services 2025.
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
-
[6] What is AWS Site-to-Site VPN?, Amazon Web Services 2025.
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
-
[7] What is Amazon VPC Transit Gateways?, Amazon Web Services 2025.
https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
-
[8] Customer Gateway, Amazon Web Services 2025.
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#CustomerGateway
-
[9] What is AWS Resource Access Manager?, Amazon Web Services 2025.
https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
date: 2024-10-05
author: "[g5o] at [lockedinspace] dot [com] "