SAP S4 Rise / Private Cloud
This information is based on SAP's current best practices for connectivity:
The following three options are recommended for connectivity to S/4HANA Cloud, Private Edition / S/4 Rise.
- VPN (IPSEC)
- VPC or VNET Peering
- Internet Based Firewall Access (Content Server and WebSockets Only)
The connectivity architectures for AWS, Azure and Google Cloud are analogous, with minor variances in implementation.
In this scenario, a Virtual Private Network (VPN) Gateway client is deployed in the docuflow middleware Tenant and is configured to connect to the SAP RISE Tenant VPN Gateway. Traffic for the SAP communications is routed through this secured connection.
Azure and AWS offer Highly Available connections as an option.
Virtual Network Peering is a mechanism that connects two virtual networks between Tenants in a Virtual Private Cloud (VPC).
Microsoft calls their implementation VNET and AWS/Google use the term VPC Peering.
In all cases, Peering provides a virtual, internal, low latency, high bandwidth network connection between Tenants in the same VPC provider.
In this scenario, a Web Application Firewall (WAF) is configured to allow specific traffic into the SAP RISE Tenant.
AWS, Google and Azure all offer WAF as a service within the tenant.
NOTE: Only HTTPS is supported. This includes all Content Server connections, and ECM Server connections when WebSockets are enabled (WebSockets require S/4HANA 1909 or later).
*https://community.sap.com/t5/technology-blogs-by-sap/websocket-rfc-rfc-for-the-internet/ba-p/13502531