---
lastupdated: "2024-01-12"
subcollection: pattern-sap-on-powervs
version: 1.0
content-type: reference-architecture
---
{{site.data.keyword.attribute-definition-list}}
{: #sap-on-powervs}
{: toc-content-type="reference-architecture"}
{: toc-version="1.0"}
The primary region supports production workloads on Power Virtual Server. The secondary region supports nonproduction workloads and, if the customer has DR requirements, disaster recovery workloads. The components deployed to the Edge VPC provide the security functions and resource isolation for the IBM Cloud workloads.
Figure 1 illustrates a high level architecture for a single-zone, multi-region deployment on IBM Cloud Power Virtual Server.
{: #architecture-diagram}
{: caption="Figure 1. SAP Single-zone, multi-region deployment on IBM Cloud PowerVS" caption-side="bottom"}
- Client network connectivity is provided through Direct Link, with VPN access for MSPs.
- An Edge VPC is deployed that contains the routing and security functions.
- A Transit Gateway connects the Edge VPC to the Power Virtual Server workspace that hosts the SAP application and databases.
- Public connectivity routes through Cloud Internet Services (CIS), which can provide load balancing, failover, and DDoS protection, and then routes to the Edge VPC.
- A Global Transit Gateway connects the PowerVS environments across regions to facilitate replication for DR purposes.
Figure 2 illustrates a detailed architecture for a single-zone, multi-region deployment on IBM Cloud Power Virtual Server.
{: caption="Figure 2. A single-zone, multi-region deployment to facilitate disaster recovery" caption-side="bottom"}
{: #architecture-description}
- Two separate IBM Cloud regions are used: one contains production, the other contains both nonproduction and DR.
- Client network connectivity is provided through Direct Links to each region, with VPN access for MSPs.
- An Edge VPC is deployed that contains the routing and security functions. For security purposes, all ingress and egress traffic routes through the Edge VPC. It contains an SFTP server, a bastion host (jump server), firewalls that provide advanced security functions, and the SAProuter and SAP Web Dispatcher.
- The Edge VPC is connected through a local Transit Gateway to PowerVS, which hosts the SAP application and databases.
- Public connectivity routes through Cloud Internet Services, which can provide load balancing, failover, and DDoS protection, and then routes to the Edge VPC.
- PowerVS contains the SAP application components, which are hosted on redundant SAP-certified LPARs in an SAP scale-out environment.
- SAP HANA is hosted on separate SAP-certified LPARs in the same zone, by using local Tier 1 storage.
- Virtual Private Endpoints are used to provide connectivity to cloud-native services.
- A Global Transit Gateway connects PowerVS across regions for data replication between the two regions.
- Multiple LPARs are used to provide 99.95% availability within a zone.
- Bare Metal servers in IBM Cloud Classic Infrastructure provide backups by using IBM Storage Protect.
{: #design-scope}
Design decisions that need to be considered for an end-to-end SAP on PowerVS deployment, and which are covered in this accelerator, include:
- Compute: Bare Metal and Virtual Servers
- Storage: Primary, Backup, and Archive
- Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity and Load Balancing
- Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response
- Resiliency: Backup and Restore, Disaster Recovery, High Availability
- Service Management: Monitoring, Logging, Alerting, Management/Orchestration
The Architecture Framework, described in Introduction to the Architecture Framework, provides a consistent approach to designing cloud solutions by addressing requirements across a pre-defined set of aspects and domains, which are technology-agnostic architectural areas that need to be considered for any enterprise solution. It can be used as a guide to make the necessary design and component choices to ensure the applicable requirements for each aspect and domain have been considered.
{: caption="Figure 3. Domains that are covered in this solution" caption-side="bottom"}
{: #requirements}
The following represents a baseline set of requirements, which we believe are applicable to most clients and critical to a successful SAP deployment.
| Aspect | Requirement |
|---|---|
| Network | Enterprise connectivity to customer data centers to provide access to applications from on-premises |
| | Map and convert existing customer SAP network functions into IBM Cloud and PowerVS networking services |
| | Migrate or redeploy the customer IP addressing scheme within the IBM Cloud environment |
| | Provide network isolation with the ability to segregate applications based on attributes such as data classification, public versus internal apps, and function |
| Security | Provide data encryption in transit and at rest |
| | Migrate customer IDS/IAM services to the target IBM Cloud environment |
| | Retain the same firewall rulesets across existing DCs |
| | Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except traffic that is required, documented, and approved, and must include IPS/IDS services |
| Resiliency | Multi-site capability to support a disaster recovery strategy and solution that uses IBM Cloud infrastructure DR capabilities |
| | Provide backups for data retention |
| | RTO/RPO = 4 hours/15 minutes; rollback to the original environments must occur no later than the specified RTO |
| | 99.95% availability |
| | Backups: \n - Prod: daily full, logs per SAP product standard, 30 days retention \n - Non-Prod: weekly full, logs per SAP product standard, 14 days retention |
| Service Management | Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure |
| | Ability to diagnose issues and exceptions and identify error sources |
| | Automate management processes to keep applications and infrastructure secure, up to date, and available |
| Other | Migrate SAP workloads from the existing data center to IBM PowerVS |
| | Customer SAP systems and applications that run on NetWeaver (application) and HANA (DB), AnyDB, or S/4HANA |
| | Provide an image replication migration solution that minimizes disruption during cut-over |
| | Cloud infrastructure for the proposed IaaS solution must be SAP certified |
| | IBM Cloud IaaS is deployed to support SAP and surrounding non-SAP workloads |
| | The customer does not want to adopt RISE at this time, but wants a cloud deployment solution that would facilitate a future RISE transformation |
{: caption="Table 1. Requirements" caption-side="bottom"}
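The backup and RPO targets in Table 1 are only useful if someone verifies that the backup catalog actually meets them. The following audit script is an added example, not part of this reference architecture or any IBM tooling; it encodes the Table 1 targets (15-minute RPO, daily full with 30-day retention for Prod, weekly full with 14-day retention for Non-Prod) and checks a constructed backup catalog against them. The catalog format, SIDs and timestamps are all made up for the example.

```python
from datetime import datetime, timedelta

# Targets from Table 1: RPO 15 min; Prod daily full/30-day retention; Non-Prod weekly full/14-day retention.
RPO = timedelta(minutes=15)
POLICY = {
    "prod": (timedelta(days=1), timedelta(days=30)),     # (full cadence, retention)
    "nonprod": (timedelta(days=7), timedelta(days=14)),
}

def parse_catalog(text):
    """Parse constructed lines '<SID> <tier> <full|log> <ISO time>' into SID -> [(tier, kind, time)]."""
    by_sid = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sid, tier, kind, ts = line.split()
        by_sid.setdefault(sid, []).append((tier, kind, datetime.fromisoformat(ts)))
    return by_sid

def check_system(entries, now):
    """Return findings for one SID against its tier's Table 1 targets."""
    cadence, retention = POLICY[entries[0][0]]
    fulls = sorted(t for _, kind, t in entries if kind == "full")
    logs = sorted(t for _, kind, t in entries if kind == "log")
    findings = []
    if not fulls or now - fulls[-1] > cadence:
        findings.append("full backup older than cadence")
    # Log backups bound the achievable RPO: the newest one must be within 15 minutes.
    if not logs or now - logs[-1] > RPO:
        findings.append("log backup older than RPO")
    # Copies beyond the retention period should already have been expired.
    if fulls and now - fulls[0] > retention:
        findings.append("expired backup not pruned")
    return findings

def audit(text, now):
    return {sid: check_system(e, now) for sid, e in sorted(parse_catalog(text).items())}

# Constructed sample catalog (SIDs and times are made up for the example).
CATALOG = """\
PRD prod full 2024-01-12T01:00:00
PRD prod log 2024-01-12T07:50:00
QAS nonprod full 2024-01-01T02:00:00
QAS nonprod log 2024-01-12T06:00:00
DEV nonprod full 2023-12-20T02:00:00
DEV nonprod full 2024-01-10T02:00:00
DEV nonprod log 2024-01-12T07:58:00
"""
NOW = datetime(2024, 1, 12, 8, 0, 0)
```

Running `audit(CATALOG, NOW)` reports PRD as compliant, QAS as missing both its weekly full and its 15-minute log cadence, and DEV as holding a full backup past the 14-day retention period.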
{: #components}
| Aspects | Solution components | How the component is used |
|---|---|---|
| Compute | VPC VSIs | Edge VPC |
| | Bare Metal (IBM Storage Protect) | IBM Storage Protect (BM) |
| | Power Virtual Server | NetWeaver and HANA DB |
| Storage | Flash storage from IBM FS9000 series devices | Primary storage for the NetWeaver and HANA DB servers: production on Tier 1, nonproduction on Tier 3 |
| | Cloud Object Storage | Backup and archive, application logs, operational logs, and audit logs |
| | Block storage | |
| Networking | VPC Virtual Private Network (VPN) | Remote access to manage resources in a private network |
| | Virtual Private Gateway and Virtual Private Endpoint (VPE) | Private network access to cloud services, for example Key Protect and Cloud Object Storage |
| | Cloud Internet Services (CIS) | Public load balancing and DDoS protection of web server traffic across zones in the region |
| | DNS Services | Domain Name System services |
| | VPCs and subnets | Network segmentation and isolation |
| | Transit Gateway | Connects across VPC, PowerVS, and Classic |
| | IBM Cloud Application Load Balancer (ALB) | Load balancing of workloads across multiple workload instances over the private network |
| | SAP Web Dispatcher | |
| Security | Block Storage encryption with provider keys | Block Storage encryption at rest |
| | Cloud Object Storage encryption | Cloud Object Storage encryption at rest |
| | PowerVS Tier 1 or Tier 3 storage | PowerVS uses IBM FlashSystem storage with AES-256 (Advanced Encryption Standard) hardware-based encryption |
| | HANA Data Volume Encryption (DVE) | HANA database encryption at rest |
| | IAM | IBM Cloud Identity and Access Management |
| | Privileged Identity and Access Management | BYO bastion host (or Privileged Access Gateway) with PAM software deployed in the Edge VPC |
| | BYO bastion host on VPC VSI with PAM software | Remote access with Privileged Access Management |
| | Virtual Private Clouds (VPCs), subnets, Security Groups, ACLs | Core network protection and isolation |
| | Isolated PowerVS LPARs | |
| | Cloud Internet Services (CIS) | DDoS protection and Web Application Firewall |
| | Choose one of the following: \n - Fortigate \n - Palo Alto | IPS/IDS protection at all ingress/egress points \n Unified Threat Management (UTM) firewall |
| Resiliency | HANA System Replication (HSR) | Provides 99.95% availability for the HANA DB |
| | IBM Storage Protect | Backups and restores for images and file systems |
| | GRS | |
| | DBACOCKPIT, HANACOCKPIT, backint | SAP HANA backups |
| | Native database backup capabilities | AnyDB backups |
| Service Management (Observability) | IBM Cloud Monitoring | Application and operational monitoring |
| | IBM Log Analysis | Application and operational logs |
{: caption="Table 2. Components" caption-side="bottom"}
As mentioned earlier, the Architecture Framework is used to guide and determine the applicable aspects and domains for which architecture decisions need to be made based on customer requirements. The following sections contain the considerations and architecture decisions for the aspects and domains that are in scope for this solution pattern.