IBM Cloud Docs

SAP on Power Virtual Server

The primary region supports production workloads on Power Virtual Server. The secondary region supports nonproduction and disaster recovery (DR) workloads, should the customer have DR requirements. The components deployed to the Edge VPC provide security functions and resource isolation for the IBM Cloud workloads.

Figure 1 illustrates a high-level architecture for a single-zone, multi-region deployment on IBM Cloud Power Virtual Server.

Architecture Diagram

Figure 1. SAP single-zone, multi-region deployment on IBM Cloud PowerVS

  1. Client network connectivity is accomplished through Direct Link, with VPN access for MSPs.

  2. An Edge VPC is deployed that contains routing and security functions.

  3. A Transit Gateway connects the Edge VPC to the Power Virtual Server workspace that hosts the SAP application and databases.

  4. Public connectivity also routes through Cloud Internet Services (CIS), which can provide load balancing, failover, and DDoS services, and then routes to the Edge VPC.

  5. A Global Transit Gateway connects the PowerVS environments across regions to facilitate replication for DR purposes.

Figure 2 illustrates a detailed architecture for a single-zone, multi-region deployment on IBM Cloud Power Virtual Server.

Figure 2. A single-zone, multi-region deployment to facilitate disaster recovery

Architecture description

  1. Two separate IBM Cloud regions, one for the primary workload and the other for disaster recovery. If cost-optimized disaster recovery is considered, some non-production systems may share the same compute with disaster recovery systems.

  2. Enterprise network connectivity from on-premises to IBM Cloud is accomplished through Direct Links.

  3. An Edge VPC is deployed that contains routing and security functions. For security purposes, all ingress and egress traffic routes through the Edge VPC. It contains an SFTP server, a bastion (jump) host, firewalls that provide advanced security functions, and the SAP Router and SAP Web Dispatcher.

  4. Besides Power workloads in the Power workspace, x86 workloads may be implemented in a Workload VPC. To back up Power workloads, Secure Automated Backup with Compass by Cobalt Iron is implemented. The private endpoint for this backup service is located in the VPC.

  5. VPCs are connected to the Power workspace through a local Transit Gateway.

  6. Public connectivity routes through Cloud Internet Services, which can provide global load balancing, failover, and DDoS services, and then routes to the VPC Landing Zone.

  7. SAP workloads may be hosted on redundant SAP-certified LPARs in PowerVS.

  8. SAP Application and SAP HANA should be placed on SAP-certified LPARs within the zone, with proximity considered.

  9. Virtual Private Endpoints are used to provide connectivity to cloud-native services.

  10. A Global Transit Gateway connects PowerVS across regions for data replication between the two regions.

  11. To achieve 99.95% infrastructure availability, multiple LPARs in the same placement group within a zone can be implemented.

Design scope

Design decisions that need to be considered for an end-to-end SAP on PowerVS deployment, and which are covered in this accelerator, include:

  • Compute: Bare Metal and Virtual Servers
  • Storage: Primary, Backup, and Archive
  • Networking: Enterprise Connectivity, Edge Gateways, Segmentation and Isolation, Cloud Native Connectivity and Load Balancing
  • Security: Data, Identity and Access Management, Infrastructure and Endpoint, Threat Detection and Response
  • Resiliency: Backup and Restore, Disaster Recovery, High Availability
  • Service Management: Monitoring, Logging, Alerting, Management/Orchestration

The Architecture Framework, described in Introduction to the Architecture Framework, provides a consistent approach to designing cloud solutions by addressing requirements across a pre-defined set of aspects and domains, which are technology-agnostic architectural areas that need to be considered for any enterprise solution. It can be used as a guide to make the necessary design and component choices to ensure the applicable requirements for each aspect and domain have been considered.

Domains that are covered in this solution

Requirements

The following represents a baseline set of requirements, which we believe are applicable to most clients and critical to a successful SAP deployment.

Network
  • Enterprise connectivity to customer data centers to provide access to applications from on-premises
  • Map and convert existing customer SAP network functions into IBM Cloud and PowerVS networking services
  • Migrate/redeploy the customer IP addressing scheme within the IBM Cloud environment
  • Provide network isolation with the ability to segregate applications based on attributes such as data classification, public versus internal apps, and function

Security
  • Provide data encryption in transit and at rest
  • Migrate customer IDS/IAM services to the target IBM Cloud environment
  • Retain the same firewall rulesets across existing DCs
  • Firewalls must be restrictively configured to provide advanced security features and prevent all traffic, both inbound and outbound, except that which is required, documented, and approved, and include IPS/IDS services

Resiliency
  • Multi-site capability to support a disaster recovery strategy and solution using IBM Cloud infrastructure DR capabilities
  • Provide backups for data retention
  • RTO/RPO = 4 hours/15 minutes; rollback to original environments should occur no later than the specified RTOs
  • 99.95% availability
  • Backups:
      • Prod: daily full, logs per SAP product standard, 30 days retention
      • Non-Prod: weekly full, logs per SAP product standard, 14 days retention

Service Management
  • Provide health and system monitoring with the ability to monitor and correlate performance metrics and events, and provide alerting across applications and infrastructure
  • Ability to diagnose issues and exceptions and identify error sources
  • Automate management processes to keep applications and infrastructure secure, up to date, and available

Other
  • Migrate SAP workloads from the existing data center to IBM PowerVS
  • Customer's SAP systems and applications that run on NetWeaver (application) and HANA (DB), AnyDB, or S/4HANA
  • Provide an image replication migration solution that minimizes disruption during cut-over
  • Cloud infrastructure for the proposed IaaS solution must be SAP certified
  • IBM Cloud IaaS is deployed to support SAP and surrounding non-SAP workloads
  • The customer does not want to adopt RISE at this time but wants to consider a cloud deployment solution that would facilitate a future RISE transformation

Components

Compute
  • VPC VSIs: Edge VPC
  • Bare Metal (IBM Storage Protect): IBM Storage Protect (BM)
  • Power Virtual Server: NetWeaver and HANA DB

Storage
  • Flash storage from IBM FS9000 series devices: primary storage for the NetWeaver and HANA DB servers; production on Tier 1, non-production on Tier 3
  • Cloud Object Storage: backup and archive, application logs, operational logs, and audit logs
  • Block storage

Networking
  • VPC Virtual Private Network (VPN): remote access to manage resources in a private network
  • Virtual Private Gateway & Virtual Private Endpoint (VPE): private network access to cloud services, for example Key Protect and Cloud Object Storage
  • Cloud Internet Services (CIS): public load balancing and DDoS protection of web server traffic across zones in the region
  • DNS Services: Domain Name System services
  • VPCs and subnets: network segmentation and isolation
  • Transit Gateway: connects across VPC, PowerVS, and Classic
  • IBM Cloud Application Load Balancer (ALB): load balancing workloads across multiple workload instances over the private network
  • SAP Web Dispatcher

Security
  • Block Storage encryption with provider keys: Block Storage encryption at rest
  • Cloud Object Storage encryption: Cloud Object Storage encryption at rest
  • PowerVS Tier 1 or Tier 3 storage: PowerVS uses IBM FlashSystem storage with AES-256 (Advanced Encryption Standard) hardware-based encryption
  • HANA Data Volume Encryption (DVE): HANA database encryption at rest
  • IAM: IBM Cloud Identity & Access Management
  • Privileged Identity and Access Management: BYO bastion host (or Privileged Access Gateway) with PAM software deployed in the Edge VPC
  • BYO bastion host on VPC VSI with PAM software: remote access with Privileged Access Management
  • Virtual Private Clouds (VPCs), subnets, security groups, ACLs: core network protection and isolation
  • Isolated PowerVS LPARs
  • Cloud Internet Services (CIS): DDoS protection and Web App Firewall
  • Choose one of the following:
      • IPS/IDS protection at all ingress/egress
      • Unified Threat Management (UTM) Firewall

Resiliency
  • HANA System Replication (HSR): provides 99.95% availability for the HANA DB
  • IBM Storage Protect: backups and restores for images and file systems
  • GRS
  • DBACOCKPIT, HANACOCKPIT, backint: SAP HANA backups
  • Native database backup capabilities: AnyDB backups

Service Management (Observability)
  • IBM Cloud Monitoring: application and operational monitoring
  • IBM Log Analysis: application and operational logs
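As an added illustration that is not IBM's code and not part of this reference architecture, the Terraform fragment below shows how two of the security components above (the VPC network ACL and the security group around the bastion host in the Edge VPC) can express the "prevent all traffic except that which is required" requirement with the IBM Cloud Terraform provider. The VPC name, the three CIDR ranges and the rule names are placeholder assumptions; the firewall appliance, PAM software, subnet and VSI definitions are out of scope and not shown.

```hcl
# Added example, not IBM Cloud's own code. Resource names and CIDRs are
# placeholder assumptions; a real deployment substitutes its own values.
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

variable "onprem_cidr"         { default = "10.100.0.0/16" } # enterprise range over Direct Link
variable "bastion_subnet_cidr" { default = "10.10.0.0/24" }  # Edge VPC subnet with the bastion
variable "powervs_cidr"        { default = "10.200.0.0/16" } # PowerVS workspace via Transit Gateway

resource "ibm_is_vpc" "edge" {
  name = "edge-vpc"
}

# Subnet-level ACL for the bastion subnet. ACL rules are stateless and are
# evaluated in order; traffic that matches no allow rule is dropped, which
# gives the "deny everything not required" posture at the subnet boundary.
# Assign it to the subnet through the subnet's network_acl attribute.
resource "ibm_is_network_acl" "bastion" {
  name = "edge-bastion-acl"
  vpc  = ibm_is_vpc.edge.id

  # SSH from the enterprise network to the bastion ...
  rules {
    name        = "in-ssh-from-onprem"
    action      = "allow"
    direction   = "inbound"
    source      = var.onprem_cidr
    destination = var.bastion_subnet_cidr
    tcp {
      port_min = 22
      port_max = 22
    }
  }
  # ... and, because ACLs are stateless, the replies to the client's ephemeral ports.
  rules {
    name        = "out-ssh-reply-to-onprem"
    action      = "allow"
    direction   = "outbound"
    source      = var.bastion_subnet_cidr
    destination = var.onprem_cidr
    tcp {
      port_min = 1024
      port_max = 65535
    }
  }
  # Bastion to the SAP LPARs over SSH, plus the reply path.
  rules {
    name        = "out-ssh-to-powervs"
    action      = "allow"
    direction   = "outbound"
    source      = var.bastion_subnet_cidr
    destination = var.powervs_cidr
    tcp {
      port_min = 22
      port_max = 22
    }
  }
  rules {
    name        = "in-ssh-reply-from-powervs"
    action      = "allow"
    direction   = "inbound"
    source      = var.powervs_cidr
    destination = var.bastion_subnet_cidr
    tcp {
      port_min = 1024
      port_max = 65535
    }
  }
}

# Instance-level security group for the bastion VSI. Security groups are
# stateful and a group with no matching rule passes nothing, so these two
# rules are the complete set of flows the host accepts or initiates.
resource "ibm_is_security_group" "bastion" {
  name = "edge-bastion-sg"
  vpc  = ibm_is_vpc.edge.id
}

resource "ibm_is_security_group_rule" "bastion_ssh_in" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.onprem_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}

resource "ibm_is_security_group_rule" "bastion_ssh_out" {
  group     = ibm_is_security_group.bastion.id
  direction = "outbound"
  remote    = var.powervs_cidr
  tcp {
    port_min = 22
    port_max = 22
  }
}
```

The two layers complement each other: the stateless ACL needs the ephemeral-port reply rules to let established SSH sessions answer, while the stateful security group tracks connections and needs only the initiating direction. Neither inspects payloads; the IPS/IDS or UTM firewall listed in the components table sits in the Edge VPC to add that inspection on top of this packet filtering.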

As mentioned earlier, the Architecture Framework is used to guide and determine the applicable aspects and domains for which architecture decisions need to be made, based on customer requirements. The following sections contain the considerations and architecture decisions for the aspects and domains that are in scope for this solution pattern.