Connectivity to your SAP system landscape
IBM Cloud has many connectivity options, including low latency worldwide connections between your private internal network and IBM Cloud's private network backbone.
You can securely connect to your infrastructure in multiple ways by using various protocols and ports, based on the infrastructure chosen and the different network types:
- Classic Infrastructure network (formerly Softlayer network)
  - Intel Bare Metal
  - Classic Intel Virtual Servers
  - VMware solutions
- VPC Infrastructure network
  - Intel Virtual Servers (Generation 1), formerly known as VPC on Classic (no longer available, not SAP certified)
  - Intel Virtual Servers (Generation 2)
- IBM Power Virtual Server network, connection through IBM Cloud®
  - IBM Power Virtual Servers, connection through IBM Cloud®. This is a complementary offering from IBM Power Systems
Interconnectivity between IBM Cloud network
- Transit Gateway, handling interconnectivity across the IBM Cloud private backbone between the networks with defined and controlled communication between resources worldwide across the IBM Cloud network or across multiple IBM Cloud accounts (useful for Managed Service Providers of SAP). Transit Gateways are used to support hybrid workloads, frequent data transfers, and private workloads by providing dynamic scalability, high availability, and private, in-transit data between hosts on IBM Cloud.
  - Local routing, connect VPCs in same region
  - Global routing, connect VPCs across regions
  - Classic Infrastructure routing, connect to VLANs on Classic Infrastructure network
  - Cross-account connection (also known as account-to-account routing), connect VPCs across multiple IBM Cloud accounts. See Adding a cross-account connection (VPC only)
Connectivity options within the IBM Cloud Classic Infrastructure network
- Classic SSL VPN, basic SSL Tunnel with user/password to various PoP or Data centers, which is built in to IBM Cloud® Classic Infrastructure, enabled per user account and is a good option for administrators during initial stages of deployments to IBM Cloud. It is not for bulk users due to bandwidth caps.
- Classic IPSecVPN, service from the IBM Cloud catalog, which can be provisioned and has advanced configuration options available for the IPsec Tunnel
- IBM Cloud® Direct Link for Classic Infrastructure, the most robust connection available in varying types from your internal network to IBM Cloud's Availability Zones (also known as data centers) that use Network Service Providers, Point of Presence (PoP), or directly between the data center colocation Room (also called a Meet Me Room). This option is available up to 10 Gbps network throughput as a Routed OSI Layer-2/3 connection, and is designed for enterprise workload connections.
  Note: If you are using VPC Infrastructure, this option is not necessary as IBM Cloud® Direct Link 2.0 can also connect to Classic Infrastructure
  - More information on Direct Link 1.0. To find from a specified site location to IBM Cloud and which network service providers are available, use Cloud Pathfinder for IBM Cloud (powered by Cloudscene)
IBM Cloud® Classic Infrastructure offers firewalls that can provide your Bare Metal Servers with a layer of security that is provisioned on demand and designed to eliminate service interruptions.
Within the Classic Infrastructure network, there are many Gateway Appliances and Firewalls to help prevent unwanted traffic from hitting your server, help reduce your attack vulnerability, and let your server resource be dedicated for its use. Based on your specific performance and feature requirements, you can choose one of the following options:
- Shared firewall (multiple options, see Getting Started Hardware Shared Firewall),
- Dedicated firewall (multiple options, see Getting Started Hardware Dedicated Firewall),
- Fortinet FortiGate security appliance.
Connectivity options within the IBM Cloud VPC Infrastructure network
- Floating IP, a public internet IPv4 address, which can be configured with Security Groups to allow only certain network connection access on defined protocols and ports from specified source/target addresses. For initial tests this option is often used, with more detail in the short guide on Connecting to your Linux Virtual Server instance.
- VPC IPSecVPN, a service from the IBM Cloud catalog that deploys a VPN Gateway to a VPC and creates a VPN Connection, with advanced configuration options available for the IPsec Tunnel, including integration with authentication strategies such as Microsoft Active Directory.
- IBM Cloud® Direct Link 2.0, the latest enhancement and the most robust connection available, now with access to both Classic Infrastructure network and VPC Infrastructure network simultaneously from your internal network to IBM Cloud's Availability Zones (Data centers) that use Network Service Providers, Point of Presence (PoP), or directly between the data center colocation Room (also called a Meet Me Room). This is available up to 10 Gbps network throughput as a Routed OSI Layer-2/3 connection, and is designed for enterprise workload connections.
  - More information on Direct Link 2.0. To find from a specified site location to IBM Cloud and which network service providers are available, use Cloud Pathfinder for IBM Cloud (powered by Cloudscene)
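
The Floating IP option above depends on Security Groups that admit only defined protocols and ports from specified sources. The following added example (not IBM's code and not part of the original page) audits a set of rules against such a policy; the rule field names, the admin CIDR and the SSH-only policy are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample rules, shaped like VPC security group rule objects
# (field names direction/protocol/port_min/port_max/remote.cidr_block are assumed).
SAMPLE_RULES = [
    {"id": "r1", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "198.51.100.0/24"}},
    {"id": "r2", "direction": "inbound", "protocol": "tcp", "port_min": 22, "port_max": 22,
     "remote": {"cidr_block": "0.0.0.0/0"}},
    {"id": "r3", "direction": "inbound", "protocol": "tcp", "port_min": 1, "port_max": 65535,
     "remote": {"cidr_block": "198.51.100.7/32"}},
    {"id": "r4", "direction": "inbound", "protocol": "all", "remote": {"cidr_block": "203.0.113.0/24"}},
    {"id": "r5", "direction": "outbound", "protocol": "all", "remote": {"cidr_block": "0.0.0.0/0"}},
]

ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical admin range
ALLOWED_PORTS = {("tcp", 22)}  # hypothetical policy: SSH only for initial tests

def audit_rule(rule, allowed_sources=ALLOWED_SOURCES, allowed_ports=ALLOWED_PORTS):
    """Return a list of findings for one rule; an empty list means it meets policy."""
    if rule.get("direction") != "inbound":
        return []
    findings = []
    cidr = rule.get("remote", {}).get("cidr_block")
    if cidr is None:
        findings.append("source is not a CIDR; review the referenced group or address")
    else:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed_sources):
            findings.append(f"source {net} is outside the allowed ranges")
    proto = rule.get("protocol", "all")
    if proto not in ("tcp", "udp"):
        findings.append(f"protocol '{proto}' is not restricted to a defined port")
    else:
        lo, hi = rule.get("port_min", 1), rule.get("port_max", 65535)
        extra = [p for p in range(lo, hi + 1) if (proto, p) not in allowed_ports]
        if extra:
            findings.append(f"{len(extra)} port(s) in {lo}-{hi} not in policy")
    return findings

def audit(rules):
    """Map rule id -> findings for every rule that violates the policy."""
    return {r["id"]: f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_RULES).items():
        print(rule_id, "; ".join(findings))
```
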
VPC VPN Gateway
To connect to a virtual server on VPC through a secure IPsec tunnel, a VPN Gateway is created for the VPC. For a tutorial that describes the setup of connectivity to the VPC VPN Gateway using the open source strongSwan IPSec-based VPN client on an external network, refer to the tutorial "Use a VPC/VPN gateway for secure and private on-premises access to cloud resources".
IBM Cloud Direct Link 2.0
The network backbone infrastructure of a customer site can be connected directly to IBM Cloud by using IBM Cloud Direct Link. On-premises resources can be connected to multiple VPCs, and a VPC can provide Bring-your-own-IP or other custom IP ranges.
Technical requirements and restrictions exist in the availability of IBM Cloud Direct Link in different regions. A detailed description of IBM Cloud Direct Link can be found in Getting started with IBM Cloud® Direct Link.
Accessing the classic infrastructure
Optional setup.
IBM Cloud VPC infrastructure can access other resources on IBM Cloud Classic Infrastructure, such as high-performance IBM Cloud® Bare Metal Servers designed for SAP HANA.
You have multiple options to achieve this access, notably a one-to-one association, or IBM Cloud® Transit Gateway with increased flexibility. This is described in the above section Interconnectivity between IBM Cloud network.
All options require upgrading the IBM Cloud account to be VRF-enabled.
For more information on VPC access to Classic Infrastructure, see Setting up access to classic infrastructure. For more information on Transit Gateway, see Getting started with IBM Cloud Transit Gateway.
Connectivity options within the IBM Power Virtual Server network, connection through IBM Cloud
This is a complementary offering from IBM Power Systems, with low latency access to IBM Cloud services.
To arrange connection through to IBM Cloud or an on-premises network, a private subnet (and the allocated Private VLAN) must exist for the IBM Power Virtual Server, which is then connected to the subnet in the target network using IBM Cloud Direct Link.
On the target side (IBM Cloud networks or the on-premises network), it is required to perform the necessary configuration of the network security and permit connections to be established to/from IBM Power Virtual Servers. For example:
- With a connection to IBM Cloud Classic Infrastructure, the Gateway Appliance firewall for the Classic Private VLAN (and Primary Subnet, or any other Subnets) must permit the ports where traffic will flow to/from IBM Power Virtual Servers
- With a connection to an on-premises network, the outbound Firewall and DMZ should be configured to permit the ports where traffic will flow to/from IBM Power Virtual Servers
Depending on the subnet range used for the IBM Power Virtual Server private subnet and the default OS routing configuration, manual routes on both sides may be required (e.g. a route added to the NAT Gateway of the target in the on-premises network).