June 27, 2016 4m read

SAP HANA Migration: Turning your WAN Inside Out

Yishay Yovel
Yishay Yovel

Wondering where to begin your SASE journey?

We've got you covered!
Listen to post:
Getting your Trinity Audio player ready...

For decades, SAP ERP is at the core of numerous enterprises across multiple verticals. SAP software runs manufacturing, logistics, sales, supply chain and other critical functions, which means availability, performance and scalability are all essential. Yet, maintaining business-critical application infrastructure is not a simple task. To address the challenge of reducing the integration and maintenance efforts of enterprise SAP instances, SAP created the pre-packaged SAP HANA. Instead of deploying the full SAP stack (software, application servers, databases) using on-premise, customer-owned, hardware, it is now possible to access a pre-packaged SAP instance in the SAP HANA Enterprise Cloud (HEC).

SAP-On-Prem-Network-Security
Figure 1: Backhauling all locations to on-premise global SAP instance in the datacenter

 

While the benefits of HEC are obvious, migrating SAP from the data center into a Cloud-based hosted instance isn’t trivial. Take for instance a global enterprise that runs SAP in a major datacenter in Spain (Figure 1). It is backhauling traffic to that data center from manufacturing and distribution facilities throughout the world. A decision has been made to move from the on-premise SAP instance to a HEC instance, which is hosted in Germany, a totally different geography.

HEC has two primary connectivity options. Using dual IPSEC tunnels into a private IP or placing the instance on the public Internet. In this case, the enterprise wanted to avoid exposing the instance to the Internet, so a firewall had to be used to establish the connectivity to HEC.

The WAN design must now address two key challenges. First, integrate the HEC instance into the corporate WAN using the IPSEC tunnels. Second, Create optimal, low-latency routing from every location to HEC.

 

What is the best way to connect HEC to the WAN?

 

Backhaul all sites, connect only data center firewalls to HEC

To keep it simple, legacy backhauling to the datacenter is kept, but another leg is added from the datacenter to HEC, adding latency. Depending on the distance and Internet routing, congestion and jitter between the datacenter and HEC, the user experience could be impacted.

SAP-HANA-Backhaul-Network-Security
Figure 2: SAP HANA migration is incompatible with legacy WAN, adds a leg to the backhaul

 

A full site-to-site mesh using firewalls

Ideally, traffic from each site will go directly to HEC instead of the datacenter. However, firewall-based site-to-site mesh is no longer available as there are only 2 IPSEC tunnels to connect to. An intermediate firewall has to be deployed in Germany, and connect to HEC. However, the enterprise has no datacenter or footprint in Germany, and the new firewall is a mission critical element for the enterprise, as it will become the global chokepoint for accessing HEC. 

 

A redundant, full site-to-site mesh using a Cloud Network

In this scenario, all sites and HEC connect to a Cloud-based network using IPSEC tunnels, and a full mesh is achieved in the Cloud. Backhaul and single chokepoint are eliminated as the Cloud network provides built in resiliency and optimal, low latency routing and secure connectivity between all sites and HEC. In addition, mobile users can connect to the Cloud Network from anywhere and directly access  HEC without the added latency of going through the datacenter firewalls.

 

Connecting offices to SAP HANA via Cloud Network
Figure 3: Cloud Network creates a global mesh, enables anywhere access to SAP HEC

 

If you are a SAP customer and are considering migrating your business to SAP HANA Enterprise Cloud, drop us a note. We’d love to tell you more about Cato Networks and our solutions.

Wondering where to begin your SASE journey?

We've got you covered!
Yishay Yovel

Yishay Yovel

Yishay drives Cato’s strategic communication to investors, partners, and customers. A Cato veteran, Yishay was the former CMO of Cato. Before Cato, Yishay held executive marketing positions at Trusteer, a financial fraud and advanced malware protection company, and at Imperva. Yishay has over 25 years of experience in marketing and product management in enterprise software companies in the areas of security, networking, IT infrastructure, and mobile computing. Yishay holds a bachelor degree in Law from Tel Aviv University.

Read More