Hybrid Network Architecture: On-Premises to AWS for SAP S/4HANA

  • Writer: Kourosh Ghouchkhani
  • Apr 17
  • 3 min read

Project Background

I recently completed the end-to-end design and implementation of a hybrid network architecture that connects an on-premises environment to AWS, supporting a fully operational SAP S/4HANA landscape. This project was particularly rewarding as it involved balancing high availability, performance, and security, while ensuring seamless connectivity between legacy infrastructure and modern cloud-native services. I led every phase of the design—from initial assessment through final implementation—tailoring the architecture to meet both business continuity and disaster recovery requirements.

Project Prerequisites

To ensure readiness, the following components were prepared or validated:

  • Existing on-premises network infrastructure (Palo Alto firewall, Active Directory, DNS)

  • AWS account and IAM roles for VPC provisioning and SAP deployment

  • AWS Direct Connect circuit for primary connectivity and VPN for failover

  • SAP S/4HANA installation media and licensing

  • AWS Transit Gateway planning for potential multi-VPC expansion

Source and Destination

This solution connects two critical environments:

  • Source (On-Premises):

    • Active Directory (authentication backbone)

    • Internal DNS (zone forwarding to AWS)

    • Palo Alto Firewall (North-South traffic inspection)

    • Enterprise Core Routing infrastructure

  • Destination (AWS Cloud):

    • Custom-designed AWS VPC with a tiered subnet architecture

    • Deployed SAP S/4HANA landscape across Web, Application, and Database tiers

    • Security services such as AWS WAF, GuardDuty, and centralized logging


      On-Premises Network ➝ Palo Alto Firewall ➝ VPN/Direct Connect ➝ AWS Transit Gateway ➝ VPC/Subnets


Network Architecture Components

On-Premises Network (Source)

  • Active Directory (Integrated via trust with AWS AD Connector)

  • DNS forwarding to Route 53 Resolver

  • Palo Alto Firewall handling secure outbound/inbound filtering

  • Routing domain connected to AWS via Direct Connect

AWS Cloud Environment (Destination)

  • VPC CIDR: 10.0.0.0/16

  • Subnet Distribution:

    • Web Tier: 10.0.1.0/24 and 10.0.2.0/24

    • Application Tier: 10.0.11.0/24 and 10.0.12.0/24

    • Database Tier: 10.0.21.0/24 and 10.0.22.0/24

  • Internet Gateway and NAT Gateway (for web/app tiers)

  • Route Tables with explicit route propagation

  • AWS Direct Connect Gateway and Transit Gateway

  • AWS WAF with CloudFront (edge security)

  • Application Load Balancers (ALB) for web and app redundancy
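
As an added check (not part of the original project's deliverables), the following Python script validates the addressing plan above with the standard library's ipaddress module: each tier subnet must sit inside the VPC CIDR, the subnets must not overlap one another, every tier needs subnets in at least two Availability Zones, and the VPC must not overlap the prefixes advertised from on-premises over Direct Connect or the VPN, because an overlap there leaves one side unreachable once routes are exchanged. The on-premises prefixes in the script are placeholders; the article does not list them.

```python
"""
Validate a hybrid IP plan: tier subnets inside the VPC CIDR, no overlap
between subnets, at least two subnets per tier (one per AZ), and no
overlap between the VPC and the prefixes routed from on-premises.
"""
import ipaddress
from typing import Dict, List

# Addressing taken from the article's VPC design.
VPC_CIDR = "10.0.0.0/16"
TIER_SUBNETS: Dict[str, List[str]] = {
    "web": ["10.0.1.0/24", "10.0.2.0/24"],
    "app": ["10.0.11.0/24", "10.0.12.0/24"],
    "db": ["10.0.21.0/24", "10.0.22.0/24"],
}

# ASSUMPTION: the article does not list the on-premises prefixes; these are
# placeholder ranges chosen only to exercise the overlap check.
ONPREM_PREFIXES_EXAMPLE = ["192.168.0.0/16", "172.16.0.0/12"]


def validate_ip_plan(vpc_cidr: str, tier_subnets: Dict[str, List[str]],
                     onprem_prefixes: List[str], min_subnets_per_tier: int = 2) -> List[str]:
    """Return a list of human-readable findings; an empty list means the plan is clean."""
    findings: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    onprem = [ipaddress.ip_network(p, strict=True) for p in onprem_prefixes]

    # The VPC itself must not collide with anything routed from on-premises;
    # every subnet is inside the VPC, so checking the VPC covers them all.
    for prefix in onprem:
        if vpc.overlaps(prefix):
            findings.append(f"VPC {vpc} overlaps on-premises prefix {prefix}")

    seen = []  # (tier, network) pairs already checked, for pairwise overlap
    for tier, cidrs in tier_subnets.items():
        if len(cidrs) < min_subnets_per_tier:
            findings.append(
                f"tier {tier} has {len(cidrs)} subnet(s); need {min_subnets_per_tier} for Multi-AZ")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)
            if not net.subnet_of(vpc):
                findings.append(f"{tier} subnet {net} is outside VPC {vpc}")
            for other_tier, other in seen:
                if net.overlaps(other):
                    findings.append(f"{tier} subnet {net} overlaps {other_tier} subnet {other}")
            seen.append((tier, net))
    return findings


if __name__ == "__main__":
    for finding in validate_ip_plan(VPC_CIDR, TIER_SUBNETS, ONPREM_PREFIXES_EXAMPLE) or ["plan is clean"]:
        print(finding)
```

Run it before the private VIF is attached or the VPC is created: an empty result means the plan is consistent, and each finding names the offending range so it can be fixed in the plan rather than discovered as a black-holed route later.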

SAP S/4HANA Landscape in AWS

Web Tier

  • SAP Web Dispatcher deployed in Multi-AZ with ALB

  • Scalable to support growth and upgrades

Application Tier

  • SAP ASCS/ERS split across AZs for HA

  • Primary and additional application servers (PAS/AAS)

  • Auto Recovery enabled on EC2 instances

Database Tier

  • SAP HANA DB nodes in active-passive configuration

  • HANA System Replication with synchronous mode

  • Pacemaker cluster for failover automation

Implementation Steps

Step 1: Connectivity Setup

  1. Direct Connect Implementation:

    • Ordered a dedicated DX circuit

    • Configured private VIF to attach to Direct Connect Gateway

    • Routed on-prem prefixes into AWS

  2. VPN as Backup Path:

    • Configured CGW and VGW

    • Established IPsec tunnels as failover

Step 2: VPC and Subnet Configuration

  • Created VPC with carefully scoped CIDR

  • Subnets distributed across AZs by tier

  • Assigned route tables and subnet-specific security groups
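
The subnet-specific security groups in Step 2 are where the tiering is actually enforced, so it is worth auditing them rather than trusting the diagram. The following Python snippet, added here as an illustration and not taken from the project, models ingress rules as (tier, port, source CIDR) tuples and flags any rule that lets traffic bypass the web ➝ app ➝ database flow, such as the web tier reaching the HANA SQL port directly or an administrative port open to 0.0.0.0/0. The sample rules are constructed for the example; the ports used (3200 for the SAP dispatcher, 30015 for HANA SQL, both for instance number 00) are the standard defaults and are assumed, not taken from the article.

```python
"""
Audit security-group ingress rules against the tiered design: the Internet
(through the ALB/WAF) may reach only the web tier, the web tier may reach
the app tier, the app tier may reach the database tier, and nothing else
may reach the database tier.
"""
import ipaddress
from typing import List, Tuple

# Subnet addressing taken from the article's VPC design.
TIERS = {
    "web": ["10.0.1.0/24", "10.0.2.0/24"],
    "app": ["10.0.11.0/24", "10.0.12.0/24"],
    "db": ["10.0.21.0/24", "10.0.22.0/24"],
}
# Which origin each tier is permitted to accept traffic from.
ALLOWED_UPSTREAM = {"web": {"internet"}, "app": {"web"}, "db": {"app"}}

Rule = Tuple[str, int, str]            # (destination tier, port, source CIDR)
Violation = Tuple[str, int, str, str]  # rule plus the origin it was classified as


def classify_source(cidr: str) -> str:
    """Map a source CIDR to a tier name, 'internet' for 0.0.0.0/0, or 'other'.

    A source broader than a single tier subnet (for example the whole VPC
    CIDR) is 'other', so over-broad rules are flagged as well.
    """
    src = ipaddress.ip_network(cidr, strict=False)
    if src.prefixlen == 0:
        return "internet"
    for tier, subnets in TIERS.items():
        if any(src.subnet_of(ipaddress.ip_network(s)) for s in subnets):
            return tier
    return "other"


def audit_rules(rules: List[Rule]) -> List[Violation]:
    """Return the ingress rules that violate the tiering policy."""
    violations: List[Violation] = []
    for tier, port, source in rules:
        origin = classify_source(source)
        if origin not in ALLOWED_UPSTREAM[tier]:
            violations.append((tier, port, source, origin))
    return violations


# Constructed sample rules: the last two are the mistakes the audit should flag.
SAMPLE_RULES: List[Rule] = [
    ("web", 443, "0.0.0.0/0"),        # HTTPS from the Internet via ALB/WAF
    ("app", 3200, "10.0.1.0/24"),     # web tier to SAP dispatcher (instance 00)
    ("app", 3200, "10.0.2.0/24"),
    ("db", 30015, "10.0.11.0/24"),    # app tier to HANA SQL (instance 00)
    ("db", 30015, "10.0.12.0/24"),
    ("db", 30015, "10.0.1.0/24"),     # web tier reaching HANA directly
    ("app", 22, "0.0.0.0/0"),         # SSH open to the Internet
]

if __name__ == "__main__":
    for tier, port, source, origin in audit_rules(SAMPLE_RULES):
        print(f"{tier} tier accepts port {port} from {source} ({origin}); not permitted")
```

In practice the rule list would be pulled from the account (for example from a DescribeSecurityGroups export) and the tier of each group derived from its subnet association; the policy table is the part worth keeping under version control alongside the subnet plan.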

Step 3: HA Architecture Design

  • Web/App layers configured behind ALBs

  • SAP ASCS/ERS and HANA replicated across zones

  • Failover scripts and heartbeat monitoring implemented

Step 4: Integration with On-Prem Services

  • DNS forwarding configured via Route 53 Inbound Endpoints

  • AD trust relationship established between on-prem AD and AWS

  • Time sync using NTP via chrony

Step 5: Security & Monitoring

  • WAF and Shield Advanced activated on web tier

  • CloudTrail, CloudWatch, and GuardDuty enabled

  • Automated backup of HANA and EC2 volumes using AWS Backup

HA/DR Strategy

  • High Availability (HA):

    • Multi-AZ deployments for app and database tiers

    • ALB and SAP Web Dispatcher for web tier redundancy

  • Disaster Recovery (DR):

    • Cross-region backup to S3 with lifecycle policies

    • Snapshot-based recovery for HANA

    • Warm standby VPC for DR readiness

Project Outcome

The project successfully enabled a production-grade hybrid environment supporting SAP S/4HANA with robust HA/DR. The hybrid connection ensures the customer can retain their on-prem identity and security models while embracing the flexibility and scalability of AWS. The tiered subnet design and automation-friendly deployment models make this solution easy to expand and maintain.

Next Steps and Recommendations

  • Automate future deployments using Infrastructure as Code (e.g., Terraform)

  • Evaluate AWS Outposts or Local Zones for latency-sensitive components

  • Schedule DR drills to validate recovery procedures

  • Continuously optimize cost by rightsizing EC2 and leveraging Savings Plans

This architecture is the result of hands-on design, troubleshooting, and tuning I personally led to completion—bridging legacy infrastructure with the agility of cloud, while preparing the SAP landscape for future transformation initiatives.