By Santhana Krishna K, Principal Cloud Architect – Tech Mahindra
By Srinivasan A C, Lead Cloud Architect – Tech Mahindra
By Paul Joseph Diraviam, Lead Cloud Architect – Tech Mahindra
By Nitin Chahar, Sr. Partner Solution Architect – AWS
The definition of success for most public sector organizations has expanded beyond achieving revenue milestones. Today, organizations are also measured by the level of impact they have economically and socially, by their capacity to respond to rapidly changing circumstances, and by their ability to deliver excellence in their outcomes.
A large public sector organization in India was looking for a solution that would address the key challenges in the existing Enterprise Resource Planning (ERP) and build systems. This customer wanted to have a unified solution that would enable them to get real-time insights from various workstreams.
Tech Mahindra worked closely with this customer to implement a unified solution that addresses the following key requirements:
- Integrated portal for internal and external stakeholders.
- Platform that meets the requirement around e-procurement.
- Enhanced user experience through user interface (UI) and mobility solutions.
- Technology platform that provides scalability and extensibility as part of a cloud-first strategy.
Tech Mahindra chose SAP, an AWS ISV Partner, as its core solution to address these key requirements along with a few other solutions. The customer uses SAP S/4 HANA to help track operations and perform preventive maintenance using predictive analysis and enterprise-ready features.
This solution enables the customer to adopt new business models, manage business change at speed, orchestrate internal and external resources, and use the predictive power of artificial intelligence (AI).
Tech Mahindra chose to design and build the hosting platform for SAP on Amazon Web Services (AWS), which provides highly flexible and reliable cloud infrastructure solutions and a broad range of services to deploy enterprise-grade applications in the cloud.
Tech Mahindra is an AWS Advanced Consulting Partner and Managed Service Provider (MSP) that specializes in digital transformation, consulting, and business re-engineering solutions. They proposed an intelligent enterprise solution to the customer based on SAP S/4HANA along with third-party solutions for e-procurement, learning, and content management to meet their requirements.
The customer’s core business requirements are covered under the SAP S/4 HANA stack, which includes material management, financial accounting, funds management, sales and distribution, project system, commercial project management, real estate management, and a geographical enablement framework.
The following capabilities are provided by SAP:
- Enhanced user experience built around the SAP Mobility platform using Fiori UI
- SAP BW/4HANA for data warehousing and analytics
- SAP DMS for the document management system
- SAP PI/PO systems for integration with non-SAP applications
- SAP BO for centralized reporting
The SAP solution for this customer was designed and built with scalable and secure architecture using AWS services.
Tech Mahindra designed the overall architecture considering the best practices recommended by AWS and in alignment with the five pillars of the AWS Well-Architected Framework. The Asia Pacific (Mumbai) Region was chosen to host the applications, and critical components were placed across two AWS Availability Zones (AZs) to achieve high availability.
The target landscape for this SAP application consists of three environments: development, quality assurance (QA)/user acceptance testing (UAT), and production. Each environment has its own dedicated virtual private cloud (VPC) that allows better security controls and segregation of responsibilities.
To isolate each environment for robust security and ease of management, four VPCs were created to segregate network access. Below is the high-level environment classification:
- Development
- QA/UAT
- Management (transit)
- Production/Disaster Recovery (DR)
The overall AWS architecture is depicted in the diagram below and provides a high-level view of the various AWS services used in Tech Mahindra’s ERP solution.
Figure 1 – High-level logical architecture (AWS Cloud).
All application-specific workloads are deployed within their designated VPCs. Apart from this, there is a dedicated management VPC designed to have the core network system enabled through a Network Load Balancer and AWS Transit Gateway.
For additional perimeter security, apart from AWS CloudHSM there are a few third-party security services included, such as Microsoft Active Directory, Anti-Virus Policy Server, and Check Point Firewall. All of the management components are provisioned in active/active mode across two AZs in the AWS Region.
AWS security services are leveraged to build a highly secure platform for the customer’s SAP platform on AWS.
AWS Identity and Access Management (IAM) controls access to AWS resources, so that users connect securely with only the roles and privileges assigned to them.
AWS Certificate Manager and AWS CloudHSM protect the data in transit and at rest.
AWS Certificate Manager (SSL/TLS encryption) plays a key role in managing and provisioning the SSL certificates for all applications that are exposed to the internet using AWS ELB. These certificates are required to secure the transactions while in transit.
All of the storage services (Amazon EBS, Amazon EFS, Amazon S3) have been designed to address encryption at rest, and to meet the customer requirement for a dedicated hardware module that provides secure key storage and cryptographic operations.
AWS CloudHSM is used to store all encryption keys, both for AWS native resources (EBS, EFS, S3) and for custom application keys.
An AWS security group is configured as a host firewall to allow only the ports required by the business.
McAfee is used as an anti-virus/anti-malware/HIPS solution that protects every individual virtual machine that is deployed within the AWS environment.
Based on the customer’s requirement, additional perimeter-level security has been provided through Check Point Firewall that forms the central point for the traffic from the external world to AWS, and vice versa. Check Point is used to provide an intrusion prevention system to prevent and detect unauthorized activities and sessions.
All of the internet-facing applications and portals configured are processed via Check Point Firewall through an external load balancer and serve as the only entry points into the cloud platform.
AWS Managed Microsoft AD is a centralized solution for user, group, and system management. This gets tightly integrated with Active Directory Federated Service (ADFS) that provides single sign-on (SSO) functionality for multiple applications.
Amazon Route 53 is used primarily to address the domain naming service, and it forms the backbone for application routing between the customer’s DNS service and application hosted on AWS.
Elastic Load Balancer is used for load balancing of the traffic across various applications. It’s also secured with Transport Layer Security (TLS), thus encrypting the data in transit.
Amazon CloudWatch is the monitoring solution for all AWS resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Elastic Load Balancers, and all of the infra components.
AWS Managed Config Rules are used to assess, audit, and evaluate the configurations of all AWS resources. Selected rules are configured to check resources against their desired state at regular intervals.
AWS CloudTrail is used for governance, compliance, operational auditing, and risk auditing. This includes tracking the activities of account users, monitoring AWS API activity, and setting alarms that trigger notifications.
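As an added example, not code from the original post or from Tech Mahindra's deployment, the evaluation logic of a custom AWS Config rule that checks whether a security group opens only the ports the business requires, combining the host-firewall security group and the desired-state Config checks described above. The allowed port set, the sample security groups, and the lowerCamelCase shape of the configuration item (mirroring describe-security-groups as Config records it) are assumptions for this example.

```python
"""Evaluation logic for a custom AWS Config rule on security groups (constructed example)."""
import json
from datetime import datetime

# Ports assumed to be required by the business for this example:
# 443 (Fiori / web dispatcher behind the ELB), 3200-3299 (SAP dispatcher), 3600-3699 (message server)
ALLOWED_TCP_PORTS = {443, *range(3200, 3300), *range(3600, 3700)}


def port_range(permission):
    """Return the set of TCP ports opened by one ingress permission.
    The permission uses the lowerCamelCase keys (ipProtocol, fromPort, toPort, ipRanges)
    assumed to match how AWS Config records an AWS::EC2::SecurityGroup item."""
    proto = permission.get("ipProtocol")
    if proto == "-1":
        return set(range(0, 65536))  # "all traffic" opens every port on every protocol
    if proto != "tcp":
        return set()  # this rule governs TCP ports only
    return set(range(permission["fromPort"], permission["toPort"] + 1))


def evaluate_compliance(configuration):
    """Return (compliance_type, annotation) for a security group's configuration block."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        extra = sorted(port_range(perm) - ALLOWED_TCP_PORTS)
        if extra:
            sources = [r["cidrIp"] for r in perm.get("ipRanges", [])]
            violations.append(f"ports {extra[0]}-{extra[-1]} from {sources or 'non-CIDR source'}")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)[:256]  # Config annotations are capped at 256 chars
    return "COMPLIANT", "only business-required ports are open"


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on configuration changes.
    boto3 is imported here so the pure evaluation logic above runs without AWS credentials."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return None
    compliance, annotation = evaluate_compliance(item["configuration"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            # capture time format assumed to be e.g. 2024-01-15T10:00:00.000Z
            "OrderingTimestamp": datetime.strptime(item["configurationItemCaptureTime"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample configuration blocks for a stand-alone run
SAMPLE_COMPLIANT = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
    {"ipProtocol": "tcp", "fromPort": 3200, "toPort": 3299, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
]}
SAMPLE_NON_COMPLIANT = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_COMPLIANT), ("non_compliant", SAMPLE_NON_COMPLIANT)):
        print(name, evaluate_compliance(cfg))
```

The port allow-list is kept in code here for brevity; in a real rule it belongs in the rule's input parameters so the same function can serve the SAP, management, and database security groups with different desired states.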
AWS Lambda is deployed to run health status reporting and schedule the stop and start of EC2 instances during off business hours.
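As an added example, not the post's or Tech Mahindra's own Lambda, the decision logic of an off-hours stop/start function like the one described above. Instances opt in through an assumed `OffHoursSchedule=business-hours` tag, business hours are assumed to be 08:00-20:00 IST on weekdays, and anything tagged `Environment=production` is never touched; the instance records and timestamps are constructed samples.

```python
"""Off-hours EC2 stop/start scheduling logic (constructed example)."""
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # Asia Pacific (Mumbai) business time, fixed offset
BUSINESS_START, BUSINESS_END = 8, 20            # assumed: 08:00-20:00 IST, Monday to Friday
SCHEDULE_TAG = "OffHoursSchedule"               # assumed tag name; value "business-hours" opts in


def in_business_hours(now):
    """True when `now` (timezone-aware) falls inside the assumed business window."""
    local = now.astimezone(IST)
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def plan_actions(instances, now):
    """Return {"stop": [ids], "start": [ids]} for opted-in instances.
    Each instance dict is shaped like one entry of describe_instances():
    {"InstanceId": ..., "State": {"Name": ...}, "Tags": [{"Key": ..., "Value": ...}]}."""
    plan = {"stop": [], "start": []}
    want_running = in_business_hours(now)
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        # production is excluded as a guard rail even if someone tags it by mistake (assumed policy)
        if tags.get(SCHEDULE_TAG) != "business-hours" or tags.get("Environment") == "production":
            continue
        state = inst["State"]["Name"]
        if want_running and state == "stopped":
            plan["start"].append(inst["InstanceId"])
        elif not want_running and state == "running":
            plan["stop"].append(inst["InstanceId"])
    return plan


def lambda_handler(event, context):
    """Scheduled entry point; boto3 is imported here so plan_actions() runs offline."""
    import boto3
    ec2 = boto3.client("ec2")
    reservations = ec2.describe_instances(
        Filters=[{"Name": "tag-key", "Values": [SCHEDULE_TAG]}])["Reservations"]
    instances = [i for r in reservations for i in r["Instances"]]
    plan = plan_actions(instances, datetime.now(timezone.utc))
    if plan["stop"]:
        ec2.stop_instances(InstanceIds=plan["stop"])
    if plan["start"]:
        ec2.start_instances(InstanceIds=plan["start"])
    return plan


# Constructed sample inventory and timestamps (Monday 2024-01-15; 17:00 UTC is 22:30 IST, 05:00 UTC is 10:30 IST)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-dev-app-01", "State": {"Name": "running"},
     "Tags": [{"Key": SCHEDULE_TAG, "Value": "business-hours"}, {"Key": "Environment", "Value": "development"}]},
    {"InstanceId": "i-qa-app-01", "State": {"Name": "stopped"},
     "Tags": [{"Key": SCHEDULE_TAG, "Value": "business-hours"}, {"Key": "Environment", "Value": "qa"}]},
    {"InstanceId": "i-prd-app-01", "State": {"Name": "running"},
     "Tags": [{"Key": SCHEDULE_TAG, "Value": "business-hours"}, {"Key": "Environment", "Value": "production"}]},
    {"InstanceId": "i-mgmt-ad-01", "State": {"Name": "running"}, "Tags": []},
]
OFF_HOURS_NOW = datetime(2024, 1, 15, 17, 0, tzinfo=timezone.utc)
BUSINESS_NOW = datetime(2024, 1, 15, 5, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("off hours:", plan_actions(SAMPLE_INSTANCES, OFF_HOURS_NOW))
    print("business hours:", plan_actions(SAMPLE_INSTANCES, BUSINESS_NOW))
```

Keeping the decision in a pure function makes the schedule testable without AWS access, and the production guard limits the blast radius of a mis-tagged instance, which matters for a function whose IAM role is allowed to stop EC2 instances.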
SAP on AWS Solution
For SAP, the main components are SAP Central Services (ASCS), the database, and the application servers. The single points of failure in this solution are SAP ASCS and the database.
ASCS stands for ABAP SAP Central Service and consists of two parts: the Message Server and Enqueue Server. The Message Server acts as a communication channel between the application servers and handles the load distribution, while the Enqueue Server controls the lock mechanism.
For SAP ASCS, high availability is achieved by using the Enqueue Replication Server (ERS), which replicates locks from ASCS. Tech Mahindra's solution uses SAP-certified SUSE Linux Enterprise Server (SLES) for SAP instances, where the Pacemaker service provides the failover mechanism using an Overlay IP. Routing to the Overlay IP is achieved through AWS Transit Gateway, which allows the cluster to fail over efficiently.
For the database—HANA in this case—the customer is using HANA System Replication (HSR) in synchronous mode to another AZ. If the primary database goes down, the database traffic is pointed to a secondary database in another AZ.
The availability needs for the SAP application server are achieved by using multiple SAP application servers (primary application server and additional application server) in the same AZ.
In the event that the primary AZ becomes unavailable, we will switch SAP operations over to the secondary AZ. This is achieved by performing a takeover on the secondary database, which then assumes the role of the primary. Because the database replication is in synchronous mode, we achieve the RTO/RPO required by the customer.
For SAP ASCS and application servers, we will use customized Amazon Machine Images (AMIs) to bring up the services in the secondary AZ.
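As an added example of the Overlay IP failover described above, and not code from the original post or from the SUSE/Pacemaker resource agents that perform this in the real cluster, the following reconciles VPC route tables so that the /32 overlay route points at the currently active ASCS node, and checks the standard precondition that the overlay IP lies outside the VPC CIDR. The overlay IP, VPC CIDR, route table and instance identifiers are constructed samples.

```python
"""Overlay IP route reconciliation for the SAP ASCS/ERS cluster (constructed example)."""
from ipaddress import ip_network

OVERLAY_IP = "192.168.255.10/32"  # assumed overlay IP, deliberately outside the VPC CIDR
VPC_CIDR = "10.10.0.0/16"         # assumed CIDR of the SAP VPC


def validate_overlay_ip(cidr, vpc_cidr):
    """An overlay IP must be a /32 that is not part of the VPC CIDR; otherwise the
    VPC's local route wins and the cluster's route entry is never used."""
    net = ip_network(cidr)
    return net.prefixlen == 32 and net.network_address not in ip_network(vpc_cidr)


def current_target(route_table, cidr):
    """Return the instance id a route table sends `cidr` to, or None if no such route exists."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == cidr:
            return route.get("InstanceId")
    return None


def plan_route_moves(route_tables, active_instance_id, cidr=OVERLAY_IP):
    """Return the EC2 API calls (as parameter dicts) needed so every route table listed
    sends the overlay IP to the active node. Route tables already pointing there are skipped,
    so the function is idempotent and safe to run on every Pacemaker monitor cycle."""
    moves = []
    for rt in route_tables:
        target = current_target(rt, cidr)
        if target == active_instance_id:
            continue
        moves.append({
            "op": "replace_route" if target else "create_route",
            "RouteTableId": rt["RouteTableId"],
            "DestinationCidrBlock": cidr,
            "InstanceId": active_instance_id,
        })
    return moves


def apply_moves(moves):
    """Execute the planned calls; boto3 is imported here so the planning code runs offline."""
    import boto3
    ec2 = boto3.client("ec2")
    for move in moves:
        params = {k: v for k, v in move.items() if k != "op"}
        getattr(ec2, move["op"])(**params)  # ec2.replace_route(...) or ec2.create_route(...)


# Constructed sample: route tables of the SAP VPC as describe_route_tables() would shape them
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-sap-app-az-a", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": OVERLAY_IP, "InstanceId": "i-ascs-node-a"}]},
    {"RouteTableId": "rtb-sap-app-az-b", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": OVERLAY_IP, "InstanceId": "i-ascs-node-a"}]},
    {"RouteTableId": "rtb-sap-db", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": OVERLAY_IP, "InstanceId": "i-ascs-node-b"}]},
    {"RouteTableId": "rtb-sap-new-subnet", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]},
]

if __name__ == "__main__":
    assert validate_overlay_ip(OVERLAY_IP, VPC_CIDR)
    for move in plan_route_moves(SAMPLE_ROUTE_TABLES, "i-ascs-node-b"):
        print(move)
```

Only the SAP VPC's own route tables are reconciled here; the IAM role of the cluster nodes should be limited to `ec2:ReplaceRoute`, `ec2:CreateRoute` and `ec2:DescribeRouteTables` on exactly those tables, since a node that can rewrite arbitrary routes could redirect traffic for the whole VPC.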
Although the databases are configured in high availability mode, all databases are also backed up at regular intervals. Backup copies are stored in Amazon S3 using the database-native backup tooling together with AWS Backint Agent.
Figure 2 – SAP on AWS deployment architecture.
The above architecture is for the SAP S/4 HANA deployment. All of the other SAP applications are deployed in the same way.
AWS Backint Agent is configured on the SAP HANA database nodes, which will enable backup to S3 storage at regular intervals.
AWS Backup is configured to schedule AMI backup for all of the SAP application servers. The snapshots can be used to restore the instance as required. Different SAP products are tested to recover from the snapshot taken using AMI backup.
User workflow for accessing the application:
- Users log in to the SAP Fiori UI exposed to them through AWS ELB, which routes the user traffic to the SAP web dispatcher.
- The SAP web dispatcher is configured to use SAML for connecting to the third-party ADFS service for user authentication.
- The third-party ADFS service uses AWS Managed Microsoft AD in the backend for user management.
- Authorization and user profiles are managed in the SAP application.
SAP functional (Power) users accessing the SAP GUI workflow:
- Users log in to SAP GUI through the SAP router string.
- The SAP router is exposed over the internet using AWS ELB.
- Functional users and groups are managed internally within the SAP S4 system.
Organizations need to continuously evolve and provide enhanced customer service.
In the scenario outlined above, customers could achieve agility by hosting enterprise applications in the cloud and addressing the high availability requirements without any restrictions on the required capacity.
In this post, we shared how different AWS components can help you host SAP applications on AWS. We also explored how high availability is achieved with a combination of SAP and AWS services.
Tech Mahindra – AWS Partner Spotlight
Tech Mahindra is an AWS Advanced Consulting Partner and MSP that specializes in digital transformation, consulting, and business re-engineering solutions.