

# Connecting to RISE from your AWS account
<a name="rise-accounts"></a>

You can connect to RISE from your AWS account in the following ways.

**Topics**
+ [Amazon VPC peering](rise-connection-peering.md)
+ [AWS Transit Gateway](rise-connection-transit.md)
+ [AWS Direct Connect gateway](rise-connection-direct-connect-gateway.md)
+ [AWS Cloud WAN](rise-connection-cloud-wan.md)
+ [Connecting to RISE using your single AWS account](rise-connection-accounts.md)
+ [Connecting to RISE using a shared AWS Landing Zone](rise-landing-zone.md)

# Amazon VPC peering
<a name="rise-connection-peering"></a>

A VPC peering connection is a network connection between two VPCs that routes traffic between them privately, using IPv4 or IPv6 addresses, so that instances in either VPC can communicate as if they were in the same network. For more information, see [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

Before setting up a VPC peering connection, you need to create a request for SAP's approval. The IPv4 CIDR blocks of the two VPCs must not overlap; AWS does not allow a peering connection between VPCs with overlapping CIDR blocks. Check with SAP for the CIDR ranges used by the RISE with SAP VPC before you allocate your own.

VPC peering is a one-to-one connection between two VPCs and is not transitive: traffic cannot transit from one VPC to another via an intermediary VPC. You must set up a separate peering connection for each VPC that needs to communicate directly with the RISE with SAP VPC, and each side of every connection needs a route table entry for the peer's CIDR block that targets the peering connection. Route only the prefixes that actually need to reach RISE; together with security groups and network ACLs, this keeps the reachable surface of the RISE VPC as small as possible.

VPC peering works across AWS Regions. All inter-Region traffic is encrypted, with no single point of failure or bandwidth bottleneck. The traffic stays on the AWS global network and never traverses the public internet, which reduces exposure to common exploits and DDoS attacks.
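The two constraints above (no CIDR overlap, no transitivity) are easy to get wrong once several customer VPCs need to reach RISE. The following Python script is an added example, not part of the original page: it checks a set of VPC CIDRs for overlap, derives the peering connections and route entries each VPC needs, and flags subnets whose Availability Zone ID differs from the RISE VPC's (which would incur cross-AZ charges). All VPC names, CIDRs and AZ IDs are constructed placeholders; the real RISE VPC CIDR and AZ ID come from SAP.

```python
"""Plan VPC peering between the RISE with SAP VPC and a set of customer VPCs.

Added example, not part of the original page. The VPC names, CIDR blocks and
Availability Zone IDs below are constructed placeholders; the real RISE VPC
CIDR and AZ ID come from SAP."""
from __future__ import annotations
from ipaddress import ip_network
from itertools import combinations


def overlapping_pairs(vpcs: dict[str, str]) -> list[tuple[str, str]]:
    """Every pair of VPCs whose CIDR blocks overlap. AWS refuses to create a
    peering connection between two such VPCs, so this must be empty for every
    pair that will be peered."""
    nets = {name: ip_network(cidr, strict=True) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def peering_plan(rise: tuple[str, str], customers: dict[str, str]) -> dict:
    """Peering is one-to-one and not transitive, so every customer VPC that must
    reach RISE gets its own connection, and both sides of each connection need
    a route for the peer's CIDR that targets that connection. Only the peer
    CIDR is routed, never a broader prefix, to keep reachability minimal."""
    rise_name, rise_cidr = rise
    clashes = [p for p in overlapping_pairs({rise_name: rise_cidr, **customers}) if rise_name in p]
    if clashes:
        raise ValueError(f"CIDR overlap with the RISE VPC, peering impossible: {clashes}")
    connections = []
    routes: dict[str, list[dict]] = {rise_name: []}
    for name, cidr in customers.items():
        pcx = f"pcx:{name}<->{rise_name}"          # stands in for the real pcx-... ID
        connections.append(pcx)
        routes[name] = [{"destination": rise_cidr, "target": pcx}]
        routes[rise_name].append({"destination": cidr, "target": pcx})
    return {"connections": connections, "routes": routes}


def cross_az_subnets(rise_az_ids: set[str], customer_subnets: dict[str, str]) -> list[str]:
    """Customer subnets (subnet -> AZ ID) that do not sit in an AZ ID used by
    the RISE VPC; traffic from them pays cross-AZ data transfer. Compare AZ IDs
    (use1-az1), not AZ names (us-east-1a), which map differently per account."""
    return sorted(s for s, az in customer_subnets.items() if az not in rise_az_ids)


if __name__ == "__main__":
    # Constructed sample landscape.
    rise = ("rise-vpc", "10.100.0.0/16")
    customers = {"shared-services": "10.0.0.0/16", "analytics": "10.1.0.0/16"}
    print(peering_plan(rise, customers))
    print(cross_az_subnets({"use1-az1", "use1-az2"}, {"app-a": "use1-az1", "app-b": "use1-az4"}))
```

`ip_network(..., strict=True)` also rejects a CIDR whose host bits are set (for example `10.0.0.1/24`), which is a common copy-paste error in connectivity questionnaires.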

![\[VPC peering connections between multiple accounts in multiple Regions\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-peering.jpg)


Data transfer over a VPC peering connection is free within an Availability Zone. Across Availability Zones it is charged per GB for "data in" and for "data out", and across Regions it is charged per GB for "data out" only. For more information, see [Amazon EC2 pricing](https://aws.amazon.com/ec2/pricing/on-demand/). In your AWS account, place the subnets that talk to RISE in the same Availability Zone ID as the AWS account managed by SAP to avoid cross-Availability Zone data transfer charges. Compare Availability Zone IDs rather than names: a name such as us-east-1a maps to different physical zones in different accounts, while the ID (for example use1-az1) is consistent. You can ask SAP for the Availability Zone ID. For more information, see [Availability Zone IDs for your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/working-with-az-ids.html).


**Pricing example - VPC peering across Availability Zones**

![\[VPC peering across Availability Zones\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-peering-pricing.png)

100 GB of data sent from the AWS account managed by SAP via VPC peering toward the AWS account managed by the customer, across Availability Zones:
+ 100 GB × $0.01 per GB = $1 (data out, billed to the AWS account managed by SAP)
+ 100 GB × $0.01 per GB = $1 (data in, billed to the AWS account managed by the customer)

As the cost for data transfer out of the SAP-managed account is included in the RISE subscription, the AWS account managed by the customer only incurs the cost for traffic in, that is $0.01 per GB ($1 in this example). The same cost applies when the sender is the AWS account managed by the customer and the receiver is the AWS account managed by SAP: the customer account is then billed $0.01 per GB for its data out.

**Pricing example - VPC peering across Regions**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

![\[VPC peering across Regions\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-peering-across-regions-pricing.png)

1. 100 GB of data sent from the AWS account managed by SAP via VPC peering toward the AWS account managed by the customer, across Regions: 100 GB × ($0.01-$0.138 per GB) = $1-$13.8 (data out, billed to the AWS account managed by SAP). As the cost for data transfer is included in the RISE subscription, the AWS account managed by the customer does not incur cost in this example.

1. 100 GB of data sent from the AWS account managed by the customer via VPC peering toward the AWS account managed by SAP, across Regions: 100 GB × ($0.01-$0.138 per GB) = $1-$13.8 (data out, billed to the AWS account managed by the customer). As inter-Region data transfer is charged for "data out", the AWS account managed by the customer incurs the cost in this example.

# AWS Transit Gateway
<a name="rise-connection-transit"></a>

AWS Transit Gateway is a network transit hub that interconnects Amazon VPCs. It acts as a cloud router and replaces a mesh of peering connections with a central communication hub, so you only need to establish the connection with the AWS account managed by SAP once; further VPCs are attached to the transit gateway rather than peered individually with RISE.

**Transit Gateway in your own AWS account**

To establish the connection with the AWS account managed by SAP, create a transit gateway in your AWS account and share it with the SAP-managed account via AWS Resource Access Manager (RAM). SAP then creates a VPC attachment for the RISE with SAP VPC, and traffic flows once the transit gateway route table contains an entry for it. Because the transit gateway resides in your AWS account, you retain control over traffic routing: which route table the RISE attachment is associated with, and which routes are propagated to it. Share the transit gateway with SAP's account ID only (not with your whole organization), and leave automatic acceptance of shared attachments disabled so that SAP's attachment request must be accepted by you before it carries traffic. For more information, see [Transit gateway peering attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html).

![\[Connections between multiple accounts in multiple Regions using Transit Gateway\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-transit-1.png)
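Whether the shared transit gateway actually leaves you in control depends on three settings on the gateway and on who the RAM share is granted to. The following Python script is an added example, not part of the original page or of any AWS tooling: it audits the JSON returned by `aws ec2 describe-transit-gateways` and `aws ram get-resource-share-associations --association-type PRINCIPAL` against a least-privilege sharing policy (one principal, manual attachment acceptance, no default route table association or propagation). The two JSON documents below are constructed samples and the SAP account ID is a placeholder for the one SAP gives you.

```python
"""Audit a transit gateway before and after sharing it with the SAP-managed account.

Added example, not part of the original page. It reads the JSON shapes of
`aws ec2 describe-transit-gateways` and
`aws ram get-resource-share-associations --association-type PRINCIPAL`.
The two documents below are constructed samples; SAP_ACCOUNT_ID is a placeholder.
The checks encode a least-privilege sharing policy, not an AWS requirement."""
import json

SAP_ACCOUNT_ID = "111122223333"                     # placeholder, replace with SAP's account ID

# Constructed sample of `aws ec2 describe-transit-gateways` output (unsafe settings).
TGW_JSON = json.dumps({"TransitGateways": [{
    "TransitGatewayId": "tgw-0123456789abcdef0",
    "State": "available",
    "Options": {
        "AutoAcceptSharedAttachments": "enable",    # SAP's attachment would be accepted silently
        "DefaultRouteTableAssociation": "enable",
        "DefaultRouteTablePropagation": "enable",
    },
}]})

# Constructed sample of the RAM principal associations for the share (one of them too broad).
RAM_JSON = json.dumps({"resourceShareAssociations": [
    {"associatedEntity": "111122223333", "associationType": "PRINCIPAL", "status": "ASSOCIATED"},
    {"associatedEntity": "arn:aws:organizations::999988887777:organization/o-exampleorgid",
     "associationType": "PRINCIPAL", "status": "ASSOCIATED"},
]})


def audit_transit_gateway(tgw_json: str, ram_json: str, sap_account: str) -> list:
    """Return a list of findings; an empty list means the gateway is shared as intended."""
    findings = []
    for tgw in json.loads(tgw_json)["TransitGateways"]:
        tid, opts = tgw["TransitGatewayId"], tgw.get("Options", {})
        if opts.get("AutoAcceptSharedAttachments") == "enable":
            findings.append(f"{tid}: AutoAcceptSharedAttachments=enable; attachments from shared "
                            "principals are accepted without your approval")
        if opts.get("DefaultRouteTableAssociation") == "enable":
            findings.append(f"{tid}: DefaultRouteTableAssociation=enable; the RISE attachment would "
                            "join the default route table instead of a dedicated one")
        if opts.get("DefaultRouteTablePropagation") == "enable":
            findings.append(f"{tid}: DefaultRouteTablePropagation=enable; the RISE VPC CIDR would be "
                            "propagated to every attachment on the default route table")
    for assoc in json.loads(ram_json)["resourceShareAssociations"]:
        if assoc.get("associationType") != "PRINCIPAL" or assoc.get("status") != "ASSOCIATED":
            continue
        if assoc["associatedEntity"] != sap_account:
            findings.append(f"resource share principal {assoc['associatedEntity']} is not the SAP "
                            f"account {sap_account}; share with that account ID only")
    return findings


if __name__ == "__main__":
    for finding in audit_transit_gateway(TGW_JSON, RAM_JSON, SAP_ACCOUNT_ID):
        print("FINDING:", finding)
```

Run it against the real output of the two CLI commands after `modify-transit-gateway` and the RAM share are in place; every finding corresponds to one setting to change before SAP creates its attachment.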


**Transit Gateway in AWS account managed by SAP**

When you already have a Transit Gateway in another AWS Region and cannot create another AWS account with a Transit Gateway in the Region of the RISE with SAP account, SAP can provide a Transit Gateway in the RISE with SAP account, managed by SAP. You then enable communication between your Transit Gateway and the SAP-managed Transit Gateway through Transit Gateway peering. You cannot attach VPCs outside of the RISE environment to the SAP-managed Transit Gateway.

For peering attachments, each Transit Gateway owner is billed hourly for its side of the peering attachment. The hourly cost of the peering attachment on the Transit Gateway in the SAP-managed account (used for inter-Region Transit Gateway peering) is part of the RISE subscription; the hourly cost of the peering attachment on the Transit Gateway in the customer-managed account is billed to the customer. For more information, see [Transit Gateway pricing](https://aws.amazon.com/transit-gateway/pricing/).


**Pricing example - Transit Gateway across VPCs in different Regions**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

![\[Transit Gateway across VPCs in different Regions\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-transit-different-regions-pricing.png)

1. 100 GB of data sent from a VPC in Region X in the AWS account managed by SAP, via the Transit Gateway that resides in that account, to a peered Transit Gateway in a different Region Y that resides in the AWS account managed by the customer, ending at a VPC in the customer account:
   + 100 GB × $0.02 per GB = $2 (Transit Gateway data processing)
   + 100 GB × ($0.01-$0.138 per GB) = $1-$13.8 (Region out)
   + Total: $3-$15.8, billed to the AWS account managed by SAP

   Data processing is charged to the owner of the VPC that sends the traffic to the Transit Gateway. As the sending VPC resides in the AWS account managed by SAP and the cost for data transfer is included in the RISE subscription, the AWS account managed by the customer does not incur data transfer cost in this example. Data processing charges do not apply to data arriving from a peering attachment, and inbound inter-Region data transfer is free, so no further data transfer charges apply to the customer account. The customer account is only billed the hourly price of its Transit Gateway peering attachment. Data out of an Availability Zone always goes via the Transit Gateway endpoint in that Availability Zone to reach the other VPC, so there are no cross-AZ data transfer costs.

1. 100 GB of data sent from a VPC in Region Y in the AWS account managed by the customer, via the Transit Gateway that resides in that account, to a peered Transit Gateway in a different Region X that resides in the AWS account managed by SAP, ending at a VPC in the SAP account:
   + 100 GB × $0.02 per GB = $2 (Transit Gateway data processing)
   + 100 GB × ($0.01-$0.138 per GB) = $1-$13.8 (Region out)
   + Total: $3-$15.8, billed to the AWS account managed by the customer

   Data processing is charged to the owner of the VPC that sends the traffic to the Transit Gateway. As the sending VPC resides in the AWS account managed by the customer, all data transfer costs in this example are billed to the AWS account managed by the customer. In addition, the customer account is billed the hourly price of its Transit Gateway peering attachment.

# AWS Direct Connect gateway
<a name="rise-connection-direct-connect-gateway"></a>

[AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html) is a global service that enables you to establish private connectivity between your on-premises networks and multiple Amazon VPCs across different AWS Regions. This centralized connection hub allows you to consolidate your network architecture, reduce complexity, and maintain high-bandwidth connections that keep your mission-critical traffic off the public internet. Note that a Direct Connect connection is private but not encrypted by itself; if you need encryption in transit, use MACsec on a supported dedicated connection or run an IPsec Site-to-Site VPN over the Direct Connect connection.

**AWS Direct Connect gateway in your own AWS account**

To establish the connection with the AWS account managed by SAP, create an AWS Direct Connect gateway in your account and associate it with the virtual private gateway of the RISE with SAP VPC, so that traffic from your private virtual interface (VIF) is routed to that VPC. As the AWS Direct Connect gateway resides in your AWS account, you retain control over traffic routing, including the prefixes allowed on the association.

![\[Direct Connect gateway in your own account\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-direct-connect-gateway.png)


When you require connectivity from multiple on-premises sites and/or use multiple AWS Regions for RISE with SAP (for example, for long-distance disaster recovery), a Direct Connect gateway simplifies the connectivity.

![\[Direct Connect gateway in your own account with Multi Region\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-direct-connect-gateway-multi-regions.png)


**AWS Direct Connect gateway in AWS account managed by SAP**

If you have no requirement to own and manage an AWS account, you can request that SAP provides the AWS Direct Connect gateway as part of the AWS account managed by SAP.

![\[Direct Connect gateway in the AWS account managed by SAP\]](http://docs.aws.amazon.com/sap/latest/general/images/rise-direct-connect-gateway-sap-provided.png)


There are no additional charges for the AWS Direct Connect gateway itself. You can find out more in the [AWS Direct Connect FAQs](https://aws.amazon.com/directconnect/faqs/#Direct_Connect_Gateway).

# AWS Cloud WAN
<a name="rise-connection-cloud-wan"></a>

[AWS Cloud WAN](https://aws.amazon.com/cloud-wan/) is a managed wide-area networking (WAN) service that simplifies building, managing, and monitoring unified global networks connecting cloud and on-premises resources. It lets organizations centrally connect data centers, branch offices, remote sites, and Amazon Virtual Private Clouds (VPCs) across the AWS global backbone, using a centralized dashboard and policy-driven automation. For more information, see [AWS Cloud WAN documentation](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html).

**Connecting to RISE from on-premises using AWS Cloud WAN in your AWS account**

To establish a connection with the RISE environment (the AWS account managed by SAP), create the AWS Cloud WAN core network in your AWS account and share it via AWS Resource Access Manager (RAM). SAP then accepts the shared core network and creates a VPC attachment for the RISE VPC; traffic flows once the attachment is mapped to a segment and the route table entries are in place. As AWS Cloud WAN resides in your AWS account, you retain control over traffic routing.

The high-level steps to create the Cloud WAN global network are:

1. In AWS Network Manager, create a global network and its associated core network.

1. Create a core network policy that defines the segments, the Autonomous System Number (ASN) range, the AWS Regions (edge locations), and the tags used to map attachments to segments.

1. Apply the network policy.

1. Share the core network using AWS Resource Access Manager with the SAP Enterprise Cloud Services (ECS) account that manages the RISE with SAP account.

1. Create and tag the attachments.

1. Update the route tables in your attached VPCs to include the core network.

You can find more details in the following documentation:
+  [Quick start: Create an AWS Cloud WAN global network and core network](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-getting-started.html) 
+  [Configure the core network settings in an AWS Cloud WAN policy version](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-core-network-config.html) 
+  [Building a Scalable and Secure Multi VPC AWS Network Infrastructure – Cloud WAN](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-cloud-wan.html) 
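Step 2 is where segmentation and acceptance are decided, and a policy error there is only visible after the core network has been shared. The following Python script is an added example, not part of the original page or of AWS tooling: it builds a two-segment core network policy in the Cloud WAN policy document format (version 2021.12) and lints it before `put-core-network-policy`. The segment names (`rise`, `onprem`), the tag key `segment`, the Regions and the ASN range are assumed values for illustration; the security-relevant choice it encodes is `require-attachment-acceptance` on the segment that SAP's VPC attachment lands in, so the attachment is not live until you approve it.

```python
"""Build and lint a Cloud WAN core network policy for connecting RISE.

Added example, not part of the original page. Segment names, the tag key,
Regions and the ASN range are assumed values; the document shape follows the
Cloud WAN policy format (version 2021.12)."""
from __future__ import annotations
import json


def rise_core_network_policy(regions: list[str], asn_range: str = "64512-65534") -> dict:
    """Two segments: 'rise' for the SAP-managed VPC attachment, 'onprem' for
    VPN/Direct Connect attachments. Attachments are mapped to segments by the
    assumed tag key 'segment'. Both segments require acceptance, so an
    attachment created into the shared core network waits for your approval."""
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": True,
            "asn-ranges": [asn_range],
            "edge-locations": [{"location": r} for r in regions],
        },
        "segments": [
            {"name": "rise", "require-attachment-acceptance": True},
            {"name": "onprem", "require-attachment-acceptance": True},
        ],
        # Only on-premises may reach RISE; segments are otherwise isolated from each other.
        "segment-actions": [
            {"action": "share", "mode": "attachment-route", "segment": "rise", "share-with": ["onprem"]},
        ],
        "attachment-policies": [
            {"rule-number": 100, "condition-logic": "or",
             "conditions": [{"type": "tag-value", "key": "segment", "operator": "equals", "value": "rise"}],
             "action": {"association-method": "constant", "segment": "rise"}},
            {"rule-number": 200, "condition-logic": "or",
             "conditions": [{"type": "tag-value", "key": "segment", "operator": "equals", "value": "onprem"}],
             "action": {"association-method": "constant", "segment": "onprem"}},
        ],
    }


def lint_policy(policy: dict) -> list[str]:
    """Checks worth running before put-core-network-policy: every attachment rule
    and share action refers to a defined segment, no segment accepts attachments
    automatically, and at least one edge location exists."""
    problems = []
    segments = {s["name"]: s for s in policy.get("segments", [])}
    for s in segments.values():
        if s.get("require-attachment-acceptance", True) is False:   # Cloud WAN default is true
            problems.append(f"segment {s['name']} accepts attachments automatically")
    for rule in policy.get("attachment-policies", []):
        target = rule["action"].get("segment")
        if rule["action"].get("association-method") == "constant" and target not in segments:
            problems.append(f"attachment rule {rule['rule-number']} maps to undefined segment {target!r}")
    for sa in policy.get("segment-actions", []):
        share_with = sa.get("share-with", [])
        names = [sa["segment"], *([] if share_with == "*" else share_with)]
        for n in names:
            if n not in segments:
                problems.append(f"segment action references undefined segment {n!r}")
    if not policy.get("core-network-configuration", {}).get("edge-locations"):
        problems.append("no edge locations: the core network would exist in no Region")
    return problems


if __name__ == "__main__":
    policy = rise_core_network_policy(["eu-central-1", "us-east-1"])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "ok")
```

The script prints the policy document that you would pass to the Network Manager console or `put-core-network-policy`; SAP's VPC attachment must then carry the tag `segment=rise` to be placed in the RISE segment.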

![\[Cloud WAN\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-cloudwan-01.jpg)


1.  **Attaching AWS Site-to-Site VPN (S2S VPN) to AWS Cloud WAN** – Create a Site-to-Site VPN connection with the target gateway type set to Not associated. You can create an AWS S2S VPN attachment for AWS Cloud WAN under Site-to-Site VPN connections in the Amazon VPC console. Once the AWS S2S VPN is created, you can [attach it to the AWS Cloud WAN core network](https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-vpn-attachment-add.html). For more information, see [How Site-to-Site VPN connection can be created for AWS Cloud WAN](https://docs.aws.amazon.com/vpn/latest/s2svpn/create-cwan-vpn-attachment.html).

1.  **Attaching AWS Direct Connect gateway to AWS Cloud WAN** – Create a Direct Connect gateway with a transit virtual interface and attach the Cloud WAN core network to the Direct Connect gateway that exists in your AWS account. For more information, see [AWS Cloud WAN attachment to a Direct Connect gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/simplify-global-hybrid-connectivity-with-aws-cloud-wan-and-aws-direct-connect-integration/). For detailed steps to create the transit virtual interface for the Direct Connect gateway, see [Create a transit virtual interface to the AWS Direct Connect gateway](https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-transit-vif-dx.html).

You can estimate the costs of deploying AWS Cloud WAN from the [pricing documentation](https://aws.amazon.com/cloud-wan/pricing/). Below are pricing examples for you to consider.

**Scenario A. AWS Cloud WAN connecting two VPCs in the same Region**

![\[Cloud WAN connecting two VPCs in same Region\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-cloudwan-02.jpg)


**Pricing example – AWS Cloud WAN connecting two VPCs in the same Region**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

100 GB of data sent from a VPC in Region X in the AWS account managed by SAP, via the Cloud WAN core network that resides in the AWS account managed by the customer, ending at a VPC managed by the customer:
+ 100 GB × $0.02 per GB = $2 (Cloud WAN data processing, billed to the AWS account managed by SAP)
+ Apart from data processing, the AWS account managed by SAP pays for its VPC attachment. [Cloud WAN pricing](https://aws.amazon.com/cloud-wan/pricing/) varies with the Region where the SAP VPC is attached to Cloud WAN. For example, if the SAP VPC is in US East (N. Virginia), a VPC attachment there costs $0.065 per hour: $0.065 × 730 hours = $47.45 (monthly fixed cost, billed to the AWS account managed by SAP).
+ Hence the total cost in this example is $49.45.

Data processing and VPC attachment costs are charged to the owner of the VPC that sends the traffic to AWS Cloud WAN. As the sending VPC resides in the AWS account managed by SAP and these costs are included in the RISE subscription, the AWS account managed by the customer does not incur the data transfer or attachment cost of the SAP side in this example; it is only billed the hourly price of its own Cloud WAN VPC attachment. Data out of an Availability Zone always goes via the Cloud WAN endpoint in that Availability Zone to reach the other VPC, so there are no cross-AZ data transfer costs.

 **Scenario B. AWS Cloud WAN connecting two VPCs in different Regions** 

![\[Cloud WAN connecting two VPCs in different Regions\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-cloudwan-03.jpg)



**Pricing example – AWS Cloud WAN connecting two VPCs in different Regions**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

100 GB of data sent from a VPC in Region Y in the AWS account managed by the customer, via AWS Cloud WAN, to the AWS account managed by SAP in a different Region X:
+ 100 GB × $0.02 per GB = $2 (Cloud WAN data processing)
+ 100 GB × ($0.01-$0.138 per GB) = $1-$13.8 (Region out)
+ Total: $3-$15.8, billed to the AWS account managed by the customer

Data processing is charged to the owner of the VPC that sends the traffic to Cloud WAN. As the sending VPC resides in the AWS account managed by the customer, all data transfer costs in this example are billed to the AWS account managed by the customer. In addition, the customer account is billed the hourly price of its VPC attachment in Region Y. The VPC attachment charges in Region X are billed to the AWS account managed by SAP and are included in the RISE subscription.

# Connecting to RISE using your single AWS account
<a name="rise-connection-accounts"></a>

You can establish connectivity between on-premises and the RISE with SAP VPC using your own AWS account. This method gives you more control, but also requires you to manage AWS services in your AWS account. You can use any one of the following options.
+ AWS Transit Gateway – Share the AWS Transit Gateway resource in your AWS account with the AWS account managed by SAP.
+ AWS VPN with AWS Transit Gateway – Create an IPsec VPN connection between your remote network and the transit gateway over the internet. For more information, see [How AWS Site-to-Site VPN works](https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html) and [Transit gateway VPN attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html).
+ Direct Connect gateway – Create a Direct Connect gateway with a transit virtual interface. For more information, see [Transit gateway attachments to a Direct Connect gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html).

Because Direct Connect does not encrypt traffic on the link by itself, you can add encryption in transit by running an IPsec Site-to-Site VPN over the Direct Connect connection. For more information, see [How do I establish an AWS VPN over an AWS Direct Connect connection?](https://repost.aws/knowledge-center/create-vpn-direct-connect)

The following image shows this option within the same AWS Regions.

![\[Example connections in a single Region\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-own.jpg)


The following image shows this option across different AWS Regions.

![\[Example connections across Regions\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-own-regions.jpg)


When you choose AWS Site-to-Site VPN and/or AWS Direct Connect to establish connectivity between on-premises and the RISE with SAP VPC using a Transit Gateway in the AWS account managed by the customer, either in the same AWS Region as the RISE with SAP VPC or in a different one, the following applies.

**Hourly cost:**

As the AWS Site-to-Site VPN resides in the AWS account managed by the customer and is attached to the Transit Gateway that resides in the same account, the cost for the VPN connection and the cost for the Transit Gateway attachment are billed to the AWS account managed by the customer.

As the Direct Connect connection and the Direct Connect gateway reside in the AWS account managed by the customer and are attached to the Transit Gateway that resides in the same account, the cost for the AWS Direct Connect port hours and the cost for the Transit Gateway attachment are billed to the AWS account managed by the customer.

For peering attachments, each Transit Gateway owner is billed hourly for the peering attachment with the other Transit Gateway.

 **Data processing charges:** 

Data processing charges apply for each gigabyte sent from a VPC, Direct Connect or VPN to or via the Transit Gateway.

Depending on the source and destination, the data processing charges vary and are either billed to the AWS account managed by the customer or already included in the RISE subscription (see the cost estimation examples below).

For more information see:
+  [AWS Site-to-Site VPN Pricing](https://aws.amazon.com/vpn/pricing/) 
+  [AWS Direct Connect Pricing](https://aws.amazon.com/directconnect/pricing/) 
+  [Transit Gateway pricing](https://aws.amazon.com/transit-gateway/pricing/) 


**Pricing example – Transit Gateway in VPCs in the same Region via VPN or Direct Connect**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

![\[Transit Gateway in VPCs in the same region via VPN or Direct Connect\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-transit-same-regions-via-vpndxc-pricing.png)

1. 200 GB of data sent from a VPC in the AWS account managed by SAP, via the Transit Gateway that resides in the AWS account managed by the customer and the VPN or Direct Connect in the customer account, towards on-premises:
   + Via VPN: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 100 GB × $0.09 per GB = $9 (VPN data transfer out; the first 100 GB are free, then $0.09 per GB) = $13 (total data transfer out, billed to the AWS account managed by SAP)
   + Via Direct Connect: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 200 GB × ($0.02-$0.19 per GB) = $4-$38 (Direct Connect data transfer out) = $8-$42 (total data transfer out, billed to the AWS account managed by SAP)

   Data processing is charged to the owner of the VPC that sends the traffic to the Transit Gateway. As the sending VPC resides in the AWS account managed by SAP and the cost for data transfer is included in the RISE subscription, the AWS account managed by the customer does not incur data transfer cost in this example.

1. 200 GB of data sent from on-premises via the VPN or Direct Connect in the AWS account managed by the customer, via the Transit Gateway that resides in the same account, towards a VPC in the AWS account managed by SAP:
   + Via VPN: 200 GB × $0.00 per GB = $0 (VPN data transfer in) + 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) = $4 (total, billed to the AWS account managed by the customer)
   + Via Direct Connect: 200 GB × $0.00 per GB = $0 (Direct Connect data transfer in) + 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) = $4 (total, billed to the AWS account managed by the customer)

   Data transfer into AWS is free, and this also applies to VPN and Direct Connect, so the only charge is the Transit Gateway data processing. As the Transit Gateway resides in the AWS account managed by the customer, this cost is billed to the customer account.

**Pricing example – Transit Gateway in VPCs in different Regions via VPN or Direct Connect**

*Note: data transfer cost between AWS Regions varies. For more information, see [Amazon EC2 pricing Data Transfer](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer).*

![\[Transit Gateway in VPCs in the different regions via VPN or Direct Connect\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-transit-different-regions-via-vpndxc-pricing.png)

1. 200 GB of data sent from a VPC in the AWS account managed by SAP, via the Transit Gateway in that account, which is peered with a Transit Gateway in a different Region in the AWS account managed by the customer, and then via the VPN or Direct Connect in the customer account, towards on-premises:
   + Via VPN: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 200 GB × ($0.01-$0.138 per GB) = $2-$27.6 (Region out) + 100 GB × $0.09 per GB = $9 (VPN data transfer out; the first 100 GB are free, then $0.09 per GB) = $15-$40.6 (total data transfer out, billed to the AWS account managed by SAP)
   + Via Direct Connect: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 200 GB × ($0.01-$0.138 per GB) = $2-$27.6 (Region out) + 200 GB × ($0.02-$0.19 per GB) = $4-$38 (Direct Connect data transfer out) = $10-$69.6 (total data transfer out, billed to the AWS account managed by SAP)

   Data processing is charged to the owner of the VPC that sends the traffic to the Transit Gateway. As the sending VPC resides in the AWS account managed by SAP and the cost for data transfer is included in the RISE subscription, the AWS account managed by the customer does not incur data transfer cost in this example.

1. 200 GB of data sent from on-premises via the VPN or Direct Connect in the AWS account managed by the customer, via the Transit Gateway in that account and its peered Transit Gateway in a different Region in the AWS account managed by SAP, towards a VPC in the SAP account:
   + Via VPN: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 200 GB × $0.00 per GB = $0 (VPN data transfer in) + 200 GB × ($0.01-$0.138 per GB) = $2-$27.6 (Region out) = $6-$31.6 (total, billed to the AWS account managed by the customer)
   + Via Direct Connect: 200 GB × $0.02 per GB = $4 (Transit Gateway data processing) + 200 GB × $0.00 per GB = $0 (Direct Connect data transfer in) + 200 GB × ($0.01-$0.138 per GB) = $2-$27.6 (Region out) = $6-$31.6 (total, billed to the AWS account managed by the customer)

   Data transfer into AWS is free, and this also applies to VPN and Direct Connect, so the charges are the Transit Gateway data processing and the inter-Region data transfer. As the Transit Gateway resides in the AWS account managed by the customer, these costs are billed to the customer account.
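Every pricing example on this page, for VPC peering, Transit Gateway, Cloud WAN and the VPN or Direct Connect cases above, applies the same attribution rule: data processing and data transfer out are billed to the account that sends the traffic, data transfer into AWS is free, and whatever lands on the SAP-managed account is absorbed by the RISE subscription. The following Python script is an added example, not part of the original page: it encodes that rule once, using the per-GB figures quoted in the examples, so you can evaluate a planned traffic pattern before choosing a topology. The rates are illustrative (check current AWS pricing), and fixed hourly charges for attachments, peering and VPN connections are deliberately left out of the model.

```python
"""Attribute AWS data transfer charges between a RISE (SAP-managed) account,
a customer-managed account and on-premises, using the attribution rule behind
this page's pricing examples: data processing and data transfer out are billed
to the account that sends the traffic, data transfer in is free, and anything
billed to the SAP-managed account is covered by the RISE subscription.

Added example, not part of the original page. Per-GB rates are the figures
quoted in the page's examples and are illustrative only; hourly attachment,
peering and VPN connection charges are fixed costs outside this model."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

SAP, CUSTOMER, ONPREM = "sap", "customer", "on-premises"

HUB_PROCESSING = 0.02              # Transit Gateway / Cloud WAN data processing, per GB sent into the hub
CROSS_AZ_PEERING = 0.01            # VPC peering across AZs: per GB, charged to sender (out) and receiver (in)
INTER_REGION_OUT = (0.01, 0.138)   # inter-Region data transfer out per GB, range across Region pairs
VPN_OUT, VPN_FREE_GB = 0.09, 100   # Site-to-Site VPN data out per GB after the first 100 GB per month
DX_OUT = (0.02, 0.19)              # Direct Connect data transfer out per GB, range across locations


@dataclass
class Scenario:
    sender: str                    # SAP, CUSTOMER or ONPREM
    receiver: str
    gb: float
    hub: str = "peering"           # "peering", "tgw" or "cloudwan"
    cross_az: bool = False         # peering only
    cross_region: bool = False
    edge: Optional[str] = None     # "vpn" or "dx" when one end is on-premises


@dataclass
class Charge:
    item: str
    low: float
    high: float
    billed_to: str


def paying_account(party: str) -> str:
    """On-premises traffic enters AWS through the customer's VPN/Direct Connect,
    so its charges land on the customer-managed account."""
    return SAP if party == SAP else CUSTOMER


def charges(s: Scenario) -> list[Charge]:
    payer = paying_account(s.sender)
    out: list[Charge] = []
    if s.hub in ("tgw", "cloudwan"):
        fee = s.gb * HUB_PROCESSING
        out.append(Charge(f"{s.hub} data processing", fee, fee, payer))
    if s.hub == "peering" and s.cross_az:
        fee = s.gb * CROSS_AZ_PEERING
        out.append(Charge("cross-AZ data out", fee, fee, payer))
        out.append(Charge("cross-AZ data in", fee, fee, paying_account(s.receiver)))
    if s.cross_region:
        out.append(Charge("inter-Region data out", s.gb * INTER_REGION_OUT[0], s.gb * INTER_REGION_OUT[1], payer))
    if s.receiver == ONPREM:       # data out to on-premises; data in from on-premises is free
        if s.edge == "vpn":
            fee = max(s.gb - VPN_FREE_GB, 0) * VPN_OUT
            out.append(Charge("VPN data out", fee, fee, payer))
        elif s.edge == "dx":
            out.append(Charge("Direct Connect data out", s.gb * DX_OUT[0], s.gb * DX_OUT[1], payer))
    return out


def bill(s: Scenario) -> dict[str, tuple[float, float]]:
    """Low/high totals per account. The SAP total is what the RISE subscription
    absorbs; the customer total is what the customer-managed account pays."""
    totals = {SAP: [0.0, 0.0], CUSTOMER: [0.0, 0.0]}
    for c in charges(s):
        totals[c.billed_to][0] += c.low
        totals[c.billed_to][1] += c.high
    return {k: (round(v[0], 3), round(v[1], 3)) for k, v in totals.items()}


if __name__ == "__main__":
    for name, sc in {
        "peering, cross-AZ, SAP -> customer": Scenario(SAP, CUSTOMER, 100, cross_az=True),
        "TGW, cross-Region, customer -> SAP": Scenario(CUSTOMER, SAP, 100, hub="tgw", cross_region=True),
        "TGW + VPN, cross-Region, SAP -> on-premises": Scenario(SAP, ONPREM, 200, hub="tgw", cross_region=True, edge="vpn"),
    }.items():
        print(f"{name}: {bill(sc)}")
```

The direction of a flow decides who pays, so when you model SAP interfaces (for example a nightly extract pulled from RISE versus pushed to RISE) run both directions; the totals differ even though the byte count is the same.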

# Connecting to RISE using a shared AWS Landing Zone
<a name="rise-landing-zone"></a>

Modern SAP landscapes have several connectivity requirements. Services are accessed across on-premises and AWS Cloud as well as across a variety of SaaS solutions and other cloud service providers.

Creating an [AWS Landing Zone](https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html) provides a secure, scalable, and well-architected foundation for RISE with SAP connectivity. It provides the following benefits:
+ Streamlined SAP network integration with standardized architecture
+ Enhanced business continuity through redundant connectivity options
+ Strengthened security posture with layered network controls
+ Centralized management of network resources and policies
+ Ability to reuse [AWS Direct Connect](https://aws.amazon.com/directconnect/) connections across broader AWS solutions
+ Optimized network performance with reduced latency
+ Enhanced governance through AWS native services

A Landing Zone is designed to help organizations achieve their cloud initiatives by automating the set-up of an AWS environment that follows the [AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/) Framework. It scales to all scenarios, from the simplest connectivity, where only RISE with SAP connectivity to on-premises environments is required, to complex requirements with connectivity to multiple SaaS solutions, multiple CSPs, and on-premises.

The key components and benefits of a Landing Zone include:
+  **Multi-account structure** – it sets up an organized hierarchy using [AWS Organizations](https://aws.amazon.com/organizations/) with separate accounts for production, development, and shared services, ensuring clear separation of concerns and improved security boundaries.
+  **Network Architecture** - it establishes a centralized [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/) as the network hub with standardized VPC configurations which connects the RISE with SAP account with other AWS accounts. It also supports integration with AWS Direct Connect and [AWS Site-to-Site VPN](https://aws.amazon.com/vpn/site-to-site-vpn/) to connect your on-premises with RISE with SAP account while maintaining network segmentation and security controls.
+  **Security Framework** - it implements comprehensive AWS security services integration with centralized logging and monitoring, including network firewall implementation and identity and access management controls.
+  **Automation and Management** - it uses Infrastructure as Code deployment through [AWS Control Tower](https://aws.amazon.com/controltower/) or [AWS CDK](https://aws.amazon.com/cdk/) and [Landing Zone Accelerator (LZA)](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/) for automated account provisioning, standardized configurations, and consistent policy enforcement across the environment.
+  **Logging and Monitoring** - it configures AWS services including [AWS Config](https://aws.amazon.com/config/), [AWS CloudTrail](https://aws.amazon.com/cloudtrail/), [Amazon GuardDuty](https://aws.amazon.com/guardduty/) for centralized logging, monitoring, and auditing of resource changes and security events.
+  **Security Controls** - it implements AWS security best practices through Config Rules, CloudTrail trails, and Security Hub standards while enabling network firewall capabilities.
+  **Customization Options** - it allows for customization based on specific organizational requirements, including integration with existing infrastructure and addition of AWS services through the Landing Zone Accelerator configuration.

We recommend using an AWS Landing Zone for RISE with SAP connectivity.

 **Choosing Your Implementation Approach** 

 AWS offers two solutions for implementing a Landing Zone for RISE with SAP connectivity, each designed to meet different organizational needs.

 [AWS Control Tower](https://aws.amazon.com/controltower/) provides a streamlined solution through its console-based interface, enabling quick deployment with standardized controls. This approach suits organizations seeking rapid implementation with built-in governance and compliance controls, particularly those starting their cloud journey or requiring straightforward SAP connectivity.

 [Landing Zone Accelerator (LZA)](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/) extends AWS Control Tower’s capabilities through Infrastructure as Code, offering extensive customization and automation. This solution serves enterprises with complex SAP networking requirements, multiple regions, or significant scaling plans. Organizations with established DevOps practices will benefit from LZA’s configuration-driven approach.

Both solutions deliver secure, scalable foundations for RISE with SAP connectivity. Choose Control Tower for rapid deployment and visual management, or LZA for enhanced customization and automation capabilities.

![\[Connecting to RISE with a shared landing zone\]](http://docs.aws.amazon.com/sap/latest/general/images/connectivity-rise-landing-zone.png)


 **Building an AWS Landing Zone** 

You can implement an AWS Landing Zone using AWS Control Tower and the Landing Zone Accelerator, which together provide an automated process for building a secure, scalable, multi-account environment, including management and governance services.

For detailed implementation steps for LZA, AWS provides the [Guidance for Building an Enterprise-Ready Network Foundation for RISE with SAP on AWS](https://aws.amazon.com/solutions/guidance/building-an-enterprise-ready-network-foundation-for-rise-with-sap-on-aws/). It includes validated architecture patterns, security configurations, and operational procedures specifically designed for RISE with SAP deployments. In a simple scenario, a Landing Zone contains a minimal footprint focused on network connectivity that is typically centered around AWS Transit Gateway. For more information, see [AWS Landing zone](https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-migration/aws-landing-zone.html).

The following is a general overview of the process:

1.  **Define requirements** – understand your organization’s security, compliance, and operational requirements. This will help determine the appropriate guardrails, controls, and services to be included in the Landing Zone. Review the AWS connectivity questionnaire provided by the SAP Enterprise Cloud Services (ECS) team.

1.  **Design architecture** – plan the overall architecture, including the number of accounts (management, shared services, workload accounts), network design (VPCs, subnets, routing), shared services (logging, monitoring, identity management), and security controls (IAM, service control policies, guardrails). For LZA implementations, include planning for [configuration file structure](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html) and customization needs.

1.  **Set up AWS Control Tower** – Control Tower helps in setting up and governing a multi-account AWS environment based on best practices. It allows you to create and provision new AWS accounts and deploy baseline security configurations across those accounts. For LZA implementations, this serves as the foundation for additional customization.

1.  **Deploy Landing Zone Accelerator (Optional)** - If implementing LZA, deploy the installer stack using either AWS CDK or [AWS CloudFormation](https://aws.amazon.com/cloudformation/). Implement standardized configuration files for networking, security, and RISE with SAP connectivity requirements.

1.  **Configure AWS Organizations** - Organizations enables you to centrally manage and govern your AWS accounts. Configure Organizations in Control Tower by creating the necessary organizational units (OUs) and service control policies (SCPs). For LZA implementations, ensure OUs align with [configuration file structure](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html).

1.  **Deploy Core and Shared Services Accounts** - create and configure the core accounts, such as the management account, shared services accounts (for logging, security tooling), and any other required shared accounts. Deploy shared services, such as CloudTrail, Config, and [AWS Security Hub](https://aws.amazon.com/security-hub/), in the shared services account.

1.  **Deploy Network Architecture** - set up the network architecture, including VPCs, subnets, route tables, and Transit Gateway for a hub-and-spoke model. For LZA implementations, configure Direct Connect and/or Site-to-Site VPN through [network configuration files](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html). Include [AWS Network Firewall](https://aws.amazon.com/network-firewall/) setup if required.

1.  **Configure IAM** - establish IAM roles, policies, and groups for controlling access and permissions across the Landing Zone accounts.

1.  **Implement Security Controls** - deploy security services and guardrails, such as Security Hub, [AWS Network Firewall](https://aws.amazon.com/network-firewall/), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and [AWS Config](https://aws.amazon.com/config/) rules.

1.  **Configure Observability and Monitoring** - set up centralized logging and monitoring solutions, such as [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/), [AWS CloudTrail](https://aws.amazon.com/cloudtrail/), and AWS Config.

1.  **Share Transit Gateway Details with SAP** - share the Transit Gateway details with SAP through the AWS connectivity questionnaire. Accept the incoming Transit Gateway attachment requests only after confirming that they originate from the AWS account SAP specified, and that the RISE with SAP VPC CIDR does not overlap any CIDR already routed in the landing zone. Then configure routing between the RISE with SAP VPC and the landing zone, and test connectivity and failover scenarios.

1.  **Deploy Workload Accounts** - deploy workload accounts within your Landing Zone. Create separate AWS accounts for different workload types, for example to separate development, test, and production environments, generative AI workloads using Amazon Bedrock, or data analytics workloads using Amazon SageMaker.

1.  **Implement Operational Procedures** - establish monitoring, alerting, and backup procedures. Document operational procedures and implement change management processes. Given the complex nature of multi-account environments and the need to maintain consistent security and operational standards across the organization, set up automated testing and validation.

1.  **Automate and Maintain** - use CloudFormation templates or AWS CDK to automate deployment and maintenance. For LZA implementations, maintain the configuration files and keep the LZA version up to date with the latest releases. Establish processes for ongoing maintenance, updates, and regular checks against your security and compliance standards.

1.  **Manage Costs** - monitor network transfer costs, optimize connectivity paths, and implement cost allocation tags. Regularly review resource utilization and configure budgets and alerts.
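
The acceptance check in the "Share Transit Gateway Details with SAP" step, as an added example that is not code from this guide or from SAP: it triages pending Transit Gateway VPC attachment requests against the SAP ECS account ID and the RISE VPC CIDR from the connectivity questionnaire, rejects anything from another account or with an overlapping CIDR, and emits the static route entries the landing zone Transit Gateway route table needs. The account IDs, CIDRs and attachment records are constructed sample values (assumptions); in a real landing zone the records would come from the boto3 calls `ec2.describe_transit_gateway_vpc_attachments()`, and the decisions would be applied with `accept_transit_gateway_vpc_attachment()` and `reject_transit_gateway_vpc_attachment()`, none of which this offline example calls.

```python
"""Triage of pending Transit Gateway VPC attachments for a RISE with SAP landing zone.

Added example; all identifiers below are constructed assumptions, not values
taken from SAP or from the AWS documentation.
"""
import ipaddress
from dataclasses import dataclass, field

# Values SAP states in the AWS connectivity questionnaire (constructed samples).
SAP_ECS_ACCOUNT_ID = "111122223333"
RISE_VPC_CIDR = "10.200.0.0/16"

# CIDRs already routed in the landing zone (constructed samples).
LANDING_ZONE_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]

# Constructed records shaped like the "TransitGatewayVpcAttachments" entries that
# boto3 ec2.describe_transit_gateway_vpc_attachments() returns; offline test data.
PENDING_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0aaa", "VpcId": "vpc-0sap",
     "VpcOwnerId": "111122223333", "State": "pendingAcceptance"},
    {"TransitGatewayAttachmentId": "tgw-attach-0bbb", "VpcId": "vpc-0unknown",
     "VpcOwnerId": "999999999999", "State": "pendingAcceptance"},
    {"TransitGatewayAttachmentId": "tgw-attach-0ccc", "VpcId": "vpc-0old",
     "VpcOwnerId": "111122223333", "State": "available"},
]


@dataclass
class TriageResult:
    accept: list = field(default_factory=list)           # attachment IDs safe to accept
    not_accepted: dict = field(default_factory=dict)     # attachment ID -> reason
    routes: list = field(default_factory=list)           # static routes for the TGW route table


def cidr_conflicts(rise_cidr, local_cidrs):
    """Return the landing zone CIDRs that overlap the RISE VPC CIDR (empty list if none)."""
    rise = ipaddress.ip_network(rise_cidr)
    return [c for c in local_cidrs if ipaddress.ip_network(c).overlaps(rise)]


def triage_attachments(attachments, sap_account_id, rise_cidr, local_cidrs):
    """Decide which pending attachments may be accepted.

    An attachment is accepted only when it is pending, it was requested by the
    SAP ECS account, and the RISE CIDR can be routed without overlapping the
    landing zone. Everything else is recorded with a reason so it can be
    rejected explicitly and raised with SAP, rather than silently left pending.
    """
    result = TriageResult()
    conflicts = cidr_conflicts(rise_cidr, local_cidrs)
    for att in attachments:
        att_id = att["TransitGatewayAttachmentId"]
        if att["State"] != "pendingAcceptance":
            result.not_accepted[att_id] = f"state is {att['State']}, nothing to accept"
            continue
        if att["VpcOwnerId"] != sap_account_id:
            result.not_accepted[att_id] = (
                f"requester account {att['VpcOwnerId']} is not the SAP ECS account")
            continue
        if conflicts:
            result.not_accepted[att_id] = (
                f"RISE CIDR {rise_cidr} overlaps landing zone CIDR(s) {conflicts}")
            continue
        result.accept.append(att_id)
        # Static route sending RISE-bound traffic to the accepted attachment.
        result.routes.append({"DestinationCidrBlock": rise_cidr,
                              "TransitGatewayAttachmentId": att_id})
    return result


if __name__ == "__main__":
    outcome = triage_attachments(PENDING_ATTACHMENTS, SAP_ECS_ACCOUNT_ID,
                                 RISE_VPC_CIDR, LANDING_ZONE_CIDRS)
    print("accept:", outcome.accept)
    print("routes:", outcome.routes)
    for att_id, reason in outcome.not_accepted.items():
        print("do not accept:", att_id, "-", reason)
```

Keep `autoAcceptSharedAttachments` disabled on the landing zone Transit Gateway so that this check is actually reached; with auto-accept enabled, any account the gateway is shared with can attach without review.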

Best practices:
+ Start implementation at least 6-8 weeks before the planned go-live.
+ Implement redundant connectivity options for high availability.
+ Use Landing Zone Accelerator for a standardized deployment; LZA [configuration files](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/using-configuration-files.html) can automate most of the setup described above.
+ Follow [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/) guidelines.
+ Regularly review and update security controls.
+ Maintain documentation and operational procedures.

Costs associated with a customer-managed AWS Landing Zone vary depending on the AWS services that are used. Each AWS service described in this section has its own pricing model. For more information on pricing, see the pricing pages of the listed AWS services. Use the [AWS Pricing Calculator](https://calculator.aws/#/) to configure a cost estimate that fits your business needs.

Regularly review and update the landing zone configuration to ensure it continues to meet evolving business needs and security requirements.