SAP Enterprise Cloud Services - Connectivity Support

AWS Connectivity Questionnaire

Customer Data (optional)

Customer Role Name Email Address

Project Contact
Technical Contact
Network Contact

AWS Administrative Data

Information can be fetched from https://sap.sharepoint.com/sites/116261/build/Lists/Customers%20HEC%20on%20A

Parameter Value
AWS Account Number
AWS Region
 Address
Phone Telefax Location (If different from above)

ustomers%20HEC%20on%20AWS/AllItems.aspx
SAP Enterprise Cloud Services - Connectivity Support
AWS VPN Connectivity Questionnaire
Note: If more than one connection is needed, simply copy this worksheet and name it "VPN Option <x>" and provide the
Sheet per VPN Connection). Generally the contracts includes 1 VPN package which allows 10 VPNs without redundant con
then only upto 5 VPNs are poissible per data center.
The AWS VPN connection consists of three components
1) Virtual Private Gateway(VGW) which is the router on the AWS side
2) Customer Gateway (CGW) which is the router on the customer side
3) A S2S VPN connection bonding the VGW and CGW together over two secure IP Sec tunnels in a active/passive configur

Connection Type 1 : VPN Connection

Section 1: To be filled by SAP (Information to be facilitated by SAP ECS Customer Facing unit (CFU))
Virtual Private Gateway (VGW) - A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site
gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection

Parameter Value

VPN Type
Route-based
Section 2 : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup. In c
before S2D or for subsequent setups,, the SAP ECS CFU will help collect the information)

Customer Gateway (CGW) - A customer gateway is a physical device or software application on the customer side of the
Parameter Value
Customer VPN Gateway Details

Customer VPN Gateway Internet facing

public IP Address

Type of Routing (static / dynamic)

BGP ASN for Dynamic Routing

(Customer gateway ASN for BGP. Only
16 bit ASN is supported.)
ASN for the AWS side of the BGP
session (16- or 32-bit ASN)

The default ASN is 64512

Customer Side BGP Peer IP-address (if
different from VPN peer IP provided)

Second Public IP Address (OPTIONAL:

only if active-active mode is used)

Customer On-Premises Network IP

ranges

Note: Pre-shared key need to be defined and exchanged separately If not shared with this questionnaire, SAP will create a
customer.
After VPN procedure is completed in AWS, SAP ECS network engineer will download the configuration information and se
customer gateway device or software application in opn-prem. The VPN tunnel will be UP only when traffic is initiated fro

For more details about VPN Connection refer the link

https://docs.aws.amazon.com/vpn/?id=docs_gateway
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
t

VPN Option <x>" and provide the details of additional connection in that sheet (One
ws 10 VPNs without redundant connections. If Redundant connection is chosen below,

unnels in a active/passive configuration

ng unit (CFU))
the Amazon side of the Site-to-Site VPN connection. You create a virtual private
onnection

Additional Data

Only router based VPN is supported.

system delivery for new setup. In case customer could not provide the info to CAA
n)

cation on the customer side of the Site-to-Site VPN connection

Additional Data
 Provide BGP Peer IP address (In some cases it could be different from
customer's VPN peer IP)

Second IP address from customer side if an active-active setup is

preferred by customer
This indicates Redundnat connection. If this is selected, only a total of 5
VPNs are possible per data center.

On-premise Network IP-Addresses that will be routed over VPN to SAP

ECS

this questionnaire, SAP will create a strong pre-shared key and securely send to the

e configuration information and send it customer to use it and configure the

UP only when traffic is initiated from the customer network to SAP ECS on AWS.
SAP Enterprise Cloud Services - Connectivity Support
AWS VPN Connectivity Questionnaire
Note: If more than one connection is needed, simply copy this worksheet and name it "VPN Option <x>" and provide the
Sheet per VPN Connection). Generally the contracts includes 1 VPN package which allows 10 VPNs without redundant con
then only upto 5 VPNs are poissible per data center.
The AWS VPN connection consists of three components
1) Virtual Private Gateway(VGW) which is the router on the AWS side
2) Customer Gateway (CGW) which is the router on the customer side
3) A S2S VPN connection bonding the VGW and CGW together over two secure IP Sec tunnels in a active/passive configur

Connection Type 1 : VPN Connection

Section 1: To be filled by SAP (Information to be facilitated by SAP ECS Customer Facing unit (CFU))
Virtual Private Gateway (VGW) - A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site
gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection

Parameter Value

VPN Type
Route-based
Section 2 : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup. In c
before S2D or for subsequent setups,, the SAP ECS CFU will help collect the information)

Customer Gateway (CGW) - A customer gateway is a physical device or software application on the customer side of the
Parameter Value
Customer VPN Gateway Details

Customer VPN Gateway Internet facing

public IP Address

Type of Routing (static / dynamic)

BGP ASN for Dynamic Routing

(Customer gateway ASN for BGP. Only
16 bit ASN is supported.)
ASN for the AWS side of the BGP
session (16- or 32-bit ASN)

The default ASN is 64512

Customer Side BGP Peer IP-address (if
different from VPN peer IP provided)

Second Public IP Address (OPTIONAL:

only if active-active mode is used)

Customer On-Premises Network IP

ranges

Note: Pre-shared key need to be defined and exchanged separately If not shared with this questionnaire, SAP will create a
customer.
After VPN procedure is completed in AWS, SAP ECS network engineer will download the configuration information and se
customer gateway device or software application in opn-prem. The VPN tunnel will be UP only when traffic is initiated fro

For more details about VPN Connection refer the link

https://docs.aws.amazon.com/vpn/?id=docs_gateway
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
t

VPN Option <x>" and provide the details of additional connection in that sheet (One
ws 10 VPNs without redundant connections. If Redundant connection is chosen below,

unnels in a active/passive configuration

ng unit (CFU))
the Amazon side of the Site-to-Site VPN connection. You create a virtual private
onnection

Additional Data

Only router based VPN is supported.

system delivery for new setup. In case customer could not provide the info to CAA
n)

cation on the customer side of the Site-to-Site VPN connection

Additional Data
 Provide BGP Peer IP address (In some cases it could be different from
customer's VPN peer IP)

Second IP address from customer side if an active-active setup is

preferred by customer
This indicates Redundnat connection. If this is selected, only a total of 5
VPNs are possible per data center.

On-premise Network IP-Addresses that will be routed over VPN to SAP

ECS

this questionnaire, SAP will create a strong pre-shared key and securely send to the

e configuration information and send it customer to use it and configure the

UP only when traffic is initiated from the customer network to SAP ECS on AWS.
SAP Enterprise Cloud Services - Connectivity Support
AWS VPN Connectivity Questionnaire
Note: If more than one connection is needed, simply copy this worksheet and name it "VPN Option <x>" and provide the
Sheet per VPN Connection). Generally the contracts includes 1 VPN package which allows 10 VPNs without redundant con
then only upto 5 VPNs are poissible per data center.
The AWS VPN connection consists of three components
1) Virtual Private Gateway(VGW) which is the router on the AWS side
2) Customer Gateway (CGW) which is the router on the customer side
3) A S2S VPN connection bonding the VGW and CGW together over two secure IP Sec tunnels in a active/passive configur

Connection Type 1 : VPN Connection

Section 1: To be filled by SAP (Information to be facilitated by SAP ECS Customer Facing unit (CFU))
Virtual Private Gateway (VGW) - A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site
gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection

Parameter Value

VPN Type
Route-based
Section 2 : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup. In c
before S2D or for subsequent setups,, the SAP ECS CFU will help collect the information)

Customer Gateway (CGW) - A customer gateway is a physical device or software application on the customer side of the
Parameter Value
Customer VPN Gateway Details

Customer VPN Gateway Internet facing

public IP Address

Type of Routing (static / dynamic)

BGP ASN for Dynamic Routing

(Customer gateway ASN for BGP. Only
16 bit ASN is supported.)
ASN for the AWS side of the BGP
session (16- or 32-bit ASN)

The default ASN is 64512

Customer Side BGP Peer IP-address (if
different from VPN peer IP provided)

Second Public IP Address (OPTIONAL:

only if active-active mode is used)

Customer On-Premises Network IP

ranges

Note: Pre-shared key need to be defined and exchanged separately If not shared with this questionnaire, SAP will create a
customer.
After VPN procedure is completed in AWS, SAP ECS network engineer will download the configuration information and se
customer gateway device or software application in opn-prem. The VPN tunnel will be UP only when traffic is initiated fro

For more details about VPN Connection refer the link

https://docs.aws.amazon.com/vpn/?id=docs_gateway
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
t

VPN Option <x>" and provide the details of additional connection in that sheet (One
ws 10 VPNs without redundant connections. If Redundant connection is chosen below,

unnels in a active/passive configuration

ng unit (CFU))
the Amazon side of the Site-to-Site VPN connection. You create a virtual private
onnection

Additional Data

Only router based VPN is supported.

system delivery for new setup. In case customer could not provide the info to CAA
n)

cation on the customer side of the Site-to-Site VPN connection

Additional Data
 Provide BGP Peer IP address (In some cases it could be different from
customer's VPN peer IP)

Second IP address from customer side if an active-active setup is

preferred by customer
This indicates Redundnat connection. If this is selected, only a total of 5
VPNs are possible per data center.

On-premise Network IP-Addresses that will be routed over VPN to SAP

ECS

this questionnaire, SAP will create a strong pre-shared key and securely send to the

e configuration information and send it customer to use it and configure the

UP only when traffic is initiated from the customer network to SAP ECS on AWS.
SAP Enterprise Cloud Services - Connectivity Support
AWS Connectivity Questionnaire
Note: If more than one connection is needed, simply copy this worksheet and name it "Direct Connect Option <x>" an
Connect Connection)

Connection Type 2: Direct Connect (DX)

Section 1: To be filled by SAP (Information to be facilitated by SAP ECS Customer Facing unit (CFU))
Parameter Value

Port Speed <SAP to enter based on referring to the contract>

Section 2 : To be filled by Customer.

(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup.
setups,, the SAP ECS CFU will help collect the information)

Parameter Value

Usage Scenario

Direct Connect
Provider/Partner

Direct Connect
Region/Location

Minimum Links

Subnet primary link [/30

CIDR]
Subnet secondary link [/30
CIDR]

VLAN ID

ASN of Customer Router

Customer On-Premises
Network IP ranges
Note: BGP shared key (will be defined and exchanged separately during setup). If not shared with this questionnaire,
setup.

For more details about VPN Connection refer the link

https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

MD5 Key

Direct Connect ID
(Resource ID of existing
Direct Connect)

Customer On-Premises
Network IP ranges

AWS Direct Connect links can also be shared across accounts by using separate VIFs as described here:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
https://aws.amazon.com/jp/blogs/aws/aws-direct-connect-more-connection-speeds-new-console-multiple-accounts/
upport

name it "Direct Connect Option <x>" and provide the details of additional connection in that sheet (One Sheet per Direct

mer Facing unit (CFU))

Additional Data

Refer to the signed contract

List the total value, For example 100MB*10 =1GB

efore the system delivery for new setup. In case customer could not provide the info to CAA before S2D or for subsequent

Additional Data

Customer router peer IP – i.e. BGP Peer IP

configured on the customer end
Amazon router IP - BGP Peer IP configured on the
AWS end

On-premise Network IP-Addresses that will be

routed over Direct Connect to SAP ECS.
This information is requested to adjust NSGs if
needed.
p). If not shared with this questionnaire, SAP network team will create strong key and share securely with customer for initial

ml

On-premise Network IP-Addresses that will be

routed over Direct Connect to SAP ECS.
This information is requested to adjust NSGs if
needed.

e VIFs as described here:

ml
speeds-new-console-multiple-accounts/
he details of additional connection in that sheet (One Sheet per Direct

Notes/Information

omer could not provide the info to CAA before S2D or for subsequent

Notes/Information
If New / Dedicated - Provide inputs to rows 13 to 20 only
If Shared - Provide Inputs to rows 22 to 24 only. Shared means
customer is planning to use an existing Direct Connect instead
of provisoning new one
If Physical then SAP will provide a LOA to the email address of
the customer network contact listed on the Customer Data
sheet

To be filled in case of Physical connect or through AWS partner.

IP address of the Edge router of customer AS (Autonomous

System)

IP address of the Edge router of customer AS (Autonomous

System)
k team will create strong key and share securely with customer for initial
SAP Enterprise Cloud Services - Connectivity Support
AWS VPC Peering Questionnaire
Note: If more than one connection is needed, simply copy this worksheet and name it "VPC Peering Option <x>" and p
additional connection in that sheet (One Sheet per VPC Peering Connection)

Connection Type 3: VPC Peering

Section : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup.
not provide the info to CAA before S2D or for subsequent setups, the SAP ECS CFU will help collect the information)

Customer VPC ID (Accepter)

Customer VPC Region

Customer AWS Account ID

Customer Network IP ranges

(IP ranges used in customer
VPC as well as on premise if
gateway transit is used)

Above details will be exchanged between HEC Delivery and Customer. Both parties have to follow the procedure given
establish VPC peering.
For more details about VPC peering scenarios please visit the following link for more details
https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html
y Support

and name it "VPC Peering Option <x>" and provide the details of
on)

ed before the system delivery for new setup. In case customer could
P ECS CFU will help collect the information)

oth parties have to follow the procedure given in the below link to

nk for more details

tml
urations.html
SAP Enterprise Cloud Services - Connection Support
AWS Transit Gateway attachment Questionnaire
Note:
If more than one connection is needed, simply copy this worksheet and name it "Transit Gateway Accept <x>" and pr
If this questionnaire is updated (Transit gateway ), then other connectivity type like VPN or Direct Connect are not poss

Connection Type 4: VPC Transit Gateway attachment

Section : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup.
the SAP ECS CFU will help collect the information)

Customer VPC ID

Customer Transit Gateway ID

Customer AWS Account ID

Customer Network IP ranges (IP

ranges used in customer VPC as
well as on premise if gateway
transit is used)

Above details will be exchanged between SAP ECS Delivery and Customer. Both parties have to follow the procedure g
For more details about VPC peering scenarios please visit the following link for more details
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html
upport
re

e it "Transit Gateway Accept <x>" and provide the details of additional connection in that sheet (One Sheet per Connection)
ype like VPN or Direct Connect are not possible.

before the system delivery for new setup. In case customer could not provide the info to CAA before S2D or for subsequent setups,,

oth parties have to follow the procedure given in the below link to establish VPC peering.
or more details
tional connection in that sheet (One Sheet per Connection)

ot provide the info to CAA before S2D or for subsequent setups,,

Provide the VPC ID of the your VPC in AWS which you

want to peer with SAP ECS VPC

Please provide the AWS account ID of your AWS

subscription which contains the above VPC
IP-Addresses that will be routed to SAP ECS
Subscription
(CIDR blocks in the format ___.___.___.___/___)
This information is requested to adjust NSGs if needed.

establish VPC peering.

SAP Enterprise Cloud Services - Connectivity Support
AWS Direct Connect Gateway
Note: If more than one connection is needed, simply copy this worksheet and name it "Direct Connect Gateway Option
details of additional connection in that sheet (One Sheet per Direct Connect Gateway Connection)

Connection Type 5: Direct Connect Gateway

Section : To be filled by Customer.
(CAA should facilitate this information to ensure connectivity is established before the system delivery for new setup.
not provide the info to CAA before S2D or for subsequent setups,, the SAP ECS CFU will help collect the information)

Customer DX Gateway ID

Customer AWS Account ID

Customer Network IP ranges

(IP ranges used in customer
VPC as well as on premise if
gateway transit is used)

Above details will be exchanged between SAP ECS Delivery and Customer. Both parties have to follow the procedure g
to establish VPC peering.
For more details about Direct Connect Gateway associations please visit the following link for more details:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/virtualgateways.html
y Support

and name it "Direct Connect Gateway Option <x>" and provide the
ect Gateway Connection)

ed before the system delivery for new setup. In case customer could
P ECS CFU will help collect the information)

r. Both parties have to follow the procedure given in the below link

the following link for more details:

teways.html