AWS re:Invent 2025 - Building a Secure Foundation for SAP RISE and Non-SAP Workload (NTA318)

Migrating SAP and Non-SAP Workloads to AWS: Building a Secure Foundation

Overview

  • This presentation covers strategies and best practices for migrating SAP RISE and non-SAP workloads to AWS, with a focus on establishing a secure cloud foundation.
  • Key topics include migration approaches, connectivity options, disaster recovery, security capabilities, and real-world customer examples.

Migrating to SAP RISE on AWS

  • SAP RISE is a comprehensive business transformation offering that combines SAP S/4HANA private cloud, AWS infrastructure, and managed services into a single solution.
  • Customers are looking to address various business challenges through SAP RISE, such as cost optimization, data center exits, system consolidation, and innovation with services like generative AI.
  • The migration strategy involves transforming on-premises SAP ECC environments to SAP S/4HANA, replacing CRM and EWM components, and re-platforming or refactoring non-HANA workloads.
  • Example: Mondly International, a food and beverage company, migrated its fragmented SAP infrastructure to SAP RISE on AWS, achieving consistent operational support, security, resiliency, and reliability.

Building a Secure AWS Cloud Foundation

  • Best practice is to create individual AWS accounts for each team, rather than a few large accounts, to improve security, billing, and blast radius isolation.
  • AWS Control Tower provides the initial multi-account structure, account provisioning, and governance controls for the landing zone.
  • AWS Landing Zone Accelerator and professional services help customers establish a secure and compliant cloud foundation.
  • AWS also provides guidance on SAP RISE-specific connectivity, security, and hybrid network design.

Connectivity Options for SAP RISE

  • AWS offers four primary connectivity options for SAP RISE, each optimized for different requirements:
    1. AWS Direct Connect: Provides dedicated, high-bandwidth, low-latency network connections.
    2. AWS Site-to-Site VPN: A cost-effective, quick-to-deploy option using IPsec tunnels.
    3. AWS Transit Gateway: Enables scalable, centralized connectivity for multi-VPC and multi-account environments.
    4. Internet Connectivity: For external user and mobile access, with security provided by AWS Web Application Firewall and Application Load Balancer.
  • The choice of connectivity option depends on factors like existing infrastructure, bandwidth requirements, security needs, and future growth plans.

Disaster Recovery and Resilience for SAP RISE

  • SAP RISE on AWS supports two disaster recovery patterns:
    1. Short-distance DR: Synchronous replication between primary and secondary systems within the same AWS Region.
    2. Long-distance DR: Asynchronous replication between primary and secondary systems across separate AWS Regions.
  • AWS Elastic Disaster Recovery provides continuous block-level replication and point-in-time recovery, with support for multi-account architectures.
  • AWS offers extensive resilience capabilities, including highly secure private network interconnections, a geographic footprint for data residency, and automated backups with compliance features.

Security and Compliance for SAP RISE and Non-SAP Workloads

  • SAP RISE leverages the security benefits of Nitro-based EC2 instances, which provide hardware-based isolation and cryptographic validation.
  • Data is encrypted at rest by default, and in transit using mutual TLS.
  • AWS Network Firewall and AWS Web Application Firewall provide network-level and application-level security inspection and protection.
  • AWS Security Hub unifies security findings, vulnerabilities, and sensitive data across the environment, enabling centralized monitoring and automated response workflows.
  • Amazon GuardDuty continuously monitors for malicious or unauthorized activity across AWS accounts and resources.

Customer Example: Project Unifi by CSL

  • CSL, a global biopharmaceutical company, is undergoing a three-phase transformation journey with SAP RISE on AWS:
    1. Lift and shift of existing SAP applications to the cloud.
    2. Modernization of SAP Ariba and SAP Fieldglass on AWS, leveraging SAP BTP services.
    3. Reimagining the business through automated document processing and ML-powered forecasting using Amazon SageMaker.
  • CSL has been able to address data inconsistencies and fragmented governance, and to unlock new insights and innovation through this partnership with AWS.

Key Takeaways

  • Migrating to SAP RISE on AWS enables organizations to experience transformational change, connect to the latest innovations, and future-proof their business.
  • Building a secure, compliant, and scalable AWS cloud foundation is crucial for the long-term success of SAP RISE and non-SAP workloads.
  • AWS provides a range of connectivity options, disaster recovery patterns, and security capabilities to meet the diverse needs of enterprise customers.
  • Leveraging the expertise of AWS and SAP competency partners can help accelerate the migration journey and ensure successful outcomes.
