Edge Integration Cell on GCP
SAP Integration Suite – Edge Integration Cell (EIC) can be deployed on Google Cloud Platform (GCP) to leverage its scalable infrastructure while maintaining secure and controlled execution in a customer-managed environment. This architecture combines GCP-native services with EIC’s hybrid capabilities, ensuring a seamless integration experience.
Architecture
Overview
Deploying EIC on GCP requires a secure, scalable, and resilient infrastructure that adheres to enterprise compliance and hybrid cloud best practices. This setup ensures that sensitive data stays within a private GCP environment while leveraging SAP Integration Suite in the cloud for design, monitoring, and lifecycle management.
GCP Setup
1. VPC and Networking
To ensure a secure and private execution environment, create a Virtual Private Cloud (VPC) with multi-AZ redundancy for high availability (HA).
- Multi-AZ Deployment:
  - Distribute your EIC components across three Availability Zones (AZs) to ensure high availability. This setup helps maintain continuous service in case one AZ goes down, as the workload automatically fails over to another AZ.
- Network Segmentation:
  - Private Subnets: Deploy critical EIC runtime components in private subnets to prevent direct access from the public internet.
  - Public Subnets: These subnets are used for components like bastion hosts or Network Load Balancers (NLB), which handle external traffic and distribute the load across different AZs.
- Internet Access Control for EIC:
  - Cloud NAT: Cloud NAT allows components in private subnets to securely access external services without exposing internal EIC workloads to the internet.
  - Cloud Router: For dynamic routing and connecting GCP VPCs to on-premises networks or other cloud environments, Cloud Router enables seamless communication with external networks and supports the use of VPNs and Interconnect connections.
  - Firewall Rules: Firewall rules in GCP allow you to control inbound and outbound traffic to and from your VM instances, ensuring secure communication within your VPC. These rules are defined based on IP ranges, ports, and protocols, and can be applied to specific network tags or all resources in a VPC.
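One way to check the segmentation and firewall guidance above, as an added example (not code from SAP or the linked repository): the script audits firewall rules exported with `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that let sources outside RFC 1918 space reach the private EIC nodes. The `eic-node` network tag, the rule names and the address ranges are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`;
# rule names, tags and ranges are invented for this example.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-lb-to-eic", "direction": "INGRESS", "sourceRanges": ["10.10.0.0/24"],
  "targetTags": ["eic-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["bastion"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "debug-open-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}]},
 {"name": "old-nodeport", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "disabled": true,
  "targetTags": ["eic-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["30000-32767"]}]},
 {"name": "partner-nodeport", "direction": "INGRESS", "sourceRanges": ["198.51.100.7/32"],
  "targetTags": ["eic-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["30443"]}]}
]""")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(cidr, trusted=()):
    """True when cidr lies outside RFC 1918 space and outside every trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    inside = RFC1918 + [ipaddress.ip_network(t) for t in trusted]
    return not any(net.version == r.version and net.subnet_of(r) for r in inside)

def exposed_rules(rules, private_tag, trusted=()):
    """Return (name, offending ranges) for enabled ingress allow rules that let
    external sources reach instances carrying private_tag."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not rule.get("allowed"):  # deny rules carry "denied" instead of "allowed"
            continue
        tags = rule.get("targetTags")
        # With no target tags or service accounts the rule covers every instance in
        # the VPC; rules scoped by service account are left for manual review.
        applies = private_tag in tags if tags else not rule.get("targetServiceAccounts")
        if not applies:
            continue
        bad = [r for r in rule.get("sourceRanges", []) if is_external(r, trusted)]
        if bad:
            findings.append((rule["name"], bad))
    return findings

if __name__ == "__main__":
    for name, ranges in exposed_rules(SAMPLE_RULES, "eic-node"):
        print(f"{name}: reachable from {', '.join(ranges)}")
```

External ranges that are allowed on purpose can be passed through `trusted` so that only unexpected exposure is reported.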
2. GKE Cluster
EIC workloads require a containerized runtime, making Google Kubernetes Engine (GKE) the preferred choice for managing and scaling integration flows.
- Cluster Setup:
  - The GKE control plane is fully managed by GCP, reducing operational overhead.
  - Worker nodes are deployed in private subnets for enhanced security.
- Security and Access Control:
  - Use Workload Identity to grant least-privilege permissions to workloads in GKE, allowing secure and granular access to GCP services without long-lived credentials.
  - Leverage Google Cloud IAM to manage access control for users, groups, and service accounts across GCP resources, ensuring proper permissions are granted.
For sizing recommendations, refer to this SAP Note
3. Storage and Databases
EIC requires multiple storage solutions for transaction logs, runtime data, and caching.
- Google Cloud SQL
  - Google Cloud SQL provides a fully managed relational database for storing EIC runtime data.
  - Cloud SQL for PostgreSQL is recommended for EIC.
  - Enable Multi-AZ replication for high availability.
- Google Memorystore
  - Google Memorystore helps reduce latency by caching frequently accessed EIC runtime data using Redis.
- Google Filestore
  - Google Filestore provides shared file storage with ReadWriteMany (RWX) access, allowing multiple EIC runtimes to read and write data concurrently.
SAP Setup
1. Activate EIC in your SAP BTP Subaccount
- Activate Edge Integration Cell (EIC) in your SAP Business Technology Platform (BTP) subaccount.
- Assign the necessary roles to enable access to Edge Lifecycle Management (ELM) for managing and monitoring Edge nodes.
2. Configure a Technical User and Set Up SSO
- Create technical users (P-User and S-User) to interact with the SAP systems and to access the SAP repository-based shipment channel.
- Set up Single Sign-On (SSO) for secure repository access, including monitoring and logging.
3. Add an Edge Node and Bootstrap to Kubernetes
- Add an Edge Node in Edge Lifecycle Management (ELM) and bootstrap it to your GKE cluster running in your private GCP landscape.
Resources
You can find detailed, step-by-step instructions for both the basic and high availability (HA) setup, including SAP and GCP configuration and deployment steps, in the following GitHub repository:
Deploy SAP Integration Suite - Edge Integration Cell on Google Cloud Platform
Recommendation
The architecture and setup instructions in the GitHub repository above outline a small production deployment. Since deployments vary depending on business needs, these recommendations should be treated as a starting point.