How to Separate Your SAP on AWS Application Layers for Maximum Security


Amazon Web Services (AWS) offers users advanced, dedicated networking solutions through their Virtual Private Cloud (VPC) services. VPCs are virtual networks within AWS that are similar to traditional networks in an on-premises data center but with the scalability that only AWS can offer.

When running SAP on AWS in a VPC, separating your various SAP application layers into different zones can provide exceptional scalability and security.

A traditional deployment model can look something like this:

  • Restricted Zone – This is the most secure zone, usually reserved for upper management, which hosts confidential data. This data could include databases for finance or HR, file servers with intellectual property, or other high value data.
  • Management Zone – Applications like Active Directory, SAP Solution Manager, or DNS servers, which are tapped by applications in other zones are hosted here
  • Intranet Zone – This is the enterprise-only zone for application servers hosting SAP as well as end-user devices that are connected to the corporate network.
  • Extranet Zone – This zone acts as an intermediate between external and internal zones. SAP middleware like SAP Process Orchestration or Process Integration, SSH File Transfer Protocol (SFTP) and other SAP internet-facing solutions will be hosted here.
  • Internet Zone – This zone is not controlled by you, but it is necessary for accessing data over the public internet or for interacting with business partners or SaaS providers.
  • Diagram of concentric rings of cloud zones
    Source: VPC Subnet Zoning Patterns for SAP on AWS, Part 2: Network Zoning

    Using AWS features like Network Access Control Lists (ACLs) and Security Groups, data transfer between zones can be made possible only from the zone above or other whitelisted sources. An AWS Web Application Firewall (WAF) and other AWS security services can be blanketed across the entire VPC to help in preventing attacks.

    Application zone separation for SAP on AWS should be the starting point for businesses looking to transition their SAP stack to the cloud. Starting with a backbone that prioritizes security will give you peace of mind to focus on scaling the business.

    Source for this article: VPC Subnet Zoning Patterns for SAP on AWS, Part 2: Network Zoning | AWS for SAP (

    By: Tim Bryan