This proof-of-concept (PoC) document outlines Solution 2 for securely accessing SAP HANA Private Cloud (PCE) resources through the xxxxx GCP Project, leveraging self-hosted VPN and DNS for centralized control and ease of management.
The solution enables both on-premise (office) and remote users to securely access SAP services over a private network, without exposing the SAP HANA environment publicly.
| Component | Description | Internal Users | Remote Users | GCP Project | SAP HANA PCE | Self-Hosted VPN | Bind9 DNS | VPC Peering |
|---|---|---|---|---|---|---|---|---|
| xxxxx Office | Internal users (user1, user2) who access SAP via VPN | Yes | No | No | No | No | Yes | No |
| Remote User | External users (e.g., support or consultants) connecting via VPN | No | Yes | No | No | No | Yes | No |
| xxxxx GCP Project | Acts as a transit hub and houses DNS + VPN services | Yes | Yes | Yes | No | Yes | Yes | Connects to SAP HANA PCE |
| SAP HANA PCE | Private SAP environment with DNS cluster and application stack | Yes | Yes | No | Yes | No | Yes | Connected to xxxxx GCP |
| Self-Hosted VPN | Runs on a GCP VM to handle all client-to-site VPN connections | Yes | Yes | Yes | No | Yes | No | No |
| Bind9 DNS | Custom DNS servers configured for internal name resolution | Yes | Yes | Yes | Yes | No | Yes | Used by both GCP & SAP PCE |
| VPC Peering | Connects xxxxx GCP with SAP HANA PCE (10.0.0.0/16 ↔ 10.1.0.0/16) | Yes | Yes | Yes | Yes | No | Yes | Yes |
- Enable secure, client-to-site VPN connectivity for internal and remote users
- Establish VPC Peering between GCP and SAP PCE networks
- Centralize DNS resolution in GCP for internal SAP domains (*.sap.xxxxx.team)
- Isolate access: users get access only via VPN, nothing exposed publicly
- Test domain resolution and service access (e.g., abc.sap.xxxxx.team, def.sap.xxxxx.team)
Step-by-Step Breakdown
1. Users (office or remote) connect to a Self-Hosted VPN running in the xxxxx GCP project.
2. VPN clients receive the internal DNS IPs (e.g., 10.0.0.10, 10.0.0.20) via their client configuration. These DNS servers are configured using Bind9 to resolve SAP internal domains.
3. The GCP VPC (10.0.0.0/16) is peered with the SAP PCE VPC (10.1.0.0/16), allowing transparent routing between the environments.
4. Once connected, users can access internal SAP services such as:
   - abc.sap.xxxxx.team
   - def.sap.xxxxx.team

   These names resolve via the Bind9 DNS servers and traffic routes through the peered VPC.
Fill in these sections based on your specific setup.

VPN configuration:
- VPN server deployment on a GCP VM
- User key distribution and client config
- Allowed IPs: 10.0.0.0/16, 10.1.0.0/16
- Routing and NAT configuration

DNS configuration:
- Custom zones for:
  - sap.xxxxx.team
  - Reverse DNS (PTR) for SAP IP ranges
- Forwarders for internet or SAP DNS cluster
- Access control based on VPN subnet
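As an added example (not part of the original PoC), the following Bind9 fragments for the 10.0.0.10 resolver implement the items above: an authoritative zone for sap.xxxxx.team, a PTR zone for 10.1.0.0/16, internet forwarders, and query/recursion/transfer restricted to the VPN and peered subnets. The VPN client pool 10.0.100.0/24, the upstream forwarder 10.0.0.2, and the SAP host addresses 10.1.10.11 and 10.1.10.12 are assumed placeholders.

```conf
# /etc/bind/named.conf.options  (added example; addresses are assumed placeholders)
acl "vpn-clients" { 10.0.100.0/24; };   # assumed VPN client pool inside 10.0.0.0/16
acl "gcp-vpc"     { 10.0.0.0/16; };
acl "sap-pce"     { 10.1.0.0/16; };

options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.10; };                            # internal address only, never 0.0.0.0
    recursion yes;
    allow-query     { vpn-clients; gcp-vpc; sap-pce; };  # nothing answers the public internet
    allow-recursion { vpn-clients; gcp-vpc; };           # only VPN users and GCP hosts may recurse
    allow-transfer  { 10.0.0.20; };                      # zone copies go only to the secondary
    forwarders { 10.0.0.2; };                            # assumed internet forwarder (e.g. VPC metadata resolver)
    forward only;
};

# /etc/bind/named.conf.local
zone "sap.xxxxx.team" {
    type master;
    file "/etc/bind/db.sap.xxxxx.team";
    also-notify { 10.0.0.20; };
};
zone "1.10.in-addr.arpa" {                               # reverse zone for 10.1.0.0/16
    type master;
    file "/etc/bind/db.10.1";
};

# /etc/bind/db.sap.xxxxx.team
$TTL 300
@    IN SOA ns1.sap.xxxxx.team. hostmaster.sap.xxxxx.team. ( 2024010101 3600 900 1209600 300 )
     IN NS  ns1.sap.xxxxx.team.
     IN NS  ns2.sap.xxxxx.team.
ns1  IN A   10.0.0.10
ns2  IN A   10.0.0.20
abc  IN A   10.1.10.11                                   ; assumed SAP host inside the peered range
def  IN A   10.1.10.12                                   ; assumed SAP host inside the peered range

# /etc/bind/db.10.1
$TTL 300
@      IN SOA ns1.sap.xxxxx.team. hostmaster.sap.xxxxx.team. ( 2024010101 3600 900 1209600 300 )
       IN NS  ns1.sap.xxxxx.team.
11.10  IN PTR abc.sap.xxxxx.team.                        ; 10.1.10.11
12.10  IN PTR def.sap.xxxxx.team.                        ; 10.1.10.12
```

Run `named-checkconf` and `named-checkzone sap.xxxxx.team /etc/bind/db.sap.xxxxx.team` before reloading; if the SAP DNS cluster should remain authoritative instead, replace the `type master` stanza for sap.xxxxx.team with a `type forward` zone pointing at the cluster's resolvers.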
| Test Description | Expected Result |
|---|---|
| VPN client connects | Assigned IP from 10.0.0.0/16 |
| DNS lookup for abc.sap.xxxxx.team | Resolves to private SAP IP (10.1.x.x) |
| Access SAP HANA dashboard via browser | UI loads successfully |
| DNS lookup from VPN client | Uses 10.0.0.10/10.0.0.20 successfully |