How to manage connections to 100 SAP systems for different clients

ray_mannion
Participant
0 Kudos

We are an SAP add-on partner with a namespace, etc., and have hundreds of SAP systems we need to be able to access.

I'm wondering how other SAP software companies and even consulting companies manage to support dozens of customers at a time without installing a VPN for every client.

We have figured out a way through port forwarding that I won't try to explain, but I thought perhaps there was a more standard solution offered by SAP.

For example, when SAP needs to log into a system, they use some type of SM59 connection, right?

We of course have our own licensed SAP installation, so I'm wondering if there is something there that would allow us to connect to our clients' SAP systems securely.

Thanks for any suggestions and references to helpful articles.

1 REPLY

marco_hammel2
Participant
0 Kudos

Hi twenty_d_energizer,

Giving a specific answer to your question requires a lot more context. However, I'm happy to share some of my experience on this topic with you:

  • SAP Support connects via their support backbone through a SAProuter that needs to be up and correctly configured to a customer's SAP system. At least at the time of the support activity, the SAProuter needs to be exposed to the internet. Finally, the DIAG protocol is tunneled through RFC that's routed to the customer's system. The customer needs to provide SAP support with a user and credentials.
  • In case you need application-level access, VPNs are typically not a good choice. As you recognized, the use of VPNs doesn't scale across organizations. In general, VPNs provide IP-level and not service-level access (even though those who are in control of VPN gateways can limit access to ports etc.). Most of the time, a more secure and reliable solution is to access only the required services through encrypted network protocols (like SNC for RFC and DIAG) and through strong authentication, at best in combination with network-level access control. There are some limitations with SAP-proprietary protocols, but it's a common use case for web-based services to work in combination with a WAF or an identity-aware proxy for pre-authentication before the actual service is accessed. But again, it depends on what your access use cases are.
  • A common problem with remote access at scale is different firewall and network configurations at different clients, specifically when the network access is via NAT. In this case, it can be necessary to work with peer-to-peer tunneling protocols or reverse-created tunnels. For example, when IP/host-level access is required, one option can be that your clients initiate a tunnel to a VPN gateway controlled by you and you access the environment of the client through this tunnel. Again, what technology and concept works for you depends on the use case and what your clients can operate.

Best

Marco
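
Added example, not part of the reply above and not SAP code: a small audit of a SAProuter route permission table (saprouttab) that flags permit entries which are wider than service-level access or not bound to an SNC peer, the two properties the reply recommends. It assumes the usual entry layout (type, source, destination host, service) with `#` comments; the sample table, addresses and SNC name are constructed.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}        # entry types that allow a route
SNC_TYPES = {"KP", "KS", "KD", "KT"}   # entry types tied to an SNC name

# Constructed sample table, not taken from any real system.
SAMPLE = '''\
# partner access to customer system
P  *  *  *
P  203.0.113.10  10.1.0.5  3200
KP "p:CN=partner-router, O=Example, C=DE" 10.1.0.5 3200
S  203.0.113.10  10.1.0.5  *
D  *  *  *
'''

def audit_saprouttab(text):
    """Return (line_no, entry, finding) tuples for risky permit entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)     # keeps a quoted SNC name as one field
        kind = fields[0].upper()
        if kind not in PERMIT or len(fields) < 3:
            continue                   # deny entries and malformed lines
        src, dst = fields[1], fields[2]
        svc = fields[3] if len(fields) > 3 else ""
        if src == "*":
            findings.append((no, line, "any source may use this route"))
        if dst == "*" or svc == "*":
            findings.append((no, line, "wildcard destination host or service"))
        if kind not in SNC_TYPES:
            findings.append((no, line, "route not bound to an SNC peer"))
    return findings

if __name__ == "__main__":
    for no, entry, finding in audit_saprouttab(SAMPLE):
        print(f"line {no}: {finding}: {entry}")
```
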