After you’ve procured a Microsoft Azure subscription, the next step is to determine how you’ll connect Microsoft Azure to your SAP system and how you'll configure the network within the subscription.
Architecture questions to consider include the following:
ExpressRoute is the preferred way to connect to Microsoft Azure because it supports higher bandwidth and is a private connection. ExpressRoute can take weeks to set up, so during the initial stages, setting a site-to-site Virtual Private Network (VPN) can get you going.
ExpressRoute connects on-premise systems’ resources to the Microsoft Azure subscription via the gateway that’s deployed in a VNet with its own dedicated subnet.
The VNet, similar to on-premise networks, is the foundational component of a network inside a subscription. Each VNet is bound to a region and a subscription, and VNets can be divided into smaller parts called subnets.
The factors to consider when determining the number of VNets are security model, available IP ranges (classless inter-domain routing [CIDR]), and cost. Because VNets are isolated by design, when you have multiple networks, you need to connect them using the peering process. VNet peering enables the communication and makes the network space bigger, but it comes at a cost; Microsoft Azure charges for inbound and outbound data transfer between peered VNets.
VNet Peering Isn’t Transitive. If VNet A is peered with VNet B, and B is peered with C, then A isn’t peered with C. If you need communication between A and C, then those VNets should be peered separately.
With cost optimization in mind, minimizing the number of VNets should be the target; however, because each VNet also requires a contiguous IP address range in CIDR format, depending on whether you have the range available, the number of VNets will change. Microsoft recommends using the IP range for private networks as recommended by the Internet Assigned Numbers Authority (IANA):
In addition, in Microsoft Azure, you can’t use the following ranges because they are reserved by the platform:
When you move SAP systems to Microsoft Azure, there are other supporting systems such as DNS, network virtual appliance, identity management systems, domain services, bastion hosts, and so on that may not be exclusively used by SAP systems, or security teams might want more control over those. It may make sense to put those systems in a separate VNet—we’ll call it hub network—that peers with SAP network (or spoke VNets). If you already have a hub network in another subscription, that can be used by peering to the SAP subscription as well. The figure below illustrates this hub and spoke approach.
Following a micro segmentation strategy, you can divide the SAP VNet into application and database subnets. By default, all the subnets (inside a VNet) can communicate with each other using automatically created system routes. If you need to restrict traffic flow in a certain way, you can create custom routes called user-defined routes. You can put further restrictions on subnets, and workload-specific VMs (e.g., databases) using network security groups and application security groups. At the subnet level, network security groups define the access policies for the subnet.
Depending on the setup and growth considerations, there are a minimum number of IPs that Microsoft Azure recommends for certain subnets, such as gateway, bastion, Microsoft Azure NetApp Files, and so on (because Microsoft Azure reserves five IPs for each subnet, the number of available IPs need to be considered, not the total as represented by CIDR notation).
The following IPs are reserved by Microsoft Azure:
At the time of publishing, following are the recommendations from Microsoft:
At the time of publishing, gateway and Microsoft Azure NetApp Files subnets don’t allow network security groups. Bastion subnets allow network security groups but don’t support user-defined routes.
Below shows the architecture we’ve discussed so far for regions, connectivity, and networks (VNet, subnet, network security groups).
SAP HANA components use different logical network zones for communication, that is, client, internal, and storage zone, which can be implemented using subnets in Microsoft Azure. Each zone may have different configurations for performance and security:
The network setups for the different zones are illustrated in this figure.
For database servers, traffic segregation is recommended in which you can have a subnet for application connectivity and another for operational activities and management such as backup traffic. You can also apply different security policies to these using network security groups. This can be achieved by creating multiple vNICs for each VM, as shown here.
The perimeter network, also called the demilitarized zone (DMZ), enables a secure connection using techniques such as packet sniffing, intrusion detection, policy enforcement, and so on between Microsoft Azure and the Internet.
In the SAP context, systems such as SAP Web Dispatcher (when external facing) and SAPRouter that have connections to and from the Internet should be protected. In addition, you can also use it for security between Microsoft Azure and on-premise systems.
The next figure shows the setup using network virtual appliance (or the Microsoft Azure firewall); it provides a secure network boundary by inspecting all Internet traffic. Network virtual appliance can be a single point of failure as well, so consider putting two network virtual appliances in an AS for a better SLA.
Note: Microsoft Azure doesn’t support the setup with network virtual appliance between SAP application and database servers.
Editor’s note: This post has been adapted from a section of the book SAP on Microsoft Azure: Architecture and Administration by Ravi Kashyap.