Guide to migrating SAP to the cloud: Day 2

This post gives an overview of the required infrastructure such as networking, identity and access management, monitoring and additional components that are part of a typical landing zone deployment.
Daniel Buenestado


Deploy SAP to the cloud

This article is a follow-up to a series where I provide a concise, pragmatic overview of the steps involved in deploying the required infrastructure for installing your first SAP system in the cloud. This post gives an overview of the required infrastructure such as networking, identity and access management, monitoring and additional components that are part of a typical landing zone deployment.

The previous step (Day 1. Planning. What is a Landing Zone) is the most important in any project, but the aim of this short article is to get us started, remember? So we will assume that all the planning activities and technical decisions have already been well taken care of, just to be on the safe side we will call our project PoC and finally it is time for us to do some resource provisioning!

Getting started: the “plumbing”

Before we go to the “Create Virtual Machine” tab in the Azure portal, we need to do some plumbing & wiring: just like building a house, there are things that you expect to be there and just work, and Microsoft does a tremendous job of making this happen for the hardware layer (server racks, networking, cooling, and so on), but you also need to do some work on your subscription to configure these elements according to your needs.

What are those pre-requisite plumbing elements? the main aspects you need to take in account before you can deploy something in Azure for it be usable are:

1. You need to deploy a virtual network or vnet:

  • Make sure IP address ranges do not overlap with any other networks you have.
  • Leave some space so it can grow later (e.g., do not chose only 8 IP addresses, better have 256 or 65536… they are free anyway).
  • Think about how you will connect to the servers for e.g., management and admin purposes:
    Do you need an Azure Bastion? Or perhaps you can enable just in time access so you can ssh or RDP to your servers?
  • Think about how your users will connect to the applications hosted in Azure:
    You may want to deploy a site-to-site VPN to your existing infrastructure or provide an external IP which can be protected with Azure Application Gateway, filtered by whitelists etc.
  • We will implement security using Network Security Groups to limit which connections are allowed and from where – as an alternative, an Azure Firewall allows central management of all network security matters.

2. You need to think about how you will monitor your infrastructure, in Azure this is done via Azure Monitor, which allows us to store logs and metrics, view insights and create alerts among other things.

3. You need to provide a reliable and efficient backup solution for Virtual Machines & SAP Hana databases (this would be Azure Backup) and a solution for patching your servers (Azure Update, or OS specific solutions like the ones provided by e.g., Suse or RedHat).

Notify me of any new publications

Your data are used to manage the sending of informative communications about job vacancies, news, news and/or articles, to those persons who have previously given their consent to this effect, through the corresponding forms integrated in our website, such as "Notifications Form". The legal basis for the processing of your data is your consent through the acceptance of the checkbox. No data will be passed on to third parties, unless legally obliged to do so. You have the right to access, rectify and delete your data, as well as other rights, as explained in the additional information. Further information can be found in the Privacy Policy on our website.

4. Identity & Access Management (IaM) needs to be defined so you can control who has access to what.

5. Additionally, you may want to consider adding a solution that helps you assess your security posture, remediate, and prevent security vulnerabilities, Azure Security Center will help you achieve this goal.

The previously mentioned points are part of a typical default Azure Landing Zone, these can be deployed easily via Microsoft’s provided landing zone accelerator:

Note: Although this environment can be considered a proof of concept, we should not (and will not) “relax” any requirements when it comes to infrastructure or data security, therefore points like IAM and secure network access to the application and servers should be top of your priority list.

One last remark regarding reliability: Azure offers for any single instance virtual machine using Premium SSD or Ultra Disk, for all operating system disks and data disks, a guaranteed SLA, defined as “virtual machine connectivity” of at least 99.9%. Higher SLAs can be achieved when using multiple virtual machines

In the next post of this series – Day 3. The infrastructure is ready, let us start deploying Virtual Machines!– we will investigate the pre-requisites (supported OS, virtual machines sizes and disk speeds, prices) and will create the virtual machines where the SAP workload will run.

Join our team to be a part of our story

Work with a passionate team and embark on a journey of professional growth and success.