Networking Support of Azure for SAP Workloads
Network Security
- It is required for any SAP production system installed on Azure to operate in Virtual Private Network(s) which is/are connected to your datacenters with Azure site-to-site or ExpressRoute connectivity. End-user access to the application should be routed through your company's intranet and the Azure's site-to-site or ExpressRoute connections to the applications hosted in Azure VM Services. This way, the network and other security policies defined for on-premises applications are extended to the application in the Azure VMs.
- A design that is NOT supported is the segregation of the SAP application and DBMS layers into different Azure VMs that are not peered with each other. It is recommended to segregate the SAP application and DBMS layers by using subnets within an Azure virtual network instead of using the different Azure virtual networks. But, if you segregate the two layers into the different virtual networks, the two virtual networks need to be peered. The network traffic between the two peered networks are subject of transfer cost and with the huge data volume in many Terabytes exchanged between the SAP application and DBMS layers, substantial costs can be accumulated if the SAP application as well as DBMS layers are segregated between the two peered Azure virtual networks.
Network Performance
- It is NOT supported at all to run a SAP application layer and DBMS layer split between on-premises and Azure. Both them should completely reside either on-premises or in Azure. SAP instances split between on-premises and Azure is also NOT supported and per individual SAP system, the DBMS as well as all SAP application instance(s) must be in the same location, i.e. either on-premise or in Azure.
- The location of the Azure data center or region relative to the own datacenter can impact the latency between the on-premises and Azure hosted SAP systems. It is advisable to select Azure regions which are close to the own location, to minimize the latency on-premises and Azure.
- It is not supported to configure Network Virtual Appliances (NVA) on Azure in the communication path between the SAP application and the DBMS layers of a SAP NetWeaver, or Hybris or S/4HANA based SAP system. The communication between both the layers should be a direct one. This restriction does not include Azure Security Group (ASG) as well as National Security Group (NSG) rules if those rules allows a direct communication.
Network Reliability
Customers should use a good quality (low latency, sufficient bandwidth, no packet loss) connection between their datacenter and Azure as well as verify and monitor that the bandwidth on-prmises and Azure is sufficient to handle the communication workload.
Azure VMs and SAP HANA on Azure (Large Instances) can benefit from the use of Accelerated Networking and Proximity Placement Group.
Comments
Post a Comment