Maintaining Azure for SAP Workloads (part 1)

By Ashwin Venugopal -

 


To read part 2 please click here


Remote Management of Azure VMs

The two basic methods for connecting into Azure VMs:
  • Connect through public endpoints on a Jumpbox VM.
  • Connect through a VPN or Azure ExpressRoute.

These connections are also required for non-production scenarios that feed into production scenarios where SAP software is being used.

Azure Automation

It provides the desired state configuration functionality via a cloud-based, managed DSC Pull Server in the Azure Cloud offeSAring rich reports while informing you of important events. The machine configuration can also be updated and monitored automatically across physical and VMs, Windows or Linux, in the cloud or on-premises. Azure Automation also provides a built-in solution that can start and stop Azure VMs on user-defined schedules.

SAP Landscape Management (LaMa)

SAP LaMa is used by the customers to operate, monitor, and refresh their SAP landscape. As by default SAP LaMa 3.0 SP05 can easily ship with a connector to Azure, it can deallocate and start VMs, copy and relocate managed disks, as well as delete managed disks. All these operations will help you to copy, relocate, clone, and refresh SAP systems using SAP LaMa.

Set-up Azure Connector for SAP LaMa

As the Azure connector is shipped (as of SAP LaMa 3.0 SP05), you should always install the latest support package and patch for SAP LaMa 3.0. The Azure connector uses a Service Principal to authorize against Microsoft Azure. You should also install the latest SAP Host Agent and the SAP Adaptive Extensions if you want to deploy the VMs manually or without Azure Resource Manager template from the quickstart repository.

Access Management

It is an important function for any organization using the cloud and Role-based Access Control (RBAC) allows you to determine who can access Azure resources, what they can do with those resources, and what areas they can access. The way of controlling the access to resources by using RBAC helps you to create role assignments which consists of three elements- security, principal, role definition, and scope.
  • Security Principal- it is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
  1. User- An individual who has a profile in Azure Active Directory.
  2. Group- A set of users created in Azure Active Directory.
  3. Service Principal- A security identity used by applications or services to access specific Azure resources. It can be considered as a user identity for an application.
  4. Managed Identity- An identity in Azure AD that can be automatically managed by Azure. It can generally be used while developing cloud applications to manage the credentials for authenticating to Azure services.   
  • Role Definition- It is a collection of permissions which can also be called a role. It can list the operations that can be performed, like read, write as well as delete and can be of high-level, like owner, or specific, like VM reader. There are following four built-in roles, among which first three can be implemented to all resource types:

  1. Owner- Has full access to all resources including the right to delegate access to others.
  2. Contributor- Can create and manage all types of Azure resources but can't grant access to others.
  3. Reader- Can view existing Azure resources.
  4. User Access Administrator- Allows you to manage user access to Azure resources.

The remaining built-in roles helps you to manage specific Azure resources.

  • Scope- It is a set of resources that the access applies to. whenever you assign a role, you are alos allowed to limit the actions allowed by defining a scope. In Azure, scope can be defined at multiple levels- management groups, subscription, resource group or resource. Scope can also be structured as a parent-child relationship.




To read part 2 please click here



Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more