Maintaining Azure for SAP Workloads (part 1)
To read part 2 please click here
Remote Management of Azure VMs
There are two basic methods for connecting to Azure VMs:
- Connect through public endpoints on a Jumpbox VM.
- Connect through a VPN or Azure ExpressRoute.
These connections are also required for non-production scenarios that feed into production scenarios where SAP software is being used.
Azure Automation
Azure Automation provides desired state configuration (DSC) functionality through a cloud-based, managed DSC pull server in Azure, offering rich reports and informing you of important events. Machine configuration can also be updated and monitored automatically across physical and virtual machines, Windows or Linux, in the cloud or on-premises. Azure Automation also provides a built-in solution that can start and stop Azure VMs on user-defined schedules.
SAP Landscape Management (LaMa)
Customers use SAP LaMa to operate, monitor, and refresh their SAP landscape. As of SAP LaMa 3.0 SP05, it ships with a connector to Azure by default. The connector can deallocate and start VMs, copy and relocate managed disks, and delete managed disks. These operations help you copy, relocate, clone, and refresh SAP systems using SAP LaMa.
Set Up the Azure Connector for SAP LaMa
Because the Azure connector is shipped with the product (as of SAP LaMa 3.0 SP05), you should always install the latest support package and patch for SAP LaMa 3.0. The Azure connector uses a Service Principal to authorize against Microsoft Azure. You should also install the latest SAP Host Agent and the SAP Adaptive Extensions if you want to deploy the VMs manually or without the Azure Resource Manager template from the quickstart repository.
Access Management
Access management is an important function for any organization using the cloud. Role-based Access Control (RBAC) allows you to determine who can access Azure resources, what they can do with those resources, and what areas they can access. You control access with RBAC by creating role assignments, each of which consists of three elements: security principal, role definition, and scope.
- Security Principal: An object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
  - User: An individual who has a profile in Azure Active Directory.
  - Group: A set of users created in Azure Active Directory.
  - Service Principal: A security identity used by applications or services to access specific Azure resources. It can be considered a user identity for an application.
  - Managed Identity: An identity in Azure AD that is automatically managed by Azure. It is generally used when developing cloud applications to manage the credentials for authenticating to Azure services.
- Role Definition: A collection of permissions, also called a role. It lists the operations that can be performed, such as read, write, and delete. A role can be high-level, like Owner, or specific, like VM Reader. There are four built-in roles, the first three of which apply to all resource types:
  - Owner: Has full access to all resources, including the right to delegate access to others.
  - Contributor: Can create and manage all types of Azure resources but can't grant access to others.
  - Reader: Can view existing Azure resources.
  - User Access Administrator: Allows you to manage user access to Azure resources.

  The remaining built-in roles help you manage specific Azure resources.
- Scope: The set of resources that the access applies to. Whenever you assign a role, you can further limit the actions allowed by defining a scope. In Azure, scope can be defined at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship.
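An added example, not from the original article: a short Python audit over role assignments in the shape returned by `az role assignment list --all`, showing how principal, role and scope combine and how parent-child scope makes a subscription-level assignment reach every resource beneath it. The sample data, names and IDs are constructed, and inheritance from a management group down to its subscriptions is not resolved because the scope string alone does not carry that hierarchy.

```python
# Constructed sample shaped like `az role assignment list --all` output;
# every name and ID below is made up for this example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"principalName": "lama-connector", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "lama-connector-rg", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/sap-prod"},
    {"principalName": "basis-admins", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "ops@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/sap-dev"},
]

# Roles the article describes as able to delegate or manage access for others.
CAN_GRANT = {"owner", "user access administrator"}
BROAD = {"root", "management group", "subscription"}

def scope_level(scope):
    """Classify a scope string by level (resource IDs are case-insensitive)."""
    parts = [p for p in scope.lower().split("/") if p]
    if not parts:
        return "root"
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def applies_to(assignment_scope, target):
    """Parent-child inheritance: a scope covers itself and everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def effective(assignments, target):
    """Assignments that reach `target` directly or through a parent scope."""
    return [a for a in assignments if applies_to(a["scope"], target)]

def risky(assignments):
    """Service principals holding an access-granting role at a broad scope."""
    return [a for a in assignments
            if a["principalType"] == "ServicePrincipal"
            and a["roleDefinitionName"].lower() in CAN_GRANT
            and scope_level(a["scope"]) in BROAD]
```

Scoping the connector's service principal to the resource groups that hold the SAP VMs and disks, as the second sample entry does, keeps it out of the `risky` result.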