Edit

Share via

Prepare a network for infrastructure deployment

Azure Center for SAP solutions lets you deploy and manage SAP systems on Azure. When you deploy S/4HANA infrastructure through the service, you need a virtual network that provides outbound connectivity and allows communication between application and database subnets. Without a properly configured network, the infrastructure deployment and SAP software installation can fail.

In this article, you create and configure a virtual network, set up connectivity and security rules, and allow list the endpoints that the deployment requires. Your specific network settings depend on your environment and use case.

If you already have a network that's ready to use with Azure Center for SAP solutions, go to the deployment guide instead.

Prerequisites

  • An Azure subscription.

  • Sufficient quotas for your Azure subscription. If the quotas are low, create a support request before creating your infrastructure deployment. Otherwise, you might experience deployment failures or an Insufficient quota error.

  • Have multiple IP addresses in the subnet or subnets before you begin deployment. For example, it's better to have a /26 mask instead of /29.

  • The names AzureFirewallSubnet, AzureFirewallManagementSubnet, AzureBastionSubnet, and GatewaySubnet are reserved names within Azure (don't use these names as subnet names).

  • Knowledge of the SAP Application Performance Standard (SAPS) and database memory size that you need so that Azure Center for SAP solutions can size your SAP system. If you're not sure, you can also select the virtual machines (VMs). The following VM types are used:

    • A single Advanced Business Application Programming Central Services (ASCS) VM or a cluster of ASCS VMs, which make up a single ASCS instance in the VIS.
    • A single database VM or a cluster of database VMs, which make up a single database instance in the VIS.
    • A single Application Server VM, which makes up a single Application instance in the VIS. Depending on the number of Application Servers being deployed or registered, there can be multiple application instances.

Create a network

Create a network for the infrastructure deployment on Azure. Make sure to create the network in the same region where you want to deploy the SAP system.

Some of the required network components are:

  • A virtual network
  • Subnets for the Application Servers and Database Servers. Your configuration needs to allow communication between these subnets.
  • Azure network security groups
  • Route tables
  • Firewalls (or NAT Gateway)

For more information, see Configure an example network.

Connect the network

At a minimum, the network must have outbound internet connectivity for successful infrastructure deployment and software installation. The application and database subnets must also be able to communicate with each other.

If internet connectivity isn't possible, allow list the IP addresses for the following areas:

Then, make sure all resources within the virtual network can connect to each other. For example, configure a network security group to allow resources within the virtual network to communicate by listening on all ports.

  • Set the Source port ranges to *.
  • Set the Destination port ranges to *.
  • Set the Action to Allow

If it's not possible to allow the resources within the virtual network to connect to each other, allow connections between the application and database subnets, and open important SAP ports in the virtual network instead.

Allow list SUSE or Red Hat endpoints

If you're using SUSE for the VMs, allow list the SUSE endpoints. For example:

  1. Create a VM with any OS by using the Azure portal or by using Azure Cloud Shell. Or, install openSUSE Leap from the Microsoft Store and enable Windows Subsystem for Linux.
  2. Install pip3 by running zypper install python3-pip.
  3. Install the pip package susepubliccloudinfo by running pip3 install susepubliccloudinfo.
  4. Get a list of IP addresses to configure in the network and firewall by running pint microsoft servers --json --region with the appropriate Azure region parameter.
  5. Allow list all these IP addresses on the firewall or network security group where you plan to attach the subnets.

If you're using Red Hat for the VMs, allow list the Red Hat endpoints as needed. The default allow list is the Azure Global IP addresses. Depending on your use case, you might also need to allow list Azure US Government or Azure Germany IP addresses. Configure all IP addresses from your list on the firewall or the network security group where you want to attach the subnets.

Allow list storage accounts

Azure Center for SAP solutions needs access to the following storage accounts to install SAP software correctly:

  • The storage account where you store the SAP media required during software installation.
  • The storage account created by Azure Center for SAP solutions in a managed resource group, which Azure Center for SAP solutions also owns and manages.

There are multiple options to allow access to these storage accounts:

  • Allow internet connectivity
  • Configure a Storage service tag
  • Configure Storage service tags with regional scope. Make sure to configure tags for the Azure region where you're deploying the infrastructure, and where the storage account with the SAP media exists.
  • Allow list the regional Azure IP ranges.

Allow list a Key Vault

Azure Center for SAP solutions creates a key vault to store and access the secret keys during software installation. This key vault also stores the SAP system password. To allow access to this key vault:

Allow list a Microsoft Entra ID

Azure Center for SAP solutions uses Microsoft Entra ID to get an authentication token for obtaining secrets from a managed key vault during SAP installation. To allow access to Microsoft Entra ID:

Allow list an Azure Resource Manager

Azure Center for SAP solutions uses a managed identity for software installation. Managed identity authentication requires a call to the Azure Resource Manager endpoint. To allow access to this endpoint:

Open important SAP ports

If you're unable to allow connections between all resources in the virtual network as previously described, you can open important SAP ports in the virtual network instead. This method allows resources within the virtual network to listen on these ports for communication. If you're using more than one subnet, these settings also allow connectivity between the subnets.

Open the SAP ports listed in the following table. Replace the placeholder values (xx) in applicable ports with your SAP instance number. For example, if your SAP instance number is 01, then 32xx becomes 3201.

SAP service Port range Allow incoming traffic Allow outgoing traffic Purpose
Host Agent 1128, 1129 Yes Yes HTTP/S port for the SAP host agent.
Web Dispatcher 32xx Yes Yes SAPGUI and RFC communication.
Gateway 33xx Yes Yes RFC communication.
Gateway (secured) 48xx Yes Yes RFC communication.
Internet Communication Manager (ICM) 80xx, 443xx Yes Yes HTTP/S communication for SAP Fiori, WEB GUI
Message server 36xx, 81xx, 444xx Yes No Load balancing; ASCS to app servers communication; GUI sign-in; HTTP/S traffic to and from message server.
Control agent 5xx13, 5xx14 Yes No Stop, start, and get status of SAP system.
SAP installation 4237 Yes No Initial SAP installation.
HTTP and HTTPS 5xx00, 5xx01 Yes Yes HTTP/S server port.
Internet Inter-ORB Protocol (IIOP) 5xx02, 5xx03, 5xx07 Yes Yes Service request port.
P4 5xx04-6 Yes Yes Service request port.
Telnet 5xx08 Yes No Service port for management.
SQL communication 3xx13, 3xx15, 3xx40-98 Yes No Database communication port with application, including Advanced Business Application Programming (ABAP) or JAVA subnet.
SQL server 1433 Yes No Default port for MS-SQL in SAP; required for ABAP or JAVA database communication.
HANA XS engine 43xx, 80xx Yes Yes HTTP/S request port for web content.

Configure an example network

The configuration process for an example network might include:

  1. Create a virtual network, or use an existing virtual network.

  2. Create the following subnets inside the virtual network:

    1. An application tier subnet.

    2. A database tier subnet.

    3. A subnet for use with the firewall, named AzureFirewallSubnet.

  3. Create a new firewall resource:

    1. Attach the firewall to the virtual network.

    2. Create a rule to allow list RHEL or SUSE endpoints. Make sure to allow all source IP addresses (*), set the source port to Any, allow the destination IP addresses for RHEL or SUSE, and set the destination port to Any.

    3. To allow service tags, create a rule. Make sure to allow all source IP addresses (*), set the destination type to Service tag. Then, allow the tags Microsoft.Storage, Microsoft.KeyVault, AzureResourceManager, and Microsoft.AzureActiveDirectory.

  4. Create a route table resource:

    1. Add a new route of the type Virtual Appliance.

    2. Set the IP address to the firewall's IP address, which you can find on the Overview page of the firewall resource in the Azure portal.

  5. Update the subnets for the application and database tiers to use the new route table.

  6. If you're using a network security group with the virtual network, add the following inbound rule. This rule provides connectivity between the subnets for the application and database tiers.

    Priority Port Protocol Source Destination Action
    100 Any Any virtual network virtual network Allow

  7. If you're using a network security group instead of a firewall, add outbound rules to allow installation.

    Priority Port Protocol Source Destination Action
    110 Any Any Any SUSE or Red Hat endpoints Allow
    115 Any Any Any Azure Resource Manager Allow
    116 Any Any Any Microsoft Entra ID Allow
    117 Any Any Any Storage accounts Allow
    118 8080 Any Any Key vault Allow
    119 Any Any Any virtual network Allow

Next step

Deploy S/4HANA infrastructure

  • Last updated on