Rise Con Azure is a powerful cloud solution that's revolutionizing the way businesses operate. It offers a range of benefits, including scalability, flexibility, and cost savings.
With Azure, you can store and process vast amounts of data, making it ideal for large-scale applications. This is particularly useful for businesses with high data storage needs.
Azure's scalability is one of its key advantages, allowing you to quickly scale up or down to meet changing demands. This flexibility is a major advantage over traditional on-premises infrastructure.
By leveraging Azure, businesses can significantly reduce their IT costs and improve overall efficiency.
Azure Connectivity Options
You have several connectivity options to choose from when working with SAP RISE on Azure. Virtual network peering is the most performant way to connect securely between two virtual networks, all in a private network address space.
For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with your existing Azure environment, minimizing network latency and maximizing throughput between the SAP RISE landscape and your own applications and services running in Azure.
You can establish a vnet-to-vnet connection between virtual networks using virtual private network (VPN) gateways, deployed both in the SAP RISE/ECS subscription and your own. This can potentially simplify a complex virtual peering between your and SAP RISE/ECS virtual networks.
Virtual network peering can be set up within the same region as your SAP managed environment, but also through global virtual network peering between any two Azure regions. The region should match with workload running in your virtual networks due to latency and peering cost considerations.
To set up virtual network peering between different tenants, you need to set up the peering with the SAP provided network's Azure resource ID and have SAP approve the peering. Add a user from the opposite Microsoft Entra tenant as a guest user, accept the guest user invitation and follow the process documented at Create a virtual network peering - different subscriptions.
Here are the main benefits of virtual network peering with SAP RISE/ECS:
- Minimized network latency and maximum throughput between SAP RISE landscape and own applications and services running in Azure
- No extra complexity and cost with a dedicated on-premises communication path for SAP RISE workload
- Communication between the peered virtual networks is secured through Network Security Groups (NSG), limiting communication to and from your SAP environment
Note that virtual network peering charges apply, so be sure to consider the costs involved in your decision-making process.
Azure Networking Features
Azure Networking Features offer a range of options for secure and high-performance connectivity between virtual networks, subscriptions, and regions. Virtual network peering is the most performant way to connect securely between two virtual networks, all in a private network address space.
This feature allows applications to communicate directly, regardless of their location within Azure, and is the preferred way to establish connectivity with customer's existing Azure environment for SAP RISE/ECS deployments. With virtual network peering, network traffic remains in a private address space and doesn't traverse the internet.
Some key benefits of virtual network peering include minimized network latency and maximum throughput between SAP RISE landscape and own applications and services running in Azure, as well as no extra complexity and cost with a dedicated on-premises communication path for SAP RISE workload.
Here are some key Azure networking features used in SAP RISE/ECS deployments:
- Virtual network peering
- Network security groups (NSGs)
- Application Gateway with Web Application Firewall (WAF)
- Proxy servers
- NAT Gateway
- Azure Firewall
- Azure Application Gateway
Virtual Network Peering
Virtual network peering is the most performant way to connect securely between two virtual networks, all in a private network address space.
This approach allows applications to talk to each other, and applications running in different virtual networks, subscriptions, Azure tenants or regions can communicate directly.
Virtual network peering can be set up within the same region as your SAP managed environment, but also through global virtual network peering between any two Azure regions.
For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Primary benefits are minimized network latency and maximum throughput between SAP RISE landscape and own applications and services running in Azure.
Virtual network peering can be used to connect SAP RISE and customer's hub virtual networks through cross-tenant virtual network peering.
Both the SAP and customer virtual network(s) are protected with network security groups (NSG), permitting communication on SAP and database ports through the peering.
The following ports are available for communication between the SAP landscape and the customer virtual network: https, RFC, and JDBC/ODBC protocols can be used through private network address ranges.
Additionally, applications can access through https on a publicly available IP, exposed by SAP RISE managed Azure application gateway.
To set up virtual network peering, you need to set up the peering with the SAP provided network’s Azure resource ID and have SAP approve the peering.
DNS Integration with ECS
DNS integration with ECS is a crucial aspect of a successful project implementation. Custom DNS configuration for SAP-owned virtual networks is required.
Two VMs inside the RISE/PCE Azure virtual network host DNS servers. These servers hold all DNS entries and are capable of resolving DNS requests from on-premises clients, customer’s Azure services, and SAP managed environments.
Customers must provide and delegate to SAP a subdomain/zone to assign names and create forward and reverse DNS entries for the virtual machines that run SAP managed environment. For example, a customer might delegate the subdomain "ecs.contoso.com" to SAP.
DNS zone transfer from SAP DNS server to customer’s DNS servers is the primary method to replicate DNS entries from RISE/PCE environment. This method is applicable for designs when customers operate custom DNS solution within their hub virtual network.
Both Azure provided DNS and Azure private zones do not support DNS zone transfer capability, hence, can't be used to accept DNS replication from SAP RISE/PCE/ECS DNS servers. This limitation makes custom DNS solutions necessary for seamless name resolution.
A private DNS forwarder can be set up within customer’s Azure virtual networks to push DNS requests coming from Azure services to SAP DNS servers. This forwarder is targeted to the delegated zone, such as "ecs.contoso.com".
Security and Compliance
Microsoft Azure's security system is excellent, powerful, and robust, featuring a two-way authentication feature that's an example of its high standards.
RISE, with SAP's security system, has been top-notch since the beginning, taking care of sensitive data and creating a backup.
Even in the event of a data breach, you can get your data back shortly with both Microsoft Azure and RISE's security systems.
Both Microsoft Azure and RISE follow government compliance closely, ensuring your data is secure and up to date.
Microsoft Azure's BCDR solution provides hourly replication to the secure Datto Cloud, daily backup verification, and optimal recovery time and point objectives, keeping your workloads protected and easily recoverable.
RISE's security system can save your sensitive data constructively and create a backup, giving you peace of mind knowing your data is safe.
Benefits and Cost Savings
Using RISE with SAP on Azure can simplify your migration process and deployment, making it a breeze to get started.
The collaboration between SAP and Microsoft has been ongoing since 2021, continually improving their services to offer an unparalleled experience.
One of the main reasons people choose Azure is because of its simplicity and ease of use.
The flat-fee solution offered by Datto Backup for Microsoft Azure eliminates the confusion of calculating your monthly cloud bill, covering all your BCDR expenses at 30% lower cost than native solutions.
With Azure, you can enjoy predictable margins and lower costs, giving you more room to grow your business.
Azure Integration and Solutions
SAP and Microsoft are partnering to simplify the automation and integration of SAP S/4HANA on the Microsoft Cloud, accelerating customers' business transformation.
Their focus is on addressing the needs of various SAP users, making it easier for businesses to achieve their goals.
The partnership puts both SAP and Microsoft in a strong position to drive the best outcomes for customers with solutions from SAP in the public cloud.
You can start exploring Azure AI solutions, envisioning your next great AI app with the latest technologies, and get started with Azure.
The innovation for SAP developers includes improvements in SAP Business Technology Platform (SAP BTP) to increase availability and accelerate the development of SAP extensions.
SAP BTP on Azure is now available in six regions, with more to be added in the coming months, as part of their global expansion plan.
This integration will greatly facilitate the integration of event-based architectures between Microsoft's and SAP's technology stacks.
The upcoming integration between SAP Event Mesh capability and Azure Event Grid will enable scenarios such as Azure Logic App to be triggered by an event in SAP S/4HANA or an SAP software workflow triggered by an event in the Azure platform.
Improved integration of SAP Cloud Identity Services and Azure Active Directory will allow for easier identity flows.
They will continue to build and share joint SAP and Microsoft reference architectures so customers can access best practices and guidance on how to deploy their new capabilities.
Azure Migration and Backup
Migrating to SAP RISE on Azure requires careful planning to ensure connectivity during the process. This involves multiple phases, with some systems already migrated and in use, while others are still being prepared.
You'll need to allocate ample bandwidth for data migration or database replication to avoid impacting the network path of users accessing already productive RISE environments. This is crucial for business-critical systems that are migrated later in the project.
Temporary VPN connections should be avoided without considering how SAP data will be migrated for these critical systems. This ensures a seamless transition and minimizes disruptions.
To protect against cybersecurity threats, it's essential to have a secure backup and recovery plan in place. Azure's immutable Datto Cloud provides a robust solution with features like Cloud Deletion Defense and geographically distributed locations.
This setup guarantees data sovereignty and increases resilience against ransomware and other threats. By choosing a secure cloud infrastructure, you can rest assured that your data is protected and easily recoverable.
Azure Networking Tools
Azure Networking Tools are a crucial part of setting up a successful SAP RISE/ECS deployment with Azure. With virtual network peering, you can connect your SAP landscape securely and directly to your existing Azure environment.
Virtual network peering is the most performant way to connect between two virtual networks, keeping network traffic private and secure. It's the preferred way to establish connectivity with your customer's existing Azure environment.
The primary benefits of virtual peering include minimized network latency and maximum throughput between your SAP RISE landscape and your applications and services running in Azure. No extra complexity or cost is required with a dedicated on-premises communication path for SAP RISE workload.
For global SAP landscapes, we recommend using multi-region network architecture within your own Azure environment, with SAP RISE peering locally in each geography to your network hubs. This approach helps minimize latency and peering costs.
Here are the key steps to set up virtual network peering between your SAP and customer virtual networks:
- Set up the peering with the SAP provided network’s Azure resource ID.
- Have SAP approve the peering.
- Add a user from the opposite Microsoft Entra tenant as a guest user.
- Accept the guest user invitation and follow the process documented at Create a virtual network peering - different subscriptions.
By following these steps and using virtual network peering, you can establish a secure and direct connection between your SAP landscape and your existing Azure environment.
Frequently Asked Questions
How to get Azure 200 credit?
Sign up for an Azure free account to receive a $200 credit that can be used to try additional services or exceed free service limits. This credit is valid for 30 days.
Sources
- https://learn.microsoft.com/en-us/azure/sap/workloads/rise-integration-network
- https://www.datto.com/products/azure-backup/
- https://community.atlassian.com/t5/Questions/Integrate-Azure-AD-with-Atlassian-Cloud/qaq-p/1852575
- https://www.cbs-consulting.com/us/rise-with-sap-on-azure/
- https://azure.microsoft.com/en-us/blog/rise-with-sap-on-the-microsoft-cloud-a-year-in-review/
Featured Images: pexels.com