AZ-120 Microsoft Azure SAP – Build and Deploy Azure for SAP Workloads

1. Introduction

Nicole hello and welcome back to the Microsoft Azure for SAP workloads course. In this section, we will be looking at the build and deploy pieces in order to ensure that our environment on Azure is ready for an SAP workload. So let’s get started. I’m your host, Nikolay Caprice, founder of Reteam Labs. This course is brought to you in partnership with Samkanjar, senior Azure Cloud Solution Architect at Microsoft. There are six sections in total covering the AZ 120 exam objectives. This course will be focusing on the Azure and SAP related topics and any fundamental or prior knowledge will be assumed and referenced where appropriate. This section of this course will cover necessary toolings and functionality which need to be implemented for SAP workloads on Azure. We will work according to the Microsoft and SAP design principles to ensure we can deploy a production like workload together with the necessary pillars of security, identity and access management, including monitoring and alerting. So let’s get started.

This section will build on previous sections of the course, so please make sure you understand the previous sections before continuing with this one. This is a lighter section, but contains some very important aspects such as automations and toolings, which are important for scale and agility when it comes to provisioning resources. It also covers identity and security as a core part of your SAP landscape, and we will go through how you would use Azure to track activities on the platform, configure identity for users and trace what they do on the platform for compliance and governance purposes. In addition, we will show you how to monitor the platform and any component that you would provision as part of your SAP landscape. It’s important to understand the way your organization or client operates to be able to provision the right security controls that follow their standards without all the complexity.

2. Tools for Provisioning Azure Infrastructure

In this first part, we will look at different ways and tools in provisioning infrastructure on Azure. Scripting and automation have become part of the requirements when designing cloud resources, and this will give you agility, flexibility and errorfree deployment. This takes out the human factor from manually deploying and configuring the environment. Let’s look at how you can use code in deploying some of these infrastructure components to Azure. The native language of Deploying to Azure is JSON which stands for JavaScript Object Notation. JSON defines the infrastructure and configuration for your project. The template uses declarative syntax which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

This is the opposite to an imperative syntax in which you would have had to state how to create each of the components. Such an example is PowerShell. When you write a PowerShell statement, you define your intent through a programming procedure or procedures, rather than just telling it your intent. In the case of JSON, writing and deploying code requires a development environment or a set of tools to enable you to deploy and organize your code. Such environments like Visual Studio and Visual Studio code are called ides, which are text editors that can help you write code through syntax helpers, and to debug and deploy your code to either a local or cloud environment. There are many manners nowadays that can help you write code to deploy to Azure, such as JSON TerraForm created by HashiCorp. Also, there is a new release from Microsoft for a new language called Bicep.

This is still in preview at the time of producing this course. Bicep is an abstraction layer over JSON that adds simplicity, improved type safety, and better support for code reuse. Please note this isn’t required for the exam, but it’s good to know because as this language becomes more popular, microsoft might start introducing it in these exams to ensure people understand the differences. VM Extension as the name suggests, it’s an extension to the VM deployment in our SAP scenario. We can deploy Azure enhanced monitoring extension for SAP, which we will get into further detail later in this section, or a particular software configuration through desired state configuration extension or a custom script extension. So let’s talk about the Arm schema. You need to understand how Arm templates are structured and you will be asked questions in the exam around formation and syntax. Please note you need to have a good understanding of the template file.

The template file is split into the following sections parameters provide values during deployment that allow the same template to be used with different environments. Variables Defined values that are reused in your templates. They can be constructed from parameter values. userdefined functions Create customized functions that simplify your template resources specify the resources to deploy outputs return values from the deployed resources you can have multiple Arm templates, especially if you are using Nested templates, which means you are splitting each part of your landscape into a separate file that can be called in the main script. This is a more common approach for large deployments or deployments that reuse large blocks of code.

3. Automation with Azure

There are many ways you can deploy code to Microsoft Azure. I will take you through some of the methods you could use in your approach depending on your expertise level and or expert resources available to you. For Azure Automation. Azure DevOps is normally used. It is also called continuous integration. Continuous deployment, also known as CI CD. Azure DevOps gives you access to a Git repository which you can use to host your deployment scripts which are to be used in your deployment pipelines.

This method of deployment will give you agility as you debug and deploy different parts of the code without deploying the environment all from scratch. Azure DevOps gives you more than just CI CD tooling’s, but can also be the collaboration tool for your projects and teams where you can track activities and bugs and assign tasks to different members of the team. Azure Automation provides you the ability to automate frequent, time consuming and error prone cloud management tasks.

Automation helps you focus on work that adds business value by reducing errors and boosting efficiency. It also helps to lower your operational costs. You can integrate Azure Services and other public systems that are required in deploying, configuring and managing your EndToEnd processes. This service allows you to offer run books graphically in PowerShell or Python. In order to automate VM deployment, we can use an Arm template as described previously, or if you are a conventional administrator, then possibly through the Azure Portal or via PowerShell and Azure CLI. All these methods are valid, but in order to make your deployment repeatable, then using Arm or other scripted languages such as TerraForm is the way to go. You also need to remember that deploying a Windows VM or a Linux VM is the same.

Various configurations can be brought out as variables. In practice, you can use the same scripts to deploy any flavor of a VM in any size, in any region, and in any high availability configuration. It makes this approach more powerful, especially if you are deploying a three tier system such as SAP with infrastructure deployments such as VNETs NSGs, Azure Firewalls, internal and external connections including load balancers and application gateways. These can be deployed via the same method as a VM. However, these components are rarely changed unless there is a fundamental change to the landscape such as adding new back end servers to application gateways and load balancers or changing their rule sets. Otherwise, these components are static and don’t tend to change much.

The same deployment methods still stand and this would provide good documentation through code of your environment which can be used to check compliance and skewed. Configuration using Azure Policies automating application configuration has many benefits. These configurations are tried and tested in nonproduction environments and they provide a good approach to consistency when it comes to configuring multiple nodes in a single application. With the same configuration, we could use VM extensions such as a custom script extension which can be deployed as part of the VM deployment to kickstart an installation and configuration. Or we could be using the desired state configuration in case of windows to ensure applications are configured in a certain way. This method monitors against configuration rifts and it can report it to the administrator or even correct it automatically if you’ve set it to do that. It is a very powerful tool that can help manage your environment, keeping it clean against any misconfiguration.

4. VNET Security

Next we will look at identity options and security controls necessary for SAP systems. When you start looking at network security, there is more than just segmentations and NSGs. We get a lot of questions when we touch on intrusion detection and intrusion prevention systems, also known as Ipsids on Azure. Microsoft is continually adding and extending their platform security capabilities within their native Azure security stack by introducing functionalities such as Distributed Denial of Service or DDoS to their VNet configuration.

A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. There are two tiers to this service Basic, which comes at no cost to the consumer and can provide. And it’s not advised to have a firewall between your application and database tears because it would impact user experience greatly. Make sure your NSGs are configured appropriately to only allow the required traffic and mitigate against lateral movement.

5. Managing Identity

Now, let’s talk about how we manage identity across onpremise the clouds and SAP in our scenario. For on premise, the majority of organizations have adopted Active Directory domain services. Adds adds protected our Onpremise identities when accessing resources and data or when logging into Onpremise services. In order to utilize Azure Active Directory, then we need to extend our on premise identity infrastructure to Azure by replicating our identity to AAD using Azure Ad Connect. Now that our identities are in the clouds, especially if we have replicated our password hashes, then we can use multifactor authentication as yet another layer of protection. If you need to deploy Addsdependent, workloads in Azure, but you want to minimize the overhead associated with deploying and managing Active Directory domain controllers hosted on Azure VMs, you should consider implementing Azure Adds instead.

Azure Ads is a Microsoft managed Adds service that provides the standard active directory features such as Group Policy Domain join and support for protocols such as Kerberos, NTLM and LDAP. The service consists of two Active Directory domain controllers in a new single domain forest. When you provision the service, the Azure platform automatically deploys these two domain controls to an Azure virtual network that you designate.

In addition, the managed Adds automatically synchronizes its users and groups from the Azure ad tenant associated with the Azure subscription, which is hosting the Virtual network effectively. The Azure Ads domain will contain the same users and groups as its Azure ad counterpart. aadds provides you with the following capabilities you can join Azure VMs to the managed IDDS domain if they reside on the same virtual network or on Azure Virtual Network connected to it. Azure ad users can use their existing credentials to sign in to these Azure VMs. If you have an on premise Adds domain that synchronizes with the same Azure ad tenant, your on premises Adds users will be able to sign in to the Azure Adds domain by using their existing credentials. However, in this scenario, the on premises Active Directory domain is separate from the Active Directory domain that Azure Ads implements.

The two Active Directory domains have different domain names and separate sets of users, groups, and computer objects. Although the user and group objects within the scope of Azure Ad Connect synchronization have matching attributes, Azure Adds offers support for the same set of protocols as onpremises adds. With Azure Adds, you can migrate applications that depend on Adds to Azure VMs without having to deploy and maintain additional domain controllers or establish connectivity with the on premises infrastructure. There are some important differences between Adds and Azure Ads. For example, Azure Adds does not allow you to create trust relationships or extend the schema.

Depending on their origin, user and group objects might have to be managed on premises or in the corresponding Azure ad tenant. Support for group policy is limited, with only two previously created Group policy objects one containing computer settings and another containing user settings. In addition, while it is possible to perform LDAP binds and LDAP reads against Azure adds, there is no support for LDAP writes Azure’s Service Principle is an identity created for use with applications, hosted services and automated tools to access Azure resources. Access can be managed using normal RBAC rule sets that govern standard Azure users. It is recommended to use service principles with automated tools such as Azure DevOps or any other tools that require access to an Azure Resource for security purposes.

6. Managing Identity (Part Two)

One other feature that brings privileged access under even more control is just in Time access JIT. This feature is generated via Azure Security Center or Azure ad privileged Identity Management pim. A user sends a request to the administrator to be approved in order to elevate their permissions, and the request is time and place is bound. This means the user will have elevated permissions for a certain amount of time which is only originated from a known IP. If using PIM to manage JIT, it will give you greater visibility and auditing over more role activations, while Security Center is used for RDP or SSH access. We continue our discussion around identity and authentication for SAP.

SAP Cloud Platform identity authentication tenant is configured as a trusted application in Azure Active Directory. All SAP applications and services that you want to protect this way are subsequently configured in the SAP Cloud Platform Identity Authentication Management Console. Therefore, the authorization for granting access to SAP applications and services needs to take place in SAP Cloud Platform Identity Authentication as opposed to Azure Active Directory. By configuring SAP Cloud Platform identity authentication as an application through the Azure Active Directory marketplace. You don’t need to configure individual claims or SAML assertions.

The SAP Cloud Platform Identity Authentication can be added to Azure ad as a managed SAS, which would give you the ability to implement SSL across applications or services that are protected by Azure Ad as an identity provider with SAP applications and services that are protected by SAP Cloud Platform Identity Authentication. SAP Cloud Platform Identity Authentication acts as a proxy Identifier provider to SAP applications. Azure Active Directory, in turn, acts as the leading identity provider in this setup. With AAD, conditional access can become a powerful tool to protect your user’s identity, especially with remote staff. It is beneficial to take advantage of AAD and SAP Cloud platform integration to enable MFA conditional access and SSO to your s four Hana fiery Launchpad, SAP, Hana and SAP netweaverbased applications.

Please note SAP Hana also supports Justin time user provisioning. Azure Ad can also be integrated with the SAP Cloud Platform SAP to provide single sign on to your SAP services, which can also be run on Azure. We can control access to resources by using a centralized identity management system at all levels. We can provide access to Azure resources through role based access control. We can grant access to Azure VMs through LDAP, Azure Active Directory, Kerberos, or another system, and we can support access within the apps themselves through the services that SAP provides. Or we can use 200 and Azure Active Directory.

7. Managing Identity (Part Three)

Active Directory can be integrated with SAP single signon by configuring your SAP system with SNC secure Network Communication The primary purpose of SNC is to secure connections between the NetWeaver ABAP application server and external applications, including SAP GUI. SNC provides an interface for external security products which can be used to enable single sign on. To integrate SAP SSO with ad, you need to do the following Configure the SAP system with Secure Network Communication configure user mapping for SSO configure SAP GUI for SNC Communication the other piece of integration is linking SAP with logic apps. Logic Apps lets you create a workflow for the messages between different SAP systems or between one SAP system and another application. This integration leverages SSO and RBAC policies from AAD. The SAP connector is compatible with the following types of SAP systems on premises and cloud based Hana based SAP systems such as S Four, Hana Classic on premises SAP systems such as R Three and ECC.

The SAP connector supports the following message and data integration types from SAP Net Weaver based Systems Intermediate Documents IDOC, business Application, programming interface RFC and transactional RFC. Please visit Azure Documentation for further details on logic app integrations and the SAP connector. AAD comes with auditing alerting and protection against identity tests. To enhance your Azure ad implementation. You can also add paid capabilities by upgrading to Azure Active Directory basic Premium P One or Premium P Two licenses. Azure Ad paid licenses are built on top of your existing free directory. They provide self service, enhanced monitoring, security reporting, and secure access for your mobile users. In order to understand each SKUs capabilities, please consult the formal Azure Docs. Those features will mitigate against the following risks impossible travel anonymous IP address Unfamiliar sign in properties Malware linked to IP address Leaked credentials AAD Threat Intelligence Identified attack pattern AAD Join is another feature which can enable bring your own device. This includes iPads, personal laptops, and any devices to be used for work purposes. By registering the device in Azure Ad and applying company security policies with Windows Ten, Azure ad users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device.

Enterprise State Roaming offers separation of corporate and consumer data in order to ensure organizations are in control of their data and that there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account. Enhanced security where data is automatically encrypted before leaving the user’s Windows Ten device by using Azure Rights Management data stays encrypted at rest in the cloud.

All content stays encrypted at rest in the cloud except for the namespaces like settings names and Windows app names. Better management and monitoring by providing control and visibility over who syncs settings in your organization and on which devices through the Azure Ad Portal integration. Enterprise state roaming is available to any organization with a premium Azure Ad subscription or Enterprise mobility and security license. When enabling Enterprise State Roaming, your organization organization is automatically granted a free, limited use license for Azure Rights Management protection from Azure information Protection this is limited to encrypting and decrypting settings and application data is synced by Enterprise State Roaming.

8. Monitoring

Let’s now have a look at how we can monitor our environment. SAP Early Watch Alert is an automatic service for monitoring and analyzing the essential administrative areas of an SAP system. Alerts indicate critical situations and provides solutions to enhance performance and stability. It also reports detailed information related to system status such as configuration, duration, performance, and system processing, together with database administration and trend analysis. All of these get sent to SAP Solution manager. SAP Early Watch Alert is included in your maintenance agreement with SAP, and it gets activated via the SAP Solution Manager.

The SAP Solution Manager covers the complete application lifecycle of your It solution. Running on premise, hybrid, or in the cloud. It provides functionalities like integrated content, methodologies, tools, et cetera to implement, operates, monitor, and support an enterprise. SAP Solution the SAP Solution Manager manages the SAP and Nonsap solutions in the It landscape of an organization. It supports both the underlying

It infrastructure and business processes. It is a powerful tool for SAP basis administrators. SAP Cloud Cockpit is a web based user interface for administrators, providing access to a number of functions for configuring and managing applications and for connecting them to services on the cloud platform. Use the cockpits to manage resources, services, security, monitor application metrics, and performance actions on cloud applications.

SAP Hana Cockpit is another web based admin tool tailored for monitoring and maintenance of SAP Hana systems. It monitors configuration error, diagnostics, performance optimizations, business continuity, and security. It also has the SAP Hana Database Explorer integrated for use to query information about the Hana DB form system views. For the exam, please make sure you remember what each of the tools described does and what role they play in SAP systems. It’s important to remember that HLI doesn’t have direct access to the Internet. However, tools such as SAP Hana Studio SAP Hana Cockpit, SAP Solution Manager in addition to native Linux tools, still work in the same way with regards to gathering stats such as CPU and memory usages and space usage.

9. Azure Enhanced Monitoring

SAP Note 199-9351 describes the process of troubleshooting issues with Azure enhanced monitoring. As the Note states, in order to ensure full supportability of Azure for SAP workloads, it is crucial that the Azure Enhanced monitoring service is correctly configured and that the Azure Performance Counters show up in in the SAP OS monitor. In case there are no counters, supportability cannot be guaranteed. Some of the issues that you might encounter with the extensions include, but not limited to, a warning message that standard manage disks are not supported when running either set or test AZ vmaeme extension.

Also, if none of the Windows Performance Counters are showing, then it’s a good indication that the extension isn’t installed properly, or perhaps not installed at all. You can check the install directory for any binaries, or can look for the Azure enhanced monitoring service and check if it’s running. If it is stopped, please make sure that you can start it and that it enters the running mode. If it fails, then please attempt to reinstall the extension. The Azure Enhanced Monitoring Windows service collects performance metrics in Azure.

The service gets data from several sources. Some configuration data is collected locally, and some performance metrics are read from Azure Diagnostics Storage Counters are used from your logging on the storage subscription level. If troubleshooting by using SAP Note 199-9351 doesn’t resolve the issue, then please reinstall the extension for Linux VMs. If you are missing all of your Performance Counters, these are collected by a demon. If the demon is not running, no performance metrics can be collected, so please ensure that the install directory contains the extension binaries. If they do exist, check your proxy settings and make sure there is no routing issue. Performance metrics in Azure are collected by a demon, which gets data from several sources.

Some configuration data is collected locally, while some performance metrics are read from Azure Diagnostics Storage Counters come from the logs in your storage subscription. For a complete and up to date list of known issues, it’s best to check SAP Note 199-9351, which has additional troubleshooting information for enhanced Azure monitoring. For SAP.

10. Troubleshooting

You can use the Azure Monitor, including log analytics, to monitor Azure VMs hosting. SAP workloads as well as any components of your SAP environment in Azure. You might want to also consider leveraging third party SAP monitoring solutions that are available from the Azure Marketplace and that integrate with Azure Monitor, such as Bloomadora’s SAP Monitoring. In addition, Security Center protects no azure servers and Virtual machines in the cloud or onpremises for both Windows and Linux servers by installing the Log Analytics agent on them. Azure Virtual machines are also provisioned in the Security Center. The Azure Monitor for SAP Solutions is an Azure native monitoring product for customers running their SAP landscapes on Azure. The product works with both SAP on Azure Virtual Machines and SAP on Azure. Large Instances with Azure Monitor for SAP Solutions, customers can collect telemetry data from Azure infrastructure and databases in one central location and can visually correlate telemetry data for faster troubleshooting.

Azure monitor for SAP Solutions is offered through Azure marketplace. It provides a simple, intuitive setup experience and takes only a few clicks to deploy the resource. For Azure Monitor for SAP solutions known as SAP Monitor resource customers can monitor different components of an SAP landscape such as Azure Virtual Machines, High Availability, Cluster, SAP, Hana Database and so on by adding the corresponding provider for that component. Specifically, for HLI, Microsoft provides built in monitoring for CPU, memory, network bandwidth, and disk space. Also, for type two Skew, the server comes with the Preloaded system diagnostic tools. Please have a look at SAP Notes 201-5533 for further detail. The Azure Monitor constitutes one of the core components of the Microsoft strategy to provide comprehensive cloud based monitoring functionality.

Other Azure Manageability features that belong in the same category include azure Advisor uses Resource Usage Telemetry to provide recommendations regarding optimizing resource configuration from the standpoint of performance, security, and availability. Azure Service Health reports platform related issues that might affect your resources. Azure Activity Log tracks events representing operations that alter the state of your resources, such as configuration changes, service health incidents, and auto scale operations. Azure Monitor, Azure Advisor, Azure Service Health, and Azure Activity Log complement several other services that deliver more focused indepth monitoring capabilities. Deep Infrastructure Monitoring In addition to detailed monitoring, these services also provide analytics capabilities targeting Azure infrastructure.

Some of the prime examples include log analytics combined with management solutions as container monitoring or service map, as well as a number of network monitoring tools. Example of such tools are network watcher, network performance monitor, express route monitor, DNS, analytics and service endpoint monitor. Deep application monitoring. This category includes Azure application Insight, which facilitates monitoring of performance, availability and usage of Web applications. Regardless of their location, both the core and deep monitoring services share a number of capabilities that provide a consistent approach to configuring alerts. This involves common action groups, designating alerts, triggered actions, and recipients. Designing custom dashboards and analyzing metrics by leveraging tools like Metrics explorer or Power Bi.

These capabilities allow you to configure and view performance related settings such as monitoring, diagnostics, and auto scaling for a wide range of Azure resources in the same consistent manner. With Azure Monitor, you have a single point of reference for the majority of relevant configuration settings and monitoring data, which not only improves user experience, but also helps maintain consistent configuration across your entire subscription. To troubleshoot SAP Hana as a first step, please check the current SAP Hana alert logs in the SAP Hana studio.

You can go to the Administration Console Alerts show All Alerts this tab will show you all SAP Hana alerts for specific values such as memory and CPU utilizations that fall outside of the set minimum and maximum thresholds. One of the most important checks for SAP Hana on Linux is to make sure that transparent huge pages are disabled. For more details about this important check, please see SAP note 213-1662. You can then evaluate network latency and packet loss by doing the following Analyzing round trip time between server and client analyzing intern node communication running the Linux command if config, the output shows if any packet losses are occurring running the Linux command TCP dump and checking SAP Note 208-1065 for further troubleshooting.

Tips separately, you can also monitor storage utilization and performance from an end user perspective. An application or the system as a whole can run sluggishly, can be unresponsive, or can even seem to stop responding if there are issues with IO performance. In the Volume tab in SAP Hana studio, you can see the attached volumes and what volumes are used by each service. Finally, you can perform an SAP Hana health check through Hana Configuration minichacks. This tool returns potentially critical technical issues that should have already been raised as alerts in SAP Hana Studio.

• Category: Uncategorized