Running SAP Applications on the Microsoft Platform

SAPRouter configuration with Azure Firewall

jitendrasingh (Microsoft)
May 03, 2022

Overview

SAP applications deployed within a virtual network must be safeguarded from the outside world; at the same time, there are cases where applications deployed within a virtual network need connectivity to the outside world/Internet.

This document discusses one option for configuring SAPRouter with Azure Firewall, where the SAPRouter deployed on Azure needs connectivity to the SAP network over the Internet. SAPRouter works as a proxy, and the traffic leaves the Azure network. The requirement is to have a firewall between the SAPRouter on Azure and the SAP external network.

This blog covers two scenarios for SAPRouter configuration (customer side) with Azure Firewall:

  1. Single SAPRouter configuration
  2. Cascade SAPRouter configuration

Reference Network Architecture

Scenario #1: a single SAPRouter manages the connectivity between the SAP-side router and the customer SAPRouter.

SAPRouter Reference Architecture

Key components of the Architecture

SAP Router:

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks, to protect your SAP network against unauthorised access.

Azure Firewall:

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall service with built-in high availability and unrestricted cloud scalability.

Prerequisite

  1. Landing zone deployed on Azure with a virtual network and subnets hosting the SAP systems.

The document assumes the network architecture (hub-spoke, or a customer-preferred design) from the Azure Enterprise Scale Landing Zone already exists on the Microsoft Azure platform.

Deploy SAPRouter Virtual Machine

  1. Deploy a Windows or Linux virtual machine, preferably dedicated to hosting SAPRouter, for the installation and configuration of SAPRouter.
  2. Download the SAPRouter software (30374 - SAProuter installation, SAP ONE Support Launchpad).
  3. Install the SAPRouter software on the virtual machine.
  4. Review the status of the SAPRouter service.

Register SAPRouter with SAP

  1. Create an SAP OSS case: raise an OSS case under component XX-SER-NET-NEW to register the new SAPRouter on the SAP side.
  2. Capture the details needed to update the SAPRouttab file: follow the SAP standard documentation (SAProuter) to create the saprouttab entries.

Example of SAPRouttab file

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <firewall load balancer IP 1> 3299
# SNC connection to local systems
# * is optional; the rule can be further restricted by using a specific port value and the IP address of the VM hosting the SAP application
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <internal hosts (SAP Server) IP> *
# Access from the local Network to SAP
# deny all other connections
D * * 1.65535

Azure Firewall Configuration

  1. Create/review the Azure Firewall.
  2. Create/review the public IP assignment.
  3. Update the NAT rules on Azure Firewall: go to Firewall Manager and select the Azure Firewall policy, or select it from the Overview page.
  4. Add a rule collection group.


Update SAP SAPRouter Configuration

  1. Review and update the SAPRouttab file as per point 2 of the section Register SAPRouter with SAP.
  2. Allow the Azure Firewall IP addresses in the SAPRouttab file. Once these steps are completed, perform the SAP backbone connectivity setup from the SAP ABAP system and run the test.

Example SAPRouttab file

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <firewall load balancer IP 1> 3299
# SNC connection to local systems
# * is optional; the rule can be further restricted by using a specific port value and the IP address of the VM hosting the SAP application
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <internal hosts (SAP Server) IP> *
# Access from the local Network to SAP
# deny all other connections
D * * 1.65535

Scenario #2: cascaded SAPRouters manage the connectivity between the SAP-side router and the customer SAPRouter, where the customer deployment hosts two SAPRouters (external and internal).

Option #1

Option #2

SAPRouter Cascade Reference Architecture

Example SAPRouttab files:

External SAPRouttab example for cascade configuration

# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 3299
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <Azure internal firewall IP> 3299
# SNC connection to local systems
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <internal router IP> 3299
# Access from the local Network to Internal SAPRouter
P <Azure internal firewall IP> <internal router IP> 3299
P <internal router IP> 194.39.131.34 3299
# deny all other connections
D * * 1.65535

Internal SAPRouttab example for cascade configuration

# Access from the local Network to Internal SAPRouter
P <External SAPRouter IP> <SAP R/3 server IP> <Port>
# From SAP Server to External SAPRouter
P <SAP R/3 server IP> <External SAPRouter ip> 3299
# deny all other connections
D * * *
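
To check a saprouttab before rolling it out, here is an added example (my code, not code from the blog post or from SAP): it parses the table, evaluates a SAProuter route string hop by hop against the table of each router in the cascade (the external router sees the firewall as the source, the internal router sees the external router), and lints for entries that permit any host or any port, which is exactly the "* is optional, the rule can be further restricted" caveat in the single-router tables above. The addresses, the two tables and the route strings are constructed placeholders; the only value taken from the post is the sapserv2 address 194.39.131.34. First-match-wins evaluation and deny-when-nothing-matches are assumptions about SAProuter's behaviour, encoded in decide().

```python
"""Added example, not from the blog post: parse saprouttab files, walk a SAProuter route
string hop by hop against each router's table, and flag over-permissive entries."""
import re
from dataclasses import dataclass

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted SNC name is a single field

@dataclass(frozen=True)
class Rule:
    action: str            # P = permit, S = permit SAP protocols only, D = deny
    snc_name: "str | None"  # set for K* entries, which identify the peer by SNC name
    source: str
    dest: str
    service: str

def parse_saprouttab(text: str) -> list:
    """'#' starts a comment, fields are whitespace separated, order is preserved."""
    rules = []
    for raw in text.splitlines():
        tok = _TOKEN.findall(raw.split("#", 1)[0])
        if not tok:
            continue
        if len(tok) < 4:
            raise ValueError(f"malformed saprouttab entry: {raw.strip()!r}")
        if tok[0].upper().startswith("K"):  # K<P|S|T|D> "<SNC name>" <dest-host> <dest-service>
            rules.append(Rule(tok[0][1:].upper(), tok[1].strip('"'), "*", tok[2], tok[3]))
        else:                               # <P|S|D> <source-host> <dest-host> <dest-service>
            rules.append(Rule(tok[0].upper(), None, tok[1], tok[2], tok[3]))
    return rules

def _host_match(pattern: str, host: str) -> bool:
    if pattern.endswith("*"):  # "*" or a partial address such as 10.2.*
        return host.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == host.lower()

def _service_match(pattern: str, service: str) -> bool:
    rng = re.fullmatch(r"(\d+)-(\d+)", pattern)  # port range such as 3200-3299
    if rng and service.isdigit():
        return int(rng.group(1)) <= int(service) <= int(rng.group(2))
    return pattern in ("*", service)

def decide(rules, source, dest, service, snc_name=None) -> bool:
    """Top to bottom, first match wins; no match is treated as denied (assumption, in
    line with the explicit D * * *). K* entries apply only to the named SNC peer."""
    for r in rules:
        if r.snc_name == snc_name and _host_match(r.source, source) \
                and _host_match(r.dest, dest) and _service_match(r.service, service):
            return r.action in ("P", "S")
    return False

def parse_route(route: str) -> list:
    """'/H/host/S/port/H/host/...' -> [(host, port), ...]; /S/ defaults to 3299."""
    parts = route.strip("/").split("/")
    hops = []
    for key, value in zip(parts[::2], parts[1::2]):
        if key == "H":
            hops.append([value, "3299"])
        elif key == "S" and hops:
            hops[-1][1] = value
        else:
            raise ValueError(f"unsupported route element /{key}/{value}")
    return [tuple(h) for h in hops]

def check_route(client: str, route: str, tables: dict) -> list:
    """Router N decides the hop to N+1 and sees router N-1 (or the client) as the
    source; returns one (router, source, dest, port, allowed) tuple per router reached."""
    hops, decisions, source = parse_route(route), [], client
    for (router, _), (nxt, port) in zip(hops, hops[1:]):
        allowed = decide(tables[router], source, nxt, port)
        decisions.append((router, source, nxt, port, allowed))
        if not allowed:
            break
        source = router
    return decisions

def audit(rules) -> list:
    """Findings a reviewer would raise before accepting a saprouttab."""
    findings = []
    if not rules or rules[-1].action != "D" or (rules[-1].source, rules[-1].dest) != ("*", "*"):
        findings.append("table does not end with a catch-all deny (D * * *)")
    for n, r in enumerate(rules, 1):
        if r.action in ("P", "S") and r.dest == "*":
            findings.append(f"entry {n}: permits connections to any destination host")
        if r.action in ("P", "S") and r.service == "*" and r.snc_name is None:
            findings.append(f"entry {n}: permits any destination port; pin it to the SAP service port")
    return findings

# Constructed placeholder addresses for the cascade scenario (not from the blog post).
FIREWALL = "10.0.0.4"       # Azure Firewall private IP, the source seen after DNAT
EXT_RTR = "10.1.0.4"        # external SAProuter
INT_RTR = "10.2.0.4"        # internal SAProuter
SAP_SRV = "10.2.0.10"       # SAP application server
SAPSERV2 = "194.39.131.34"  # SAP-side router address as used in the blog's tables
TABLES = {
    EXT_RTR: parse_saprouttab(f"""
        P {FIREWALL} {INT_RTR} 3299    # inbound: firewall -> internal router
        P {INT_RTR} {SAPSERV2} 3299    # outbound: internal router -> SAP
        D * * *"""),
    INT_RTR: parse_saprouttab(f"""
        P {EXT_RTR} {SAP_SRV} 3200     # inbound: external router -> SAP server
        P {SAP_SRV} {EXT_RTR} 3299     # outbound: SAP server -> external router
        D * * *"""),
}
```

Running check_route(FIREWALL, "/H/10.1.0.4/S/3299/H/10.2.0.4/S/3299/H/10.2.0.10/S/3200", TABLES) returns a permit for both routers, while a route that skips the internal router or asks for a port other than 3200 stops at the first deny, and audit() on either table returns no findings. Note that the placeholders in the blog's tables, such as <internal router IP>, contain spaces and must be replaced with real addresses before the parser accepts the file, since a field with spaces is read as several fields.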
Update the Azure Firewall policy as in scenario #1.

Test the connectivity

SAP OSS connection from the satellite system to SAP (with the help of SAP)

Remote logon from SAP to the managed system through R3

Updated Apr 28, 2023
Version 2.0

6 Comments

  • ramakrishnanv
    Copper Contributor

    Hi ChrisClarke-swo, as far as I know there is no mandate to place the SAP router in the Mgmt/Shared service subscription. I have deployed the SAP router in the SAP subscription [viz. spoke vnet]. And yes, no significant benefit I could see of one over the other, but as long as you have tightened the NSG rule at the SAP router VM [over NIC level], plus if you have micro-segmentation to ensure spk to spk traffic will be screened by a firewall [East-West traffic]

  • ChrisClarke-swo
    Copper Contributor

    I'm interested in why there is a need for the SAP router in the management subscription at all? What is the benefit of this approach compared to DNAT'ing the connection through to a SAP router within the SAP subscription and Vnet and protecting it with an NSG around the NIC or a dedicated subnet only allowing outbound connectivity to specified SAP resources?

  • ramakrishnanv
    Copper Contributor

    Thanks Jitendra, we planned to create the outbound rule on the EXT LB, which will make our life easier, so that traffic will flow from/to on the same path.
    (Inbound: SAP Cloud system > [Internet] > EXT LB > NVA > SAP systems)

    (Outbound: SAP system > NVA > EXT LB (by outbound is allowing) > [Internet] > SAP Cloud system)

  • ramakrishnanv
    Copper Contributor

    Hi Jitendra,

    This article is really the need of the hour for me. I am working on a solution to implement SAP RT on Azure.

    As per our architecture we have two different sets of firewalls, one for inbound and another for outbound.

    I can have NAT'd on the Palo Alto firewall like below:

    SAP>EXTLB>(Inbound)FW>SAP RTR. For outbound SAP RTR>(Outbound)FW[NAT'd]>SAP cloud.

    Can we use two different flows?

    Note: this flow is not for return traffic. When traffic initiates from SAP RTR we want it to go through a different firewall. Will SAP honor whitelisting two public IPs for this SAP RTR communication?

    Your swift response is much appreciated.