Workload zone configuration in the SAP automation framework
An SAP application typically has multiple development tiers. For example, you might have development, quality assurance, and production tiers. SAP Deployment Automation Framework calls these tiers workload zones. See the following diagram for an example of a workload zone with two SAP systems.
The workload zone provides shared services to all of the SAP Systems in the workload zone. These shared services include:
Azure Virtual Network
Azure Key Vault
Shared Azure Storage Account for installation media
Azure NetApp Files account and capacity pool (optional)
The workload zone is typically deployed in a spoke subscription, and all the artifacts in the workload zone are deployed using a unique service principal.
Workload zone deployment configuration
The configuration of the SAP workload zone is done via a Terraform tfvars variable file. You can find examples of the variable file in the samples/WORKSPACES/LANDSCAPE folder.
The following sections show the different sections of the variable file.
Environment parameters
This table contains the parameters that define the environment settings.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| environment | Identifier for the workload zone (max five characters) | Mandatory | For example, PROD for a production environment and QA for a Quality Assurance environment. |
| | A dictionary of tags to associate with all resources. | Optional | |
Resource group parameters
This table contains the parameters that define the resource group.
| Variable | Description | Type |
| --- | --- | --- |
| resourcegroup_name | Name of the resource group to be created | Optional |
| resourcegroup_arm_id | Azure resource identifier for an existing resource group | Optional |
| resourcegroup_tags | Tags to be associated with the resource group | Optional |
Network parameters
The automation framework supports creating the virtual network and the subnets (green field), using an existing virtual network and existing subnets (brown field), or a combination of green field and brown field:
Green-field scenario: The virtual network address space and the subnet address prefixes must be specified.
Brown-field scenario: The Azure resource identifier for the virtual network and the subnets must be specified.
Ensure that the virtual network address space is large enough to host all the resources.
This table contains the networking parameters.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| network_logical_name | The logical name of the network, for example, SAP01 | Required | Used for resource naming |
| network_name | The name of the network | Optional | |
| network_arm_id | The Azure resource identifier for the virtual network | Optional | For brown-field deployments |
| network_address_space | The address range for the virtual network | Mandatory | For green-field deployments |
| admin_subnet_address_prefix | The address range for the admin subnet | Mandatory | For green-field deployments |
| admin_subnet_arm_id | The Azure resource identifier for the admin subnet | Mandatory | For brown-field deployments |
| admin_subnet_name | The name of the admin subnet | Optional | |
| admin_subnet_nsg_name | The name of the admin network security group | Optional | |
| admin_subnet_nsg_arm_id | The Azure resource identifier for the admin network security group | Mandatory | For brown-field deployments |
| db_subnet_address_prefix | The address range for the db subnet | Mandatory | For green-field deployments |
| db_subnet_arm_id | The Azure resource identifier for the db subnet | Mandatory | For brown-field deployments |
| db_subnet_name | The name of the db subnet | Optional | |
| db_subnet_nsg_name | The name of the db network security group | Optional | |
| db_subnet_nsg_arm_id | The Azure resource identifier for the db network security group | Mandatory | For brown-field deployments |
| app_subnet_address_prefix | The address range for the app subnet | Mandatory | For green-field deployments |
| app_subnet_arm_id | The Azure resource identifier for the app subnet | Mandatory | For brown-field deployments |
| app_subnet_name | The name of the app subnet | Optional | |
| app_subnet_nsg_name | The name of the app network security group | Optional | |
| app_subnet_nsg_arm_id | The Azure resource identifier for the app network security group | Mandatory | For brown-field deployments |
| web_subnet_address_prefix | The address range for the web subnet | Mandatory | For green-field deployments |
| web_subnet_arm_id | The Azure resource identifier for the web subnet | Mandatory | For brown-field deployments |
| web_subnet_name | The name of the web subnet | Optional | |
| web_subnet_nsg_name | The name of the web network security group | Optional | |
| web_subnet_nsg_arm_id | The Azure resource identifier for the web network security group | Mandatory | For brown-field deployments |
This table contains the networking parameters if Azure NetApp Files is used.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| anf_subnet_arm_id | The Azure resource identifier for the ANF subnet | Required | When using existing subnets |
| anf_subnet_address_prefix | The address range for the ANF subnet | Required | When using ANF for deployments |
| anf_subnet_name | The name of the ANF subnet | Optional | |
| anf_subnet_nsg_name | The name of the ANF network security group | Optional | |
| anf_subnet_nsg_arm_id | The Azure resource identifier for the ANF network security group | Optional | For brown-field deployments |
This table contains the networking parameters if iSCSI devices are hosted from this workload zone.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| iscsi_subnet_address_prefix | The address range for the iSCSI subnet | Mandatory | For green-field deployments |
| iscsi_subnet_arm_id | The Azure resource identifier for the iSCSI subnet | Mandatory | For brown-field deployments |
| iscsi_subnet_name | The name of the iSCSI subnet | Optional | |
| iscsi_subnet_nsg_arm_id | The Azure resource identifier for the iSCSI network security group | Mandatory | For brown-field deployments |
| iscsi_subnet_nsg_name | The name of the iSCSI network security group | Optional | |
This table contains the networking parameters if Azure Monitor for SAP is hosted from this workload zone.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| ams_subnet_address_prefix | The address range for the AMS subnet | Mandatory | For green-field deployments |
| ams_subnet_arm_id | The Azure resource identifier for the AMS subnet | Mandatory | For brown-field deployments |
| ams_subnet_name | The name of the AMS subnet | Optional | |
| ams_subnet_nsg_arm_id | The Azure resource identifier for the AMS network security group | Mandatory | For brown-field deployments |
| ams_subnet_nsg_name | The name of the AMS network security group | Optional | |
This table contains additional networking parameters.
| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| use_private_endpoint | Whether private endpoints are created for storage accounts and key vaults | Optional | |
| use_service_endpoint | Whether service endpoints are defined for the subnets | Optional | |
| peer_with_control_plane_vnet | Whether virtual networks are peered with the control plane virtual network | Optional | Required for the SAP Installation |
| public_network_access_enabled | Whether public access is enabled on the storage accounts and key vaults | | |
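
A pre-deployment check for the parameters in the tables above, written in Python as an added example (it is not part of the framework or of the original article). It parses a flat tfvars file and applies the five-character environment limit and the green-field/brown-field rules; the sample values, the function names parse_tfvars and check_zone, the overlap check (Azure does not allow overlapping subnets in one virtual network) and the final exposure check are assumptions of this example.

```python
import ipaddress

SUBNETS = ("admin", "db", "app", "web")  # subnets the tables above mark as mandatory
# Constructed sample tfvars; every value is illustrative.
SAMPLE_TFVARS = """
environment                   = "QA"
network_logical_name          = "SAP01"
network_address_space         = "10.110.0.0/16"
admin_subnet_address_prefix   = "10.110.0.0/27"
db_subnet_address_prefix      = "10.110.96.0/19"
app_subnet_address_prefix     = "10.110.0.0/19"    # overlaps the admin subnet
web_subnet_address_prefix     = "10.111.128.0/19"  # outside the virtual network
use_private_endpoint          = false
public_network_access_enabled = true
"""

def parse_tfvars(text):
    """Parse flat `name = value` lines; maps and lists (such as tags) are not handled."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.split("#")[0].partition("=")
        if sep and name.strip():
            cfg[name.strip()] = value.strip().strip('"')
    return cfg

def check_zone(cfg):
    """Return a list of findings for the green-field/brown-field rules."""
    findings = []
    if not 1 <= len(cfg.get("environment", "")) <= 5:
        findings.append("environment: mandatory, max five characters")
    space = cfg.get("network_address_space")
    if not space and not cfg.get("network_arm_id"):
        findings.append("network: set network_address_space or network_arm_id")
    vnet, seen = (ipaddress.ip_network(space) if space else None), []
    for s in SUBNETS:
        prefix, arm, nsg = (cfg.get(f"{s}_subnet_{k}") for k in ("address_prefix", "arm_id", "nsg_arm_id"))
        if arm and not nsg:  # brown field: the existing subnet's NSG id is mandatory too
            findings.append(f"{s}: {s}_subnet_nsg_arm_id is mandatory with an existing subnet")
        elif not arm and not prefix:
            findings.append(f"{s}: set {s}_subnet_address_prefix or {s}_subnet_arm_id")
        elif not arm:  # green field: prefix must fit the VNet and not collide with a sibling
            net = ipaddress.ip_network(prefix)
            if vnet and not net.subnet_of(vnet):
                findings.append(f"{s}: {net} is outside {vnet}")
            findings += [f"{s}: {net} overlaps {o} ({n})" for o, n in seen if net.overlaps(n)]
            seen.append((s, net))
    if cfg.get("public_network_access_enabled") == "true" and cfg.get("use_private_endpoint") != "true":
        findings.append("exposure: public access enabled without private endpoints")  # example heuristic, not a framework rule
    return findings
```

Calling check_zone(parse_tfvars(SAMPLE_TFVARS)) reports the overlapping app subnet, the out-of-range web subnet and the public-access setting; an empty list means the file passed these checks only.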