Workload zone configuration in the SAP automation framework

Article
09/24/2024

An SAP application typically has multiple development tiers. For example, you might have development, quality assurance, and production tiers. SAP Deployment Automation Framework calls these tiers workload zones. See the following diagram for an example of a workload zone with two SAP systems.

Diagram that shows SAP workflow zones and systems.

The workload zone provides shared services to all of the SAP Systems in the workload zone. These shared services include:

Azure Virtual Network
Azure Key Vault
Shared Azure Storage Account for installation media
Azure NetApp Files account and capacity pool (optional)

The workload zone is typically deployed in a spoke subscription and the deployment of all the artifacts in the workload zone is done using unique service principal.

Workload zone deployment configuration

The configuration of the SAP workload zone is done via a Terraform tfvars variable file. You can find examples of the variable file in the samples/WORKSPACES/LANDSCAPE folder.

The following sections show the different sections of the variable file.

Environment parameters

This table contains the parameters that define the environment settings.

Variable	Description	Type	Notes
`environment`	Identifier for the workload zone (max five characters)	Mandatory	For example, `PROD` for a production environment and `QA` for a Quality Assurance environment.
`location`	The Azure region in which to deploy	Required
`name_override_file`	Name override file	Optional	See Custom naming.
`tags`	A dictionary of tags to associate with all resources.	Optional

Resource group parameters

This table contains the parameters that define the resource group.

Variable	Description	Type
`resourcegroup_name`	Name of the resource group to be created	Optional
`resourcegroup_arm_id`	Azure resource identifier for an existing resource group	Optional
`resourcegroup_tags`	Tags to be associated with the resource group	Optional

Network parameters

The automation framework supports both creating the virtual network and the subnets (green field) or using an existing virtual network and existing subnets (brown field) or a combination of green field and brown field:

Green-field scenario: The virtual network address space and the subnet address prefixes must be specified.
Brown-field scenario: The Azure resource identifier for the virtual network and the subnets must be specified.

Ensure that the virtual network address space is large enough to host all the resources.

This table contains the networking parameters.

Variable	Description	Type	Notes
`network_logical_name`	The logical name of the network, for example, `SAP01`	Required	Used for resource naming
`network_name`	The name of the network	Optional
`network_arm_id`	The Azure resource identifier for the virtual network	Optional	For brown-field deployments
`network_address_space`	The address range for the virtual network	Mandatory	For green-field deployments

`admin_subnet_address_prefix`	The address range for the `admin` subnet	Mandatory	For green-field deployments
`admin_subnet_arm_id`	The Azure resource identifier for the `admin` subnet	Mandatory	For brown-field deployments
`admin_subnet_name`	The name of the `admin` subnet	Optional
`admin_subnet_nsg_name`	The name of the `admin`network security group	Optional
`admin_subnet_nsg_arm_id`	The Azure resource identifier for the `admin` network security group	Mandatory	For brown-field deployments

`db_subnet_address_prefix`	The address range for the `db` subnet	Mandatory	For green-field deployments
`db_subnet_arm_id`	The Azure resource identifier for the `db` subnet	Mandatory	For brown-field deployments
`db_subnet_name`	The name of the `db` subnet	Optional
`db_subnet_nsg_name`	The name of the `db` network security group	Optional
`db_subnet_nsg_arm_id`	The Azure resource identifier for the `db` network security group	Mandatory	For brown-field deployments

`app_subnet_address_prefix`	The address range for the `app` subnet	Mandatory	For green-field deployments
`app_subnet_arm_id`	The Azure resource identifier for the `app` subnet	Mandatory	For brown-field deployments
`app_subnet_name`	The name of the `app` subnet	Optional
`app_subnet_nsg_name`	The name of the `app` network security group	Optional
`app_subnet_nsg_arm_id`	The Azure resource identifier for the `app` network security group	Mandatory	For brown-field deployments

`web_subnet_address_prefix`	The address range for the `web` subnet	Mandatory	For green-field deployments
`web_subnet_arm_id`	The Azure resource identifier for the `web` subnet	Mandatory	For brown-field deployments
`web_subnet_name`	The name of the `web` subnet	Optional
`web_subnet_nsg_name`	The name of the `web` network security group	Optional
`web_subnet_nsg_arm_id`	The Azure resource identifier for the `web` network security group	Mandatory	For brown-field deployments

This table contains the networking parameters if Azure NetApp Files is used.

Variable	Description	Type	Notes
`anf_subnet_arm_id`	The Azure resource identifier for the `ANF` subnet	Required	When using existing subnets
`anf_subnet_address_prefix`	The address range for the `ANF` subnet	Required	When using `ANF` for deployments
`anf_subnet_name`	The name of the `ANF` subnet	Optional
`anf_subnet_nsg_name`	The name of the `anf` network security group	Optional
`anf_subnet_nsg_arm_id`	The Azure resource identifier for the `anf` network security group	Optional	For brown-field deployments

This table contains the networking parameters if iSCSI devices are hosted from this workload zone.

Variable	Description	Type	Notes
`iscsi_subnet_address_prefix`	The address range for the `iscsi` subnet	Mandatory	For green-field deployments
`iscsi_subnet_arm_id`	The Azure resource identifier for the `iscsi` subnet	Mandatory	For brown-field deployments
`iscsi_subnet_name`	The name of the `iscsi` subnet	Optional
`iscsi_subnet_nsg_arm_id`	The Azure resource identifier for the `iscsi` network security group	Mandatory	For brown-field deployments
`iscsi_subnet_nsg_name`	The name of the `iscsi` network security group	Optional

This table contains the networking parameters if Azure Monitor for SAP is hosted from this workload zone.

Variable	Description	Type	Notes
`ams_subnet_address_prefix`	The address range for the `iscsi` subnet	Mandatory	For green-field deployments
`ams_subnet_arm_id`	The Azure resource identifier for the `iscsi` subnet	Mandatory	For brown-field deployments
`ams_subnet_name`	The name of the `iscsi` subnet	Optional
`ams_subnet_nsg_arm_id`	The Azure resource identifier for the `iscsi` network security group	Mandatory	For brown-field deployments
`ams_subnet_nsg_name`	The name of the `iscsi` network security group	Optional

This table contains additional networking parameters.

Variable	Description	Type	Notes
`use_private_endpoint`	Are private endpoints created for storage accounts and key vaults.	Optional
`use_service_endpoint`	Are service endpoints defined for the subnets.	Optional
`peer_with_control_plane_vnet`	Are virtual networks peered with the control plane virtual network.	Optional	Required for the SAP Installation
`public_network_access_enabled`	Is public access enabled on the storage accounts and key vaults	Optional

Minimum required network definition

network_logical_name = "SAP01"
network_address_space = "10.110.0.0/16"

db_subnet_address_prefix = "10.110.96.0/19"
app_subnet_address_prefix = "10.110.32.0/19"

Authentication parameters

This table defines the credentials used for defining the virtual machine authentication.

Variable	Description	Type	Notes
`automation_username`	Administrator account name	Optional	Default: `azureadm`
`automation_password`	Administrator password	Optional
`automation_path_to_public_key`	Path to existing public key	Optional
`automation_path_to_private_key`	Path to existing private key	Optional
`use_spn`	If defined the deployment will be performed using a Service Principal, otherwise an MSI	Optional

Minimum required authentication definition

automation_username = "azureadm"

Key vault parameters

This table defines the parameters used for defining the key vault information.

Variable	Description	Type	Notes
`spn_keyvault_id`	Azure resource identifier for existing deployment credentials (SPNs) key vault	Optional
`user_keyvault_id`	Azure resource identifier for existing system credentials key vault	Optional
`additional_users_to_add_to_keyvault_policies`	A list of user object IDs to add to the deployment key vault access policies	Optional
`enable_purge_control_for_keyvaults`	Disables the purge protection for Azure key vaults	Optional	Use only for test environments.
`enable_rbac_authorization_for_keyvault`	Enables RBAC on key vaults	Optional
`soft_delete_retention_days`	The number of days that items should be retained in the soft delete period	Optional
`keyvault_private_endpoint_id`	Azure resource ID of the key vault's private endpoint	Optional

Private DNS

Variable	Description	Type
`dns_label`	If specified, is the DNS name of the private DNS zone	Optional
`dns_resource_group_name`	The name of the resource group that contains the private DNS zone	Optional
`register_virtual_network_to_dns`	Controls if the SAP Virtual Network is registered with the private DNS zone	Optional
`dns_server_list`	If specified, a list of DNS Server IP addresses	Optional

NFS support

Variable	Description	Type	Notes
`create_transport_storage`	If defined, create storage for the transport directories.	Optional
`export_install_path`	If provided, export mount path for the installation media.	Optional
`export_transport_path`	If provided, export mount path for the transport share.	Optional
`install_always_create_fileshares`	Always create file shares.	Optional
`install_private_endpoint_id`	Azure resource ID for the `install` private endpoint.	Optional	For existing endpoints
`install_volume_size`	Defines the size (in GB) for the `install` volume.	Optional
`NFS_provider`	Defines what NFS back end to use.	Optional	The options are `AFS` for Azure Files NFS or `ANF` for Azure NetApp Files, `NONE` for NFS from the SCS server, or `NFS` for an external NFS solution.
`transport_private_endpoint_id`	Azure resource ID of the key vault's private endpoint	Optional
`transport_volume_size`	Defines the size (in GB) for the `transport` volume.	Optional
`use_AFS_for_installation_media`	If provided, uses AFS for the installation media.	Optional

Azure Files NFS support

Variable	Description	Type	Notes
`install_storage_account_id`	Azure resource identifier for the `install` storage account	Optional	For brown-field deployments
`transport_storage_account_id`	Azure resource identifier for the `transport` storage account	Optional	For brown-field deployments
`Storage account replication type`	Storage account replication type, default ZRS	Optional

Minimum required Azure Files NFS definition

NFS_provider              = "AFS"
use_private_endpoint      = true

Azure NetApp Files support

Variable	Description	Type	Notes
`ANF_account_name`	Name for the Azure NetApp Files account	Optional
`ANF_service_level`	Service level for the Azure NetApp Files capacity pool	Optional
`ANF_pool_size`	The size (in GB) of the Azure NetApp Files capacity pool	Optional
`ANF_qos_type`	The quality of service type of the pool (auto or manual)	Optional
`ANF_use_existing_pool`	Use existing for the Azure NetApp Files capacity pool	Optional
`ANF_pool_name`	The name of the Azure NetApp Files capacity pool	Optional
`ANF_account_arm_id`	Azure resource identifier for the Azure NetApp Files account	Optional	For brown-field deployments

`ANF_transport_volume_use_existing`	Defines if an existing transport volume is used	Optional
`ANF_transport_volume_name`	Defines the transport volume name	Optional	For brown-field deployments
`ANF_transport_volume_size`	Defines the size of the transport volume in GB	Optional
`ANF_transport_volume_throughput`	Defines the throughput of the transport volume	Optional
`ANF_transport_volume_zone`	Defines the availability zone of the transport volume	Optional

`ANF_install_volume_use_existing`	Defines if an existing install volume is used	Optional
`ANF_install_volume_name`	Defines the install volume name	Optional	For brown-field deployments
`ANF_install_volume_size`	Defines the size of the install volume in GB	Optional
`ANF_install_volume_throughput`	Defines the throughput of the install volume	Optional
`ANF_install_volume_zone`	Defines the availability zone of the install volume	Optional

Minimum required ANF definition

NFS_provider              = "ANF"
anf_subnet_address_prefix = "10.110.64.0/27"
ANF_service_level         = "Ultra"

DNS support

Variable	Description	Type
`dns_label`	DNS name of the private DNS zone.	Optional
`management_dns_resourcegroup_name`	Resource group that contains the private DNS zone.	Optional
`management_dns_subscription_id`	Subscription ID for the subscription that contains the private DNS zone.	Optional
`use_custom_dns_a_registration`	Use an existing private DNS zone.	Optional

NAT support

Variable	Description	Type
`deploy_nat_gateway`	If set, deploys a NAT gateway.	Optional
`nat_gateway_name`	The name of the NAT Gateway.	Optional
`nat_gateway_arm_id`	The Azure resource identifier of the NAT Gateway.	Optional
`nat_gateway_public_ip_zones`	The zones for the NAT Gateway public IP address	Optional
`nat_gateway_public_ip_arm_id`	TThe Azure resource identifier for the NAT Gateway public IP address	Optional
`nat_gateway_idle_timeout_in_minutes`	The idle timeout in minutes for the NAT Gateway (default=4)	Optional
`nat_gateway_public_ip_tags`	Tags for the public IP resource	Optional

Other parameters

Variable	Description	Type	Notes
`diagnostics_storage_account_arm_id`	The Azure resource identifier for the diagnostics storage account.	Required	For brown-field deployments.
`place_delete_lock_on_resources`	Places delete locks on the key vaults and the virtual network	Optional
`witness_storage_account_arm_id`	The Azure resource identifier for the witness storage account.	Required	For brown-field deployments.
`Agent_IP`	IP address of the agent.	Optional
`add_Agent_IP`	Controls if Agent IP is added to the key vault and storage account firewalls	Optional
`enable_firewall_for_keyvaults_and_storage`	Restrict access to selected subnets.	Optional

iSCSI parameters

Variable	Description	Type	Notes
`iscsi_authentication_type`	Defines the default authentication for the iSCSI virtual machines	Optional
`iscsi_authentication_username`	Administrator account name	Optional
`iscsi_count`	The number of iSCSI virtual machines	Optional
`iscsi_size`	The size of iSCSI virtual machines	Optional
`iscsi_image`	Defines the virtual machine image to use (next table)	Optional
`iscsi_nic_ips`	IP addresses for the iSCSI virtual machines	Optional	Ignored if `iscsi_use_DHCP` is defined
`iscsi_use_DHCP`	Controls whether to use dynamic IP addresses provided by the Azure subnet	Optional
`iscsi_vm_zones`	Availability zones for the iSCSI Virtual Machines	Optional

Utility VM parameters

Variable	Description	Type	Notes
`utility_vm_count`	Defines the number of utility virtual machines to deploy	Optional	Use the utility virtual machine to host SAPGui
`utility_vm_image`	Defines the virtual machine image to use	Optional	Default: Windows Server 2019
`utility_vm_nic_ips`	Defines the IP addresses for the virtual machines	Optional
`utility_vm_os_disk_size`	Defines the size of the OS disk for the Virtual Machine	Optional	Default: 128
`utility_vm_os_disk_type`	Defines the type of the OS disk for the Virtual Machine	Optional	Default: Premium_LRS
`utility_vm_size`	Defines the SKU for the utility virtual machines	Optional	Default: Standard_D4ds_v4
`utility_vm_useDHCP`	Defines if Azure subnet provided IPs should be used	Optional
`user_assigned_identity_id	User assigned identity to assign to the virtual machines	Optional

The virtual machine and the operating system image are defined by using the following structure:

{
  os_type         = "linux"
  type            = "marketplace"
  source_image_id = ""
  publisher       = "SUSE"
  offer           = "sles-sap-15-sp5"
  sku             = "gen2"
  version=        " latest"
}

Azure Monitor for SAP parameters

Variable	Description	Type
`create_ams_instance`	Defines if an Azure Monitor for SAP instance should be created	Optional
`ams_instance_name`	Defines the name of the instance	Optional
`ams_laws_arm_id`	Defines the ARM resource ID for the Log Analytics Workspace	Optional

Terraform parameters

This table contains the Terraform parameters. These parameters need to be entered manually if you're not using the deployment scripts.

Variable	Description	Type
`tfstate_resource_id`	The Azure resource identifier for the storage account in the SAP library that contains the Terraform state files.	Required
`deployer_tfstate_key`	The name of the state file for the deployer.	Required

Next step

About SAP system deployment in automation framework

Share via