Workload zone configuration in the SAP automation framework

An SAP application typically has multiple development tiers. For example, you might have development, quality assurance, and production tiers. SAP Deployment Automation Framework calls these tiers workload zones. See the following diagram for an example of a workload zone with two SAP systems.

Diagram that shows SAP workflow zones and systems.

The workload zone provides shared services to all of the SAP Systems in the workload zone. These shared services include:

  • Azure Virtual Network
  • Azure Key Vault
  • Shared Azure Storage Account for installation media
  • Azure NetApp Files account and capacity pool (optional)

The workload zone is typically deployed in a spoke subscription, and all the artifacts in the workload zone are deployed by using a unique service principal.

Workload zone deployment configuration

The configuration of the SAP workload zone is done via a Terraform tfvars variable file. You can find examples of the variable file in the samples/WORKSPACES/LANDSCAPE folder.

The following sections show the different sections of the variable file.

Environment parameters

This table contains the parameters that define the environment settings.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| environment | Identifier for the workload zone (max five characters) | Mandatory | For example, PROD for a production environment and QA for a Quality Assurance environment. |
| location | The Azure region in which to deploy | Required | |
| name_override_file | Name override file | Optional | See Custom naming. |
| tags | A dictionary of tags to associate with all resources. | Optional | |

Resource group parameters

This table contains the parameters that define the resource group.

| Variable | Description | Type |
| --- | --- | --- |
| resourcegroup_name | Name of the resource group to be created | Optional |
| resourcegroup_arm_id | Azure resource identifier for an existing resource group | Optional |
| resourcegroup_tags | Tags to be associated with the resource group | Optional |

Network parameters

The automation framework supports creating the virtual network and the subnets (green field), using an existing virtual network and existing subnets (brown field), or a combination of green field and brown field:

  • Green-field scenario: The virtual network address space and the subnet address prefixes must be specified.
  • Brown-field scenario: The Azure resource identifier for the virtual network and the subnets must be specified.

Ensure that the virtual network address space is large enough to host all the resources.

This table contains the networking parameters.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| network_logical_name | The logical name of the network, for example, SAP01 | Required | Used for resource naming |
| network_name | The name of the network | Optional | |
| network_arm_id | The Azure resource identifier for the virtual network | Optional | For brown-field deployments |
| network_address_space | The address range for the virtual network | Mandatory | For green-field deployments |
| admin_subnet_address_prefix | The address range for the admin subnet | Mandatory | For green-field deployments |
| admin_subnet_arm_id | The Azure resource identifier for the admin subnet | Mandatory | For brown-field deployments |
| admin_subnet_name | The name of the admin subnet | Optional | |
| admin_subnet_nsg_name | The name of the admin network security group | Optional | |
| admin_subnet_nsg_arm_id | The Azure resource identifier for the admin network security group | Mandatory | For brown-field deployments |
| db_subnet_address_prefix | The address range for the db subnet | Mandatory | For green-field deployments |
| db_subnet_arm_id | The Azure resource identifier for the db subnet | Mandatory | For brown-field deployments |
| db_subnet_name | The name of the db subnet | Optional | |
| db_subnet_nsg_name | The name of the db network security group | Optional | |
| db_subnet_nsg_arm_id | The Azure resource identifier for the db network security group | Mandatory | For brown-field deployments |
| app_subnet_address_prefix | The address range for the app subnet | Mandatory | For green-field deployments |
| app_subnet_arm_id | The Azure resource identifier for the app subnet | Mandatory | For brown-field deployments |
| app_subnet_name | The name of the app subnet | Optional | |
| app_subnet_nsg_name | The name of the app network security group | Optional | |
| app_subnet_nsg_arm_id | The Azure resource identifier for the app network security group | Mandatory | For brown-field deployments |
| web_subnet_address_prefix | The address range for the web subnet | Mandatory | For green-field deployments |
| web_subnet_arm_id | The Azure resource identifier for the web subnet | Mandatory | For brown-field deployments |
| web_subnet_name | The name of the web subnet | Optional | |
| web_subnet_nsg_name | The name of the web network security group | Optional | |
| web_subnet_nsg_arm_id | The Azure resource identifier for the web network security group | Mandatory | For brown-field deployments |

This table contains the networking parameters if Azure NetApp Files is used.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| anf_subnet_arm_id | The Azure resource identifier for the ANF subnet | Required | When using existing subnets |
| anf_subnet_address_prefix | The address range for the ANF subnet | Required | When using ANF for deployments |
| anf_subnet_name | The name of the ANF subnet | Optional | |
| anf_subnet_nsg_name | The name of the ANF network security group | Optional | |
| anf_subnet_nsg_arm_id | The Azure resource identifier for the ANF network security group | Optional | For brown-field deployments |

This table contains the networking parameters if iSCSI devices are hosted from this workload zone.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| iscsi_subnet_address_prefix | The address range for the iscsi subnet | Mandatory | For green-field deployments |
| iscsi_subnet_arm_id | The Azure resource identifier for the iscsi subnet | Mandatory | For brown-field deployments |
| iscsi_subnet_name | The name of the iscsi subnet | Optional | |
| iscsi_subnet_nsg_arm_id | The Azure resource identifier for the iscsi network security group | Mandatory | For brown-field deployments |
| iscsi_subnet_nsg_name | The name of the iscsi network security group | Optional | |

This table contains the networking parameters if Azure Monitor for SAP is hosted from this workload zone.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| ams_subnet_address_prefix | The address range for the AMS subnet | Mandatory | For green-field deployments |
| ams_subnet_arm_id | The Azure resource identifier for the AMS subnet | Mandatory | For brown-field deployments |
| ams_subnet_name | The name of the AMS subnet | Optional | |
| ams_subnet_nsg_arm_id | The Azure resource identifier for the AMS network security group | Mandatory | For brown-field deployments |
| ams_subnet_nsg_name | The name of the AMS network security group | Optional | |

This table contains additional networking parameters.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| use_private_endpoint | Are private endpoints created for storage accounts and key vaults. | Optional | |
| use_service_endpoint | Are service endpoints defined for the subnets. | Optional | |
| peer_with_control_plane_vnet | Are virtual networks peered with the control plane virtual network. | Optional | Required for the SAP Installation |
| public_network_access_enabled | Is public access enabled on the storage accounts and key vaults | Optional | |

Minimum required network definition

network_logical_name = "SAP01"
network_address_space = "10.110.0.0/16"

db_subnet_address_prefix = "10.110.96.0/19"
app_subnet_address_prefix = "10.110.32.0/19"
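The following check is an added example, not part of the framework: it validates the subnet prefixes of a workload zone file against `network_address_space` and against each other before deployment. The parser, the function names, and the combined sample file are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the page's minimum network and ANF definitions combined.
SAMPLE_TFVARS = '''
network_logical_name = "SAP01"
network_address_space = "10.110.0.0/16"
db_subnet_address_prefix = "10.110.96.0/19"
app_subnet_address_prefix = "10.110.32.0/19"
anf_subnet_address_prefix = "10.110.64.0/27"
'''

def parse_tfvars(text):
    """Read simple `name = "value"` lines; lists and maps are not handled."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', text, re.M))

def check_network(settings):
    """Return findings for the subnet prefixes in a workload zone file."""
    findings, subnets = [], {}
    for key, value in sorted(settings.items()):
        if key.endswith("_subnet_address_prefix"):
            try:
                subnets[key] = ipaddress.ip_network(value)
            except ValueError as err:  # malformed CIDR or host bits set
                findings.append(f"{key}: {err}")
    space = settings.get("network_address_space")
    if space:
        # Green field: every new subnet must fit inside the address space.
        vnet = ipaddress.ip_network(space)
        for key, net in subnets.items():
            if not net.subnet_of(vnet):
                findings.append(f"{key}: {net} is outside {vnet}")
    elif "network_arm_id" not in settings:
        findings.append("set network_address_space or network_arm_id")
    # Subnets must not overlap, whether the network is new or existing.
    names = list(subnets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if subnets[first].overlaps(subnets[second]):
                findings.append(f"{first} overlaps {second}")
    return findings

if __name__ == "__main__":
    for finding in check_network(parse_tfvars(SAMPLE_TFVARS)):
        print(finding)
```

When only `network_arm_id` is given, the containment check is skipped because the existing address space is not in the file; overlap between newly defined subnets is still reported.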

Authentication parameters

This table defines the credentials used for virtual machine authentication.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| automation_username | Administrator account name | Optional | Default: azureadm |
| automation_password | Administrator password | Optional | |
| automation_path_to_public_key | Path to existing public key | Optional | |
| automation_path_to_private_key | Path to existing private key | Optional | |
| use_spn | If defined the deployment will be performed using a Service Principal, otherwise an MSI | Optional | |

Minimum required authentication definition

automation_username = "azureadm"

Key vault parameters

This table defines the key vault parameters.

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| spn_keyvault_id | Azure resource identifier for existing deployment credentials (SPNs) key vault | Optional | |
| user_keyvault_id | Azure resource identifier for existing system credentials key vault | Optional | |
| additional_users_to_add_to_keyvault_policies | A list of user object IDs to add to the deployment key vault access policies | Optional | |
| enable_purge_control_for_keyvaults | Disables the purge protection for Azure key vaults | Optional | Use only for test environments. |
| enable_rbac_authorization_for_keyvault | Enables RBAC on key vaults | Optional | |
| soft_delete_retention_days | The number of days that items should be retained in the soft delete period | Optional | |
| keyvault_private_endpoint_id | Azure resource ID of the key vault's private endpoint | Optional | |

Private DNS

| Variable | Description | Type |
| --- | --- | --- |
| dns_label | If specified, is the DNS name of the private DNS zone | Optional |
| dns_resource_group_name | The name of the resource group that contains the private DNS zone | Optional |
| register_virtual_network_to_dns | Controls if the SAP Virtual Network is registered with the private DNS zone | Optional |
| dns_server_list | If specified, a list of DNS Server IP addresses | Optional |

NFS support

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| create_transport_storage | If defined, create storage for the transport directories. | Optional | |
| export_install_path | If provided, export mount path for the installation media. | Optional | |
| export_transport_path | If provided, export mount path for the transport share. | Optional | |
| install_always_create_fileshares | Always create file shares. | Optional | |
| install_private_endpoint_id | Azure resource ID for the install private endpoint. | Optional | For existing endpoints |
| install_volume_size | Defines the size (in GB) for the install volume. | Optional | |
| NFS_provider | Defines what NFS back end to use. | Optional | The options are AFS for Azure Files NFS or ANF for Azure NetApp Files, NONE for NFS from the SCS server, or NFS for an external NFS solution. |
| transport_private_endpoint_id | Azure resource ID of the key vault's private endpoint | Optional | |
| transport_volume_size | Defines the size (in GB) for the transport volume. | Optional | |
| use_AFS_for_installation_media | If provided, uses AFS for the installation media. | Optional | |

Azure Files NFS support

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| install_storage_account_id | Azure resource identifier for the install storage account | Optional | For brown-field deployments |
| transport_storage_account_id | Azure resource identifier for the transport storage account | Optional | For brown-field deployments |
| Storage account replication type | Storage account replication type, default ZRS | Optional | |

Minimum required Azure Files NFS definition

NFS_provider              = "AFS"
use_private_endpoint      = true

Azure NetApp Files support

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| ANF_account_name | Name for the Azure NetApp Files account | Optional | |
| ANF_service_level | Service level for the Azure NetApp Files capacity pool | Optional | |
| ANF_pool_size | The size (in GB) of the Azure NetApp Files capacity pool | Optional | |
| ANF_qos_type | The quality of service type of the pool (auto or manual) | Optional | |
| ANF_use_existing_pool | Use existing for the Azure NetApp Files capacity pool | Optional | |
| ANF_pool_name | The name of the Azure NetApp Files capacity pool | Optional | |
| ANF_account_arm_id | Azure resource identifier for the Azure NetApp Files account | Optional | For brown-field deployments |
| ANF_transport_volume_use_existing | Defines if an existing transport volume is used | Optional | |
| ANF_transport_volume_name | Defines the transport volume name | Optional | For brown-field deployments |
| ANF_transport_volume_size | Defines the size of the transport volume in GB | Optional | |
| ANF_transport_volume_throughput | Defines the throughput of the transport volume | Optional | |
| ANF_transport_volume_zone | Defines the availability zone of the transport volume | Optional | |
| ANF_install_volume_use_existing | Defines if an existing install volume is used | Optional | |
| ANF_install_volume_name | Defines the install volume name | Optional | For brown-field deployments |
| ANF_install_volume_size | Defines the size of the install volume in GB | Optional | |
| ANF_install_volume_throughput | Defines the throughput of the install volume | Optional | |
| ANF_install_volume_zone | Defines the availability zone of the install volume | Optional | |

Minimum required ANF definition

NFS_provider              = "ANF"
anf_subnet_address_prefix = "10.110.64.0/27"
ANF_service_level         = "Ultra"

DNS support

| Variable | Description | Type |
| --- | --- | --- |
| dns_label | DNS name of the private DNS zone. | Optional |
| management_dns_resourcegroup_name | Resource group that contains the private DNS zone. | Optional |
| management_dns_subscription_id | Subscription ID for the subscription that contains the private DNS zone. | Optional |
| use_custom_dns_a_registration | Use an existing private DNS zone. | Optional |

NAT support

| Variable | Description | Type |
| --- | --- | --- |
| deploy_nat_gateway | If set, deploys a NAT gateway. | Optional |
| nat_gateway_name | The name of the NAT Gateway. | Optional |
| nat_gateway_arm_id | The Azure resource identifier of the NAT Gateway. | Optional |
| nat_gateway_public_ip_zones | The zones for the NAT Gateway public IP address | Optional |
| nat_gateway_public_ip_arm_id | The Azure resource identifier for the NAT Gateway public IP address | Optional |
| nat_gateway_idle_timeout_in_minutes | The idle timeout in minutes for the NAT Gateway (default=4) | Optional |
| nat_gateway_public_ip_tags | Tags for the public IP resource | Optional |

Other parameters

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| diagnostics_storage_account_arm_id | The Azure resource identifier for the diagnostics storage account. | Required | For brown-field deployments. |
| place_delete_lock_on_resources | Places delete locks on the key vaults and the virtual network | Optional | |
| witness_storage_account_arm_id | The Azure resource identifier for the witness storage account. | Required | For brown-field deployments. |
| Agent_IP | IP address of the agent. | Optional | |
| add_Agent_IP | Controls if Agent IP is added to the key vault and storage account firewalls | Optional | |
| enable_firewall_for_keyvaults_and_storage | Restrict access to selected subnets. | Optional | |
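The following pre-deployment lint is an added example, not part of the framework: it flags explicit values in a workload zone file that widen network exposure of the storage accounts and key vaults or place the administrator password in the file. The rule set, the function names, and the sample file are assumptions of this example; unset variables are not evaluated because this page does not state their defaults.

```python
import re

# Constructed sample workload zone file; every value is illustrative.
SAMPLE_TFVARS = '''
environment = "PROD"
use_private_endpoint = false
public_network_access_enabled = true
enable_firewall_for_keyvaults_and_storage = false
automation_username = "azureadm"
automation_password = "Example-Only-1!"
'''

# (variable, explicit value that is flagged, finding text).
# The choice of rules is an assumption of this example.
RULES = [
    ("public_network_access_enabled", "true",
     "public access is enabled on the storage accounts and key vaults"),
    ("use_private_endpoint", "false",
     "no private endpoints for the storage accounts and key vaults"),
    ("enable_firewall_for_keyvaults_and_storage", "false",
     "access is not restricted to selected subnets"),
]

def parse_tfvars(text):
    """Read simple `name = value` lines; lists and maps are not handled."""
    pairs = re.findall(r'^\s*(\w+)\s*=\s*(.+?)\s*$', text, re.M)
    return {name: value.strip('"') for name, value in pairs}

def lint_workload_zone(settings):
    """Return (variable, finding) pairs for a parsed workload zone file."""
    findings = []
    # The environment identifier is mandatory and at most five characters.
    if not 1 <= len(settings.get("environment", "")) <= 5:
        findings.append(("environment", "must be set, max five characters"))
    for name, flagged, message in RULES:
        if settings.get(name, "").lower() == flagged:
            findings.append((name, message))
    # A literal password in the file ends up in source control and state.
    if settings.get("automation_password"):
        findings.append(("automation_password",
                         "administrator password is stored in clear text"))
    return findings

if __name__ == "__main__":
    for name, message in lint_workload_zone(parse_tfvars(SAMPLE_TFVARS)):
        print(f"{name}: {message}")
```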

iSCSI parameters

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| iscsi_authentication_type | Defines the default authentication for the iSCSI virtual machines | Optional | |
| iscsi_authentication_username | Administrator account name | Optional | |
| iscsi_count | The number of iSCSI virtual machines | Optional | |
| iscsi_size | The size of iSCSI virtual machines | Optional | |
| iscsi_image | Defines the virtual machine image to use (next table) | Optional | |
| iscsi_nic_ips | IP addresses for the iSCSI virtual machines | Optional | Ignored if iscsi_use_DHCP is defined |
| iscsi_use_DHCP | Controls whether to use dynamic IP addresses provided by the Azure subnet | Optional | |
| iscsi_vm_zones | Availability zones for the iSCSI Virtual Machines | Optional | |

Utility VM parameters

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| utility_vm_count | Defines the number of utility virtual machines to deploy | Optional | Use the utility virtual machine to host SAPGui |
| utility_vm_image | Defines the virtual machine image to use | Optional | Default: Windows Server 2019 |
| utility_vm_nic_ips | Defines the IP addresses for the virtual machines | Optional | |
| utility_vm_os_disk_size | Defines the size of the OS disk for the Virtual Machine | Optional | Default: 128 |
| utility_vm_os_disk_type | Defines the type of the OS disk for the Virtual Machine | Optional | Default: Premium_LRS |
| utility_vm_size | Defines the SKU for the utility virtual machines | Optional | Default: Standard_D4ds_v4 |
| utility_vm_useDHCP | Defines if Azure subnet provided IPs should be used | Optional | |
| user_assigned_identity_id | User assigned identity to assign to the virtual machines | Optional | |

The virtual machine and the operating system image are defined by using the following structure:

{
  os_type         = "linux"
  type            = "marketplace"
  source_image_id = ""
  publisher       = "SUSE"
  offer           = "sles-sap-15-sp5"
  sku             = "gen2"
  version         = "latest"
}

Azure Monitor for SAP parameters

| Variable | Description | Type | Notes |
| --- | --- | --- | --- |
| create_ams_instance | Defines if an Azure Monitor for SAP instance should be created | Optional | |
| ams_instance_name | Defines the name of the instance | Optional | |
| ams_laws_arm_id | Defines the ARM resource ID for the Log Analytics Workspace | Optional | |

Terraform parameters

This table contains the Terraform parameters. These parameters need to be entered manually if you're not using the deployment scripts.

| Variable | Description | Type |
| --- | --- | --- |
| tfstate_resource_id | The Azure resource identifier for the storage account in the SAP library that contains the Terraform state files. | Required |
| deployer_tfstate_key | The name of the state file for the deployer. | Required |
