In this document, I will explain in detail how to manage an SAP Hana 2.0 SP2 instance with SAP LaMa 3.0 SP5 in a hybrid landscape spanning on-premise and Microsoft Azure.
To monitor my hybrid solution, I will explain how to configure Solution Manager 7.2 accordingly.
Aside from the SAP components, I will also cover the network implications of such a configuration, which include the IPsec connection between my lab and Azure using pfSense and the DNS setup for name resolution between both sites.
For my setup, I will use my own lab on VMware vSphere 6.5 U1, SAP LaMa 3.0 SP5, SAP Solution Manager 7.2, pfSense 2.4.2 and my own Microsoft Azure subscription.
Disclaimer: My deployment is for test purposes only; I keep the security simple from a network perspective to realize this configuration and use open source software.
Best practice: Before starting anything, make sure to read all the notes relevant to your deployment, read the product guide for each component that you intend to deploy and make sure that you have done the sizing exercise properly.
Be careful about restrictions and what is supported or not; this will avoid unnecessary hiccups.
Order of execution
- Configure the IPSec VPN with Azure
- Setup DNS for mutual FQDN resolution
- Configure Microsoft Azure connector for SAP LaMa
- Register SAP Hana 2.0 from Azure in SAP LaMa
- Setup Replication between On-Premise and Azure with SAP LaMa
- Configure Solution Manager monitoring
- Perform SAP Hana takeover with SAP LaMa
SAP LaMa 3.0
- SAP Landscape Management 3.0, Enterprise Edition
SAP Hana Platform SP2.0
- SAP HANA Administration Guide
- SAP HANA Technical Operations Manual
- SAP HANA Application Lifecycle Management
- pfSense Deployment and Installation Guide
- 2585259 – SAP Landscape Management 3.0 SP05 Patch02
- 2343511 – Microsoft Azure connector for SAP Landscape Management (LaMa)
- 1709155 – System Provisioning with SAP Landscape Virtualization Management
- 2050537 – Support for SAP HANA in SAP Landscape Management
- 2488113 – Discover SAP HANA Multitenant Database Containers in SAP LaMa 3.0
- 2039615 – Managing system landscapes with SAP Landscape Management Enterprise Edition
- 1438774 – New profile parameter system/uuid and system/description
- SAP Landscape Management 3.0, Enterprise Edition
- SAP Help Portal – The central place for SAP documentation
- Microsoft Azure Documentation
- Netgate pfSense
This picture shows in detail the components deployed on each server, such as add-ons and product versions; the communication protocols are shown too, but I intentionally omit the ports.
From a detailed component point of view, to ensure transparent and secure connectivity between my on-premise environment and Azure, I will configure pfSense and the Azure gateway to create an IPsec VPN tunnel.
The management of my SAP Hana instance is done through SAP LaMa 3.0 SP5, which will include the Azure Connector to interact with Azure VMs.
Solution Manager 7.2 SP6 is used for advanced integration monitoring for my hybrid solution.
To ensure reliable name resolution, two DNS servers are configured and replicated as read-only to each other.
Configure the IPsec VPN with Azure
From a topology point of view, the picture below shows how my network is set up at a high level.
On the left side of the picture, I have configured my VMware DvSwitch, which serves 2 different subnets: one is configured as vLan (Local) for my local server network, and the other as vWan (Firewall) for internet access.
To set up my VPN, I have installed pfSense, which acts as a virtual firewall/router.
My pfSense is configured with 2 NICs: one for the WAN network, to provide internet access to the VMs within my vLan network through the second NIC (LAN), which acts as a gateway.
On the right side of the picture, on Azure, I will configure multiple components to create the associated VPN connection: the virtual network and subnet, the virtual network gateway and the local network gateway.
Let's start with the Azure configuration by creating the virtual network and subnet
My vNet range is 10.0.0.0/23 and my subnet range is 10.0.0.0/24
Once created, I select my newly created vNet and select “Subnet” to create the gateway subnet
And define my Gateway subnet as 10.0.1.0/24
Now let’s create my virtual network gateway: select virtual network gateway from the service marketplace
I specify the name of my gateway and choose VPN with the Route-based VPN type; because I don’t need high bandwidth, I select the Basic SKU. I map my gateway to the virtual network created earlier and create the public IP
Note: the creation of the gateway can take up to 45 min
Finally, I will create my local network gateway
I provide a name for my local gateway, enter my public IP and give my internal local address space where the VMs need to be reached
Once created, I select my newly created local network gateway and click on connection to assign the virtual network gateway and set my shared key, which will be used with my pfSense.
With that completed, I will configure my pfSense. On the web interface I select VPN –> IPsec
Click on Add P1
In the general information, I use WAN for the Interface option and provide the Azure gateway public IP address
For the authentication method I select Mutual PSK and provide the Pre-Shared Key set up in Azure while creating the local gateway
And finally, for the algorithms, I specify AES 256 with SHA256 and save the configuration
Once done, on the created connection I click Add P2
In the general information, I choose LAN subnet for the local network, and for the remote network I specify the address range configured previously for my Azure vNet
And finally, under SA/Key Exchange, I define the protocol as ESP with encryption algorithm AES256 and hash algorithm SHA1 and save my configuration
My setup is done
Let’s have a look at the IPsec status first from pfSense
And from the Azure side, to see the status of my connection
My VPN connection is fully configured; I will do a quick check from my local network to Azure
It works: I can RDP from my local network to Azure by using the private IP. With this first part completed, I will configure my DNS in order to resolve domains and hostnames in both directions.
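The address ranges chosen in this section can be checked for containment and overlap before the gateways are built. The following is an added example, not part of the original post; the subnet name `default` and the on-premise range `192.168.1.0/24` are assumptions, since the post does not state them.

```python
import ipaddress


def check_address_plan(vnet, subnets, onprem):
    """Return a list of problems found in a site-to-site VPN address plan.

    vnet    -- CIDR of the Azure virtual network
    subnets -- {name: CIDR} of the subnets carved out of the vNet
    onprem  -- CIDRs declared in the Azure local network gateway
    """
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # Every Azure subnet, the gateway subnet included, must sit inside the vNet.
    for name, net in nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside vNet {vnet_net}")

    # Subnets of the same vNet must not overlap each other.
    names = sorted(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(
                    f"{first} {nets[first]} overlaps {second} {nets[second]}")

    # An on-premise range that overlaps the vNet cannot be routed over the
    # tunnel unambiguously, so the two Phase 2 networks must be disjoint.
    for cidr in onprem:
        net = ipaddress.ip_network(cidr)
        if net.overlaps(vnet_net):
            problems.append(f"on-premise {net} overlaps vNet {vnet_net}")
    return problems


# vNet and subnet ranges from the post; "default" and the on-premise LAN
# are assumed values used only for this example.
VNET = "10.0.0.0/23"
SUBNETS = {"default": "10.0.0.0/24", "GatewaySubnet": "10.0.1.0/24"}
ONPREM = ["192.168.1.0/24"]

if __name__ == "__main__":
    result = check_address_plan(VNET, SUBNETS, ONPREM)
    for line in result or ["address plan is consistent"]:
        print(line)
```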
Setup DNS for mutual name resolution
My hybrid scenario consists of using Azure as a DR site; to do so I have installed two DNS servers with two distinct FQDNs.
My local FQDN is mtl.will.lab and Azure is us.will.lab
To make the resolution work both ways, on the primary DNS I right-click on my primary zone and click on Properties, then I select Zone Transfers and add the IP of my Azure DNS server
And do the same for the reverse lookup zone
Now on Azure, I go to my secondary DNS server and proceed the same way
Now I go back to my primary DNS (local) and define a secondary Forward Lookup Zone to match my Azure domain
And do the same in the Reverse Lookup Zone
I have followed the same steps on the Azure DNS server
So now from my local network I will try to resolve the Azure FQDN; to do so I have added a temporary entry to make a quick test
Now from my local server I run nslookup and it’s working
My DNS resolution is working on both sides; now I can configure the SAP LaMa Azure connector
Configure Microsoft Azure connector for SAP LaMa
The Azure connector for SAP LaMa will allow me to perform several operations directly on Azure, such as activating or powering off VMs, relocating SAP systems or performing SAP system copy/clone.
However, not all Azure resources are supported: only VMs deployed by ARM with managed disks are supported, and VMs deployed in an availability zone are currently not supported.
That said, let’s proceed with the setup. From Azure I will start by registering a new app in AAD
Note that the URL can be random since the sign-on URL is not used
With my new app created, I click on Settings and select Keys to create a new key; I note the Application ID since it is used as the user name of the service principal.
Once saved, my key value appears, so I save it
Let’s now give my service principal user access to my entire Azure subscription: from the subscription list I choose my subscription and click on IAM to add the user
As a permission I provide “Owner” so that the user has full control over my subscription resources, and as username I provide the application ID
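Because the connector's service principal receives Owner on the whole subscription, it is worth listing which application identities hold that kind of grant. The following is an added example, not part of the original post: it reads role assignments in the JSON shape printed by `az role assignment list --all --output json` and reports service principals with a broad role at subscription scope or above. The sample records, GUIDs and resource group name are constructed, and the set of roles treated as broad is this example's assumption.

```python
import json

# Built-in roles treated as broad in this example (the set is an assumption).
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if not parts or parts[0].lower() == "providers":
        return "managementGroup"      # "/" (root) or a management group
    if len(parts) == 2:
        return "subscription"         # /subscriptions/<id>
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"        # /subscriptions/<id>/resourceGroups/<rg>
    return "resource"


def broad_service_principals(assignments):
    """Return (principal, role, level) for service principals that hold a
    broad role at subscription scope or above."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if (a.get("principalType") == "ServicePrincipal"
                and a.get("roleDefinitionName") in BROAD_ROLES
                and level in ("subscription", "managementGroup")):
            findings.append((a.get("principalName"), a["roleDefinitionName"], level))
    return findings


# Constructed sample; every GUID and name below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LAMA_APP = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalName": LAMA_APP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "22222222-2222-2222-2222-222222222222",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-example"},
    {"principalName": "admin@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
])

if __name__ == "__main__":
    for name, role, level in broad_service_principals(json.loads(SAMPLE)):
        print(f"{name}: {role} at {level} scope")
```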
I’m done on the Azure side; now I will configure the SAP LaMa part. On the Infrastructure panel select “Cloud Manager” and click Add
Select Microsoft and click Next
Note: Before SAP LaMa 3.0 SP5 the adapter needs to be enabled manually
Enter the necessary information: the username is the application ID and the password is the key generated earlier.
You will also need to provide your Subscription ID and tenant ID, which can be retrieved from PowerShell after logging in to Azure
Now if I check under virtual hosts I can see the template option available for me to deploy VMs on Azure based on my own template
And if I move further, I can now see all my resource groups as well, for me to deploy my template into
We are done with this part; I will explain the Azure-specific part later on. For now I will install SAP Hana on Azure and show how to proceed with the registration in LaMa.
Register SAP Hana 2.0 from Azure in SAP LaMa
Before dealing with the installation of SAP Hana it is important to set up the VM properly; I have created a dedicated resource group to store all my objects so as not to mix them with other artifacts
Now the most important thing: make sure to select managed disks, since this is the only type of disk supported by SAP on Azure. You can also see that I have selected my specific VNet attached to the VPN, which leads to the automatic selection of the subnet.
I have also disabled the public IP since I don’t want my server to be accessed directly from outside.
Once my server is up and running, I register it into my Azure DNS so it will be replicated in my on-premise DNS
I do a quick test from my SAP LaMa server at the OS layer: the name is resolved and I can ssh into my server on Azure from on-premise
With my Hana on Azure installed, I can connect to it
So now that my Hana on Azure is up, before adding it to SAP LaMa, the necessary Adaptive Extension needs to be installed.
Note that because I’m running in the cloud, the EXT version needs to be used
Once downloaded, run the following command from the hostcontrol folder
Final step: register my instance in SAP LaMa; from the configuration tab I will provide my hostname and domain
My two Hana systems show up
All set for this part, my two instances are managed and ready for HSR configuration
Setup Replication between On-Premise and Azure with SAP LaMa
Before starting the replication setup, make sure to perform all necessary prerequisites, such as backing up all primary databases (system & tenant), having log_mode set to “normal” and copying the PKI SSF.key from the primary Hana system to the secondary.
Note: I have intentionally not created any tenant database on my second instance in order to replicate them from my on-premise environment.
The replication setup can be performed in many places: Hana studio, Hana cockpit, the OS layer with the hdbnsutil tool, or SAP LaMa. I will show you how to proceed with SAP LaMa.
From the dashboard, go to the operations actions and select the systemdb of my primary site, then select SAP Hana Replication to enable it
Provide a Site name and enable it
LaMa will proceed with the enablement
Once done we can see this
I have shut down my Azure instance before proceeding with the registration, so now I can register it as secondary tier
In this step I specify the options I want to work with
Once the system restarts, you can see that the takeover action is available
Let’s do some checks: first I look at Hana studio, where I see my 2 servers and the replication initialized
From the cockpit something
Once done the replication is active
OK, so my replication between my on-premise environment and Azure is running; I will then include my systems in Solution Manager
Configure Solution Manager monitoring
The monitoring portion in Solution Manager, whatever the version, involves several steps as well as components that need to be deployed and/or configured.
Because of this, I will cover it lightly and highlight the baseline part. The first part consists of registering both of my Hana instances in my SLD so that they are replicated to LMDB.
From the cockpit, select the system database and from Lifecycle Management choose SLD registration
Provide the SLD information and click next to proceed
When the operation is done for both Hana systems, check the entries in SLD
Now done, I install the diagnostic agent on both servers and register them in the SLD as well
And check the registration in my SLD
As well as agent registration from the administration side
When the diagnostic agents are registered, from the Solution Manager Configuration, I need to configure every Hana system as a managed system
Once the systems are configured, they need to be assigned to a monitoring template in order to read system information and generate metrics
When all my systems have an associated template, I can now see them from the work center
You probably noticed red and yellow lights … that’s normal because I did not complete the whole setup and just wanted to show the major steps of the monitoring setup.
Now done with my monitoring setup, I will perform my Hana failover process within SAP LaMa.
Perform SAP Hana takeover with SAP LaMa
SAP LaMa 3.0 allows you to perform various tasks from a replication point of view; to run my takeover task, I go to the Operations dashboard and select the secondary instance in Azure
Expand Operations, select SAP Hana Process and choose “Take over”
While it’s happening, I can see the lock on the instance because it’s being processed
To see what is going on in terms of process, from the Monitoring dashboard I select Activities and select my associated task
Once the takeover is completed, make sure to discover the new tenants replicated from the primary site, as well as to proceed with the Solution Manager monitoring setup for them.
My configuration is now complete for the simple replication and takeover process in SAP LaMa for SAP Hana; in my next document I will elaborate on more scenarios with HSR as well as dedicated Microsoft Azure resource deployment.