One important aspect of an SAP landscape is the numerous communication flows that can occur between the different SAP systems. The landscape consists of production and multiple non-production environments (QA, development, testing, etc..). Each environment comprises multiple SAP systems and each system can have multiple tiers (web, application and database). In the Software Defined Data Center (SDDC) where all these components are running in virtual machines (VMs) the network traffic between VMs can be complex due to multiple use cases, for example:
- Business processes require data transfer between different SAP systems running different supply chain modules.
- Data transfer between SAP and non-SAP systems.
- Communication between the different tiers: client; web; application; and database.
- Data load to/from NFS services.
- Communication between the different SAP HANA network zones .
The following diagram from SAP shows the example data flows that can occur between different SAP systems.
Source: SAP
In the above diagram the SAP systems are: ECC – ERP Central Component; PI = Process Integration which handles application integration; CRM – Customer Relationship Management; SCM – Supply Chain Management. One of the data transfer protocols is SAP’s proprietary Remote Function Call (RFC) interface which is based on TCP/IP.
The data transfers described above impact the sizing and performance of SAP systems. Hence part of managing the SAP SDDC includes locating and understanding the communication patterns within the network. This can be achieved automatically with a VMware solution called VMware vRealize Network Insight .
vRealize Network Insight can perform discovery to provide network flow mappings, SAP application dependencies and a topology of the virtual network environment. This in turn can help in defining a micro-segmentation strategy and with hybrid cloud migration projects. Next, we show a demonstration of vRealize Network Insight with an SAP environment.
Here we show an example discovery of SAP data flows with vRealize Network Insight. The following SAP environment was installed and configured.
SAP Environment – Lab Setup
A custom SAP program was created and executed in SAP system 2 that remotely called a function module in SAP system 1 via the SAP RFC interface (function modules consist of program code that provide an interface for data exchange).
vRealize Network Insight consists of two virtual appliances, platform and proxy. Both are downloaded as an OVA. For installation instructions see here. Once installed we added vCenter as a data source and enabled IPFIX on the virtual distributed switch. vRealize Network Insight gathers VMware vCenter objects and performance metrics and network flows between all the available VMs and hosts. For application-centric analysis vRealize Network Insight allows the creation of application groups – this helps us to narrow down the analysis to the SAP environment. We created an application group and assigned all the SAP specific VMs defined in the diagram above – this is shown in the following screenshot.
vRealize Network Insight Screenshot – Create Application for SAP VMs
After creating the SAP application, vRealize Network Insight can provide analysis specific to the VMs defined in the application – a summary of an analysis is shown in the following figure.
vRealize Network Insight Screenshot – Analysis of SAP Environment
The results above show discovery of the SAP ports used and the values correspond to the typical port numbers used by SAP, for port descriptions see here. Further drill-down from the above screen enables more detailed view of the network traffic between VMs – this is shown next.
Traffic Flows Between SAP VMs
The above shows some of the traffic flows. For example, we see traffic flow between two SAP systems via port 3300 – this is the SAP gateway port and is the port used by RFCs for data communication between two separate SAP systems. In this case we know the flow is between two different SAP systems by the naming standards used in the VM names. A complete understanding of these communication flows and application impact requires collaboration between the VMware and SAP administrators. Based on the analysis vRealize Network Insight can provide recommendations for firewall rules that can be used for micro-segmentation. This is show in the next figure.
Recommended Firewall Rules based on Analysis of SAP Environment
The firewall rules suggested above are dependent on the application definition. In this example we assigned all the SAP VMs to one tier. If we had defined separate tiers in the application definition e.g. application and database tier, the suggested firewall rules may be different. In actual implementations, the design phase should determine the granularity of protection required based on the security objectives. The recommended firewalls rules can be exported to VMware’s Network and Security Virtualization Software, NSX for micro-segmentation deployment.
In the Software Defined Data Center (SDDC) the network traffic between SAP VMs can be complex and can impact the sizing and performance of SAP systems. Part of managing the SAP SDDC includes locating and understanding the communication patterns within the network. This can be achieved automatically with VMware vRealize Network Insight. Analysis with vRealize Network Insight provides the following features:
- Discovery of application dependencies between the different SAP components.
- Insights into workload patterns e.g. increased batch activity is reflected by increased network data transfer between the application and database tier.
- Ability to track any potentially unwanted behavior e.g. data transfer between a production and non-production system.
- Provides a starting point to define and implement firewall rules for a micro-segmentation strategy.
- Facilitates planning in hybrid cloud deployments where SAP landscapes may be split between on-premise and a public cloud. This requires an understanding of network dependencies between SAP systems to minimize performance issues.
