Service offering

SAP on Azure

Running SAP workloads on Azure demands more than raw compute — it requires a precisely architected, SAP-certified infrastructure that is secure, automated, and operations-ready from day one. We deliver the full stack: SAP-certified VM sizing and storage, Terraform-driven provisioning, HA clustering, RISE VNet connectivity, ACSS operations integration, and a structured go-live assessment before any system goes live.

SAP-Certified VM Sizing | Terraform IaC | HA Clustering (Pacemaker) | Azure NetApp Files | RISE VNet Connectivity | ExpressRoute | Azure Center for SAP (ACSS) | Azure Backup · Backint | Go-Live Assessment

How SAP on Azure is Architected

SAP workloads on Azure are deployed in a hub-and-spoke landing zone: a shared hub VNet carries network egress, DNS, ExpressRoute connectivity, and security appliances, while a dedicated SAP spoke VNet isolates all SAP workloads behind a strictly controlled NSG boundary. This separation allows the corporate network team to govern connectivity without touching SAP-specific subnets.

SAP on Azure landing zone — hub-and-spoke topology with RISE peering and on-premise ExpressRoute
SAP-Managed (RISE) / SAP BTP
SAP S/4HANA Cloud, Private Edition (RISE) | SAP BTP Connectivity Service | SAP BTP Private Link Service
↕ VNet Peering (customer-initiated · SAP-approved) · Private DNS zone forwarding
Azure Landing Zone — Hub VNet (Customer-managed)
Azure Firewall / NVA | ExpressRoute Gateway | Azure Bastion | Private DNS Resolver | Azure Center for SAP (ACSS) | Azure Monitor · Backup Center
↕ VNet Peering · spoke subnet routing · NSG enforcement
SAP Spoke VNet — Workload Subnets
SAP App Server VMs (M-series · E-series) | SAP HANA VMs (Mv2 · Memory-Optimised) | Azure NetApp Files (HANA shared · data · log) | Internal Load Balancers (ASCS/ERS · HSR) | Recovery Services Vault · Azure Backup

No SAP VM has a public IP. All administrative access is through Azure Bastion. All SAP-to-SAP traffic stays within the spoke VNet. All external connectivity — to on-premise, to RISE, to BTP — passes through the hub where it can be inspected and governed.

Core Capabilities

VM & Storage
SAP-Certified Compute & HANA Storage
We select and configure SAP-certified Azure VM families (M-series, Mv2, E-series) sized to your HANA memory and SAPS benchmarks. Storage layout follows SAP HANA TDI guidelines — separate volumes for data, log, shared, and backup, using Premium SSD, Ultra Disk, or Azure NetApp Files depending on throughput requirements. Proximity placement groups keep latency between HANA and app server VMs within SAP’s bounds.
M-series · Mv2 · E-series · Ultra Disk · Premium SSD v2 · ANF · Write Accelerator · Proximity Placement Groups · HANA TDI storage layout
Infrastructure as Code
Terraform — Repeatable, Auditable, Drift-Free
All Azure infrastructure is provisioned through a modular Terraform codebase — resource groups, VNets, subnets, NSGs, VMs, managed disks, load balancers, NAT gateways, private endpoints, and DNS zones. Environment-specific variable files (dev, qas, prod) share a common module library. Remote state is stored in Azure Storage with state locking. GitHub Actions drives plan and apply with mandatory approval gates before production changes.
Terraform · Azure Provider · Remote state (Azure Storage) · GitHub Actions CI/CD · plan/apply approval gates · SAP Deployment Automation Framework compatible
Networking & HA
Segmented Subnets, ILB, Pacemaker Clustering
SAP landscapes require strict subnet segmentation (app, db, management, ANF, gateway) and carefully configured Azure Internal Load Balancers for cluster failover. We configure ILBs for ASCS/ERS and HANA System Replication with Floating IP enabled and idle timeout set to 30 minutes — both mandatory for SAP on Azure. Pacemaker/Corosync clusters with Azure Fence Agent (STONITH) provide automatic failover for HANA and SAP Central Services.
Azure ILB · Floating IP · HA port rules · Pacemaker / Corosync · Azure Fence Agent · STONITH · HANA System Replication (HSR) · ASCS/ERS cluster
RISE Connectivity
Landing Zone ↔ SAP RISE VNet Peering
SAP RISE runs in an SAP-managed Azure subscription with a closed network perimeter. Connecting your Landing Zone requires a VNet Peering initiated from your subscription and approved by SAP, combined with routing table design, NSG alignment to SAP’s required port matrix, and Private DNS zone forwarding for RISE hostnames. We handle the full process — including coordinating the technical peering request with your SAP RISE contact — and validate all routing post-activation.
VNet Peering (cross-subscription) · Private DNS zones · Route tables · NSG (SAP RISE port matrix) · ExpressRoute hybrid extension · Azure Network Watcher validation

Azure Center for SAP Solutions & Go-Live Readiness

Most Azure infrastructure teams handle the cloud layer but leave SAP-specific readiness gaps that only surface under load or at go-live. CNBS combines ACSS operational integration with a structured infrastructure readiness assessment — so your SAP landscape is visible, validated, and production-ready before cutover.

CNBS Full-Stack Delivery
Infrastructure + ACSS Operations + Go-Live Assessment — End to End

We provision and harden the infrastructure, register your SAP systems in ACSS for unified operations, and run a structured go-live assessment against SAP’s and Microsoft’s readiness checklists — delivering a written report with Blocker / Major / Minor findings and remediation guidance before your system goes live.

ACSS Virtual Instance for SAP (VIS) registration
ACSS Quality Checks — continuous best-practice validation
SAP system stop/start automation (cost optimisation)
Azure Monitor integration for HANA, OS, and app metrics
Azure Workbooks for SAP Basis operations dashboards
VM compute, storage, and HA configuration validation
ILB floating IP and health probe verification
HANA HSR status, log mode, and backup schedule check
OS kernel parameters and SAP Notes compliance check
Security review — no public IPs, Bastion, Key Vault
Written assessment report with go/no-go recommendation
Optional remediation sprint to close all blockers

What We Deliver

SAP-Certified VM Deployment

Selection and deployment of SAP-certified Azure VM families sized to your HANA memory and SAPS requirements. Storage layout per SAP HANA TDI guidelines — data, log, shared, and backup volumes with appropriate disk types and striping. Accelerated networking, write accelerator, and proximity placement groups configured. OS baseline (SLES for SAP or RHEL for SAP) aligned with SAP Notes and Azure-specific tuning guides.

Terraform Infrastructure as Code

Modular Terraform codebase covering all Azure resources — VNets, subnets, NSGs, VMs, managed disks, load balancers, private endpoints, and DNS zones. Environment-specific variable files for dev, qas, and prod sharing a common module library. Remote state in Azure Storage with locking. GitHub Actions pipelines with plan/apply approval gates. Full module documentation and input variable reference.

Network Architecture & Load Balancers

Hub-and-spoke VNet topology with purpose-specific subnets (app, db, management, ANF delegated, gateway). Azure Internal Load Balancers for ASCS/ERS and HANA System Replication — Floating IP enabled, idle timeout 30 minutes, HA port rules, and correctly scoped health probes. NSG rules scoped per subnet, permitting only required SAP ports. Pacemaker/Corosync cluster with Azure Fence Agent for automatic STONITH-based failover.
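
The ILB settings above and the no-public-IP rule can be checked against a Terraform plan before apply. The following is an added example, not code from this page or from CNBS: it assumes the azurerm provider's attribute names, uses a constructed plan with hypothetical resource addresses, and assigns the Blocker severity itself.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Resource addresses are hypothetical; attribute names assume the azurerm provider.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "azurerm_network_interface.hana0", "type": "azurerm_network_interface",
  "change": {"after": {"ip_configuration": [{"public_ip_address_id": null}]},
             "after_unknown": {"ip_configuration": [{}]}}},
 {"address": "azurerm_network_interface.app0", "type": "azurerm_network_interface",
  "change": {"after": {"ip_configuration": [{"name": "ipc"}]},
             "after_unknown": {"ip_configuration": [{"public_ip_address_id": true}]}}},
 {"address": "azurerm_lb_rule.ascs", "type": "azurerm_lb_rule",
  "change": {"after": {"enable_floating_ip": true, "idle_timeout_in_minutes": 30}}},
 {"address": "azurerm_lb_rule.hsr", "type": "azurerm_lb_rule",
  "change": {"after": {"enable_floating_ip": false, "idle_timeout_in_minutes": 4}}}
]}
""")

def audit_plan(plan):
    """Return (address, severity, message) findings; severities are assumed labels."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None:  # resource is being destroyed, nothing to check
            continue
        addr, rtype = rc.get("address", "?"), rc.get("type")
        if rtype == "azurerm_network_interface":
            pending = (change.get("after_unknown") or {}).get("ip_configuration")
            pending = pending if isinstance(pending, list) else []
            for i, ipc in enumerate(after.get("ip_configuration") or []):
                # A public IP created in the same plan has no ID yet: the key is
                # missing from "after" and marked true in "after_unknown".
                unk = pending[i] if i < len(pending) and isinstance(pending[i], dict) else {}
                if ipc.get("public_ip_address_id") or unk.get("public_ip_address_id"):
                    findings.append((addr, "Blocker", "NIC has a public IP attached"))
        elif rtype == "azurerm_lb_rule":
            # The attribute name differs between provider versions; accept either.
            floating = after.get("floating_ip_enabled") or after.get("enable_floating_ip")
            if floating is not True:
                findings.append((addr, "Blocker", "Floating IP is not enabled"))
            if after.get("idle_timeout_in_minutes") != 30:
                findings.append((addr, "Blocker", "idle timeout is not 30 minutes"))
    return findings

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(*finding, sep=" | ")
```

The check only looks at NICs, since hub components such as Azure Bastion legitimately carry public IPs; scoping it to the SAP spoke's resources is left to the caller.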

RISE Landing Zone Connectivity

End-to-end RISE VNet connectivity: peering request from your subscription, SAP approval coordination, routing table design, NSG alignment to SAP’s required port matrix, and Private DNS zone forwarding for RISE hostnames. Connectivity validated with Azure Network Watcher and SAP’s connection test tooling. On-premise hybrid access via ExpressRoute or Site-to-Site VPN extended through the hub.

ACSS Integration & Monitoring

Registration of SAP systems as Virtual Instances for SAP (VIS) in ACSS. ACSS Quality Checks enabled for continuous infrastructure best-practice validation. Azure Monitor agents, HANA metrics, and OS telemetry surfaced through ACSS and Azure Workbooks. SAP system stop/start automation for non-production cost control. Alerting rules configured for disk latency, HANA memory, cluster health, and certificate expiry.

Backup, ANF & Go-Live Assessment

Azure NetApp Files provisioning for HANA shared, data, and log volumes with snapshot policies and optional Cross-Region Replication for DR. Azure Backup for VMs and HANA Backint configuration with full, incremental, and log backup schedules. Go-live assessment covering VM, storage, network, HA, HANA, OS, security, monitoring, and backup layers — written report with Blocker / Major / Minor findings and remediation guidance.

How Customers Benefit

Certified
SAP & Microsoft Best Practices from Day One
Every VM family, disk configuration, and network setting is validated against SAP’s hardware directory, SAP Notes, and Microsoft’s SAP on Azure documentation. Your infrastructure passes SAP’s readiness checks because it was built to them — not retrofitted afterwards.
Automated
No Configuration Drift, No Snowflakes
Terraform-provisioned infrastructure is reproducible by definition. Every resource is declared in version-controlled code. New environments take hours, not days. Production changes go through PR review and a mandatory approval gate — accidental configuration drift is structurally prevented.
HA
Automatic Failover at Every Layer
Pacemaker clusters with Azure Fence Agent provide automatic STONITH-based failover for SAP Central Services and HANA. ILBs with Floating IP route traffic to the new primary without DNS changes or manual intervention. HANA System Replication keeps the standby node synchronised and ready to take over within seconds.
Secure
Zero Public IPs on SAP VMs
No SAP VM has a public IP address. All administrative access is through Azure Bastion. All secrets are stored in Azure Key Vault — no credentials in Terraform state or pipeline variables. NSG rules enforce a deny-by-default posture at every subnet boundary.
Visible
Full SAP Landscape Visibility via ACSS
Azure Center for SAP Solutions gives your Basis and operations team a single pane of glass across all registered SAP systems — health status, HANA metrics, quality check findings, and system inventory. No separate monitoring tool required for the infrastructure layer.
Protected
Validated Backup & Recovery at Every Layer
HANA Backint with Azure Backup covers full, incremental, and 15-minute log backups. VM snapshots cover OS and data disks. ANF snapshots provide volume-level recovery. Every backup configuration is tested — we validate an actual restore as part of the go-live assessment, not just check that the backup job runs green.

How We Work

01

Architecture & Sizing Assessment

We review your SAP workload inventory, HANA memory requirements, SAPS benchmarks, HA and DR requirements, and existing network topology. We design the landing zone architecture, subnet layout, VM families, storage configuration, and RISE connectivity approach before any infrastructure is provisioned.

02

Terraform Foundation & Network Deployment

We build the Terraform module library, configure remote state, and deploy the landing zone network layer — hub VNet, spoke VNet, subnets, NSGs, route tables, ExpressRoute gateway, Bastion, and DNS resolver. GitHub Actions pipelines with approval gates are established before any VM work begins.

03

VM Deployment & Storage Configuration

SAP-certified VMs provisioned via Terraform across availability zones with proximity placement groups. Storage layout deployed — Ultra Disk or ANF volumes for HANA data/log, Premium SSD for shared and backup. OS baseline applied: kernel parameters, SAP Notes compliance, NTP, swap, and host-based firewall. OpenJDK for Java-based SAP components configured and tuned.

04

HA Clustering, RISE Connectivity & Backup

Pacemaker/Corosync clusters configured for ASCS/ERS and HANA with Azure Fence Agent — failover tested by deliberately stopping the primary and confirming automatic promotion. RISE VNet peering requested, approved, and validated. Azure Backup configured for VMs and HANA Backint. ANF snapshot policies and optional CRR for DR enabled.

05

ACSS Integration & Monitoring Setup

SAP systems registered in ACSS as Virtual Instances. Quality Checks enabled and initial findings remediated. Azure Monitor agents deployed, HANA metrics and OS telemetry wired into Workbooks. Alert rules configured for cluster health, disk latency, HANA memory, and certificate expiry. Stop/start automation enabled for non-production systems.

06

Go-Live Assessment & Handover

Structured go-live assessment covering all infrastructure layers against SAP’s and Microsoft’s readiness checklists. Written report with Blocker / Major / Minor findings and Terraform/CLI remediation snippets. Operational runbooks for common tasks: adding an app server, replacing a failed node, renewing certificates, running a failover test. CNBS available for managed operations post-go-live under a retained arrangement.


Ready to run SAP workloads on Azure?

Let’s build your SAP Azure foundation — certified, automated, and production-ready.

Tell us about your SAP landscape, HANA sizing requirements, and connectivity needs — we’ll design and deliver an infrastructure that is built to SAP’s and Microsoft’s standards from the ground up.