Best Practice 6.1 – Ensure that security and auditing are built into the SAP network design - SAP Lens

Protecting access to the network that hosts your SAP workloads is the first line of defense against malicious activity. Evaluate your business requirements and the specific SAP solution to determine the ports, protocols, and traffic patterns that need to be enabled. Consider the security standards of your organization and the tools and patterns available to simplify network design. Audit on a regular basis or as changes occur.

Suggestion 6.1.1 – Understand network traffic flows for SAP

Start by understanding your traffic flows. Network traffic patterns for SAP workloads can be categorized as inbound traffic, outbound traffic, and internal traffic. You should identify whether the source and destination fall within your trusted network boundary to assist with defining your rule sets.

In addition to known inbound traffic and outbound traffic flows such as user access and interface connections, consider SAP-specific requirements, including connections to SAP Support (via SAProuter) and SAP SaaS offerings that restrict access based on source IP addresses.

For internal traffic, consider traffic between SAP components and systems, as well as traffic to AWS services and shared services. Tools such as VPC Flow Logs and VPC Reachability Analyzer can help you understand traffic flows into, out of, and within your Amazon VPC.
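As an added example (not from the SAP Lens page or an AWS tool), the script below runs over a few constructed VPC Flow Log records and tags each flow as inbound, outbound or internal relative to an assumed VPC CIDR, and as trusted or not relative to an assumed on-premises range, which is the categorisation this suggestion asks for:

```python
import ipaddress
from collections import Counter

# Added example, not from the SAP Lens page. Constructed records in the default
# VPC Flow Log format (version 2). Assumed addressing: 10.0.0.0/16 is the VPC and
# 192.168.0.0/16 is an on-premises range inside the trusted boundary.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 192.168.10.25 10.0.1.10 51234 3200 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.168.10.26 10.0.1.10 51235 3300 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40000 30015 6 300 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.9 40001 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 55555 3299 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
TRUSTED = [VPC_CIDR, ipaddress.ip_network("192.168.0.0/16")]

def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def classify(record):
    """(direction, trusted, dstport, action) for one record, or None when the
    record carries no flow data (log-status NODATA / SKIPDATA)."""
    f = record.split()
    if len(f) < 14 or f[13] != "OK":
        return None
    src, dst, dport, action = f[3], f[4], int(f[6]), f[12]
    src_in_vpc, dst_in_vpc = in_any(src, [VPC_CIDR]), in_any(dst, [VPC_CIDR])
    if src_in_vpc and dst_in_vpc:
        direction = "internal"
    elif dst_in_vpc:
        direction = "inbound"
    else:
        direction = "outbound"
    # Do both endpoints sit inside the trusted boundary (VPC or on-premises)?
    trusted = in_any(src, TRUSTED) and in_any(dst, TRUSTED)
    return direction, trusted, dport, action

def summarize(log_text):
    """Count flows by (direction, trusted, dstport, action)."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

def untrusted_inbound_ports(log_text):
    """Destination ports reached from outside the trusted boundary: the first
    candidates for a security group and network ACL review."""
    return sorted({p for (d, t, p, _) in summarize(log_text) if d == "inbound" and not t})
```

Run against a real export, the `untrusted_inbound_ports` list is the set of ports to reconcile against the rule sets defined in the next suggestion.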

Suggestion 6.1.2 – Evaluate options to permit and restrict traffic flows

First, understand how you connect users and systems in your on-premises network to the AWS account in which your SAP systems are running. This is covered in Network-to-Amazon VPC connectivity options.

The two primary methods for controlling the flow of network traffic into and out of your VPC are security groups and network access control lists (network ACLs). A security group acts as a virtual firewall at the EC2 instance level to control inbound and outbound traffic and is stateful. A network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets, and — unlike security groups — a network ACL is stateless.

Also consider the dependencies of network components outside of your VPC. These can include network components provided by AWS, such as CloudWatch endpoints, and internet-hosted services, such as software repositories for operating system patches.

In addition to the standard options in AWS, SAP itself provides additional network security options, including the use of the SAProuter, the SAP Web Dispatcher, and SAP Gateway network-based access control lists. These work in tandem with AWS services and configurations to permit or restrict network access to SAP systems.

Suggestion 6.1.3 – Use design guidelines and AWS tooling to simplify network security

SAP systems often have complex integration requirements, and the cloud offers additional ways to simplify network security management. Consider the following approaches:

  • Avoid referring to individual IP addresses or IP ranges where possible to simplify management.

  • Use a standard set of SAP system numbers across all your SAP workloads to reduce the range of network ports required.

  • AWS PrivateLink removes the requirement for outbound internet access from your VPC to reach AWS services such as Amazon S3 and CloudWatch. Where possible, and unless business requirements mandate otherwise, keep SAP traffic to and from these services off the internet by routing all of it through AWS managed network components.

  • Simplify security groups by the use of VPC Prefix Lists and/or security group rules that reference other security groups rather than IP address ranges.

  • Use automation to create, update, and manage security groups to avoid configuration drift.

  • Consider the use of AWS Firewall Manager to provide centralized management of security groups across VPCs and AWS accounts.

  • Consider the use of SAProuter, SAP Web Dispatcher, and Elastic Load Balancing to obfuscate the entry points to backend systems.

  • Consider the use of multiple SAP Internet Communication Manager (ICM) entry points to provide finer-grained access control.

  • Consider AWS Shield, a managed Distributed Denial of Service (DDoS) protection service, to safeguard applications running on AWS. Use it to protect public-facing SAP Fiori or API endpoints.

  • Consider AWS WAF, a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. Use it to protect public-facing user interfaces and APIs, for example, SAP Fiori applications.
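The following added example (not from the SAP Lens page or an AWS tool) ties together two of the points above, standardising SAP system numbers and referencing prefix lists or other security groups instead of IP ranges: it derives the SAP port set from the instance numbers in use and emits ingress rules in the `IpPermissions` shape accepted by boto3's `authorize_security_group_ingress()`. The security group and prefix list IDs are placeholders, and the port templates follow the SAP convention where NN is the two-digit instance number.

```python
# Added example, not from the SAP Lens page. Builds security group ingress rules in
# the IpPermissions shape that boto3's authorize_security_group_ingress() accepts,
# sourcing them from other security groups and a managed prefix list rather than IP
# ranges. Port templates use NN for the SAP instance number; all IDs are placeholders.
APP_PORT_TEMPLATES = {
    "dispatcher (SAP GUI)": "32NN",
    "gateway (RFC)": "33NN",
    "message server": "36NN",
    "ICM HTTPS": "443NN",
}
DB_PORT_TEMPLATES = {"HANA SQL, tenant database": "3NN15"}

def expand_ports(templates, instance_numbers):
    """Resolve the NN templates for every instance number -> {port: description}."""
    ports = {}
    for desc, tmpl in templates.items():
        for nn in instance_numbers:
            ports.setdefault(int(tmpl.replace("NN", f"{nn:02d}")), desc)
    return ports

def contiguous_ranges(ports):
    """Collapse a set of ports into (from, to) ranges; each range becomes one rule."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def ingress_rules(ports, source_sg_ids=(), prefix_list_ids=()):
    """One IpPermission per port range; sources are security groups / prefix lists."""
    return [{
        "IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
        "UserIdGroupPairs": [{"GroupId": sg} for sg in source_sg_ids],
        "PrefixListIds": [{"PrefixListId": pl} for pl in prefix_list_ids],
    } for lo, hi in contiguous_ranges(ports)]

def sap_rule_set(instance_numbers, user_prefix_list="pl-PLACEHOLDER", app_sg="sg-APP-PLACEHOLDER"):
    """Application-tier SG admits users via a prefix list; database-tier SG admits
    HANA SQL only from the application-tier SG."""
    return {
        "app": ingress_rules(expand_ports(APP_PORT_TEMPLATES, instance_numbers),
                             prefix_list_ids=[user_prefix_list]),
        "db": ingress_rules(expand_ports(DB_PORT_TEMPLATES, instance_numbers),
                            source_sg_ids=[app_sg]),
    }
```

Comparing `sap_rule_set([0])` with `sap_rule_set([0, 10])` shows the effect of a standard instance number: the mixed estate needs twice as many application-tier rules for the same four services.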
