OL3: Network Setup (private)

Network Setup for Private Connectivity

Configure the network connection for the SAP ABAP/DB layer hosted in a private subnet.

Navigate to AWS Console -> All Services -> Compute -> Lambda and select the Lambda function that you created in the previous step, then execute the following steps.

Step 1: Ask your SAP BASIS admin for the SAP HTTPS port, which is listed in transaction SMICM -> Goto -> Services.

Step 2: In your AWS console, go to EC2, locate your SAP instance and make sure the HTTPS port is open in the security group attached to it. In this example the HTTPS port is 44300.

Work with your security team so that the rule for this port is fine-grained, allowing only the sources that need to reach it rather than opening the port broadly.

Step 3: Ensure the Lambda execution role has enough permissions to talk to the other services:

Navigate to AWS Console -> All Services -> Compute -> Lambda, select the Lambda function that you created during the deployment via CDK and scroll to the 'Execution role' section.

Open the role attached to the Lambda function to confirm that it has sufficient permissions to talk to the other services.

AWS CDK should have attached the following managed and inline policies:

  • AWSLambdaExecute (AWS managed policy)
  • SAPLambdaRoleDefaultPolicy (inline policy generated by CDK)

Attach the AWSLambdaVPCAccessExecutionRole managed policy (select the policy and choose the attach option) so that the function can be placed in your VPC for private access to extract the data. This policy lets Lambda create and manage the elastic network interfaces (ENIs) in your subnets through which the function reaches the SAP system and other AWS resources.
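
To check Steps 2 and 3 without clicking through the console, here is an added Python example (not part of this workshop) that reads the JSON shapes returned by `aws ec2 describe-security-groups`, `aws iam list-attached-role-policies` and `aws iam list-role-policies`, reports whether the SAP security group admits TCP 44300 from the Lambda function's security group (and flags a rule that is open to 0.0.0.0/0), and lists which of the expected policies are missing from the execution role. The security group ids, the subnet CIDR and the role contents are constructed placeholders; replace the embedded dictionaries with real CLI output to run it against your account.

```python
"""Added example (not part of the workshop): offline check of Steps 2 and 3.

The dictionaries mirror the JSON returned by `aws ec2 describe-security-groups`,
`aws iam list-attached-role-policies` and `aws iam list-role-policies`.
All ids, the CIDR and the role contents are constructed placeholders.
"""
import ipaddress

SAP_HTTPS_PORT = 44300                  # Step 1: port shown in SMICM -> Goto -> Services
LAMBDA_SG = "sg-0aaa0000lmbd0001"       # placeholder: security group of the Lambda function
LAMBDA_SUBNET_CIDR = "10.20.1.0/24"     # placeholder: subnet the Lambda ENIs are created in

# Constructed sample of one entry from describe-security-groups: the SAP instance's group
SAP_SG = {
    "GroupId": "sg-0aaa0000sap00001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": SAP_HTTPS_PORT, "ToPort": SAP_HTTPS_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]},
        {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

# Constructed samples of list-attached-role-policies / list-role-policies for the Lambda role
ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AWSLambdaExecute", "PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaExecute"}]}
INLINE = {"PolicyNames": ["SAPLambdaRoleDefaultPolicy"]}

REQUIRED_MANAGED = {"AWSLambdaExecute", "AWSLambdaVPCAccessExecutionRole"}  # Step 3
REQUIRED_INLINE = {"SAPLambdaRoleDefaultPolicy"}                            # attached by CDK


def rule_covers_port(rule, port):
    """True when an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule["IpProtocol"]
    if proto == "-1":                       # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ingress_sources(sg, port):
    """Security group ids and CIDR networks that may reach `port` on `sg`."""
    sg_ids, cidrs = set(), []
    for rule in sg["IpPermissions"]:
        if not rule_covers_port(rule, port):
            continue
        sg_ids.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
        cidrs.extend(ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))
        cidrs.extend(ipaddress.ip_network(r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", []))
    return sg_ids, cidrs


def check_sap_sg(sg, port, lambda_sg, lambda_subnet_cidr):
    """Step 2: is the SAP HTTPS port reachable from the Lambda, and is the rule wider than needed?"""
    sg_ids, cidrs = ingress_sources(sg, port)
    subnet = ipaddress.ip_network(lambda_subnet_cidr)
    by_cidr = any(c.version == subnet.version and subnet.subnet_of(c) for c in cidrs)
    return {
        "reachable_from_lambda": lambda_sg in sg_ids or by_cidr,
        "open_to_world": any(c.prefixlen == 0 for c in cidrs),   # 0.0.0.0/0 or ::/0
    }


def missing_role_policies(attached, inline):
    """Step 3: names of required managed/inline policies that are not on the role."""
    have_managed = {p["PolicyName"] for p in attached["AttachedPolicies"]}
    have_inline = set(inline["PolicyNames"])
    return sorted((REQUIRED_MANAGED - have_managed) | (REQUIRED_INLINE - have_inline))


if __name__ == "__main__":
    print("security group:", check_sap_sg(SAP_SG, SAP_HTTPS_PORT, LAMBDA_SG, LAMBDA_SUBNET_CIDR))
    print("missing policies:", missing_role_policies(ATTACHED, INLINE))
```

With the constructed input the security-group check passes (the port is reachable only from the Lambda's security group, not from the world) and the policy check reports `AWSLambdaVPCAccessExecutionRole` as missing, which is exactly the policy Step 3 asks you to attach.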

Step 4: Establish connectivity between Lambda and the SAP system. You can either use VPC private endpoints or deploy a NAT Gateway.

Several services offer VPC endpoints. You can use VPC endpoints to connect to AWS services from within a VPC without public internet access.

Go to your console: AWS Console -> All Services -> Networking & Content Delivery -> VPC -> Endpoints.

  • Click Create Endpoint.
  • Under Service category choose AWS services, pick DynamoDB as the service, then select the VPC of your SAP instance and the matching subnet. For simplicity you can also select all subnets and choose Full Access as the endpoint policy to allow all traffic. Finish the wizard to create the DynamoDB gateway endpoint.

Follow the previous steps to select Amazon S3 as the service and create an S3 gateway endpoint.

Follow the previous steps to select AWS Secrets Manager as the service; this one is an interface endpoint.

For simplicity, choose all subnets, the default security group and Full Access.

Validate that the three endpoints (DynamoDB, Amazon S3 and AWS Secrets Manager) are configured under AWS Console -> All Services -> Networking & Content Delivery -> VPC -> Endpoints.

Continue with Step 5!

NAT Gateway Approach (alternative to VPC Endpoints Approach)

  • You need a NAT Gateway attached to the VPC private subnet where you have hosted the SAP instance. See this documentation for the NAT Gateway configuration steps.

Attach the NAT Gateway to the private subnet where you have hosted the SAP instance (the subnet's route table sends outbound traffic to the NAT Gateway). Lambda and the EC2 instance connect to AWS Secrets Manager, Amazon S3 and DynamoDB; these are managed services outside your network, so without VPC endpoints they need internet access.

Step 5: Validate the routes of your SAP instance's private subnet. You should see routes to the private gateway endpoints (S3 and DynamoDB). Interface endpoints are not shown in the route table.

You can open the subnet from AWS Console -> All Services -> Compute -> EC2: select Instances, choose your SAP instance and follow the subnet link.

Click the route table section of the VPC private subnet to verify the gateway routes.

Step 6: Update the Lambda network settings: AWS Console -> All Services -> Compute -> Lambda, select the ODP Lambda function and scroll to the network section to update:

  • VPC: choose your SAP instance's VPC
  • Subnet: choose your SAP instance's subnet; for simplicity, you can also select all subnets
  • Security Group: for this lab, choose the default security group

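To validate Steps 4 to 6 together, here is an added Python example (not part of this workshop) that takes the VpcConfig block of `aws lambda get-function-configuration` together with the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`, and for every subnet the Lambda function is placed in checks that S3 and DynamoDB are reachable through a gateway endpoint route (or, for the alternative approach, a NAT Gateway default route) and that Secrets Manager has an interface endpoint in that subnet with private DNS enabled (or again a NAT route). The region and all VPC, subnet, endpoint and route table ids are constructed placeholders; the second subnet in the sample is deliberately missing the DynamoDB route to show what "select all subnets" can hide.

```python
"""Added example (not part of the workshop): offline validation of Steps 4 to 6.

The dictionaries mirror the JSON of `aws ec2 describe-vpc-endpoints`,
`aws ec2 describe-route-tables` and the VpcConfig block of
`aws lambda get-function-configuration`. Region and all ids are placeholders.
"""
REGION = "eu-central-1"                  # placeholder
VPC_ID = "vpc-0aaa0000sap00001"          # placeholder: VPC of the SAP instance
SUBNET_A = "subnet-0aaa0000priv0001"     # placeholder: SAP private subnet
SUBNET_B = "subnet-0aaa0000priv0002"     # placeholder: a second private subnet
GATEWAY_SERVICES = {"s3", "dynamodb"}    # Step 4: reached via gateway endpoints
INTERFACE_SERVICES = {"secretsmanager"}  # Step 4: reached via an interface endpoint

ENDPOINTS = {"VpcEndpoints": [  # constructed describe-vpc-endpoints output
    {"VpcEndpointId": "vpce-0aaa0000s300001", "VpcEndpointType": "Gateway", "VpcId": VPC_ID,
     "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available",
     "RouteTableIds": ["rtb-0aaa0000priv0001", "rtb-0aaa0000priv0002"]},
    {"VpcEndpointId": "vpce-0aaa0000ddb0001", "VpcEndpointType": "Gateway", "VpcId": VPC_ID,
     "ServiceName": f"com.amazonaws.{REGION}.dynamodb", "State": "available",
     "RouteTableIds": ["rtb-0aaa0000priv0001"]},
    {"VpcEndpointId": "vpce-0aaa0000sm00001", "VpcEndpointType": "Interface", "VpcId": VPC_ID,
     "ServiceName": f"com.amazonaws.{REGION}.secretsmanager", "State": "available",
     "SubnetIds": [SUBNET_A, SUBNET_B], "PrivateDnsEnabled": True},
]}

ROUTE_TABLES = {"RouteTables": [  # constructed describe-route-tables output
    {"RouteTableId": "rtb-0aaa0000priv0001", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": SUBNET_A, "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationPrefixListId": "pl-0aaa0000s3", "GatewayId": "vpce-0aaa0000s300001", "State": "active"},
         {"DestinationPrefixListId": "pl-0aaa0000ddb", "GatewayId": "vpce-0aaa0000ddb0001", "State": "active"},
     ]},
    {"RouteTableId": "rtb-0aaa0000priv0002", "VpcId": VPC_ID,  # deliberately lacks the DynamoDB route
     "Associations": [{"SubnetId": SUBNET_B, "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationPrefixListId": "pl-0aaa0000s3", "GatewayId": "vpce-0aaa0000s300001", "State": "active"},
     ]},
]}

LAMBDA_VPC_CONFIG = {"VpcId": VPC_ID, "SubnetIds": [SUBNET_A, SUBNET_B],  # Step 6 settings
                     "SecurityGroupIds": ["sg-0aaa0000dflt0001"]}


def available_endpoints(endpoints, vpc_id):
    """Map service short name (s3, dynamodb, ...) to its available endpoint in this VPC."""
    return {e["ServiceName"].rsplit(".", 1)[-1]: e
            for e in endpoints["VpcEndpoints"]
            if e["VpcId"] == vpc_id and e["State"] == "available"}


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """Explicitly associated route table, else the VPC main table (implicit association)."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_nat_default_route(rt):
    """NAT Gateway approach: an active 0.0.0.0/0 route whose target is a NAT Gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r
               and r.get("State") == "active" for r in rt["Routes"])


def findings_for_subnet(subnet_id, endpoints, route_tables, vpc_id):
    """Problems that would stop a Lambda ENI in `subnet_id` from reaching the services."""
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    if rt is None:
        return [f"{subnet_id}: no route table found"]
    eps = available_endpoints(endpoints, vpc_id)
    nat = has_nat_default_route(rt)
    # Step 5: gateway endpoints appear as prefix-list routes whose target is the vpce id
    gateway_targets = {r.get("GatewayId") for r in rt["Routes"]
                       if "DestinationPrefixListId" in r and r.get("State") == "active"}
    problems = []
    for svc in sorted(GATEWAY_SERVICES):
        ep = eps.get(svc)
        routed = (ep is not None and ep["VpcEndpointType"] == "Gateway"
                  and ep["VpcEndpointId"] in gateway_targets)
        if not (routed or nat):
            problems.append(f"{subnet_id}: no gateway endpoint route and no NAT route for {svc}")
    # Interface endpoints never show in the route table: check subnet membership and private DNS
    for svc in sorted(INTERFACE_SERVICES):
        ep = eps.get(svc)
        present = (ep is not None and ep["VpcEndpointType"] == "Interface"
                   and subnet_id in ep.get("SubnetIds", []) and bool(ep.get("PrivateDnsEnabled")))
        if not (present or nat):
            problems.append(f"{subnet_id}: no interface endpoint with private DNS and no NAT route for {svc}")
    return problems


def check_lambda_connectivity(vpc_config, endpoints, route_tables):
    """Step 6: run the check for every subnet the Lambda function is placed in."""
    return {s: findings_for_subnet(s, endpoints, route_tables, vpc_config["VpcId"])
            for s in vpc_config["SubnetIds"]}


if __name__ == "__main__":
    for subnet, problems in check_lambda_connectivity(LAMBDA_VPC_CONFIG, ENDPOINTS, ROUTE_TABLES).items():
        print(subnet, "OK" if not problems else "; ".join(problems))
```

Run against the constructed input, the first subnet passes and the second reports that DynamoDB has neither a gateway endpoint route nor a NAT route; a function placed in both subnets would fail intermittently, depending on which subnet its ENI lands in, which is why the Step 5 route check matters when you take the "select all subnets" shortcut in Step 6.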