Each public cloud provider referenced below offers SAP reference architectures based on its own best practices. Together with the Fortinet best practices for securing the public cloud, these formed a baseline. The resulting architectures provide added security and optimized connectivity of an SAP landscape in the public cloud toward other SAP landscapes, users, and third parties on-premises as well as in the cloud.
Microsoft Azure's architecture starts from a Hub-Spoke setup where each SAP landscape can be segmented and inspected at a hub location. This setup aligns well with the Fortinet Cloud Security Service Hub concept. In the central hub, a FortiGate and FortiWeb installation is set up to scan the traffic. Both FortiGate and FortiWeb can be deployed as an Active/Passive High Availability setup, an Active/Active setup, or an Autoscaling setup. Which of these setups is the best fit depends on the environment's throughput, uptime, and complexity requirements. To get a head start, ARM and Terraform templates are available on our GitHub.
AWS provides Quick Start reference architectures in both single-AZ and multi-AZ environments. These reference architectures include a DMZ/Public subnet where the FortiGate and FortiWeb instances are deployed. The FortiGate provides the connectivity security entry point into the network. Inbound connections, whether over Direct Connect or via Internet Protocol security (IPsec) over the internet, are controlled and passed on to the back-end systems after inspection.
For any HTTP(S)-related services such as SAP Fiori, we direct the traffic toward the FortiWeb for inspection at Layer 7, including a machine-learned model of your traffic as well as authentication and protection against different common web vulnerabilities.
Google Cloud offers specific SAP architectures and advisories to its customers. Based on these architectures, we can add security and optimize the connectivity of an SAP landscape toward other SAP landscapes, users, and third parties.
For Google Cloud, the architecture includes protection and traffic inspection for both north-south and east-west traffic flows between the different virtual private cloud (VPC) networks containing an SAP landscape or shared services. The different SAP landscapes can either be at different stages (development, test, production) or be unrelated to each other, performing various functions for different parts of the operations.
In this design, traffic between the shared services, such as the SAP Router, and the Application Server in the production VPC is inspected using the FortiGate. All inbound traffic, as depicted in Figure 22 (Fortinet Reference Architecture for SAP S/4HANA on Google Cloud), is examined by the FortiGate (TCP 39xx, NI RCP/DIAG/…, HTTPS) or by the FortiWeb (HTTPS). Once inside the VPC, traffic between the SAP landscapes can be allowed or blocked using the ACLs in Google Cloud.
SAP landscapes are an essential part of the business engine driving your company. As such, it is important to have a disaster recovery strategy for these environments. Various components in the SAP landscape can be replicated, as suggested by Google.
The FortiGate and FortiWeb can be deployed in the DR environment either with a backup configuration applied using cloud-init or linked to a central management system.
Fortinet integrates with all major cloud providers to provide deployment flexibility for organizations as they begin planning their SAP S/4HANA conversions. Fortinet reference architectures for SAP S/4HANA can be found for Microsoft Azure, Amazon Web Services (AWS), and Google Cloud in our Fortinet Security Solutions for SAP S/4HANA white paper.
Support for older versions of SAP, including SAP ECC, SAP NetWeaver, SAP Business Suite, ERP, CRM, SCM, Solution Manager, and SRM.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.