Fortinet for SAP Knowledge Base
Article Id 263372
High-Level Summary of This Section


Each public cloud provider referenced below offers SAP reference architectures based on their best practices. These formed a baseline together with the Fortinet best practices to secure public cloud. The resulting architectures provide added security and optimized connectivity of an SAP landscape in the public cloud toward other SAP landscapes, users, and third parties on-premises as well as in the cloud.


Reference Architectures for SAP S/4HANA in Public Cloud


SAP S/4HANA on Microsoft Azure


Microsoft Azure's architecture starts from a Hub-Spoke setup where each SAP landscape can be segmented and inspected at a hub location. This setup aligns well with the Fortinet Cloud Security Service Hub concept. In the central hub, a FortiGate and FortiWeb installation is set up to scan the traffic. Both FortiGate and FortiWeb can be deployed as an Active/Passive High Availability setup, an Active/Active setup, or an Autoscaling setup. Depending on the environment requirements, these setups are the most optimal based on throughput, uptime, and complexity requirements. To take a head start, templates in ARM and Terraform are available on our github.




SAP S/4HANA on Amazon Web Services (AWS)


AWS provides Quick Start reference architectures in both single AZ and multi-AZ environments. These reference architectures include a DMZ/Public subnet where the FortiGate and FortiWeb instances are deployed. The FortiGate provides the connectivity security entry point into the network. Over Direct Connect as well as via Internet Protocol security (IPsec) over the internet, inbound connections are controlled and passed on to the back-end systems after inspection.


For any HTTP(S) related services such as SAP Fiori, we direct the traffic toward the FortiWeb for inspection at the Layer 7, including machine learning of a model of your traffic as well as authentication and protection against different common web vulnerabilities.




SAP S/4HANA on Google Cloud


Google Cloud offers specific SAP architectures and advisories to their customers. Based on these architectures, we can start adding additional security and optimize the connectivity of an SAP landscape toward other SAP landscapes, users, and third parties.


Google Cloud SAP Architectures:

For Google Cloud, the architecture includes protection and traffic inspection for both north-south and east-west traffic flows between the different virtual private cloud (VPC) networks containing an SAP landscape or shared services. The diverse SAP landscapes can be either in a different stage in the production (development, test, production) or SAP landscapes that are unrelated to each other and performing various functions for different parts of the operations.


In this design, traffic between the shared services such as the SAP Router and the Application Server in the production VPC is inspected using the FortiGate. All inbound traffic, as depicted in Figure 22 (Fortinet Reference Architecture for SAP S/4HANA on Google Cloud) is examined by FortiGate (TCP 39xx, NI RCP/DIAG/…, HTTPS) or by the FortiWeb (HTTPS). Once inside the VPC, traffic between the SAP landscapes can be allowed or blocked using the ACLs in Google Cloud.




SAP landscapes are an essential part of the business engine driving your company. As such, it is important to have a disaster recovery strategy for these environments. Various components in the SAP landscape can be replicated as suggested by Google in this link


The FortiGate and FortiWeb can be deployed in the DR environment either with a backup config using cloud-init or linked to a central management system.



Reference Architecture for Hybrid Environment




Integration with Cloud Providers


Fortinet integrates with all major cloud providers to provide deployment flexibility for organizations as they begin planning their SAP S/4HANA conversions. Fortinet reference architectures for SAP S/4HANA can be found for Microsoft Azure, Amazon Web Services (AWS), and Google Cloud in our Fortinet Security Solutions for SAP S/4HANA white paper.


SAP product version


Support for older versions of SAP including SAP ECC, SAP NetWeaver, SAP Business Suite, ERP, CRM, SCM, Solution Manager and SRM.