Configure the network connection for SAP ABAP/DB layer hosted in private subnet
Navigate to AWS Console -> All Services -> Compute -> Lambda and select the Lambda function that you created in the previous step, then execute the following steps.
Step 1: Ask your SAP BASIS administrator for the SAP HTTPS port (transaction SMICM -> Goto -> Services).
Step 2: In the AWS console, go to EC2, locate your SAP instance and make sure the HTTPS port is allowed inbound in the security group attached to the instance. In the example above the HTTPS port is 44300.
Work with your security team to keep this rule fine-grained: allow the port only from the Lambda function's security group (or the CIDRs of the subnets the function runs in), not from 0.0.0.0/0.
Step 3: Ensure the Lambda execution role has enough permissions to talk to the other services:
Navigate to AWS Console -> All services -> Compute -> Lambda, select the Lambda function that you created during the deployment via CDK and scroll to the 'Execution role' section.
Open the role attached to the Lambda function and check which policies it carries.
AWS CDK should have attached the following managed and inline policies: AWSLambdaExecute (managed) and SAPLambdaRoleDefaultPolicy (inline).
Attach the managed policy AWSLambdaVPCAccessExecutionRole by selecting it and choosing Attach policies; this is what allows the function to run inside your VPC and reach the SAP instance privately. Lambda creates elastic network interfaces (ENIs) in your subnets to reach other resources, and this policy grants the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface permissions (plus CloudWatch Logs) that it needs for that.
Step 4: Establish connectivity between Lambda and the AWS services the function depends on. You can either use VPC endpoints or deploy a NAT Gateway. VPC endpoints are the preferred option: the traffic never leaves the AWS network and the private subnet needs no route to the internet.
Several services offer VPC endpoints. You can use VPC endpoints to connect to AWS services from within a VPC without public internet access. For this workshop you need:
- Amazon S3 and DynamoDB as Gateway VPC endpoints
- AWS Secrets Manager as an Interface VPC endpoint
Go to your console: AWS Console -> All Services -> Networking & Content Delivery -> VPC -> Endpoints.
Follow the previous steps to select Amazon S3 as service and create an S3 Gateway endpoint
Follow the previous steps to select AWS Secrets Manager as service and create an Interface endpoint.
For simplicity, the workshop chooses all subnets, the default security group and the Full Access endpoint policy. In a production account tighten this: use an endpoint policy that allows only the Lambda execution role to call secretsmanager:GetSecretValue on the secrets it needs, and attach a security group that allows inbound TCP 443 only from the Lambda function's security group.
Validate the endpoints using this path: AWS Console -> All Services -> Networking & Content Delivery -> VPC -> Endpoints.
If you use a NAT Gateway instead of endpoints: deploy the NAT Gateway in a public subnet of the VPC and add a 0.0.0.0/0 route to it in the route table of the private subnet where the SAP instance is hosted. Lambda and EC2 connect to AWS Secrets Manager, Amazon S3 and DynamoDB; these are managed services with public endpoints, so without VPC endpoints the private subnet needs a path to the internet to reach them.
Continue with Step 5!
Step 5: Validate the routes of the private subnet that hosts your SAP instance. You should see one route per gateway endpoint (destination is the service's managed prefix list, target is the vpce-... ID). Interface endpoints are not shown here: they are ENIs reached through private DNS, not routes.
Open AWS Console -> All Services -> Compute -> EC2 -> Instances, select your SAP instance and click its subnet ID.
In the subnet view, open the Route table tab to verify the gateway endpoint routes (or, for the NAT option, the 0.0.0.0/0 route to the NAT Gateway).
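Steps 2 to 5 are console clicks, and the same checks can be scripted against the JSON that the AWS CLI (`aws ec2 describe-security-groups`, `aws ec2 describe-route-tables`, `aws iam list-attached-role-policies`) returns. The script below is an added example, not part of the workshop's CDK code: it validates that the SAP HTTPS port is reachable from the Lambda security group and not from the internet, that the private subnet has gateway endpoint routes or a NAT default route, that the execution role carries AWSLambdaVPCAccessExecutionRole, and it builds a scoped Secrets Manager endpoint policy to replace the "Full Access" default. All IDs, ARNs and the sample API responses are constructed; the Lambda security group ID, role ARN and secret ARN are assumptions you would replace with your own.

```python
"""Offline checks for the Lambda-to-SAP network setup (added example, not workshop code).

The sample dicts below are constructed to match the shape of the AWS CLI output for
describe-security-groups, describe-route-tables and list-attached-role-policies.
"""
import json

SAP_HTTPS_PORT = 44300                     # from SMICM -> Goto -> Services (Step 1)
LAMBDA_SG_ID = "sg-0123456789lambda"       # assumed: security group of the Lambda function
LAMBDA_ROLE_ARN = "arn:aws:iam::111122223333:role/SAPLambdaRole"  # assumed

# Constructed: the SAP instance's security group, HTTPS opened to the Lambda SG only.
SAP_SG = {
    "GroupId": "sg-0123456789sapdb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 44300, "ToPort": 44300,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ],
}

# Constructed: route table of the private subnet with S3 and DynamoDB gateway
# endpoints and no default route. Interface endpoints never show up here.
PRIVATE_RT = {
    "Associations": [{"SubnetId": "subnet-0sapprivate"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-0s3prefix", "GatewayId": "vpce-0s3gateway"},
        {"DestinationPrefixListId": "pl-0ddbprefix", "GatewayId": "vpce-0ddbgateway"},
    ],
}

# Constructed: what CDK attached before Step 3 (the VPC access policy is still missing).
ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AWSLambdaExecute", "PolicyArn": "arn:aws:iam::aws:policy/AWSLambdaExecute"},
]}


def _covers_port(perm, port):
    """True if a security-group rule matches TCP traffic to `port` ("-1" = all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sap_port_exposure(sg, port, lambda_sg_id):
    """Step 2: is `port` allowed from the Lambda SG, and is it also open to 0.0.0.0/0?"""
    from_lambda = open_world = False
    for perm in sg["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        if any(p.get("GroupId") == lambda_sg_id for p in perm.get("UserIdGroupPairs", [])):
            from_lambda = True
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            open_world = True
    return {"reachable_from_lambda": from_lambda, "open_to_internet": open_world}


def private_subnet_egress(route_table):
    """Steps 4/5: gateway endpoint routes (prefix list -> vpce-*) and NAT default route."""
    gateway_endpoints = [r["GatewayId"] for r in route_table["Routes"]
                         if "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")]
    nat_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r
                      for r in route_table["Routes"])
    return {"gateway_endpoints": gateway_endpoints, "nat_default_route": nat_default}


def missing_managed_policies(attached, required=("AWSLambdaExecute", "AWSLambdaVPCAccessExecutionRole")):
    """Step 3: names of required managed policies the execution role still lacks."""
    names = {p["PolicyName"] for p in attached["AttachedPolicies"]}
    return sorted(set(required) - names)


def secrets_endpoint_policy(role_arn, secret_arns):
    """Step 4: endpoint policy limited to one role and named secrets instead of Full Access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": list(secret_arns),
        }],
    }


if __name__ == "__main__":
    print("SAP HTTPS port:", sap_port_exposure(SAP_SG, SAP_HTTPS_PORT, LAMBDA_SG_ID))
    print("Private subnet egress:", private_subnet_egress(PRIVATE_RT))
    print("Missing role policies:", missing_managed_policies(ATTACHED))
    secret = "arn:aws:secretsmanager:us-east-1:111122223333:secret:sap-odp-abc123"  # assumed
    print(json.dumps(secrets_endpoint_policy(LAMBDA_ROLE_ARN, [secret]), indent=2))
```

To run it against a real account, replace the constructed dicts with `json.load` of the CLI output for your SAP security group, the route table associated with the SAP subnet, and the Lambda execution role; a result of `open_to_internet: True` on the HTTPS port, an empty endpoint list without a NAT route, or a non-empty missing-policy list each point at the step that still needs work.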
Step 6: Update the Lambda network settings: AWS Console -> All services -> Compute -> Lambda, select the ODP Lambda function and scroll to the VPC section to update: