Hybrid multi-cloud network security aspects are an essential part of the SAP Cloud Architecture overview with Hybrid Multi-Cloud Architecture, Cloud Computing and Extensibility, Cloud Integration components. This overview page describes some network and security best practices for SAP BTP, Microsoft Azure and Amazon AWS business technology platforms.
Secure networks on hybrid multi-cloud platforms shall be implemented with multiple layers and Defense in Depth strategies. Hyperscaler platforms like Azure or AWS offer cloud services to implement security best practices with comparable concepts.
Design examples of virtual networks on Azure (VNet) and AWS (VPC) are visualized in the blueprint architectures below:
The table below roughly compares some Azure and AWS virtual network components; they are described in more detail in the Azure AWS Virtual Network Components section.
Multi-Cloud Components | Azure VNet | AWS VPC |
---|---|---|
Default Network | not provided | the default structure visualized in the AWS diagram above |
High Availability | ||
Region level | one region owns at least 3 availability zones | most regions with at least 3 availability zones |
Subnet Level | subnets span across the availability zones of a region | each subnet must reside entirely within one availability zone and cannot span zones |
Firewall | ||
Traffic control | Network and Application Security Groups | Network Access Control Lists (NACL) and Security Groups |
Route Tables (direct traffic with rules) | associated with subnets, can be used to limit default internet access | associated with subnets or gateways (VPN, Internet) |
Gateways | NAT as default outbound internet route | NAT (private subnet), Internet (public subnet) |
Connections | ||
Network Services | Service Endpoints | VPC Endpoints |
Other Virtual Networks | VNet Peering | VPC Peering |
Network Interface | 1 default or more per VNet | 1 default or more per VPC |
Hybrid | VPN Gateway, Azure Express | Point-to-Site and Site-to-Site VPN, AWS Direct Connect |
Related documentation: Azure load balancing options, Elastic Load Balancing Features.
Load balancers increase the resilience, performance and availability of cloud architectures on different communication layers (OSI levels 3-7) with defined rules or health checks to route traffic to targets.
The table below compares AWS and Azure load balancing options on different OSI layers with related communication protocols and transferred objects.
OSI Layer Transfer Object with Protocols | Routing Method | Azure | AWS |
---|---|---|---|
Application (layer 7) data with HTTP(S) | based on application URL or CDN Origin, for HTTPS traffic with SSL offload | Application Gateway, Front Door CDN | Application Load Balancer, Classic Load Balancer |
Presentation (6) / Session (5) layer data with DNS | geo-located routing with high availability and failover capabilities for hybrid multi-cloud scenarios | Traffic Manager | Route53 |
Transport (layer 4) segments with TCP | route traffic based on source and target IP address and port, with availability zone support | Azure Load Balancer | Network Load Balancer, Classic Load Balancer |
Network (layer 3) packets with IP | route tables | | Gateway Load Balancer |
AWS Elastic Load Balancing facilitates L3-L7 load balancing across availability zones with Application, Network, Gateway and Classic load balancer support.
Azure VNets are created with a default route 0.0.0.0/0 and next hop type Internet, which routes any traffic that is not addressed to a range within the virtual network or to an Azure service to the Internet.
Azure Network Watcher provides tools to monitor network traffic within a VNet, like IP Flow Verify to find denied and allowed packets sent to or from a VM.
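The next-hop decision described above is a longest-prefix match over the effective route table, where a user-defined route (UDR) overrides a system route with the same prefix. The following is an added example, not code from the original page or from Azure; the VNet address space 10.0.0.0/16, the route entries and the next-hop names are constructed for the demonstration.

```python
"""Longest-prefix-match route lookup that models how a VNet route table picks
the next hop for an outbound packet. Added example, not code from the original
page or from Azure; the VNet address space, the route entries and the next-hop
names are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination CIDR
    next_hop: str    # e.g. "VirtualNetwork", "Internet", "VirtualAppliance", "None"
    source: str      # "Default" for a system route, "User" for a user-defined route


# Constructed: the system routes a VNet with address space 10.0.0.0/16 gets
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),   # the default internet route from the text
]


def lookup(routes, dst_ip):
    """Return the most specific matching route; on equal prefix length a user
    route wins, because user-defined routes override default (system) routes."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if ip not in net:
            continue
        more_specific = net.prefixlen > best_len
        same_len_user_wins = (net.prefixlen == best_len
                              and route.source == "User" and best.source != "User")
        if more_specific or same_len_user_wins:
            best, best_len = route, net.prefixlen
    return best


def effective_routes(user_routes):
    """Effective route table of a subnet: system routes plus associated user-defined routes."""
    return SYSTEM_ROUTES + list(user_routes)


def internet_egress_blocked(user_routes, probe_ip="203.0.113.10"):
    """True when traffic to a public address no longer leaves directly via the Internet hop."""
    hop = lookup(effective_routes(user_routes), probe_ip).next_hop
    return hop != "Internet"


if __name__ == "__main__":
    # Forced tunneling: a UDR 0.0.0.0/0 sends all internet-bound traffic to a firewall appliance
    udr = [Route("0.0.0.0/0", "VirtualAppliance", "User")]
    for dst in ("10.0.1.4", "8.8.8.8"):
        print(dst, "->", lookup(effective_routes(udr), dst).next_hop)
```

A UDR with next hop `None` drops internet-bound traffic entirely, a UDR to a `VirtualAppliance` inspects it first; either way `internet_egress_blocked` reports that the default internet route no longer applies, while intra-VNet traffic still matches the more specific 10.0.0.0/16 system route.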
Microsoft Azure offers load balancing options for different OSI communication layers.
Azure Application Gateways are web traffic load balancers (OSI layer 7) which allow routing based on URLs or HTTP request attributes and support SSL termination and round robin routing for load balancing. Web Application Firewalls (WAF) protect against common vulnerabilities and exploits like SQL injection attempts, XSS and DDoS.
Azure Load Balancer (Basic or Standard) distributes incoming internet TCP / UDP traffic on OSI layer 4. A Standard load balancer with two healthy endpoints supports high availability with a 99.99% SLA. Public load balancers provide outbound connections with endpoints for VMs or virtual machine scale sets (VMSS). Internal load balancers provide private IPs, but can also be reached in hybrid scenarios from on-premise.
Azure Traffic Manager is a DNS based load balancer that directs client requests to specific service endpoints across regions with high availability and responsiveness. The Traffic Manager routing method determines one IP address endpoint out of the one or more IP addresses assigned to a domain name.
Traffic routing methods follow different strategies such as priority, weighted, performance (closest endpoint with the lowest latency) or geographic. Active-Active routing keeps two parallel clusters available for traffic routing to support high availability.
In Active-Passive scenarios, priority traffic routing routes traffic to the active region unless this region fails. Traffic Manager monitors the health of the endpoints and decides, based on threshold settings for the number of available healthy endpoints, when to fail over to the passive region.
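The Active-Passive decision above, as an added example that is not code from the original page or from Azure: priority routing picks the preferred healthy endpoint, and a probe monitor only marks an endpoint degraded after more than a tolerated number of consecutive failed probes, so a single lost probe does not trigger a failover. Endpoint names, targets and probe results are constructed.

```python
"""Priority routing with health-probe driven failover, modelling Active-Passive
Traffic Manager behaviour. Added example, not code from the original page or from
Azure; endpoint names, targets and the probe results are constructed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    target: str                    # DNS name the client is directed to
    priority: int                  # lower value = preferred
    enabled: bool = True
    consecutive_failures: int = 0
    degraded: bool = False


@dataclass
class HealthMonitor:
    """Marks an endpoint degraded after more than `tolerated_failures` consecutive
    failed probes, and healthy again after the next successful probe."""
    tolerated_failures: int = 3

    def observe(self, ep: Endpoint, probe_ok: bool) -> None:
        if probe_ok:
            ep.consecutive_failures = 0
            ep.degraded = False
            return
        ep.consecutive_failures += 1
        if ep.consecutive_failures > self.tolerated_failures:
            ep.degraded = True


def choose_endpoint(endpoints):
    """Priority routing: the enabled, healthy endpoint with the lowest priority value.
    When every endpoint is degraded all are treated as healthy again (the documented
    Traffic Manager behaviour), so the best-priority endpoint is still returned."""
    enabled = [e for e in endpoints if e.enabled]
    if not enabled:
        return None
    healthy = [e for e in enabled if not e.degraded]
    pool = healthy if healthy else enabled
    return min(pool, key=lambda e: e.priority)


def resolve(endpoints):
    """The DNS answer a client would get for the profile, or None if nothing is enabled."""
    ep = choose_endpoint(endpoints)
    return ep.target if ep else None


if __name__ == "__main__":
    active = Endpoint("west", "app-west.example.test", priority=1)
    passive = Endpoint("east", "app-east.example.test", priority=2)
    monitor = HealthMonitor(tolerated_failures=3)
    for probe_ok in (True, False, False, False, False):   # constructed probe results
        monitor.observe(active, probe_ok)
        print(probe_ok, "->", resolve([active, passive]))
```

The tolerance threshold trades detection speed against false failovers: a lower value fails over sooner but also on transient probe loss, which in a DNS based scheme additionally interacts with the record TTL clients cache.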
SAP hybrid multi-cloud environments shall follow security best practices, standards like ISO/IEC and regulations like GDPR or BSI Cloud Computing with shared responsibilities for customers and cloud providers. GDPR (General Data Protection Regulation) defines shared responsibilities for personal data processing between data controllers, which determine means and purposes, and data processors, processing data on behalf of data controllers.
Customers act as GDPR data controllers and have to implement security on different levels with application related responsibilities:
Customers have to define secure processes which follow legal requirements with reviews of application logs and third party audit logging of personal data access. They have to implement data life cycle requirements and data protection with access and change control. Hybrid customer cloud environments shall be connected securely between on-premise and cloud.
Cloud providers act as GDPR data processors with responsibilities for system level security like separation of tenant data and encryption of data at rest or in transit. Secure cloud provider data centers have to implement redundancy of critical components (like two separately connected power supply grid sectors), monitoring of key components (e.g. cooling or power supply), multiple firewalls to divide networks into protected segments and multiple internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks.
RISE S/4HANA Cloud security management is supported by tools like:
The diagram below presents an overview about the protection layers of Defense in Depth cloud security strategies.
Cloud data security strategies have to be implemented for data at rest and in transit on multiple OSI (Open System Interconnection) layers.
Cloud providers implement different data encryption strategies for network traffic:
Cloud customers are responsible for encrypting data in transit on the application level (OSI layer 7) by using TLS (SSL), with TLS handshakes establishing sessions (OSI layer 5) for encrypted communication (OSI layer 6).
Services to manage secrets, certificates or keys, with custom key management (BYOK - bring your own key) strategies, include AWS KMS or CloudHSM, AWS Secrets Manager, Azure Key Vault and the SAP BTP Credential Store.
Dynamic Data Masking prevents unauthorized access to sensitive data in databases like e.g. SAP HANA, Azure (SQL Database, SQL Managed Instance, Synapse Analytics) or AWS Redshift. Implement Row Level Security to control database row access with rules.
Identity Authentication Management (IAM)
Cloud IAM solutions manage digital identities for cloud-based software services (SaaS) to ensure compliant processes in hybrid multi-cloud environments.
Some IAM security areas are Identity Governance, Provisioning and Federation.
Secure Cloud Application Programming
Cloud application programming models have to support the OAuth2 standard to implement SaaS applications as service providers (SP) with the SAML2 or OpenID authentication protocols. OAuth2 defines authorization grants between clients (SP) and authorization servers (IdP) to limit access to cloud resources securely.
The OAuth Authorization Code Grant allows exchanging login information for SAML or JWT formatted access tokens, and the Bearer Token Grant (SAML or JWT) enables access to OAuth protected resources. The OpenID protocol implements decentralized authentication with identity providers (IdP), with OpenID Connect (OIDC) as the authentication layer on top of OAuth.
External identity providers (IdP) have to be explicitly trusted for SAML authentication on cloud platforms.
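What "accessing an OAuth protected resource with a bearer token" means on the resource-server side is shown by the following added example; it is not code from the original page or from SAP BTP. It checks a JWT access token's algorithm, signature, issuer, audience, validity window and scope before granting access. For a self-contained demo it assumes an HS256 shared secret; identity providers normally sign with RS256 and publish their keys via a JWKS endpoint, but the claim checks are identical. The issuer, audience, secret and claims are constructed.

```python
"""Resource-server side check of a bearer access token in JWT format: signature,
issuer, audience, expiry and scope. Added example, not code from the original page
or from SAP BTP. Assumes an HS256 shared secret for a self-contained demo; the
issuer, audience and secret values are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: key shared with the IdP
ISSUER = "https://idp.example.test"                 # assumption: the trusted IdP
AUDIENCE = "orders-api"                             # assumption: this resource server


class TokenError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a signed JWT the way the IdP would after an authorization code grant."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_token(token: str, required_scope: str = None, now: float = None) -> dict:
    """Verify the token and return its claims; raise TokenError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: never let the token's own 'alg' choose the check (rejects alg=none)
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):   # constant-time compare
        raise TokenError("invalid signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this resource")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    if required_scope and required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient scope")
    return claims


def authorize_request(authorization_header: str, required_scope: str = None, now: float = None):
    """Parse an 'Authorization: Bearer ...' header; return (True, claims) or (False, reason)."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    try:
        return True, validate_token(token.strip(), required_scope, now)
    except TokenError as err:
        return False, str(err)


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                      "scope": "orders.read", "exp": time.time() + 300})
    print(authorize_request("Bearer " + tok, required_scope="orders.read"))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled payload never influences the decision, and the audience check prevents a token minted for another service behind the same IdP from being replayed against this one.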
The following diagram visualizes how authentication standards are offered on the SAP Business Technology Platform (BTP) with the SAP Cloud Application Model (CAP) to propagate cloud identities across hybrid multi-cloud environments (5) integrated with Cloud Connector and to exchange user tokens (2) and access resources on behalf of authenticated principals (3).
Protection on the virtual network level is implemented with separated public and private network segments, limited public access and secure connections between virtual networks. Hyperscaler virtual network peering keeps traffic private within the backbone network without the need for public internet, gateways or encryption.
Network Security Attack Protection
Some DDoS (Distributed Denial of Service) attack examples on different OSI layers are listed below:
OSI Layer | DDoS Attack Vector Example |
---|---|
Application (7) | HTTP, DNS query floods |
Presentation (6) | TLS abuse |
Transport (4) | SYN floods: client sends large number of synchronization (SYN) packets, server acknowledges (SYN-ACK), but client doesn't complete handshake with ACK |
Network (3) | UDP reflection attacks: client sends request to intermediate server which forwards an amplified, several times larger response to attacked servers |
Hyperscaler services to protect against DDoS attacks are:
Protection Layer | Azure Services | AWS Services |
---|---|---|
Layers 3-4 | Azure DDoS Protection | AWS Shield |
Layers 6-7 | WAF (Traffic Manager, Front Door) | WAF (Route 53, CloudFront) |
Virtual Network Operational Security
AWS Config and Azure Resource Graph enable continuous monitoring and assessment of resource configurations. AWS Organizations and Azure Policies help to enforce organizational standards and to assess compliance.
Vulnerability Assessment Penetration Testing (VAPT) improves cloud security and helps to identify cyber security vulnerabilities.
Azure Active Directory is not a cloud version of on-premise AD; in contrast to on-premise AD it offers application management and no domain services.
Component | Description |
---|---|
Azure Active Directory | Azure AD is a cloud based store for users, groups and applications, using OAuth and SAML for authentication. One Azure AD tenant is associated with one Azure Subscription |
Features | Conditional Access policies enable decisions, e.g. about MFA usage, based on signals like trusted named locations for countries or IP ranges, device type, user or group membership. Hybrid Identity Management with shared user management (on-premise, cloud) and synchronized (Azure AD authenticates) or federated (on-premise domain controller authenticates) identities. AD Connect synchronizes Azure AD and AD DS and offers hybrid identities with authentication methods (password hash synchronization, pass-through authentication, federation) to enable single sign-on (SSO). Activity Logs can be routed to different targets like Event Hubs to be stored persistently in Cosmos DB event stores. Identity Protection automates risk identification and threat protection. |
Premium Features | Azure AD P2 licenses offer Privileged Identity Management (PIM) features like access reviews with automatic revocation of permissions, permission grants only when needed, country specific MFA logins and temporary administrator access. Further P2 license features are identity protection with automated risk investigation and detection, audit history for AD roles and on-premise MFA |
Domain Services | |
AD DS | Active Directory Domain Services (AD DS) is Microsoft's on-premise service to access or manipulate objects stored in the directory. AD DS offers features like federation with SSO, LDAP services or management of certificates and rights. AD DS is hosted by domain controllers |
Azure AD DS | Azure Active Directory Domain Services (Azure AD DS) support group policies, domain joins and protocols such as Kerberos, NTLM or LDAP. They are suitable to deploy AD DS dependent workloads without the need to deploy and manage AD domain controllers in the cloud |
The Microsoft Identity Management implements access control based on security principals, roles and policies.
Security Principals allow users or applications to access resources secured by an Azure AD tenant. Azure applications have to be registered in the App Registration to be listed with Service Principals in the Enterprise Applications area, where applications offered by other companies (like SAP IAS) are registered as well.
Managed identities are service principals which eliminate the need to manage credentials for applications accessing Azure AD secured resources. Virtual Machines can request access tokens from the Azure Instance Metadata Service (IMDS) to authenticate to Azure services like Key Vault.
On-premise applications can be integrated with Application Proxies as Enterprise Applications with Azure AD security features like Conditional Access or MFA. Shared Access Signatures (SAS) allow limited-time, fine grained access control to resources.
Role based access control (RBAC) is an authorization system based on Azure Resource Manager (ARM). Owner and Contributor built-in roles allow full access to manage resources. Owner and User Access Administrator roles enable to grant access to others. Custom roles can grant or deny access on management group, subscription, resource group or resource level to users, groups, services or principal identities. DevTest Lab users have view access and DevTest owners can additionally modify e.g. policies, VMs or virtual networks.
Azure Policies are used to implement governance, to enforce organizational standards, to assess compliance with resource properties checks and enable to apply alerts e.g. when new subscriptions are added. Policies can be assigned on management group, subscription or resource group level.
The table below offers some basic information about AWS services for Single Sign On (SSO) and Identity Authentication Management (IAM).
Service | Short Description |
---|---|
AWS SSO | AWS SSO allows centrally managing access to multiple AWS accounts or cloud business applications like Salesforce. AWS SSO provides users single sign-on access to all their assigned accounts and applications. AWS SSO supports automatic provisioning (synchronization) of user and group information from Azure AD. AWS SSO can be integrated with Microsoft AD using the AWS Directory Service. |
AWS Directory Service | AWS Directory Service (AWS Managed Microsoft Active Directory) extends your on-premises Microsoft Active Directory domain to the cloud without the need to synchronize or replicate data |
AWS Cognito | AWS Cognito secures access to applications with user pools, which can be integrated with external ID providers like Facebook or Google |
IAM | Identity Access Management (IAM) grants access to AWS services and resources with execution roles and policies within an AWS account |
Lambda Authorizer | Lambda Authorizer is an API Gateway feature that uses a Lambda function to control access to your API with a bearer token authentication strategy such as OAuth or SAML |
Encryption together with key management are important features to secure workloads and store data confidentially in multi-cloud environments. Customers can use BYOK (Bring your own key) and BYOE (Bring your own encryption engine) features to keep full control over the encryption.
Azure supports various encryption models with client-side encryption outside of Azure, customer managed keys or server-side encryption.
Below you can find a selection and summary of some encryption capabilities with Azure, for more details please visit the encryption overview.
Capabilities | Description |
---|---|
Key Vault | Service to store and access secrets securely e.g. for authentication management with managed identities for Azure resources, Service Principals for applications or self generated keys to encrypt data at rest in Azure Blob or File Storage |
TDE | Transparent Data Encryption to encrypt data files from SQL Server, Azure SQL Database and Azure SQL Data Warehouse |
Always Encrypted | to encrypt sensitive data in client applications and to store the data in Azure SQL or SQL Server databases. Protects even against unauthorized access by administrators |
Azure Disk Encryption | for VM standard tier with managed disks, to always encrypt data at rest with self managed encryption keys and audited usage |
BYOK | Azure supports several HSM (hardware security modules) to generate encryption keys and bring your own key (BYOK) with import into Azure Key Vault |
Encryption is one layer of the AWS defense-in-depth security strategy. With KMS and CloudHSM services, you can store data and keys separately at rest. TLS is used to encrypt data in motion.
Capabilities | Short Description |
---|---|
KMS | KMS is a multitenant Key Management Service, managed by AWS, to create and manage cryptographic keys with usage control |
CloudHSM | CloudHSM is under full customer control in a separate VPC, and allows generating and using your own encryption keys in the AWS Cloud |
Standardized best practices for Amazon AWS network security architectures can be implemented with CloudFormation Architecture Templates. CloudFormation templates enable the design of cloud infrastructures as code with network and security components.
Components | Short Description |
---|---|
VPC | Virtual Private Clouds (VPC) are logically isolated virtual networks in AWS accounts. A VPC spans all availability zones of a region, with a range of IPv4 addresses as CIDR block |
Availability Zones | Availability Zones contain one or more discrete data centers to enable high availability |
Local Zones | Local Zones reduce latency and allow fulfilling data residency requirements with portions of applications located close to end users or resources |
Subnets | Subnets separate public external-facing network segments from private segments for internal resources |
NAT Gateways | NAT Gateways provide outbound internet access for instances in private subnets, but prevent the public internet from initiating connections to them. NAT Gateways offer better availability and bandwidth than NAT instances |
NACL | Network Access Control Lists (NACL) act as a firewall to control inbound and outbound traffic on subnet level. By default all ports (in-/outbound) are open and configuration is done with rules (allow/deny). Return traffic has to be explicitly allowed (stateless behavior) with random ports from the ephemeral port range (1024-65535) as client source port |
Security Groups | AWS Security Groups act as a firewall on EC2 instance level. All inbound traffic from other hosts is denied and all outbound traffic is allowed by default. Security group rules are always permissive, with filters for protocols and ports. The stateful behavior allows response in-/outbound traffic after allowed out-/inbound traffic. |
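The stateless versus stateful distinction in the two rows above is the classic source of "the request arrives but the response never leaves" findings. The following added example (not code from the original page or from AWS) evaluates one HTTPS request and its reply against a NACL, first without and then with the outbound ephemeral-port rule, and against a security group that remembers the allowed flow. Addresses, ports and rule numbers are constructed; the matcher only models protocol, CIDR and destination port.

```python
"""Toy packet filter showing a stateless network ACL, which must explicitly allow
return traffic on ephemeral ports, next to a stateful security group, which
remembers allowed connections. Added example, not code from the original page or
from AWS; addresses, ports and rule numbers are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # the return-traffic port range named in the text


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (towards the subnet/instance) or "out"
    proto: str        # "tcp" or "udp"
    src: str
    src_port: int
    dst: str
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated in ascending order, first match wins
    direction: str
    proto: str        # "tcp", "udp" or "all"
    cidr: str         # source for inbound rules, destination for outbound rules
    ports: tuple      # destination port range (low, high)
    action: str       # "allow" or "deny"


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _rule_matches(proto, cidr, ports, pkt: Packet) -> bool:
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (proto in ("all", pkt.proto) and _in_cidr(remote, cidr)
            and ports[0] <= pkt.dst_port <= ports[1])


def nacl_decision(rules, pkt: Packet) -> str:
    """Stateless: every packet is judged on its own, ending with the implicit deny (*)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction == pkt.direction and _rule_matches(rule.proto, rule.cidr, rule.ports, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: rules are allow-only, and a reply belonging to an already allowed
    flow is accepted without any rule in the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (proto, cidr, (low, high))
        self.outbound = outbound
        self._flows = set()

    def decision(self, pkt: Packet) -> str:
        reply_of = (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reply_of in self._flows:
            return "allow"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, cidr, ports in rules:
            if _rule_matches(proto, cidr, ports, pkt):
                self._flows.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
                return "allow"
        return "deny"


# Constructed scenario: an internet client opens HTTPS to a web server in the subnet
REQUEST = Packet("in", "tcp", "203.0.113.10", 51515, "10.0.1.10", 443)
REPLY = Packet("out", "tcp", "10.0.1.10", 443, "203.0.113.10", 51515)

# NACL that allows HTTPS in but lacks the outbound ephemeral-port rule
NACL_NO_RETURN = [NaclRule(100, "in", "tcp", "0.0.0.0/0", (443, 443), "allow")]
# NACL as it should be written: replies to client ephemeral ports are allowed out
NACL_WITH_RETURN = NACL_NO_RETURN + [NaclRule(100, "out", "tcp", "0.0.0.0/0", EPHEMERAL, "allow")]


def web_server_flow(nacl_rules, sg: SecurityGroup):
    """Evaluate request and reply through both layers; returns per-layer decisions."""
    return {
        "nacl": (nacl_decision(nacl_rules, REQUEST), nacl_decision(nacl_rules, REPLY)),
        "sg": (sg.decision(REQUEST), sg.decision(REPLY)),
    }


if __name__ == "__main__":
    sg = SecurityGroup(inbound=[("tcp", "0.0.0.0/0", (443, 443))], outbound=[])
    print(web_server_flow(NACL_NO_RETURN, sg))
```

Note the price of the stateless fix: the NACL has to open the whole ephemeral range outbound to any destination, so it is the security group (or a stricter outbound NACL rule set) that actually limits what an instance may initiate, not the return-traffic rule.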
The Microsoft Azure Resource Manager allows defining network security components with infrastructure as code templates. Azure Blueprints offer a declarative way to orchestrate the environment setup (deployment) of various resource templates on management group or resource group level.
Component | Short Description |
---|---|
VNet | Azure VNet is the basic private network building block with its own address space, limited to one region and subscription |
Availability Zones | AZs are geographically distributed within a region to enable high availability |
Subnet | Subnets are part of the VNet, secured separately with Network Security Groups |
NSG | Network Security Groups (NSG) allow or deny in-/outbound traffic from or to resources with rules (custom or default) specifying source, destination, port and protocol. Source and destination attributes are specified with VNet service tags like VirtualNetwork, Internet or AzureLoadBalancer. Default NSG rules enable communication within the VNet, but deny all external in-/outbound traffic, except load balancer inbound and internet outbound. NSGs can be assigned to subnets or network interface cards (NIC) n:n. Subnet NSGs are processed first for inbound traffic; for outbound traffic NIC NSG rules are processed before subnet NSG rules. |
Proximity Placement Groups | Proximity Placement Groups group Azure compute resources, deployed in availability sets or virtual machine scale sets, physically as close as possible to each other to reduce latency |
By default outbound traffic is allowed. For inbound traffic a public IP address or load balancer has to be assigned. See also the related Azure Network Documentation.
Resources | Short Description |
---|---|
Azure | |
VNet | VNets get created with a private IP range and 1 or more subnets as segmentation. Resources deployed in subnets can communicate with each other via private IP addresses. Web, application and database application tiers can be separated on VNet or subnet level |
Service Endpoints | VNet Service Endpoints provide a secure and direct connection to Azure services through an optimized route within the Azure backbone network. They limit and protect services without additional charge. For internal service traffic the access to resources switches to private IP addresses of the virtual network. |
VNet Peering | VNet Peering connects virtual networks with each other and enables communication of resources across the VNets |
Private Link | Private Link enables access to Azure PaaS services and to customer or partner services hosted on Azure with a private virtual endpoint and traffic over the Microsoft backbone network. Private Link introduces a private IP for a given instance of the PaaS service. The service gets accessed via the private IP from peered VNets or on-premise networks |
Local | |
Point-to-Site VPN | Point-to-Site VPNs are connections between a local single computer and a VNet |
Site-to-Site VPN | Site-to-Site VPNs are connections between a local VPN device and a VPN gateway deployed in the VNet. Forced Tunneling redirects all internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing |
ExpressRoute | ExpressRoute Circuits are private connections between local networks and Azure or Office 365, using Layer 3 connectivity with Border Gateway Protocol (BGP). ExpressRoute circuits can be cross connected to multiple peered VNets. |