
Hybrid multi-cloud network security aspects are an essential part of the SAP Cloud Architecture overview with Hybrid Multi-Cloud Architecture, Cloud Computing and Extensibility, Cloud Integration components. This overview page describes some network and security best practices for SAP BTP, Microsoft Azure and Amazon AWS business technology platforms.

SAP BTP AWS Azure Hybrid Multi-Cloud Platform Network Security

Secure networks on hybrid multi-cloud platforms shall be implemented with multiple layers and Defense in Depth strategies. Hyperscaler platforms like Azure or AWS offer cloud services to implement security best practices with comparable concepts.

Azure AWS Virtual Network Architecture

Design examples of virtual networks on Azure (VNet) and AWS (VPC) are visualized in the blueprint architectures below:

Azure Virtual Network Architecture
AWS Virtual Private Cloud Default Network Architecture

The table below roughly compares some Azure and AWS virtual network components; they are described in more detail in the section Azure AWS Virtual Network Components.

| Multi-Cloud Components | Azure VNet | AWS VPC |
| --- | --- | --- |
| Default Network | not provided | the default structure visualized in the AWS diagram above |
| High Availability | | |
| Region level | one region owns at least 3 availability zones | most regions with at least 3 availability zones |
| Subnet level | subnets span across the availability zones of a region | each subnet must reside entirely within one availability zone and cannot span zones |
| Firewall | | |
| Traffic control | Network and Application Security Groups | Network Access Control Lists (NACL) and Security Groups |
| Routing Tables | direct traffic with rules associated with subnets, allow limiting default internet access | associated with subnets or gateways (VPN, Internet) |
| Gateways | NAT as default outbound internet route | NAT (private subnet), Internet (public subnet) |
| Connections | | |
| Network Services | Service Endpoints | VPC Endpoints |
| Other Virtual Networks | VNet Peering | VPC Peering |
| Network Interface | 1 default or more per VNet | 1 default or more per VPC |
| Hybrid | VPN Gateway, Azure ExpressRoute | Point-to-Site and Site-to-Site VPN, AWS Direct Connect |

Public Network Load Balancer Options

See also: Azure load balancing options, Elastic Load Balancing Features

Load balancers increase the resilience, performance and availability of cloud architectures on different communication layers (OSI layers 3-7), using defined rules and health checks to route traffic to targets.

The table below compares AWS and Azure load balancing options on different OSI layers with related communication protocols and transferred objects.

| OSI Layer | Transfer Object with Protocols | Routing Method | Azure | AWS |
| --- | --- | --- | --- | --- |
| Application (layer 7) | data with HTTP(S) | based on application URL or CDN origin, for HTTPS traffic with SSL offload | Application Gateway, Front Door CDN | Application Load Balancer, Classic Load Balancer |
| Presentation (6) / Session (5) | data with DNS | geo-located routing with high availability and failover capabilities for hybrid multi-cloud scenarios | Traffic Manager | Route 53 |
| Transport (layer 4) | segments with TCP | route traffic based on source and target IP address and port, with availability zone support | Azure Load Balancer | Network Load Balancer, Classic Load Balancer |
| Network (layer 3) | packets with IP | route tables | | Gateway Load Balancer |

AWS Elastic Load Balancing provides L3-L7 load balancing across availability zones with Application, Network, Gateway and Classic load balancer support.

Azure Virtual Networks (VNet)

An Azure VNet is created with the default route 0.0.0.0/0 and next hop type Internet, which sends any traffic not addressed to a specific range within the virtual network, or to the destination address of an Azure service, to the Internet.

Azure Network Watcher provides tools to monitor network traffic within a VNet, such as IP Flow Verify to find denied and allowed packets sent to or from a VM.

Azure Load Balancing Options

Microsoft Azure offers load balancing options for different OSI communication layers.

Azure Application Gateways are web traffic load balancers (OSI layer 7) which allow routing based on URLs or HTTP request attributes and support SSL termination and round-robin routing for traffic load balancing. Web Application Firewalls (WAF) protect against common vulnerabilities and exploits like SQL injection attempts, XSS and DDoS.

Azure Load Balancer (basic or standard) distributes incoming internet TCP / UDP traffic on OSI layer 4. A standard load balancer with two healthy endpoints supports high availability with a 99.99% SLA. Public load balancers provide outbound connections with endpoints for VMs or VMSS. Internal load balancers provide private IPs, but can also be reached in hybrid scenarios from on-premise.

Azure Traffic Manager is a DNS-based load balancer that directs client requests to specific service endpoints across regions, with high availability and responsiveness. The Azure Traffic Manager traffic routing method determines one IP address endpoint out of the one or more IP addresses assigned to a domain name.

Traffic routing methods follow different strategies, e.g. priority, weighted, performance (using the closest endpoint with the lowest latency) or geographic. Active-Active routing methods keep two parallel clusters available for traffic routing to support high availability.

In Active-Passive routing scenarios, priority traffic routing sends traffic to the active region unless this region fails. The Azure Traffic Manager monitors the health of endpoints and decides, based on threshold settings for the number of available healthy endpoints, when to fail over to passive regions.

SAP Cloud Security Best Practices

SAP hybrid multi-cloud environments shall follow security best practices, standards like ISO/IEC and regulations like GDPR or the BSI Cloud Computing catalogue, with shared responsibilities for customers and cloud providers. GDPR (General Data Protection Regulation) defines shared responsibilities for personal data processing between data controllers, which determine the means and purposes, and data processors, which process data on behalf of data controllers.

Customers act as GDPR data controllers and have to implement security on different levels with application related responsibilities:

Customers have to define secure processes which follow legal requirements, with reviews of application logs and third-party audit logging of personal data access. They have to implement data life cycle requirements and data protection with access and change control. Hybrid customer cloud environments shall be connected securely between on-premise and cloud.

Cloud providers act as GDPR data processors with responsibilities for system-level security like separation of tenant data and encryption of data at rest or in transit. Secure cloud provider data centers have to implement redundancy of critical components (like two separately connected power supply grid sectors), monitoring of key components (e.g. cooling or power supply), multiple firewalls to divide networks into protected segments and multiple internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks.

RISE S/4HANA Cloud security management is supported by tools like:

Cloud Architecture Security Best Practices

The diagram below gives an overview of the protection layers of a Defense in Depth cloud security strategy.

Cloud Architecture Security Best Practices - SAP Multi-Cloud Security Defense in Depth

Cloud Data Security Layer

Cloud data security strategies have to be implemented for data at rest and in transit on multiple OSI (Open Systems Interconnection) layers.

Cloud providers implement different data encryption strategies for network traffic:

Cloud customers are responsible for encrypting data in transit on the application level (OSI layer 7) by using TLS (SSL), where the TLS handshake establishes the session (OSI layer 5) for encrypted communication (OSI layer 6).

Services to manage secrets, certificates or keys, with custom key management (BYOK, bring your own key) strategies, include AWS KMS or CloudHSM, AWS Secrets Manager, Azure Key Vault and the SAP BTP Credential Store.

Dynamic Data Masking prevents unauthorized access to sensitive data in databases like SAP HANA, Azure (SQL Database, SQL Managed Instance, Synapse Analytics) or AWS Redshift. Implement Row Level Security to control database row access with rules.

SAP Cloud Application Layer Security

Identity Authentication Management (IAM)

Cloud IAM solutions manage the digital identities of cloud-based software services (SaaS) to ensure compliant processes in hybrid multi-cloud environments.

Some IAM security areas are Identity Governance, Provisioning and Federation.

Secure Cloud Application Programming

Cloud Application Programming models have to support the OAuth2 standard to implement SaaS applications as service providers (SP) with the SAML2 or OpenID authentication protocols. OAuth2 defines authorization grants between clients (SP) and servers (IdP) to securely limit access to cloud resources.

The OAuth Authorization Code Grant allows exchanging login information for SAML- or JWT-formatted access tokens, and the Bearer Token Grant (SAML or JWT) enables access to OAuth-protected resources. The OpenID protocol implements decentralized authentication with identity providers (IdP), with OpenID Connect (OIDC) as the authentication layer on top of OAuth.

External identity providers (IdP) have to be explicitly trusted for SAML authentication on cloud platforms.
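The checks a resource server has to run on a JWT bearer token before granting access, as an added example that is not SAP, Azure or AWS code. It assumes an HS256 shared secret, a placeholder issuer URL and a placeholder audience (all constructed here); IdPs usually sign with RS256 and a published public key, but the check sequence (pin the algorithm, verify the signature, then issuer, audience and validity window) is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment takes these from the IdP
# metadata and the resource's own registration.
SECRET = b"constructed-demo-shared-secret"
EXPECTED_ISSUER = "https://idp.example.test"   # placeholder IdP
EXPECTED_AUDIENCE = "orders-api"               # placeholder protected resource


class TokenError(Exception):
    """Raised for any reason a bearer token must be refused."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a signed token the way an IdP would; used here only to construct samples."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_bearer(token: str, now=None) -> dict:
    """Return the claims of an acceptable token, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm: never let the token header choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg %r" % header.get("alg"))
    # 2. Verify the signature (constant-time compare) before reading any claim.
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience: the token must come from our IdP and be meant for us.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this resource")
    # 4. Validity window.
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


if __name__ == "__main__":
    sample = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                         "sub": "user1", "exp": time.time() + 300})
    print("subject:", validate_bearer(sample)["sub"])
```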

The following diagram visualizes how authentication standards are offered on the SAP Business Technology Platform (BTP) with the SAP Cloud Application Programming Model (CAP) to propagate cloud identities across hybrid multi-cloud environments (5) integrated with the Cloud Connector, to exchange user tokens (2) and to access resources on behalf of authenticated principals (3).

Cloud Architecture Security Best Practices Multi-Cloud Principal Propagation

Cloud Virtual Network Security

Protection on the virtual network level is implemented with separated public and private network segments, limited public access and secure connections between virtual networks. Hyperscaler virtual network peering keeps traffic private within the backbone network, without the need for the public internet, gateways or additional encryption.

Network Security Attack Protection

Some DDoS (Distributed Denial of Service) attack examples on different OSI layers are listed below:

| OSI Layer | DDoS Attack Vector Example |
| --- | --- |
| Application (7) | HTTP, DNS query floods |
| Presentation (6) | TLS abuse |
| Transport (4) | SYN floods: the client sends a large number of synchronization (SYN) packets, the server acknowledges (SYN-ACK), but the client never completes the handshake with an ACK |
| Network (3) | UDP reflection attacks: the client sends a request to an intermediate server, which forwards an amplified response, several times larger, to the attacked servers |

Hyperscaler services to protect against DDoS attacks are:

| Protection Layer | Azure Services | AWS Services |
| --- | --- | --- |
| Layers 3-4 | Azure DDoS Protection | AWS Shield |
| Layers 6-7 | WAF (Traffic Manager, Front Door) | WAF (Route 53, CloudFront) |

Virtual Network Operational Security

AWS Config and Azure Resource Graph enable continuous monitoring and assessment of resource configurations. AWS Organizations and Azure Policy help to enforce organizational standards and to assess compliance.

Vulnerability Assessment and Penetration Testing (VAPT) improves cloud security and helps to identify cyber security vulnerabilities.

Azure Active Directory - Identity Access Management (IAM)

Azure Active Directory is not a cloud version of on-premise AD: in contrast to on-premise AD it offers application management but no domain services.

| Multi-Cloud with Azure Active Directory | Description |
| --- | --- |
| Azure Active Directory | Azure AD is a cloud based store for users, groups and applications, using OAuth and SAML for authentication. One Azure AD tenant is associated with one Azure Subscription. |
| Features | Conditional Access policies enable decisions, e.g. about MFA usage, based on signals like trusted named locations for countries or IP ranges, device type, user or group membership. |
| | Hybrid Identity Management with shared user management (on-premise, cloud) and synchronized (Azure AD authenticates) or federated (on-premise domain controller authenticates) identities. AD Connect synchronizes Azure AD and AD DS and offers hybrid identities with authentication methods (password hash synchronization, pass-through authentication, federation) to enable single sign-on (SSO). |
| | Activity Logs can be routed to different targets like Event Hubs to be stored persistently in Cosmos DB event stores. |
| | Identity Protection automates risk identification and threat protection. |
| Premium Features | Azure AD P2 licenses offer Privileged Identity Management (PIM) features like access reviews with automatic revocation of permissions, permission grants only when needed, country-specific MFA logins and temporary administrator access. Further P2 license features are identity protection with automated risk investigation and detection, audit history for AD roles and on-premise MFA. |
| Domain Services: Active Directory Domain Services (AD DS) | Active Directory Domain Services (AD DS) is Microsoft's on-premise service to access or manipulate objects stored in the directory. AD DS offers features like federation with SSO, LDAP services or managing certificates and rights. AD DS is hosted by domain controllers. |
| Domain Services: Azure Active Directory Domain Services (Azure AD DS) | Azure AD DS supports group policies, domain joins and protocols such as Kerberos, NTLM or LDAP. Suitable to deploy AD DS dependent workloads without the need to deploy and manage AD domain controllers in the cloud. |

Azure Identity Management Access Control

Microsoft Identity Management implements access control based on security principals, roles and policies.

Security Principals allow users or applications to access resources secured by an Azure AD tenant. Azure applications have to be registered in App Registrations to be listed with Service Principals in the Enterprise Applications area, where applications offered by other companies (like SAP IAS) are registered as well.

Managed identities are service principals which eliminate the need to manage credentials for applications accessing Azure AD secured resources. Virtual Machines can request access tokens from the Azure Instance Metadata Service (IMDS) to authenticate to Azure services like Key Vault.

On-premise applications can be integrated via Application Proxy as Enterprise Applications with Azure AD security features like Conditional Access or MFA. Shared Access Signatures (SAS) allow limited-time, fine-grained access control to resources.

Role-based access control (RBAC) is an authorization system based on Azure Resource Manager (ARM). The Owner and Contributor built-in roles allow full access to manage resources. The Owner and User Access Administrator roles allow granting access to others. Custom roles can grant or deny access on management group, subscription, resource group or resource level to users, groups, services or principal identities. DevTest Lab users have view access and DevTest owners can additionally modify e.g. policies, VMs or virtual networks.

Azure Policies are used to implement governance, to enforce organizational standards, to assess compliance with checks of resource properties and to raise alerts, e.g. when new subscriptions are added. Policies can be assigned on management group, subscription or resource group level.

Amazon AWS Identity Authentication Management SSO

The table below offers some basic information about AWS services for Single Sign-On (SSO) and Identity and Access Management (IAM).

| Service | Short Description |
| --- | --- |
| AWS SSO | AWS SSO allows centrally managing access to multiple AWS accounts or cloud business applications like Salesforce. AWS SSO provides users single sign-on access to all their assigned accounts and applications. AWS SSO supports automatic provisioning (synchronization) of user and group information from Azure AD. AWS SSO can be integrated with Microsoft AD using the AWS Directory Service. |
| AWS Directory Service | AWS Directory Service (AWS Managed Microsoft Active Directory) extends your on-premises Microsoft Active Directory domain to the cloud without the need to synchronize or replicate data. |
| AWS Cognito | AWS Cognito secures access to applications with user pools, which can be integrated with external ID providers like Facebook or Google. |
| AWS IAM | Identity and Access Management (IAM) grants access to AWS services and resources with execution roles and policies within an AWS account. |
| AWS Lambda Authorizer | Lambda Authorizer is an API Gateway feature that uses a Lambda function to control access to your API with a bearer token authentication strategy such as OAuth or SAML. |

Azure AWS Cloud Encryption

Encryption together with key management are important features to secure workloads and store data confidentially in multi-cloud environments. Customers can use BYOK (bring your own key) and BYOE (bring your own encryption engine) features to keep full control over the encryption.

Microsoft Azure Encryption Models

Azure supports various encryption models: client-side encryption outside of Azure, server-side encryption with customer-managed keys, or server-side encryption with service-managed keys.

Below you can find a selection and summary of some encryption capabilities of Azure; for more details please visit the encryption overview.

| Capabilities | Description |
| --- | --- |
| Key Vault | Service to store and access secrets securely, e.g. for authentication management with managed identities for Azure resources, Service Principals for applications, or self-generated keys to encrypt data at rest in Azure Blob or File Storage |
| TDE | Transparent Data Encryption to encrypt data files of SQL Server, Azure SQL Database and Azure SQL Data Warehouse |
| Always Encrypted | Encrypts sensitive data in client applications and stores the encrypted data in Azure SQL or SQL Server databases. Protects even against unauthorized access by administrators |
| Azure Disk Encryption | For VM standard tier with managed disks, to always encrypt data at rest with self-managed encryption keys and audited usage |
| BYOK | Azure supports several HSMs (hardware security modules) to generate encryption keys and bring your own key (BYOK) by importing it into Azure Key Vault |

Amazon AWS Encryption

Encryption is one layer of the AWS defense-in-depth security strategy. With the KMS and CloudHSM services, you can store data and keys separately at rest. TLS is used to encrypt data in motion.

| Capabilities | Short Description |
| --- | --- |
| AWS KMS | KMS is a multi-tenant Key Management Service, managed by AWS, to create and manage cryptographic keys with usage control |
| AWS CloudHSM | CloudHSM is under full customer control in a separate VPC and allows generating and using your own encryption keys in the AWS Cloud |

Azure AWS Virtual Network Components

Amazon AWS Virtual Network Components

Standardized best practices for Amazon AWS network security architectures can be implemented with CloudFormation architecture templates. CloudFormation templates enable the design of cloud infrastructure as code, including network and security components.

| Components | Short Description |
| --- | --- |
| AWS Virtual Private Cloud | Virtual Private Clouds (VPC) are logically isolated virtual networks in AWS accounts. A VPC spans all availability zones of a region, with a range of IPv4 addresses as CIDR block |
| AWS Availability Zone | Availability Zones contain one or more discrete data centers to enable high availability |
| AWS Local Zone | Local Zones reduce latency and allow fulfilling data residency requirements by placing portions of an application local to end users or resources |
| AWS Subnet | Subnets separate public, external-facing network segments from private segments for internal resources |
| VPC NAT Subnet | NAT Gateways provide outbound internet access for instances in private subnets, but prevent inbound access from the public internet. NAT Gateways offer better availability and bandwidth than NAT instances |
| Network Access Control List (NACL) | Network Access Control Lists (NACL) act as a firewall to control inbound and outbound traffic on subnet level. By default all ports (in-/outbound) are open and configuration is done with rules (allow/deny). Return traffic has to be explicitly allowed (stateless behavior) for the random client source ports from the ephemeral port range (1024-65535) |
| AWS Network Security Group | AWS Security Groups act as a firewall on EC2 instance level. All inbound traffic from other hosts is denied and all outbound traffic is allowed by default. Security group rules are always permissive, with filters for protocols and ports. The stateful behavior allows response in-/outbound traffic after allowed out-/inbound traffic |
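The stateless NACL versus stateful security group behaviour from the table, as an added simulation that is not AWS code: an instance opens an outbound HTTPS connection from an ephemeral source port, and the NACL drops the reply unless an inbound rule for the ephemeral port range exists, while the security group admits the reply because it tracks the outbound flow. Rule numbers, ports and the one-line conntrack model are constructed for the example.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # client source-port range the NACL must allow back in


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", seen from the subnet / instance
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated lowest first, first match wins
    direction: str
    proto: str
    port_range: tuple  # destination port range (lo, hi)
    action: str       # "allow" or "deny"


def nacl_decision(rules, pkt: Packet) -> str:
    """NACL semantics: ordered rules, first match wins, implicit '*' deny at the end.
    Stateless: the reply to an allowed outbound packet is evaluated on its own."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != pkt.direction or r.proto != pkt.proto:
            continue
        lo, hi = r.port_range
        if lo <= pkt.dst_port <= hi:
            return r.action
    return "deny"


class SecurityGroup:
    """Stateful: only allow rules, and any reply to an allowed flow is admitted."""

    def __init__(self, inbound_allow, outbound_allow_all=True):
        self.inbound_allow = set(inbound_allow)   # {(proto, port)}
        self.outbound_allow_all = outbound_allow_all
        self._flows = set()  # constructed conntrack: (proto, local_port, remote_port)

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "outbound":
            if not self.outbound_allow_all:
                return "deny"
            self._flows.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return "allow"
        # inbound: explicit allow rule, or the reply to a tracked outbound flow
        if (pkt.proto, pkt.dst_port) in self.inbound_allow:
            self._flows.add((pkt.proto, pkt.dst_port, pkt.src_port))
            return "allow"
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self._flows:
            return "allow"
        return "deny"


def https_roundtrip(nacl_rules, sg: SecurityGroup) -> dict:
    """Instance calls an external HTTPS API from ephemeral port 51000 (constructed)."""
    request = Packet("outbound", "tcp", 51000, 443)
    reply = Packet("inbound", "tcp", 443, 51000)
    return {
        "nacl": (nacl_decision(nacl_rules, request), nacl_decision(nacl_rules, reply)),
        "sg": (sg.decision(request), sg.decision(reply)),
    }


# Constructed NACL that only allows outbound 443 and forgot the return traffic
NACL_NO_RETURN = [NaclRule(100, "outbound", "tcp", (443, 443), "allow")]
# Corrected NACL: inbound ephemeral range allowed so replies get back in
NACL_FIXED = NACL_NO_RETURN + [NaclRule(100, "inbound", "tcp", EPHEMERAL, "allow")]

if __name__ == "__main__":
    print("missing return rule:", https_roundtrip(NACL_NO_RETURN, SecurityGroup([])))
    print("with return rule:   ", https_roundtrip(NACL_FIXED, SecurityGroup([])))
```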

Microsoft Azure Virtual Network Components

Azure Resource Manager allows defining network security components with infrastructure-as-code templates. Azure Blueprints offer a declarative way to orchestrate the environment setup (deployment) of various resource templates on management group or resource group level.

| Component | Short Description |
| --- | --- |
| Azure Virtual Networks | Azure VNet is the basic private network building block with its own address space, limited to one region and subscription |
| Availability Zones | AZs are geographically distributed within a region to enable high availability |
| Subnet | Subnets are part of the VNet and are secured separately with Network Security Groups |
| Network Security Groups (NSG) | Network Security Groups (NSG) allow or deny in-/outbound traffic from or to resources with rules (custom or default) specifying source, destination, port and protocol. Source and destination attributes can be specified with service tags like VirtualNetwork, Internet or AzureLoadBalancer. Default NSG rules enable communication within the VNet but deny all external in-/outbound traffic, except load balancer inbound and internet outbound. NSGs can be assigned to subnets or network interface cards (NIC) n:n. For inbound traffic the subnet NSG is processed first; for outbound traffic the NIC NSG rules are processed before the subnet NSG rules |
| Proximity Placement Groups | Proximity Placement Groups group Azure compute resources, deployed in availability sets or virtual machine scale sets, physically as close to each other as possible to reduce latency |
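NSG processing as described in the table, as an added simulation that is not Azure code: rules are matched by ascending priority, the default rules (constructed here with the VirtualNetwork, AzureLoadBalancer and deny-all entries) sit behind every custom rule, and for inbound traffic a packet must pass the subnet NSG before the NIC NSG is consulted. An unattached NSG is modelled as `None`, meaning no filtering at that level.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    priority: int     # custom rules 100-4096; default rules 65000 and up
    source: str       # service tag (VirtualNetwork, Internet, AzureLoadBalancer) or "*"
    dest_port: str    # "*" or a single port as string
    access: str       # "Allow" or "Deny"


# Constructed rendering of the default inbound rules (only the attributes used here)
DEFAULT_INBOUND = [
    NsgRule(65000, "VirtualNetwork", "*", "Allow"),
    NsgRule(65001, "AzureLoadBalancer", "*", "Allow"),
    NsgRule(65500, "*", "*", "Deny"),
]


def nsg_inbound_decision(rules, source_tag: str, dest_port: int) -> str:
    """First matching rule by ascending priority decides. Custom rules win over the
    defaults purely because their priority numbers are lower. rules=None means no
    NSG is attached at this level, so nothing is filtered."""
    if rules is None:
        return "Allow"
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.source not in ("*", source_tag):
            continue
        if r.dest_port not in ("*", str(dest_port)):
            continue
        return r.access
    return "Deny"


def inbound_allowed(subnet_nsg, nic_nsg, source_tag: str, dest_port: int) -> bool:
    """Inbound order: subnet NSG first; a Deny there ends evaluation before the NIC NSG."""
    if nsg_inbound_decision(subnet_nsg, source_tag, dest_port) == "Deny":
        return False
    return nsg_inbound_decision(nic_nsg, source_tag, dest_port) == "Allow"


# Constructed scenario: the subnet blocks everything from the Internet, while a
# NIC-level rule tries to open port 443. The NIC rule never gets a chance.
SUBNET_NSG = [NsgRule(100, "Internet", "*", "Deny")]
NIC_NSG = [NsgRule(200, "Internet", "443", "Allow")]

if __name__ == "__main__":
    print("Internet -> 443 with subnet deny:", inbound_allowed(SUBNET_NSG, NIC_NSG, "Internet", 443))
    print("Internet -> 443 without subnet NSG:", inbound_allowed(None, NIC_NSG, "Internet", 443))
```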

Azure Virtual Network Communication

By default outbound traffic is allowed. For inbound traffic a public IP address or load balancer has to be assigned. Please also take a look at the related Azure Network Documentation.

| Resources | Short Description |
| --- | --- |
| Azure | |
| Azure Virtual Networks | VNets are created with a private IP range and one or more subnets as segmentation. Resources deployed in subnets can communicate with each other via private IP addresses. Web, application and database tiers can be separated on VNet or subnet level |
| Azure Service Endpoint | VNet Service Endpoints provide a secure and direct connection to Azure services through an optimized route within the Azure backbone network. They limit and protect services without additional charge. For internal service traffic, access to resources switches to private IP addresses of the virtual network |
| Azure VNet Peering | VNet Peering connects virtual networks with each other and enables communication of resources across the VNets |
| Azure Private Link | Private Link enables access to Azure PaaS services and customer or partner services hosted on Azure via a private endpoint, with traffic over the Microsoft backbone network. Private Link introduces a private IP for a given instance of the PaaS service. The service is accessed via the private IP from peered VNets or on-premise networks |
| Local | |
| Azure Point-to-Site VPN | Point-to-Site VPNs are connections between a single local computer and a VNet |
| Azure Site-to-Site VPN | Site-to-Site VPNs are connections between a local VPN device and a VPN gateway deployed in a VNet. Forced Tunneling redirects all internet-bound traffic back to your on-premises location via the Site-to-Site VPN tunnel for inspection and auditing |
| Azure ExpressRoute Circuits | ExpressRoute Circuits are private connections between local networks and Azure or Office 365, using Layer 3 connectivity with the Border Gateway Protocol (BGP). ExpressRoute circuits can be cross-connected to multiple peered VNets |