Integration of Signavio with SAP Solution Manager hosted on Azure using Azure Application Gateway.

Overview

Several businesses are exploring and enabling Signavio Process Manager integration with SAP Solution Manager to activate greater collaboration between IT and business leadership. This blog is to share one of the ways to configure & secure the integration of the SAP Solution Manager system hosted on Azure Platform with Signavio using Application Gateway and Azure Firewall. Refer here for more information on SAP Solution Manager 7.2 and Signavio.

Courtesy Signavio documentation SAP Signavio Process Manager and SAP® Solution Manager 7.2 integration

Reference Network Flow Architecture

Reference Architecture

Key components of the Architecture

Application gateway: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your applications. For Signavio Integration, in this case, we are using the Application gateway WAF V2 sku. The v2 SKU offers performance enhancements, and it adds support for critical new features like autoscaling, zone redundancy, and support for static VIPs.

WAF Policy: A Web Application Firewall (WAF) policy allows you to control access to your web applications by a set of custom and managed rules. WAF policy configured to allow IPs used by Signavio, associated with Azure Application Gateway.

Azure Firewall: Azure Firewall is a fully stateful, centralized network firewall "as-a-service" that provides network- and application-level protection across different subscriptions and virtual networks. In this scenario, the security design principle is to pass all incoming/outgoing traffic via Azure Firewall. It is achieved by implementing UDR in the Virtual Network [VNet], where the Application gateway is hosted to route traffic to the Azure firewall.

Pre-requisites

1. Landing Zone deployed on Azure with Virtual Network, SubNet with SAP systems.
   

The document assumes the network architecture Hub-Spoke or customer preferred as part of Azure Enterprise Scale Landing Zone already exists on Microsoft Azure. Refer Landing Zone - SAP best practices for best practices around Landing Zone.

1. Signavio already exists and connectivity details are capture [i.P address, and URL]
   
2. SAP Solution Manager 7.2 Installed and configured on Microsoft Azure.
   
3. SAP Web-Dispatcher and SAP Solution Manager configured to support HTTPS communication.
   

Deploy Application gateway

1. Application Gateway can be created either in Hub or Spoke subscription. It is a general recommendation to deploy the Application Gateway in Hub subscription. In this case, Application Gateway deployed in Hub subscription.
   

Select Tier as WAF V2 to leverage WAF features & instance count as 2 for added resiliency.

Select the Virtual Network & respective Subnet for deployment of Application Gateway.

1. When you select Virtual network and subnet, ensure you use a dedicated Subnet for the application gateway. An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. Refer here for more info. On the next page, ensure that we use the Front-end type as shown below.
   

We should also reserve a private IP address.

1. Under the Backends tab, add servers to the backend pool. In this case, SAP web dispatcher nodes are added to the backend pool. Please provide full FQDN of the web dispatcher server.
   

1. Under the configuration tab, add a routing rule. Provide Rule name along with Listener name with the protocol will be HTTPS and port 443.
   

If application gateway is used for hosting multiple URL than choose multiple sites.

Add a routing rule

NOTE:

To configure end-to-end TLS communication, a TLS/SSL certificate is required to be added to the listener to enable the Application Gateway to derive a symmetric key as per TLS/SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The TLS/SSL certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic. To generate the CSR, you can use IIS or other third-party utility. Once the CSR is generated, you can get it signed from trusted CA authority. For reference, you can follow this article Using Microsoft IIS to generate CSR and Private Key to generate CSR.

For testing purposes, you can use a self-signed certificate. However, this is not advised for production workloads, because they're harder to manage and aren't completely secure. For more info, see create a self-signed certificate.

Select Backend targets

1. Backend Target setting can look like below. The HTTP setting will determine the behavior of the routing rule. In the Add an HTTP setting window that opens, enter myHTTPSetting for the HTTP setting name and 443 [or customer port] for the Backend port. Accept the default values for the other settings in the Add an HTTP setting window, then select Add to return to the Add a routing rule window.
   

1. Backend Setting should be like below.
   

NOTE:

For v2 SKU, you need trusted root certificate of backend server. In this example, our backend server is web dispatcher, so we will export the root certificate of web dispatcher in (.cer) format.

1. Make Sure that we configure path-based routing under Routing rules which allow connectivity to absolute path where Process is actually running.
   
2. To achieve Signavio connectivity, ensure that we create a WAF policy with Custom rule to allow only Signavio IPs. Below is the reference of rule created
   

Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions.

9. At Signavio end, we need to configure with entire URL to perform connectivity test.

https://<hostname>.<Domain>.com/sap/opu/odata/sap/processmanagement

Azure Firewall

Based on business security posture, Azure Firewall can be a resource that passes all incoming/outgoing traffic to Microsoft Azure. In this scenario, to place Azure Firewall as a central resource for incoming/outgoing traffic, we created a UDR that passes all traffic originating in "Application Gateway" Subnet to Azure Firewall. Consider Azure Firewall deployment based on the customer's security design principles.

Azure Firewall with Azure Application Gateway supports zero trust. The application gateway operates at Layer 7, and Azure Firewall operates at Layer 4 & 7. Based on Business security posture, Azure Firewall & Azure Application Gateway use-cases must be reviewed to align with the Business requirement. Refer here for comparison and options to secure workload deployments.

For further reference:

SAP Signavio Process Manager and SAP® Solution Manager 7.2 integration

Whitepaper-EN-Signavio-and-SAP-Solution-Manager.pdf

Zero-trust network for web applications with Azure Firewall and Application Gateway - Azure Architecture Center | Microsoft Docs

Firewall, App Gateway for virtual networks - Azure Example Scenarios | Microsoft Docs

Continue reading...