Deploying the SAP bastion server – SAP media storage repository
This topic describes how to do an automated deployment of the SAP bastion and storage setup on Red Hat Enterprise Linux 8.4. It shows how to deploy an IBM Cloud Virtual Private Cloud (VPC) with a bastion host that provides secure remote SSH access. In SAP Terraform and Ansible deployments, the bastion host gives external administrative access to the other servers and applications. The bastion server is reached through its Floating IP. It includes a customizable security group and subnet that allow access, within the zones of the same region, to the IPs and ports of its dedicated SAP/DB VSIs. The floating IP also gives the bastion host internet access so that the SAP and DB kits can be downloaded. In addition, a dedicated client-to-site VPN solution is created automatically to provide direct access to the private IP addresses of future SAP servers through an OpenVPN software client.
Before you decide which SAP automated solution you want to deploy in IBM Cloud VPC, run the bastion server automated deployment. You need to specify the amount of dedicated storage that is needed to download and store the SAP kits. The SAP kits are used to deploy the wanted SAP solution from the IBM Cloud VPC automated SAP solutions pool. The bastion server in IBM Cloud is primarily used for SAP solution deployment. It can also be used as a jump host, for example to maintain and administer all SAP solutions within its IBM Cloud VPC region.
Each customer is given an SAP S-user that reflects their contractual details with SAP, including:
- SAP support
- SAP Notes
- System maintenance
- Generate and maintain SAP and DB licenses
- Migration keys
It is the customer's responsibility to download and prepare the necessary SAP kits from the SAP support launchpad and store them on the dedicated, customizable storage. The SAP kits are used during the automated deployment when Ansible is called.
Solution implemented
The bastion server is used for remote software installation through Terraform remote-exec and Ansible playbooks run by Schematics.
The Terraform modules implement a 'reasonable' set of best practices for bastion host configuration only. Your own organization might have more requirements that you must apply before the deployment.
It contains:
- Terraform scripts for deploying a VPC, Subnet, Security Group with default and custom rules, a VSI with a volume, a Secrets Manager service instance and a VPN client-to-site solution.
- Bash scripts to install the prerequisites for SAP BASTION&STORAGE VSI and other SAP solutions.
VPC Configuration
The Security Rules are:
- Allow all traffic between members of the Security Group
- Allow all outbound traffic
- Allow inbound DNS traffic (UDP port 53)
- Allow inbound SSH traffic (TCP port 22)
- Optionally, allow inbound TCP traffic on a custom port or range of ports
VSI Configuration
The VSI is configured with Red Hat Enterprise Linux 8.4 (amd64), has a minimum of two SSH keys configured for access by the root user, and has one storage volume.
VPN Configuration
For the VPN solution, a Secrets Manager instance is provisioned. Two secrets are created, the server certificate and the client certificate; both are used during the VPN creation and to generate the ovpn file for the connection. You can see these secrets on the Secrets Manager page under Secrets by selecting the View secret option.
The VPN server has a dedicated Security Group, which opens UDP port 443 to all source IP addresses. This can later be customized according to the customer's needs.
A rule is added to the bastion's Security Group to allow all traffic from the VPN's Security Group. If other Security Groups are later added to the VPC and you want their attached resources to be reachable over the VPN connection, configure the same rule on those groups as well.
The automation script generates an ovpn profile file on the bastion server for your OpenVPN client. Download it from the bastion and import it into your OpenVPN client.
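The two security groups described in the VPC Configuration and VPN Configuration sections, written out as Terraform resources. This is an added example, not the project's own Terraform module; it assumes the IBM Cloud provider is configured and that var.VPC_ID, var.ADMIN_CIDR, var.VPN_PREFIX, var.ADD_OPEN_PORTS_IN_NEW_SUBNET, var.OPEN_PORT_MINIMUM and var.OPEN_PORT_MAXIMUM are declared elsewhere (VPC_ID and ADMIN_CIDR are this example's assumptions, not inputs of the page's module). The page does not state a source address for the inbound SSH rule; the example scopes it to an administrator CIDR.

```hcl
# Added example, not the page's own Terraform module. Assumes the IBM Cloud
# provider is configured and that var.VPC_ID, var.ADMIN_CIDR, var.VPN_PREFIX,
# var.ADD_OPEN_PORTS_IN_NEW_SUBNET, var.OPEN_PORT_MINIMUM and
# var.OPEN_PORT_MAXIMUM are declared elsewhere.

# Bastion security group and the rules listed under "VPC Configuration".
resource "ibm_is_security_group" "bastion" {
  name = "secgrp-bastion"
  vpc  = var.VPC_ID
}

# Allow all traffic between members of the bastion security group itself
# (no protocol block means every protocol; remote is the group's own ID).
resource "ibm_is_security_group_rule" "bastion_self" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = ibm_is_security_group.bastion.id
}

# Allow all outbound traffic, needed to download the SAP and DB kits.
resource "ibm_is_security_group_rule" "bastion_out" {
  group     = ibm_is_security_group.bastion.id
  direction = "outbound"
  remote    = "0.0.0.0/0"
}

# Allow inbound DNS traffic (UDP port 53).
resource "ibm_is_security_group_rule" "bastion_dns" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = "0.0.0.0/0"
  udp {
    port_min = 53
    port_max = 53
  }
}

# Allow inbound SSH (TCP port 22). The page does not state a source; here it
# is scoped to an administrator CIDR (var.ADMIN_CIDR, an assumption) so the
# floating IP is not reachable on port 22 from arbitrary internet addresses.
resource "ibm_is_security_group_rule" "bastion_ssh" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.ADMIN_CIDR
  tcp {
    port_min = 22
    port_max = 22
  }
}

# Optional custom TCP port range, created only when the page's
# ADD_OPEN_PORTS_IN_NEW_SUBNET switch is "yes".
resource "ibm_is_security_group_rule" "bastion_custom_tcp" {
  count     = var.ADD_OPEN_PORTS_IN_NEW_SUBNET == "yes" ? 1 : 0
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = var.ADMIN_CIDR
  tcp {
    port_min = var.OPEN_PORT_MINIMUM
    port_max = var.OPEN_PORT_MAXIMUM
  }
}

# VPN server security group: UDP port 443 open to all sources, as described
# under "VPN Configuration". Tighten remote later if clients come from a
# known address range.
resource "ibm_is_security_group" "vpn" {
  name = "${var.VPN_PREFIX}-secgrp"
  vpc  = var.VPC_ID
}

resource "ibm_is_security_group_rule" "vpn_in" {
  group     = ibm_is_security_group.vpn.id
  direction = "inbound"
  remote    = "0.0.0.0/0"
  udp {
    port_min = 443
    port_max = 443
  }
}

# The rule from the VPN Configuration section: the bastion group accepts all
# traffic whose source is the VPN security group. Repeat this rule on any
# other security group whose resources must be reachable over the VPN.
resource "ibm_is_security_group_rule" "bastion_from_vpn" {
  group     = ibm_is_security_group.bastion.id
  direction = "inbound"
  remote    = ibm_is_security_group.vpn.id
}
```

The bastion_from_vpn rule uses the VPN group's ID as its remote, which is what lets VPN clients reach the bastion's private IP without exposing any additional port on the floating IP. `terraform validate` checks the syntax of these resources without contacting IBM Cloud; `terraform plan` shows the rules before anything is created.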
Software configuration
- Terraform - an open source infrastructure as code software tool created by HashiCorp.
- Ansible - an open source software provisioning and configuration management tool.
- The IBM Cloud Command Line Interface provides commands for managing resources in IBM Cloud.
Bastion input variables
Parameter | Description |
---|---|
IBMCLOUD_API_KEY | IBM Cloud API key (Sensitive* value). |
PRIVATE_SSH_KEY | The id_rsa private key content from your local system (Sensitive* value). |
REGION | The cloud region to deploy the resources. For more information about regions and zones for VPC, see Locations. Review the supported locations in IBM Cloud Schematics that are listed in Locations and endpoints. Sample value: eu-de. |
ZONE | The cloud zone where to deploy the solution. Sample value: eu-de-2. |
VPC_EXISTS | Specify whether the chosen VPC exists (enter 'yes' or 'no'). If you choose 'no', the VPC is created. |
SUBNET_EXISTS | Specify whether the chosen SUBNET/SECURITYGROUP exist (use 'yes' or 'no'). If you choose 'no', a SUBNET/SECURITYGROUP with OPEN PORTS is created in the specified VPC. |
ADD_OPEN_PORTS_IN_NEW_SUBNET | Create a new port/s only if a NEW SUBNET is created, use 'yes' or 'no'. |
OPEN_PORT_MINIMUM (Required, Integer) | The lowest port of the TCP port range to open. Valid values are 1 - 65535. |
OPEN_PORT_MAXIMUM (Required, Integer) | The highest port of the TCP port range to open. Valid values are 1 - 65535. |
VPC | The name of the VPC. View the list of available VPCs on the IBM Cloud Console Virtual private clouds page. |
SUBNET | The name of the Subnet. View the list of available Subnets on the IBM Cloud Console [Subnets](https://cloud.ibm.com/infrastructure/network/subnets) page. |
SECURITYGROUP | The name of the Security Group. View the list of available Security Groups on the IBM Cloud Console Security groups for VPC page. |
HOSTNAME | The hostname for the VSI. The hostname must have up to 13 characters. |
PROFILE | The profile used for the VSI. For more information about profiles, see Instance profiles. Default value: "bx2-2x8". |
IMAGE | The OS image used for the VSI. For more information about available images, see Virtual server images. Default value: ibm-redhat-8-4-minimal-amd64-1. |
SSH_KEYS | List of SSH Key IDs that are allowed to SSH as root to the VSI. This can contain one or more IDs. View the list of available SSH Keys on the IBM Cloud Console SSH keys for VPC page. Sample input (use your own SSH IDs from IBM Cloud): [ "r010-57bfc315-f9e5-46bf-bf61-d87a24a9ce7a", "r010-3fcd9fe7-d4a7-41ce-8bb3-d96e936b2c7e" ] |
VOL1 [ number ] | The size for the disk in GB to be attached to the BASTION VSI as storage for the SAP deployment kits. The mount point for the new volume is: "/storage". Default value: 100 GB. |
VPN_CREATE | Specifies whether a VPN solution is added to your bastion setup. If 'yes', a VPN solution is deployed automatically, giving you access to the private IP address space of your VPC. |
VPN_PREFIX | The prefix to use for the VPN-related elements. The prefix is added to the name of the Secrets Manager instance that is created, used as a prefix for the VPN's Security Group, and used as the name of the VPN server that is created. |
VPN_NETWORK_PORT_PROTOCOL | The protocol to be used for the VPN solution. Must be either 'tcp' or 'udp'. |
VPN_NETWORK_PORT_NUMBER | The port number to be used for the VPN solution. Must be between 1 and 65535. |
SM_PLAN | The pricing plan to be used for the Secrets Manager instance, provided as a plan ID. Use 869c191a-3c2a-4faf-98be-18d48f95ba1f for trial or 7713c3a8-3be8-4a9a-81bb-ee822fcaac3d for standard. |
VPN_CLIENT_IP_POOL | Optional variable to specify the CIDR for VPN client IP pool space. This is the IP space that will be used by systems connecting with the VPN. You should only need to change this if you have a conflict with your local network. |
DESTROY_BASTION_SERVER_VSI | Must remain set to false for the initial deployment. After the initial deployment, if you want to destroy the Deployment Server (Bastion Server) VSI but preserve the rest of the Cloud resources (VPC, Subnet, Security Group, and VPN Solution), set the value to true in Schematics and apply the change by pressing the "Apply plan" button. |
Sensitive* - The variable value is not displayed in your workspace details after it is stored. Make sure to select Sensitive on the Settings page for all fields marked "Sensitive".
The VOL1 [ number ] variable represents the customer-defined size of the storage that is needed to hold the downloaded SAP kits before you run the automated SAP deployment. The storage size can be customized when you deploy the bastion SAP VPC and VSI. The default storage that is allocated is 100 GB.
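The constraints stated in the input variable table, expressed as Terraform variable declarations with validation blocks so that a bad value is rejected at plan time instead of failing halfway through provisioning. This is an added example, not the module's own variables.tf; the error messages, the terraform_data precondition and the choice of which variables to validate are this example's, and Terraform 1.4 or later is assumed for terraform_data.

```hcl
# Added example, not the module's own variables.tf. Enforces the constraints
# from the table at plan time and marks the two secret inputs as sensitive.
variable "IBMCLOUD_API_KEY" {
  type      = string
  sensitive = true # redacted in plan/apply output and in the state UI
}

variable "PRIVATE_SSH_KEY" {
  type      = string
  sensitive = true
}

variable "VPC_EXISTS" {
  type = string
  validation {
    condition     = contains(["yes", "no"], var.VPC_EXISTS)
    error_message = "VPC_EXISTS must be 'yes' or 'no'."
  }
}

variable "HOSTNAME" {
  type = string
  validation {
    condition     = length(var.HOSTNAME) <= 13
    error_message = "HOSTNAME must have up to 13 characters."
  }
}

variable "SSH_KEYS" {
  type = list(string)
  validation {
    condition     = length(var.SSH_KEYS) >= 1
    error_message = "SSH_KEYS must contain at least one SSH key ID."
  }
}

variable "OPEN_PORT_MINIMUM" {
  type = number
  validation {
    condition     = var.OPEN_PORT_MINIMUM >= 1 && var.OPEN_PORT_MINIMUM <= 65535
    error_message = "OPEN_PORT_MINIMUM must be between 1 and 65535."
  }
}

variable "OPEN_PORT_MAXIMUM" {
  type = number
  validation {
    condition     = var.OPEN_PORT_MAXIMUM >= 1 && var.OPEN_PORT_MAXIMUM <= 65535
    error_message = "OPEN_PORT_MAXIMUM must be between 1 and 65535."
  }
}

variable "VPN_NETWORK_PORT_PROTOCOL" {
  type = string
  validation {
    condition     = contains(["tcp", "udp"], var.VPN_NETWORK_PORT_PROTOCOL)
    error_message = "VPN_NETWORK_PORT_PROTOCOL must be 'tcp' or 'udp'."
  }
}

variable "SM_PLAN" {
  type = string
  validation {
    condition = contains([
      "869c191a-3c2a-4faf-98be-18d48f95ba1f", # trial
      "7713c3a8-3be8-4a9a-81bb-ee822fcaac3d", # standard
    ], var.SM_PLAN)
    error_message = "SM_PLAN must be the trial or the standard Secrets Manager plan ID."
  }
}

variable "VOL1" {
  type    = number
  default = 100 # GB, mounted at /storage
}

variable "DESTROY_BASTION_SERVER_VSI" {
  type    = bool
  default = false
}

# A validation block may only reference its own variable, so the ordering of
# the port range is checked as a precondition on a no-op terraform_data
# resource (Terraform 1.4 or later).
resource "terraform_data" "port_range_check" {
  lifecycle {
    precondition {
      condition     = var.OPEN_PORT_MINIMUM <= var.OPEN_PORT_MAXIMUM
      error_message = "OPEN_PORT_MINIMUM must not exceed OPEN_PORT_MAXIMUM."
    }
  }
}
```

The `sensitive = true` flag on the two credential variables is independent of the Sensitive checkbox in the Schematics workspace settings: the checkbox hides the value in the workspace UI, while the Terraform flag keeps it out of plan and apply output. Both are needed for the values to stay out of logs end to end.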
Before you begin
- To complete this procedure, you need a general understanding of IBM Cloud VPC and VSIs. To run the example in IBM Cloud Schematics, you need an IBM Cloud account. The deployed resources are chargeable.
- Create or retrieve an IBM Cloud API key. The API key is used to authenticate with the IBM Cloud platform and to determine your permissions for IBM Cloud services.
- Be sure that you have the required IBM Cloud IAM permissions to create and work with VPC infrastructure and you are assigned the correct permissions to create the workspace and deploy resources.
- Generate an SSH key. The SSH key is required to access the provisioned VPC virtual server instances through the bastion host. After you create your SSH key, make sure to upload this SSH key to your IBM Cloud account in the VPC region and resource group where you want to deploy the bastion server.
- Verify that you can access the URL used for this solution: Automation script for SAP solutions using a BASTION & STORAGE setup deployment through Terraform and IBM Schematics.
- Create an IAM service-to-service authorization for your VPN server and IBM Cloud Secrets Manager. This allows the client-to-site VPN service to access and use the secrets created under the Secrets Manager instance.
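The service-to-service authorization from the last item, as a Terraform resource instead of a console step, scoped to the one Secrets Manager instance and the one role the VPN service needs. This is an added example, not part of the page's automation; it assumes the IBM Cloud provider is configured and that var.SM_INSTANCE_GUID (a hypothetical variable) holds the GUID of the Secrets Manager instance that stores the VPN certificates.

```hcl
# Added example, not part of the page's automation. Assumes the IBM Cloud
# provider is configured and that var.SM_INSTANCE_GUID (hypothetical) holds
# the GUID of the Secrets Manager instance used for the VPN certificates.
resource "ibm_iam_authorization_policy" "vpn_to_secrets_manager" {
  source_service_name  = "is"         # VPC Infrastructure Services
  source_resource_type = "vpn-server" # only VPN servers, not every VPC resource

  target_service_name         = "secrets-manager"
  target_resource_instance_id = var.SM_INSTANCE_GUID # this instance only

  # SecretsReader is enough to read the server and client certificates;
  # Writer or Manager would also let the VPN service change or delete secrets.
  roles = ["SecretsReader"]
}
```

Leaving out target_resource_instance_id would grant every VPN server in the account read access to every Secrets Manager instance, which works but is wider than the VPN needs; the instance-scoped form limits what a misconfigured or compromised VPN server could read.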
Procedure
- From the IBM Cloud menu, select Schematics.
- Click Create workspace.
- On the Specify template page:
  - Enter the URL of the bastion setup folder.
  - Select the Terraform version.
  - Click Next.
- On the Workspace details page:
  - Enter a name for the workspace.
  - Select a Resource group.
  - Select a Location for your workspace. The workspace location does not have to match the resource location.
  - Select Next.
- Select Create to create your workspace.
- On the workspace Settings page, in the Input variables section, review the default input variables and provide values that match your solution:
  - Your API key
  - Your private SSH key from your local system
  - The ID for the SSH key that you created and uploaded to IBM Cloud
  - The Region for your resources
  - The Zone for your resources
  - Whether to use an existing VPC or create one
  - Whether to use an existing subnet
  - Whether to create new ports only when a new subnet is created
  - TCP port range, minimum and maximum
  - VPC name
  - Subnet name
  - Security group name
  - Hostname
  - Profile
  - Image
  - Minimal recommended disk sizes
  - Click Save changes.
- On the workspace Settings page, click Generate plan. Wait for the plan to complete.
- Click View log to review the log files of your Terraform execution plan.
- Apply your Terraform template by clicking Apply plan.
- Review the log file to make sure that no errors occurred during the provisioning, modification, or deletion process.
- At the end of the log is information that you need to deploy different SAP products and databases. Copy and save this information for your deployments. For example:
2024/09/16 12:01:08 Terraform refresh | FLOATING_IP = " xxx.xxx.xxx.xxx "
2024/09/16 12:01:08 Terraform refresh | HOSTNAME = "myhost"
2024/09/16 12:01:08 Terraform refresh | OVPN_FILE = "/root/OpenVPN.ovpn"
2024/09/16 12:01:08 Terraform refresh | PRIVATE_IP = " xxx.xxx.xxx.xxx "
2024/09/16 12:01:08 Terraform refresh | REGION = "eu-de"
2024/09/16 12:01:08 Terraform refresh | SECURITY_GROUP = "secgrp-myhost "
2024/09/16 12:01:08 Terraform refresh | SUBNET = [
2024/09/16 12:01:08 Terraform refresh | "myvpc-subnet-1",
2024/09/16 12:01:08 Terraform refresh | "myvpc-subnet-2",
2024/09/16 12:01:08 Terraform refresh | "myvpc-subnet-3",
2024/09/16 12:01:08 Terraform refresh | VPC = "myvpc"
2024/09/16 12:01:08 Terraform refresh | VPN_HOSTNAME = "xxxxxx.eu-der.vpn-server.appdomain.cloud"
- Your OpenVPN client profile file is on the bastion server under the OVPN_FILE path displayed in the output. Copy the file and share it with the required users. Import this file into your OpenVPN client. Once the OpenVPN client connects, you can reach the private IP address space of the bastion server.
This automation is offered at no cost; however, the provisioned infrastructure comes at cost.