Last week we finished the Multi SAP HANA VM and NUMA Node Sharing (CPU socket sharing) tests with vSphere 6. Due to the good results, SAP granted full production level support for multiple SAP HANA systems deployed on a single SAP HANA certified server virtualized with vSphere 6.
With this, customers can get now better TCO results by SAP HANA system consolidation and better utilizing their hardware assets.
For details please review SAP note 2315348 – SAP HANA on VMware vSphere 6 in production.
What is allowed by now with vSphere 6?
- Consolidation of multiple SAP HANA production level VMs on a single SAP HANA certified server based on Intel Xeon E7-v3 (Haswell).
- Possibility to share a NUMA node with two production level SAP HANA VMs. Example: 4 socket Haswell server is now able to support up to 8 SAP HANA VMs, and an 8 socket Haswell based server supports up to 16 SAP HANA VMs in production.
- SAP HANA sizing rules must get applied and followed.
- When sharing a NUMA node minimal 8 CPU cores (16 threads) must get assigned to the VMs, RAM must get assigned accordingly the latest SAP HANA sizing rules.
- Enough network and storage IO capacity must be available for all running production SAP HANA VMs (SAP HANA TDI storage KPIs).
- Enable VMware HA to protect the consolidated SAP HANA workload and ensure that enough failover capacity is available in the vSphere cluster.
What is not allowed as of today with vSphere 6?
- No Intel E7-v4 (Broadwell) based system and vSphere 6.5 support. Validation and tests are ongoing but not finished.
- Running more than two SAP HANA VMs on a single NUMA node (CPU socket)
- Over-subscription of CPU and RAM resources
Many companies deploying SAP systems run business processes that incorporate credit card payment transactions. Credit cards are subject to strict security standards developed by the PCI Security Standards Council, which is a consortium of the largest international payment card issuers. These standards require security settings within the SAP application and in the case where SAP is deployed on the VMware SDDC, PCI standards affects the VMware layer with requirements such as “Install and maintain a firewall configuration to protect cardholder data”. This is addressed by micro-segmentation which makes the data center network more secure by isolating each related group of virtual machines onto a distinct logical network segment, allowing the administrator to firewall traffic traveling from one segment of the data center to another (east-west traffic). This limits attackers’ ability to move laterally in the data center. Micro-segmentation is powered by the Distributed Firewall (DFW) – a component of NSX. DFW operates at the ESXi hypervisor kernel layer and offers control at the vNIC level, which is very close to a guest VM operating system without being in the operating system.
For SAP micro-segmentation means we can create flexible security policies that align to: the multi-tier architecture of an individual SAP system (presentation, application and database tiers); the landscape of the SAP environment (separate production from non-production). The diagram below shows a SAP micro segmentation example based on the Netweaver ABAP stack with a backend database. The different tiers/components of the SAP architecture are:
- Presentation tier – in this example I am using the SAP client “SAPGUI” to access the application tier. (note: customer environments would include browser based access, load balancers and a web tier)
- Application tier – application servers based on the Netweaver ABAP stack
- Central Services / Global Host – handles SAP locking services, messaging between the app servers and a NFS share required by all the application servers
- Database tier – services are database dependent
- The components are isolated into their own NSX security groups. A NSX security group, in this example (other classifications are possible), is a definition in NSX and corresponds to a logical grouping of VMs within which there is free communication flow. Communication flow in/out of a security group from/to another group depends on the firewall rules.
Security policies in the above design provide the following controls:
- Controlled communication path limited to specific services and protocols between tiers
- External access only permitted to the application tier via the SAP presentation service
- Access between application and database VMs via specific database services
- SAP services ports vary depending on the “Instance Number” assigned to the application servers and Central Services. Some values are shown here.
- In this example I have included external access from a monitoring tool – vRealize Operations (vROps) with the Blue Medora SAP Management pack. This needs access to the application tier via certain ports.
The top right of the diagram above shows a NSX screenshot of the security group definition for the application tier – it shows how VM membership can be dynamically assigned to a security group, for example based on the VM naming convention. This way you can provision new application server VMs and the new VMs will automatically inherent the security policies of the application tier security group.
The following diagram shows the high level architecture that makes all this happen.
The following screenshot shows an example configuration of the NSX communication paths based on the micro-segmentation design shown above (note: actual implementations will differ based on customer security requirements).
You can see a recorded demo of the configuration at the URL below. The demo starts in vRealize Operations where the Blue Medora SAP Management Pack has been configured to monitor the SAP system. Data collection fails due to activation of the NSX firewall. The NSX configuration is shown and tested and the services are configured to re-establish communication between vROps and the SAP system.
DEMO URL: https://www.youtube.com/watch?v=qdPhejVCG3s&t=82s&index=1&list=PLCED9FDF31C7C0562