Creating Secure AWS VPN with Hybrid Cloud Authentication for SAP 


Industry: IT
Client since: 2016
Secure VPN connection
Cloud authentication
Substantial cost-saving
Services used
Cloud & DevOps Managed Infrastructure
Technologies used
IT

Background

SAP requested HPE to provide their client with a custom solution to run cloud services with all cloud-native benefits, such as pay-as-you-go for cost efficiency, high scalability and flexibility, on the client’s on-premises infrastructure to ensure maximum data confidentiality and security. 

The client’s main equipment was installed in two racks containing HP servers, HP 3PAR datastores, and Fiber Channel and Ethernet switches. To reduce vendor lock-in, VMware software was used extensively. 

The client had been looking for an agile and reliable partner who could work in close collaboration with their in-house engineering team and other subcontractors in an efficient, almost instinctive manner. The expected solution had to let the client focus on their business initiatives rather than on IT infrastructure management.


Client

HPE is a global edge-to-cloud company that provides premier cloud services and cloud migration software for enterprises. It transforms businesses through its data-first modernization approach, mitigating data disarrays, securely connecting data, and helping turn insights into outcomes. 

HPE Greenlake has been working with Symphony Solutions on creating the most prominent services in its cloud transformation offerings. 

Challenges

The client required the following implementations: 

  • Secure VPN connection between the customer’s on-premises infrastructure and their hybrid managerial information system, based on AWS public cloud services.  
  • Cloud authentication services between on-premises applications/systems and the client’s public cloud-based applications/solutions, working as a part of their hybrid information system. 

HPE approached Symphony Solutions to support them with the implementation of the following solutions: 

  • Secure authorization for AWS VPN connection with the use of private certificates. 
  • Authentication mechanisms between Okta centralized authentication provider and VMware hosted software. 

It was important to provide the customer with the most secure way to connect and manage their HPE GreenLake Private cloud infrastructure from their AWS services. 

Solution 

Symphony Solutions provided DevOps services to set up the AWS infrastructure and issue custom HP certificates, which were required to establish an AWS VPN connection between the customer’s on-premises infrastructure and an external management system in the AWS public cloud. 

Research revealed that AWS does not allow public key infrastructure certificates or self-signed certificates to be used to establish the secure connections the client required, and that a pre-shared key would not provide a sufficient level of security and would go against the overall system architecture. 

Symphony Solutions’ team implemented a private PKI (public key infrastructure) inside AWS, configured to issue HP-affiliated certificates. This ensured secure and reliable connectivity between the on-premises infrastructure running SAP HANA services and the VMware-hosted applications. The client’s new PKI was integrated with a root certificate authority, and the subordinate certificate authority certificates issued for this purpose were attached to the VPN connection. 

Symphony Solutions DevOps team worked on the solution implementation as follows: 

  • Terraform and Terragrunt were used to configure and manage all AWS infrastructure, which ensured high maintainability and fast deployment.  
  • AWS S3 buckets were used to store the Terraform infrastructure state and settings.  
  • AWS Key Management Service (KMS) provided automatic key rotation, which enabled secure and reliable secret storage. 
  • EC2 containers, with load balancers and public certificates assigned to them, provided proxying capabilities for the network traffic.  
  • AWS Managed Microsoft Active Directory (MMAD) was used for authentication and authorization by all virtualized software. 
  • Okta Identity Provider was integrated with VMware user authentication as a service. 
  • The Okta client, installed against AWS MMAD, propagated users and user groups to the integrated Active Directory used by the VMware-hosted applications. 
  • All of the client’s connections were configured to use this VPN connection for administrative and infrastructure management tasks. 
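As an added illustration (not Symphony Solutions’ or HPE’s own code), the certificate-authenticated VPN described above expressed in Terraform. It assumes the connection is an AWS Site-to-Site VPN (the case study does not name the AWS VPN type), that the subordinate CA already exists in AWS Private CA, and that all ARNs, ids, names and the ASN are placeholders.

```terraform
# Added example (not the project's code): certificate-authenticated AWS
# Site-to-Site VPN. Assumes an existing subordinate CA in AWS Private CA and
# an existing VPC; ARNs, ids, names and the ASN are placeholders.
provider "aws" {
  region = "eu-central-1" # placeholder region
}

# The subordinate CA that, per the case study, issues the VPN certificates.
data "aws_acmpca_certificate_authority" "vpn_sub_ca" {
  arn = "arn:aws:acm-pca:eu-central-1:111122223333:certificate-authority/PLACEHOLDER"
}

# Private certificate issued by that CA. Site-to-Site VPN accepts only
# certificates issued by AWS Private CA, not public-CA or self-signed ones.
resource "aws_acm_certificate" "cgw_cert" {
  domain_name               = "vpn-cgw.example.internal" # placeholder subject
  certificate_authority_arn = data.aws_acmpca_certificate_authority.vpn_sub_ca.arn
}

# Customer gateway authenticated by the certificate instead of a pre-shared
# key; with certificate_arn set, ip_address may be omitted.
resource "aws_customer_gateway" "onprem" {
  bgp_asn         = 65000 # placeholder private ASN
  type            = "ipsec.1"
  certificate_arn = aws_acm_certificate.cgw_cert.arn
  tags            = { Name = "onprem-cgw" }
}

resource "aws_vpn_gateway" "vgw" {
  vpc_id = "vpc-PLACEHOLDER"
}

# The VPN connection, pinned to IKEv2 and AES-256-GCM / SHA-256 / DH group 20
# so the tunnel does not negotiate down to weaker defaults.
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = false # BGP over the tunnel

  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [20]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [20]
}
```

The on-premises device is then configured with the private certificate and the same IKE/IPsec parameters; the tunnel configuration AWS generates for the connection lists the exact values to match.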

Thorough testing has been done to ensure that the system works as expected. 

Result 

The Symphony Solutions team created a robust and secure AWS infrastructure: 

  • Enabled the use of HPE GreenLake cloud features, required by the client. 
  • The substantial cost-saving solution can be easily adopted by other system components. 
  • The client’s DevOps team can successfully run all required administrative and infrastructure management operations while using a reliable and secure AWS VPN connection. 

The client has been impressed with Symphony Solutions’ customer-centric culture and its flexibility. 
