SAP API Integration with Azure Cloud (100% Remote)

Hanu Software

We are looking for a PaaS Security Architect with SAP API integration experience. The role is 100% remote.

Externally exposed endpoints proxied by SAP API Gateway

•SAP API Gateway enforces authentication for externally exposed endpoints. For Depot SaaS endpoints, mutual TLS will be used

•Access to function apps will be whitelisted to only include IPs of SAP API Gateway and necessary internal IPs.

•Require an API key in the HTTP header for all functions. SAP API Gateway will add the key for externally exposed endpoints

•Leverage SSL for all requests

Cosmos document DB

•Limit access to specific IPs using built-in firewall settings

•Define access control model utilizing AAD accounts and groups to control specific collection access

SQL Database

•Limit access to specific IPs using built-in firewall settings

•Define access control model utilizing AAD accounts and groups for specific SQL DB access

Azure event hub

•Obtain token using Secure Access key for adding events to event hub

•Use IP filtering rules to only allow access from within the function app

Blob storage

•Limit access to specific IPs using built-in firewall settings

•Require a storage account access key for access to blob storage

Key vault

•Limit access to specific IPs using built-in firewall settings

•Define access control model utilizing AAD accounts and groups

•Assign access policy to only access from specific users and function apps

Repeat the resources below within the Dev, QA, and Prod resource groups

Consider naming conventions to include region, environment, etc.

Raise questions about other required settings that must be specified

Azure functions

•Create function app in East and West region. Functions will be published to a function app in each region

•Functions are based on the consumption model and will therefore be inactive in the West region unless the East region is down

Cosmos document DB

•Geo replicate with R/W in East and R in West

•Session consistency

•SQL API

SQL Database

•Create in East. Geo replicate to West

•Gen4 - General Purpose | 2 vCores | 5 GB (Expand later)

Azure event hub

•Standard - No Kafka

•Primary in East. Paired secondary namespace in West with alias

•One event hub - 32 partitions

Blob storage

•General purpose v2 | Hot access | Standard performance tier | Secure transfer required: Yes

•GRS Replication

Key vault

•East region - Assume region failover is default behavior
