Solved: Inquiry on Supported Network Architecture (Dual NI...

SAPSupport · 3 weeks ago

Dear SAP Support,

We are planning to implement a network separation for security compliance. However, due to internal constraints, we are not migrating the AP (Application) server to a new system.

Instead, we plan to add a second NIC (Network Interface Card) to the current physical server, which currently hosts both the SAP Application (AP) and Database (DB) components. This configuration aims to physically separate internal and external network communication by assigning different IPs/subnets to each NIC.

Details:
- SAP Application and Database run on the same physical server.
- No re-installation or new SAP instance will be created.
- Only OS-level network configuration will be changed (NIC addition, IP/subnet segmentation).
- SAP landscape remains functionally unchanged.

We would like to confirm the following:
1. Is this type of architecture (dual NIC, same physical server for AP and DB) officially supported by SAP?
2. Are there any known restrictions or considerations SAP recommends in such configurations?
3. Does SAP provide a recommended approach or best practice for implementing network separation (especially AP network isolation)?

Our System Environment:
- OS: RHEL 8
- SAP Product: SAP NetWeaver 7.4
- Database: Oracle
- Deployment Type: On-premise

We appreciate your guidance and confirmation on whether this architecture complies with SAP’s supported and recommended network designs.

Thank you in advance for your support.

Best regards,

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

SAPSupport

Implementing network separation by adding a second NIC to the current physical server hosting both the SAP Application and Database components is a common approach to enhance security. However, it is crucial to ensure that this configuration aligns with SAP's supported and recommended practices. Here are the answers to your questions based on SAP's general guidelines:

Official Support by SAP:
- SAP generally supports configurations where multiple NICs are used on the same physical server, provided that the operating system and network settings are correctly configured. However, it is essential to verify this with your SAP account representative to ensure that there are no specific restrictions or requirements for your particular SAP version and deployment.
Known Restrictions or Considerations:
- Network Configuration: Ensure that the network configuration is correctly set up to avoid any routing issues or conflicts between the internal and external networks.
- Performance: Monitor the performance to ensure that the addition of a second NIC does not introduce any latency or bottlenecks.
- Security: Properly configure firewall rules and access controls to ensure that the separation effectively enhances security.
- SAP Kernel and Network Settings: Verify that the SAP kernel and network settings are compatible with dual NIC configurations. This may involve checking SAP notes or documentation specific to your SAP NetWeaver version.
Recommended Approach or Best Practice:
- Segmentation: Ensure that the IP/subnet segmentation is correctly implemented to achieve the desired network isolation.
- Testing: Thoroughly test the configuration in a non-production environment to identify and resolve any issues before deploying it in production.
- Monitoring: Implement monitoring tools to continuously monitor network traffic and performance to ensure that the separation is functioning as intended.

By following these steps, you can ensure that your network separation strategy aligns with SAP's supported and recommended practices, thereby maintaining compliance and enhancing security.

Inquiry on Supported Network Architecture (Dual NIC / Network Separation)

Know the answer?

Need more details?

Accepted Solutions (1)

Accepted Solutions (1)

Answers (0)