After the retirement of the SAP Managed Backing Services on SAP Cloud Platform, we are now moving toward the consumption of Hyperscaler managed backing services on SAP Cloud Platform by adding new capabilities to support multiple Hyperscalers. These capabilities for creating and managing Hyperscaler services make it easier for our customers and stakeholders to use the services in their applications on SAP Cloud Platform.
In August, consumption of Amazon PostgreSQL on SAP Cloud Platform was unveiled. In line with the roadmap, we now have the ability to consume the PostgreSQL service from Microsoft Azure in the SAP Cloud Platform Cloud Foundry environment. In this blog we will go through the prerequisites and the steps involved in consuming Azure Database for PostgreSQL.
Prerequisites:
SAP Cloud Platform Cloud Foundry account on Azure with a Sub-account and Space.
Microsoft Azure Subscription
Azure Active Directory Tenant connected with your Azure Subscription
Setup on Azure:
Step 1: Application Registration with Active Directory
Create a new "Application Registration" under the Active Directory with the type "Web". Give the application a name; a new Application (client) ID is then generated for it. This ID is required for role-based access to create and manage the resources on Azure.
Note: You need Active Directory Admin privileges to perform the above steps. Contact your subscription administrator if you get an error while creating a new Application Registration.
Once created, you can see the Application Registration listed along with the Application (client) ID.
Click on the Application that we created in the above step to open the Application Overview screen.
Make note of the following values that are available on this screen. These values will be required for the configuration of Resource Provider on SAP Cloud Platform later.
Application (client) ID
Directory (tenant) ID
Step 2: Assign Role to the Application on Subscription Account
You will now need to add this Application (client) ID as a Contributor in your subscription account.
Navigate to the Subscriptions from "All Services" menu option and click on your subscription from the list of subscriptions.
Choose the "Access control (IAM)" menu and click on "Add" under the "Add a role assignment" section on the right.
Select the "Contributor" role, choose the Application (client) ID created in Step 1 from the Select search field, and click on "Save".
Step 3: Create a Client-Secret for the Application
Once the new Application is created, we will create the required credentials to access this application by creating a Client Secret key.
Choose "Certificates & secrets" menu option and click on "New client secret" button to create a new client secret.
Provide a name for the client secret, choose an appropriate expiry duration, and click on the Add button to create the client secret.
You should now see the newly created Client Secret in the list of secrets. Make note of the secret value, as we will use this value later for the configuration of the Resource Provider on SAP Cloud Platform.
Note: Ensure you make note of this Client Secret value, as you will not be able to retrieve it later.
Step 4: Create Resource Group
A Resource Group is a container that holds related resources for an Azure solution that you want to manage as a group. All the PostgreSQL instances launched from SAP Cloud Platform will be contained within the resource group that you create.
Choose the "Resource groups" option from the left-hand side menu.
In the Resource Groups overview screen, click the "Create Resource Group" button and create a new Resource Group by selecting the right Subscription, Name and the Region of your preference. (The Region could be the same as that of the SAP Cloud Platform account. All the PostgreSQL instances created from SAP Cloud Platform will be created in this region by default.)
Review the values provided and click on "Create" to create a new Resource Group. Once created, click on the Resource Group created to open the overview screen and make note of the Resource Group name and the Subscription ID displayed here. We will use these values later during the Resource Provider configuration on SAP Cloud Platform.
Step 5: Add the IAM Role to the Resource Group
Now that we have created a Resource Group, we need to allow the Application (Service Principal) we created in Step 1 to create and manage the resources in this resource group. To do so, we will give the Application Registration the "Contributor" role on our Resource Group.
From the Resource Group overview screen, click on the "Access control (IAM)" menu option. Under the "Add a role assignment" section click on the "Add" button.
Select the role "Contributor", choose the Application ID that was created in Step 1, and click Save.
With this, the setup required on the Azure portal is complete.
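To confirm that Steps 2 and 5 left the application with exactly the role assignments described above, the following added example (not part of the original post) audits the JSON printed by `az role assignment list --assignee <application-id> --all -o json`. The sample records, the subscription ID and the resource group name are constructed placeholders, and the function name is hypothetical.

```python
import json

# Constructed sample shaped like the output of:
#   az role assignment list --assignee <application-id> --all -o json
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
RG = "scp-postgres-rg"                         # hypothetical resource group name
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/SCP-Postgres-RG"},
    {"roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}/resourceGroups/other-rg"},
])


def audit_assignments(raw_json, subscription_id, resource_group):
    """Compare the app's role assignments with what Steps 2 and 5 create."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    rg_scope = f"{sub_scope}/resourcegroups/{resource_group}".lower()
    expected = {("contributor", sub_scope), ("contributor", rg_scope)}
    seen = set()
    unexpected = []
    for item in json.loads(raw_json):
        # Azure resource IDs are case-insensitive, so normalise before comparing.
        key = (item["roleDefinitionName"].lower(),
               item["scope"].rstrip("/").lower())
        if key in expected:
            seen.add(key)
        else:
            unexpected.append((item["roleDefinitionName"], item["scope"]))
    missing = sorted(scope for _, scope in expected - seen)
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(audit_assignments(SAMPLE, SUB, RG))
```

Entries under `missing` mean a step was skipped; entries under `unexpected` are access beyond what this setup assigns and are worth reviewing.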
Resource Provider Configuration on SAP Cloud Platform:
Log in to your SAP Cloud Platform Cloud Foundry account and, at the Global Account level, click on the “Resource Providers” option in the navigation menu. Here you configure your Azure subscription credentials, which are required subsequently to create and manage the Azure PostgreSQL instances. The Azure account credentials shared with SAP will be saved in a secure store.
Click on the “New Provider”. This opens a pop-up dialog where you would have to provide the Hyperscaler Account Credentials. In this case, we would be keying in the Azure account details.
Key in the values for the above parameters as per the following:
Provider: Choose among the supported Hyperscalers, in this case we will go with Azure as the Hyperscaler.
Display Name: Provide a suitable display name for the provider for identification on the cockpit.
Technical Name: Provide a unique technical name. This name would be required by the application developers as a parameter when creating service instances from this provider.
Description: Provide an optional description for this resource provider.
Azure Client (Application) ID: Make use of the Application (client) ID that was created as part of the Azure Setup Step 1.
Azure Tenant ID: Make use of the Directory (tenant) ID that was noted down as part of the Azure Setup Step 1.
Azure Client Secret (Key): Make use of the Client Secret value that was created as part of the Azure Setup Step 3.
Azure Subscription ID: Make use of the Subscription ID that was noted down as part of the Azure Setup Step 4.
Azure Resource Group: Make use of the Resource Group name that was created during the Azure Setup Step 4.
Azure Region: Make use of the Resource Group region that was used to create the resource group during the Azure Setup Step 4.
NOTE: Due to Microsoft VNET service endpoint restrictions on Azure Database for PostgreSQL, if you wish to use the dbinstance type “B_Gen5_1” or “B_Gen5_2”, we recommend that you create your resource provider (database) with a region other than the region in which your Cloud Platform Cloud Foundry account resides.
Once you have all the values above, enter them in the dialog pop-up to create a new Resource Provider.
Once the new Resource Provider is created, we need to assign the entitlements to the sub-accounts where you wish to create Azure PostgreSQL instances. Click on “Entitlements” -> “Sub-account Assignments” and choose the Sub accounts for which you wish to provide this service entitlement. Click on “Add Service Plans”.
You will now have to choose the “PostgreSQL on Microsoft Azure” service from the catalog and choose the service plans from the resource provider created in Step 4. Click on “Add Service Plan” to assign the services to the Sub-account.
Once the entitlement is made available to a sub-account, you can also limit the number of PostgreSQL instances that can be instantiated on that sub-account. Provide that limit on the entitlements screen and click ‘Save’.
Azure PostgreSQL service creation on SAP Cloud Platform:
Log in to the sub-account which was given the entitlement and go to the ‘Service Marketplace’ tab. You should now be able to see the “PostgreSQL on Microsoft Azure” service.
Click on the “PostgreSQL on Microsoft Azure” service tile and see the available plans and respective documentation. Click on the “Instances” option on the navigation menu and click “New Instance”.
Choose the appropriate service plan and provide the instance parameters in JSON format. You could also choose to not provide any values, in which case the default parameters are set and the DB credentials are auto-generated. (More detailed information on the parameters along with the default configuration can be obtained here)
Choose a service plan as per the requirement and click “Next”
If you do not wish to provide any additional configuration parameters, you can leave the additional parameters blank. However, if you have more than one Resource Provider in your account, you have to specify which resource provider should be used to create the PostgreSQL instance (resourceTechnicalName parameter). The additional parameters that can be configured are as below:
{
  "adminPassword": "<Your Password>", // At least 8 characters long
  "adminUsername": "", // At least 8 characters long
  "backupRetentionPeriod": 14, // Backup retention period in days
  "dbEngineMajorVersion": "9.6", // PostgreSQL DB engine version (9.6, 10, 11)
  "dbInstanceType": "B_Gen5_1", // Instance type; more options can be found in help
  "dbName": "newDB", // Name of the database instance
  "resourceTechnicalName": "azure_demo_provider", // Technical name of the resource provider
  "storageGb": 20 // Storage required in GB
}
You could leave the application blank for now and confirm the service instance creation with a suitable instance name and click ‘Finish’.
Instance creation will be started and might take some time to complete.
You can now verify the instance creation by logging in to your Azure Portal and navigating to Azure Database for PostgreSQL, where you should see a new instance created.
With this approach we can now create and consume PostgreSQL DB from Microsoft Azure on SAP Cloud Platform. This service will soon be enhanced with more features to make the consumption and management of PostgreSQL instances a lot easier.
SAP Cloud Platform now supports consumption of PostgreSQL Database services from AWS and Azure.
Known Issue: The CF account and the instance cannot run in the same region for Gen5_1 and Gen5_2 PostgreSQL instances on Azure. The following errors are shown:
Unable to create service instance. We are sorry, but we have encountered an internal error. If the problem persists, please create a support ticket.
Service broker error: Azure PostgreSQL instance: <INSTANCE ID> of dbInstanceType:B_Gen5_2 cannot be created in the <REGION> region.
Service broker error: Azure PostgreSQL instance: <INSTANCE ID> of dbInstanceType:B_Gen5_1 cannot be created in the <REGION> region.
Workaround: Create the resource provider in a region other than the region in which the SAP Cloud Platform Cloud Foundry resides.
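The parameter rules listed earlier (credential length, supported engine versions, `resourceTechnicalName` when several providers exist) and the region restriction from the known issue can be checked before an instance is requested. The following is an added example, not SAP's code: the function names are hypothetical, the caller is assumed to supply the Azure region of the Cloud Foundry account, and empty values are assumed to fall back to defaults.

```python
import json

# Limits copied from the parameter list and the known issue on this page.
ALLOWED_VERSIONS = {"9.6", "10", "11"}
REGION_RESTRICTED_TYPES = {"B_Gen5_1", "B_Gen5_2"}
MIN_CREDENTIAL_LENGTH = 8


def _region(name):
    # Treat "West Europe" and "westeurope" as the same region.
    return name.replace(" ", "").lower()


def validate_params(params, provider_region, cf_azure_region, provider_count=1):
    """Return a list of problems; an empty list means the parameters pass."""
    problems = []
    for key in ("adminPassword", "adminUsername"):
        value = params.get(key)
        # Assumption: an omitted or empty value falls back to auto-generation.
        if value and len(value) < MIN_CREDENTIAL_LENGTH:
            problems.append(f"{key} is shorter than {MIN_CREDENTIAL_LENGTH} characters")
    version = params.get("dbEngineMajorVersion")
    if version is not None and str(version) not in ALLOWED_VERSIONS:
        problems.append(f"dbEngineMajorVersion {version} is not 9.6, 10 or 11")
    if provider_count > 1 and not params.get("resourceTechnicalName"):
        problems.append("resourceTechnicalName is required with several providers")
    if (params.get("dbInstanceType") in REGION_RESTRICTED_TYPES
            and _region(provider_region) == _region(cf_azure_region)):
        problems.append(f"{params['dbInstanceType']} cannot be created in the "
                        f"Cloud Foundry account's region ({cf_azure_region})")
    return problems


def to_strict_json(params):
    """Serialize without // comments; empty values are dropped (assumption)."""
    return json.dumps({k: v for k, v in params.items() if v not in ("", None)},
                      indent=2)


# Constructed sample based on the parameter list above; the password is a placeholder.
SAMPLE = {"adminPassword": "short", "adminUsername": "", "backupRetentionPeriod": 14,
          "dbEngineMajorVersion": "9.6", "dbInstanceType": "B_Gen5_1",
          "dbName": "newDB", "resourceTechnicalName": "azure_demo_provider",
          "storageGb": 20}

if __name__ == "__main__":
    for problem in validate_params(SAMPLE, "westeurope", "West Europe"):
        print("problem:", problem)
    print(to_strict_json(SAMPLE))
```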