Case Study: Secure and Scalable Microsoft Azure Infrastructure Deployment for a Mining Company’s SAP Environment
The purpose of this case study is to highlight how the Infiflex Cloud team leveraged Microsoft Azure to build a secure, highly available, and scalable infrastructure to host the Mining Company’s SAP landscape, including development, quality assurance, and production environments.
Project Overview
The objective of this project was to build a secure, highly available, and scalable infrastructure in Microsoft Azure to host the Mining Company’s SAP landscape, including development, quality assurance, and production environments. The design needed to ensure seamless hybrid connectivity with on-premises systems, secure user access, and controlled internet exposure.
This project served a global enterprise environment requiring scalable performance, multi-layer security, and seamless integration with on-premises infrastructure. The cloud solution was intended to provide flexibility, reduce on-premises hardware dependency, and improve resilience for business-critical SAP systems. The architecture was specifically tailored to meet the evolving needs of a digitally transforming organization while minimizing risk and maximizing uptime.
Business Requirements
To meet the strategic and operational needs of the business, the following requirements were defined:
- Host critical SAP workloads (DEV, QAS, PRD) in Azure. The SAP landscape had to be replicated in the cloud with development, quality assurance, and production systems operating independently yet cohesively.
- Ensure secure access for on-prem users. Hybrid connectivity was essential to allow access for staff and vendors across various geographical locations, particularly through dual ISP links.
- Enable centralized traffic control through a firewall. All ingress and egress traffic was to be funneled through a single firewall instance to manage threats and enforce corporate security policy.
- Provide data protection through backup and logging. Critical workloads had to be backed up with versioning and point-in-time recovery capabilities.
- Maintain segregation of duties and resource zones. Different environments and components needed logical isolation to enforce policy compliance and operational efficiency.
Additionally, the infrastructure had to meet internal compliance mandates, support business continuity planning, and provide visibility into the health and performance of each workload.
Azure Components Used
- Azure Virtual Network (VNet): VNET and VNET-FIREWALL for segmentation.
— These were created to logically separate the SAP application infrastructure from security appliances. VNET hosts the core SAP systems, while VNET-FIREWALL isolates firewall-related resources, ensuring clear demarcation and enhanced security control.
- Azure Virtual Machines (VMs): Various VMs, including SAP systems, Jump Server, ADC.
— These hosted key SAP roles, such as application servers, database servers, and utility servers like the Jump Server. Each VM was provisioned with availability, sizing, and performance tuning based on its workload class (DEV/QAS/PRD). They were deployed in availability zones where applicable to enhance fault tolerance.
- Azure Firewall (FortiGate from Marketplace): Deployed for all inbound/outbound traffic inspection.
— Used as the central point for traffic inspection and routing. It enforced internet access restrictions and provided advanced threat protection and NAT policies. In FortiGate, a NAT (Network Address Translation) policy configures how the FortiGate translates source or destination IP addresses when traffic flows through it, defining the rules for converting private IP addresses within the network to public IP addresses and vice versa when accessing the internet. Logging and policies were tightly integrated with Azure Log Analytics for visibility and alerts.
- Azure Virtual Network Gateway: For Site-to-Site VPN with dual ISP setup.
— Enabled hybrid connectivity through encrypted S2S tunnels, with dual ISP failover configurations (Airtel and TATA) to maintain uptime even if one provider fails. This helped to ensure continuous access from on-prem environments.
- Azure Storage Account: For diagnostics and backup data.
— Utilized to collect diagnostic logs, retain VM boot data, and store backup snapshots, with lifecycle rules to optimize storage costs. It was also leveraged to support monitoring telemetry from other services.
- Azure Backup: For automated VM backup.
— An automated and centralized backup solution across environments. Included policies for daily backups with retention, secure vaulting, and support for long-term retention to meet regulatory requirements.
- Azure Log Analytics: For centralized monitoring and logging.
— Aggregated telemetry from all components for performance insights and troubleshooting. Dashboards and alert rules were created to monitor activity patterns and flag anomalies. Integration with Microsoft Defender for Cloud, a multicloud security solution, was configured to enable threat detection and recommendations.
Architecture Highlights
- Hybrid Connectivity:
Dual ISP S2S VPN using Azure Virtual Network Gateway.
— Redundancy and failover ensured uninterrupted user access via encrypted tunnels from on-premises environments.
- Security:
All internet traffic was routed through the FortiGate Firewall with explicit allow/block rules. Access to the SAP VMs was permitted only via a hardened Jump Server, protected by Azure Network Security Group (NSG) rules, which control traffic to and from Azure resources based on source/destination IP address, port, and protocol, and by just-in-time access policies.
- Network Segmentation & Peering:
Virtual Networks (VNets), the fundamental building block for private networks in Azure (comparable to a traditional network inside a datacenter), were carefully designed and peered to maintain secure and efficient communication between the SAP and Firewall segments, enforcing traffic separation and policy-based routing.
- Data Protection:
Azure Backup and diagnostics logs in the Storage Account.
— The automated backup solution ensured reliable and restorable snapshots. Critical logs were centralized for compliance audits.
- Monitoring & Insights:
Integrated with Azure Log Analytics.
— Custom queries and dashboards were built to monitor key metrics like CPU usage, disk I/O, login attempts, and firewall activity.
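The jump-server-only access model from the Security highlight above can be checked mechanically. The following is an added example (not code from the original case study or the Infiflex deployment) that models how Azure evaluates inbound NSG rules, including the built-in AllowVnetInBound and DenyAllInBound defaults, and uses it to confirm that SAP VMs are reachable only from the Jump Server subnet; the VNet, subnet ranges and rule priorities are constructed placeholders.

```python
# Added example, not code from the original case study or the Infiflex deployment:
# a small model of Azure inbound NSG evaluation, used to verify the posture above
# (SAP VMs reachable only via the hardened Jump Server). Address ranges are constructed.
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.10.0.0/16")   # constructed VNet address space
JUMP_SUBNET = "10.10.1.0/24"                   # constructed Jump Server subnet
SAP_SUBNET = "10.10.2.0/24"                    # constructed SAP DEV/QAS/PRD subnet
ADMIN_PORTS = {22, 3389}                       # SSH and RDP
@dataclass(frozen=True)
class Rule:
    priority: int     # Azure: lower number wins, first match decides
    access: str       # "Allow" or "Deny"
    source: str       # CIDR, or a service tag: "Internet", "VirtualNetwork", "*"
    ports: frozenset  # destination ports; empty set means any port

# Azure's built-in inbound default rules (AllowAzureLoadBalancerInBound omitted).
DEFAULT_RULES = [Rule(65000, "Allow", "VirtualNetwork", frozenset()),
                 Rule(65500, "Deny", "*", frozenset())]

def _source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":       # simplified: any address outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(rule_source)

def evaluate_inbound(rules, src_ip, port):
    """Return 'Allow' or 'Deny' for an inbound flow into the subnet this NSG guards."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and (not rule.ports or port in rule.ports):
            return rule.access
    return "Deny"   # not reached: priority 65500 matches everything

def internet_exposed_admin_rules(rules):
    """Priorities of Allow rules that let the Internet tag reach SSH/RDP (the anti-pattern)."""
    return sorted(r.priority for r in rules if r.access == "Allow"
                  and r.source == "Internet" and (not r.ports or r.ports & ADMIN_PORTS))

# Hardened SAP-subnet NSG: admin ports only from the Jump Server subnet, SAP tiers may talk
# to each other, and an explicit deny so default AllowVnetInBound cannot admit other subnets.
HARDENED = [Rule(100, "Allow", JUMP_SUBNET, frozenset({22, 3389, 3200, 3300})),
            Rule(110, "Allow", SAP_SUBNET, frozenset()),
            Rule(4000, "Deny", "*", frozenset())]
# Constructed weak variant: an RDP allow from the Internet that slipped into the rule set.
WEAK = HARDENED + [Rule(200, "Allow", "Internet", frozenset({3389}))]
```

Note that without the explicit priority-4000 deny, the default AllowVnetInBound rule would let any other subnet in the VNet reach the SAP admin ports, so a jump-server design needs that deny, not just the absence of Internet allows.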
Challenges and Solutions
The project encountered latency challenges during initial testing, which were resolved by optimizing routing and moving DNS resolution to Azure. Firewall policy testing was performed in a staging environment before final go-live.
Results and Impact
- Security:
No direct exposure of critical SAP systems to the internet.
The firewall-centric design significantly reduced the attack surface by blocking all unsolicited inbound connections and providing full visibility into business traffic.
- Performance:
Reliable access for users via VPN. The VPN setup and optimized routing ensured low-latency, high-throughput communication between users and systems, even during peak hours.
- Manageability:
Centralized access and monitoring. Admins used the Jump Server to securely manage all systems without the need for direct VM exposure. This centralized model streamlined maintenance and audits.
- Compliance:
Architecture supports future integration with security tools. It prepared the foundation for security auditing, log retention, and compliance assessments such as ISO 27001 and GDPR.
- Scalability:
Easily extendable to new workloads. With VNet peering and modular deployment, future expansion to new regions, SAP modules, or enterprise operations can be done with minimal redesign.
Conclusion
This project delivered a robust, enterprise-grade infrastructure in Microsoft Azure tailored for hosting mission-critical SAP workloads. The use of native Azure components combined with a marketplace FortiGate firewall ensured a secure, connected, and resilient environment with centralized control and observability.
The success of this deployment sets a precedent for future cloud adoption projects within the organization. The combination of strategic planning, modern tooling, and robust execution ensured a seamless transition from on-prem to cloud while meeting all business, operational, and compliance goals.