|
| 1 | +--- |
| 2 | +title: Enable TLS 1.2 or higher |
| 3 | +description: Learn what is secure communication with TLS 1.2 or higher in Azure Monitor for SAP solutions. |
| 4 | +author: sameeksha91 |
| 5 | +ms.service: virtual-machines-sap |
| 6 | +ms.subservice: baremetal-sap |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 12/14/2022 |
| 9 | +ms.author: sakhare |
| 10 | +#Customer intent: I am a SAP BASIS or cloud infrastructure team memever, i want to deploy Azure Monitor for SAP solutions with secure communication. |
| 11 | +--- |
| 12 | + |
| 13 | +# Enable TLS 1.2 or higher in Azure Monitor for SAP solutions (preview) |
| 14 | + |
| 15 | +[!INCLUDE [Azure Monitor for SAP solutions public preview notice](./includes/preview-azure-monitor.md)] |
| 16 | + |
| 17 | +In this document, learn about secure communication with TLS 1.2 or higher in Azure Monitor for SAP solutions. |
| 18 | + |
| 19 | +> [!NOTE] |
| 20 | +> This section applies to only Azure Monitor for SAP solutions. |
| 21 | +
|
| 22 | +## Introduction |
| 23 | +Azure Monitor for SAP solution resource and associated manager resource group components are deployed within Virtual Network in customers’ subscription. Azure Functions is one specific component in managed resource group. Azure Functions connects to appropriate SAP system using connection properties provided by customers, pulls required telemetry data and pushes it into Log Analytics. |
| 24 | + |
| 25 | +To ensure security, Azure Monitor for SAP solutions provides encryption of monitoring telemetry data in transit using approved cryptographic protocol and algorithms. This means traffic between Azure Functions and SAP systems are encrypted with TLS 1.2 or higher. By choosing this option the customer can enable secure communication. |
| 26 | +> [!NOTE] |
| 27 | +> Enabling TLS 1.2 or higher for telemetry data in transit is an optional feature. Customer can choose to enable/disable this feature per their requirements. This option can be selected during creation of providers in Azure Monitor for SAP solutions. |
| 28 | +
|
| 29 | +## Supported certificates |
| 30 | +To enable secure communication in Azure Monitor for SAP solutions, customers can choose to use either **Root** certificate or upload **Server** certificate. |
| 31 | + |
| 32 | +> [!Important] |
| 33 | +> Use of Root certificate is highly recommended. For root certificates, only Microsoft included CA certificates are supported. Please see list [here](https://learn.microsoft.com/security/trusted-root/participants-list). |
| 34 | +
|
| 35 | +> [!Note] |
| 36 | +> Certificates must be signed by a trusted root authority. Self-signed certificates are not supported. |
| 37 | +
|
| 38 | +## How does it work? |
| 39 | +During deployment of Azure Monitor for SAP solutions resource, a managed resource group and its components are automatically deployed. Managed resource group components include Azure Functions. Log Analytics, Key Vault, and Storage account. This storage account is the place holder for certificates that are needed to enable secure communication with TLS 1.2 or higher. |
| 40 | + |
| 41 | +During ‘create’ experience of provider instances in Azure Monitor for SAP Solutions, customers choose to enable or disable secure communication. If enable is selected, customers can then choose which type of certificate they want to use. The options are root certificate or server certificate. |
| 42 | + |
| 43 | +If root certificate is selected, customers need to verify that CA authority is supported by Microsoft. See full list [here](https://learn.microsoft.com/security/trusted-root/participants-list). Once verified, customers can continue with provider instance creation. Subsequent data in transit is encrypted using this root certificate. |
| 44 | + |
| 45 | +If server certificate is selected, customers need to upload the certificate signed by a trusted authority. Once uploaded, this certificate is stored in storage account within the managed resource group in Azure Monitor for SAP solutions resource. Subsequent data in transit is encrypted using this certificate. |
| 46 | + |
| 47 | +> [!Note] |
| 48 | +> Enabling secure communication is highly recommended. |
| 49 | +
|
| 50 | +> [!Note] |
| 51 | +> Please refer to the Provider configuration pages to learn about pre-requisites for each provider type, as needed. Pre-requisites must be fulfilled to enable secure communication. |
| 52 | +
|
| 53 | +## Next steps |
| 54 | +> [Configure Azure Monitor for SAP solutions provider](configure-netweaver-azure-monitor-sap-solutions.md) |
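Review bot: Lines 43 and 45 say subsequent data in transit "is encrypted using this root certificate" and "using this certificate", which misdescribes what the certificate does. In TLS the root or server certificate lets the connecting side (Azure Functions, per line 23) verify the SAP system's identity, and the traffic itself is encrypted with negotiated session keys. Suggest wording along the lines of "Azure Functions uses this certificate to validate the SAP system's certificate when it establishes the TLS connection." On line 39, "Azure Functions. Log Analytics, Key Vault, and Storage account" needs a comma in place of the period. The same line says certificates are held in the storage account although a Key Vault is deployed in the same managed resource group, so a sentence on why the storage account is used and who can read it would help readers assess the exposure. Smaller points: line 23 says "manager resource group" where lines 39 and 45 say "managed resource group"; line 10 has "memever" and a lowercase "i"; the note starting on line 26 follows the paragraph on line 25 with no blank line between them; the alert tags mix "[!NOTE]", "[!Note]" and "[!Important]"; and ms.topic is "how-to" while the page contains no steps for enabling the option.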