Successful work team

When moving workloads to any cloud it is important to think about how this will affect your organization, and how you leverage partners to support you in this journey. As described earlier in this chapter, while many of the responsibilities remain unchanged, in a software-defined data centre individual roles may need to change if you are to take full advantage of the flexibility and agility provided by Azure. These roles and responsibilities will also be different when considering consuming IaaS, PaaS, and SaaS offerings.

In the case of running SAP on Azure we are mostly considering the use of Azure IaaS services, but most customers will also need to consider how these integrate with native Azure PaaS services, such as AKS for hybris, SAP PaaS services such as SAP Cloud Platform (SCP), as well as SAP SaaS services such as Ariba, Concur, Fieldglass, and SuccessFactors.

For most of you, it is unlikely that you have all the skills in-house to manage the migration of SAP to Azure. Most projects are delivered by a combination of customer, partner, and Microsoft resources. While some tasks can only really be performed by internal resources, such as user acceptance testing, others may be better oursourced to partners who have experience in such migrations. Most customers will only ever perform one SAP migration to Azure, while some partners will have completed tens or hundreds of such migrations. We will now look at some of the roles and responsibilities for each group in more detail.

Internal resources

It is important to realize that when running SAP on Azure you are primarily using Azure IaaS offerings. This removes the need for you to be concerned with the physical assets such as data centres, servers, storage arrays, network switching, and cabling, and replaces all those with virtual assets that are fully software defined, and configured through a portal, command-line, scripts, or automation. You remain fully responsible for configuring the required resources, ensuring data and applications are secure, and configuring and managing backup/restore, high availability, and business continuity/disaster recovery. In that sense there is very little change to your responsibilities.

The first and most important question is, who in your organization owns responsibility for Azure? While the technical responsibilities may not have changed, the financial governance is potentially totally different. If your users are to take full advantage of the agility provided by Azure, they will need to be empowered to consume what they need when they need it. However, giving them this freedom will impact your costs and without good financial governance the costs of Azure can quickly exceed expectations. Historically those responsible for provisioning infrastructure were not typically responsible for the financial governance; they would simply provision what someone else in the organization had procured. In Azure they have access to essentially limitless capacity, and you need to decide who can provision what and when.

Azure has built-in capabilities to provide the required financial governance. Azure Cost Management provides a complete solution to monitor resource usage and manage costs across Azure and other clouds, implement financial governance policies with budgets, and cost allocation and chargeback, and supports continuous cost optimization.

However, it still requires you to plan how you want to use financial governance and then implement a strategy to deliver it. The main question is, who within your organization owns responsibility for this?

After financial governance the other big area of change is the use of automation in Azure. You may already be using tools such as Ansible, Chef, or Puppet to automate software deployment and configuration, in which case you are well placed to adopt automation of Azure and to deliver end-to-end solutions using Infrastructure as Code (IaC). You will have people with the required skill set to embrace technologies such as Azure Resource Manager (ARM) templates to automate Azure deployments, or to use other tools such as Terraform.

However, if you are not using any automation tools today then this is a big area of change and you will need to identify people with the right skills to handle automation. In general, they require good programming skills as they will essentially be modifying or developing code to automate deployments. It may be tempting to take the view that with only a few hundred VMs to build for SAP on Azure, and with a wide variance of configurations, it is hardly worth investing in automation. For all the reasons given previously this tends to lead to poor-quality deployments with lots of variance between VMs that should be similar, and many configuration errors. As an example, Microsoft recommends enabling Azure Accelerated Networking (AN) for VMs running SAP, but much of the value is lost if AN is enabled on the database server VMs but not on the application server VMs, or worse still on some application server VMs but not others. You might not believe it, but these mistakes are made.

When it comes to security it is likely that you already have a team responsible for security within your existing data centres. They will need to extend their existing security model to encompass Azure and define the policies that are to be implemented. These policies can be instantiated through the Azure Policy Service and monitored using Azure Security Center. Arguably there are far better tools available natively in Azure than you probably have available on-premises today, but if you don't use them then you won't gain the benefit. The security team will also need to consider when and where to use technologies such as firewalls, and whether to use native solutions such as Azure Firewall, or to continue with the same products as used today on-premises but implemented in Azure as Network Virtual Appliances (NVA). Their responsibilities do not change significantly, but some of the tools they use will.

The biggest area of change is within core infrastructure management. The role of server, storage, or network administrator will change significantly; there are no physical assets to manage, but there are their virtual equivalents. Their role becomes one of defining policies as to what resources should be configured when and how, and is closely linked to the topic of automation.

As an example, when a user requires a new SAP application server VM the automation should ensure that only SAP-certified VMs can be chosen, that the disk storage is configured appropriately for SAP, that the VM is joined to the correct VNet, and that the VM uses the correct OS image. The code to create the VM will configure all these aspects, which means the server, storage, and network teams must work together to define these and implement the policies. This team may have the skills and ambition to take on responsibility for all aspects of automation.

Unless you have been lucky enough to recruit a team with previous experience of Azure, then training needs to be factored into your plans. However willing and able your staff may be, best practice in Azure is not the same as best practice in the on-premises world. There are differences in how things are done in Azure, and if your project teams are to be effective then they need to understand these differences. As you might imagine, Microsoft, in conjunction with its training partners, offers a variety of Azure training and certifications³³. It is highly advised that you ensure that staff that will be involved with the migration to Azure receive the necessary training and certification.

Partners

Of course, you may decide that rather than try and take on all this work in-house you would rather entrust it to partners. In this case you will need to decide whether to work with your existing incumbent partners if you have any, or look to new partners. The key question needs to be, do your existing partners have the required skills? As Azure becomes more pervasive skills in both Azure IaaS and SAP on Azure are becoming more common; however, you still need to ensure that the resources allocated to your project have these skills. In most cases by definition the partner team currently managing your on-premises environment are unlikely to have the required Azure skills.

Microsoft is by its nature a partner-centric company and relies on its partners to deliver customer projects. For this reason, Microsoft has been encouraging its traditional partners to develop the core Azure skills required to deliver the Azure cloud foundations, and at the same time working with the GSI, NSI, and local SAP Services Partners to build the skills around SAP on Azure. Where SAP is the lead project migrating to Azure then some customers will use one partner to build the Azure cloud foundations because of their deep expertise and experience in core Azure, and use a separate partner to handle the SAP migration to Azure, based on their expertise and experience of SAP migrations. There is no right or wrong solution; it is a question of leveraging the right skills at the right time in the project.

Microsoft

Whether or not you choose to use a partner to deliver your project, you will have access to certain Microsoft resources. The first level of assistance is FastTrack for Azure³⁴, which provides you with access to Azure engineering resources with real-world customer experience to help you and your partners. These engineers cover a wide range of Azure areas from the basic Azure cloud foundations through to SAP on Azure. The FastTrack service is delivered remotely using Teams.

For larger projects it is likely you will have access to Microsoft Cloud Solution Architects (CSAs). They provide similar capabilities to the FastTrack engineers but generally support a smaller number of concurrent projects and will provide support both remotely and on-site. As with FastTrack there are CSAs who specialize in the core aspects of Azure and also those with specific SAP on Azure skills. It is important to understand that both FastTrack engineers and Cloud Solutions Architects act in a purely advisory capacity: they are not a consulting organization and are not indemnified to carry out work within the customer's own Azure subscriptions.

Finally, if what you really want is a one-stop shop then Microsoft Consulting Services (MCS) can provide this capability. They are the consulting services division of Microsoft and can deliver whole cloud migration projects. Unlike some software companies Microsoft does not see consulting services as a major revenue-generating arm; MCS exists primarily to enable customers to adopt and deploy Microsoft technologies. MCS will provide overall program management and have the required skills in-house to deliver the Azure cloud foundations, but will leverage accredited partners to deliver the SAP migration to Azure.