Go to the SAP client library:


Click, get started, create an account:



You will need to activate your account, SAP will send you a mail confirmation:


Once activated you have to accept the terms and conditions.


Then you need to whitelist the subscription in which you are going to work with SAP. Provide a name for the account, then select the Cloud Provider and then provide the Subscription ID related. Click on Authorize




You have to provide access to SAP:





Then go to the solutions and Select the SAP Express edition





Then provide the instance details:






Thenk click on left-bottom pag "advanced mode":




Do not change the default values and proceed to step 4



Mark the checkbox for the Static IP Address:



Access Points:

Then provide the Port range: this includes the SAP web dispatcher, SAP Host agent, ports for statistic connections, IDE for XSA Deployment, ID Core Service, Default DP Server port, Custom tenant ports, Custom HTTP, SSH

Please review the following table for Port Specification:






Note: we will review in detail the Network Security Group access to allow inbound/outbound traffic.

 Then provide the password for this solution:



Finally, review the schedule details for your instance. Click review



Then click create.


Click OK



SAP will assign a private key for your solution, click Store




Download and save the private key locally as a privacy enhanced mail file (.PEM file extension).



Click Download:


Then you need to wait for some minutes to use the solution.


The process might take a while:




After some minutes you will notice that the solution is up and running:



Click on the solution and  you will see the related details:





Now go to the Azure Portal,  you will see the VM up and running:





To connect to your VM you can do so by SSH using Putty or another client, you could also use the  Azure Serial Console  feature:




If you want to try the  Azure Serial Console Preview, you can do so by going to your VM blade, scroll down and you will select the Console Access Option:





TIP: Please note that Access to the Azure Serial Console is in preview and is NOT recommended for use with any production systems. The preview is focused on West Central US, West Europe, and Azure Canary regions, use with VMs outside these regions may yield varying results. For more information see https://aka.ms/serialconsolehelp.

Be sure to enable Boot diagnostics:



Go to Boot diagnostics and click ON, then select your storage account to store all the logs



Click Save.



Check your Networking configuration!


If you have troubles connecting to your VM please review your networking settings, go to your Network Security Group(NSG) and review the traffic rules:




Click on Inbound security rules, then click on Add:



Change to Basic:



Add the SSH rule, click OK.



Then we will add the Custom HTTP rule:


Click add, select advanced and select Custom, then type the following port range: 59013-59014



Click OK.


Now we will add the custom tenants port rules, type the parameters as shown below:



Click OK.


Now we will add the Default_DPServer_Port custom rule:



Click OK.


Now we will add the DICore Service Rule:



Click OK


Now we will add the IDE for XSA Development rule:



Click OK.


Now we will add the Port for statistics server connections rule:




Click OK.


Now we will add the SAP Host Agent Rule:



Click OK.


Now we will add the SAP Web Dispatcher (HANA) rule:




Click OK.


Now we will add the SAP Web Dispatcher (HANA) rule:



Click OK.


Now we will add the SQL and MDX access port to the SYSTEM database rule:




Click OK.


Now we will add the SQL and MDX access to the first tenant of a HANA system rule:




Click OK.


Now we will add the XSA rule:



Now we will add the second XSA rule:



Click OK.


Now we will add the last Custom HTTP rule:




Click OK.


Now please assure you have attached the NSG to the NIC - Network Interface Card, Go to your NICs and select the SAP NIC, Then Select Network Security Group from the blade and click Edit:

Then select your NSG for SAP:




Then Click Save:



Notes: you need to shutdown the VM in order to apply any NIC configurations. You can also spin up the VM again from the SAP Cloud Appliance Library or from the Azure Portal.


I suggest you verify your instance from the SAP Portal:



You can enable OS processes monitoring from the SAP Cloud Appliance Library Portal:





If you can´t connect to your VM, enable the Network Watcher capability, you can do so by typing "Network watcher " on the Search tab of the Azure Portal and enable it on a specific region or for the entire regions, then click enable:





Then go back to the VM then, go to the VM blade and select Diagnostics and Solve problems:




Then you can verify if you are receiving packets through the NSG:



Put your IP address and remote port, then click Check. You will see the detail on whether if there is any rule blocking the traffic:



In this case you could add another inbound rule to test the inbound traffic:






Ensure you have the same Static IP address assigned to your SAP VM on SAP Cloud Appliance Library and the Azure Portal.


  1.  Generate a second IP Address in your NIC and assign the Correct Static IP address.
  2. Generate a temporary "NIC-temporary"
  3.  Then dissociate the "NIC2-original" from the VM,
  4.  Now make the second IP Address primary so that you can assure you have the right IP address associated.

If you need to change /update the ip address in the Azure Portal, you can do it vía Azure Shell with the following cmd:


$ az network nic ip-config update --name "SAP-PublicIP" --nic-name "SAP-Nic2" --resource-group "SAPCAL-Network-westeurope" --make-primary

** Be sure to stop your VM before




Now go back to the NIC2-original and associate it to the VM:



Now disassociate and delete the Nic-temporary.


Finally go back to the NIC2 and attach the NSG related to the ports we previously assigned, click Save




Now go back to your VM, and start it.