

# SAP ASE for SAP NetWeaver on AWS Deployment and Operations Guide for Linux
SAP ASE database

This guide provides information about configuring SAP ASE database for SAP NetWeaver on AWS.

## Prerequisites


The following information is required to deploy SAP Adaptive Server Enterprise (ASE) for SAP NetWeaver applications on AWS. It describes your existing resources and is used with the AWS CLI to create Amazon EC2 and Amazon EBS resources.


**Information**  

|   **Information**   |   **Description**   | 
| --- |--- |
|   AWS Region  |  Region where you want to deploy your AWS resources.  | 
|  Availability Zone (AZ)  |  Availability Zone within your target Region where you want to deploy your resources.  | 
|  Amazon VPC id  |  Amazon VPC where you want to deploy your Amazon EC2 instances for SAP installation.  | 
|  VPC subnet id  |  Subnet where you want to deploy your Amazon EC2 instances.  | 
|  Linux AMI id  |  Amazon Machine Image (AMI) that will be used to launch your Amazon EC2 instances. You can find the latest Linux AMIs on [AWS Marketplace](https://aws.amazon.com/marketplace).  | 
|  Key pair  |  Make sure that you have generated the key pair in your target Region and that you have access to the private key.  | 
|  Security group id  |  Name of the security group that you want to assign to your Amazon EC2 instances.  | 
|  Access key ID  |  Access key for your AWS account that will be used with AWS CLI tools.  | 
|  Secret access key  |  Secret key for your AWS account that will be used with AWS CLI tools.  | 
+ Create security groups and open ports to enable communication. For existing security groups, ensure that the required ports are open. For a list of ports, refer to [TCP/IP ports of all SAP products](https://help.sap.com/viewer/ports).
+ Ensure that you have installed and configured AWS CLI with required credentials, if you plan to use it to launch instances. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
+ If you plan to use the AWS Management Console, ensure that you have the essential credentials and permissions to launch and configure AWS services. For more information, see [Access management for AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html).
+ Ensure that you have the software files required for installation readily available. You can stage these in [Amazon S3](https://aws.amazon.com/s3/) or [Amazon Elastic File System](https://aws.amazon.com/efs/) (Amazon EFS). Amazon EFS can be easily shared on all of your installation hosts. For more information, see [Create your Amazon EFS file system](https://docs.aws.amazon.com/efs/latest/ug/gs-step-two-create-efs-resources.html).
+ You can request a service limit increase by creating a support ticket. For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

## References


You can refer to the following resources before deploying SAP ASE on AWS. If you are new to AWS, see [Get started with AWS](https://aws.amazon.com/getting-started/).
+  [What is Amazon EC2?](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html) 
+  [Amazon Elastic Block Store (Amazon EBS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) 
+  [What is Amazon S3?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) 
+  [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) 
+  [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) 
+  [SAP on AWS Overview and Planning](https://docs.aws.amazon.com/sap/latest/general/sap-on-aws-overview.html) 
+  [SAP Lens - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/sap-lens/sap-lens.html) 
+  [Storage options for Oracle Database](https://docs.aws.amazon.com/whitepapers/latest/determining-iops-needs-oracle-db-on-aws/storage-options-for-oracle-database.html) 

   *The storage options for Oracle are also valid for ASE.* 
+  [Performance and Tuning Series: Basics](https://help.sap.com/docs/SAP_ASE/91d32d977a174c68829880bc020fc352/a661e18fbc2b10148eebfecec028c474.html) 
+  [Installation of SAP Systems Based on the Application Server ABAP of SAP NetWeaver 7.3 EHP1 to 7.52 on UNIX: SAP Adaptive Server Enterprise](https://help.sap.com/docs/SLTOOLSET/e345db692e3c43928199d701df58c0d8/0889d5d70cf24c3a82d7cda898ec3545.html?version=CURRENT_VERSION) 
+  [Installation of SAP Systems Based on the Application Server Java of SAP NetWeaver 7.5 and SAP Solution Manager 7.2 SR2 Java of SAP NetWeaver 7.5 on UNIX: SAP Adaptive Server Enterprise](https://help.sap.com/docs/SLTOOLSET/01f04921ac57452983980fe83a3ce10d/0889d5d70cf24c3a82d7cda898ec3545.html?version=CURRENT_VERSION) 
+  [SAP Note 2922454 - SAP Adaptive Server Enterprise (SAP ASE) on Cloud Platforms (requires SAP portal access)](https://me.sap.com/notes/2922454) 
+  [SAP Note 1941500 - Certification information for Linux and other Operating Systems - SAP ASE (requires SAP portal access)](https://me.sap.com/notes/1941500) 

# Planning


Plan your SAP system landscape according to the SAP Master Guide for your version of SAP system running ASE on Linux. We recommend referring to the following SAP Notes (require SAP portal access).
+  [SAP Note 1748888 - SYB: Inst.Systems Based on NW 7.3 and Higher: SAP ASE](https://me.sap.com/notes/1748888) 
+  [SAP Note 1554717 - SYB: Planning information for SAP on SAP ASE](https://me.sap.com/notes/1554717) 
+  [SAP Note 1656250 - SAP on AWS: Support prerequisites](https://me.sap.com/notes/1656250) 

# Deployment options


To install SAP ASE for SAP NetWeaver, you have four deployment options:

## Standalone deployment


In standalone deployment (also known as single host installation), all SAP NetWeaver components, including ABAP SAP Central Services (ASCS), the database, and the Primary Application Server (PAS), run on one Amazon EC2 instance using a single Availability Zone in an AWS Region. This option is recommended for non-production workloads. You can use the [Amazon EC2 auto recovery](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) feature to protect your instance against infrastructure issues like loss of network connectivity or system power. This solution is not database state aware, and does not protect your database against storage failure, OS issues, Availability Zone or Region failure.

![\[SAP PAS and DB on a single EC2 instance.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-standalone.jpg)


## Distributed deployment


In distributed deployment, every instance of SAP NetWeaver (ASCS/SCS, database, PAS, and optionally AAS) can run on a separate Amazon EC2 instance. This system also deploys the SAP ASE database in a single Availability Zone. You can use the [Amazon EC2 auto recovery](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) feature to protect your instance against infrastructure issues like loss of network connectivity or system power. This solution is not database state aware, and does not protect your database against storage failure, OS issues, Availability Zone or Region failure.

![\[SAP ASCS, SAP PAS, and DB on separate EC2 instances in a single Availability Zone.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-distributed.jpg)


## High availability deployment


In a high availability deployment, you deploy two Amazon EC2 instances across two Availability Zones within a Region, and the SAP ASE database with a combination of the Data Movement Component and Database Fault Manager.

All Availability Zones within an AWS Region are connected with high bandwidth over fully redundant and dedicated metro fiber, providing high-throughput and low-latency networking between Availability Zones. For a high availability configuration, you can set up a primary and standby relationship between two SAP ASE databases with synchronous replication, running on Amazon EC2 instances in different Availability Zones within the same Region.

The SAP ASE always-on option is a high availability/disaster recovery system that contains two or more SAP ASE servers – the primary server where all of the transaction processing takes place, and the warm standby (companion) server. The primary and standby nodes are deployed in different Availability Zones, providing protection against zonal failures. You can also integrate Fault Manager to automatically fail over the system in case of failures. You can learn more about this on the SAP Help Portal’s [SAP Adaptive Servers Enterprise HADR Users Guide](https://help.sap.com/docs/SAP_ASE/efe56ad3cad0467d837c8ff1ac6ba75c/a6645e28bc2b1014b54b8815a64b87ba.html).

![\[SAP ASE servers on EC2 instances in multiple Availability Zones.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-ha.jpg)


 *We recommend referring to the following SAP Notes (SAP portal access required) for a high availability deployment.* 
+  [SAP Note 1650511 – SYB: High Availability Offerings with SAP Adaptive Server Enterprise](https://me.sap.com/notes/1650511) 
+  [SAP Note 2808173 – Special Instructions when Installing and Upgrading HADR with SAP Business Suite on SAP ASE](https://me.sap.com/notes/2808173) 

## Disaster recovery deployment


You can increase business continuity with disaster recovery deployment of your SAP systems on AWS Cloud. Based on recovery time objective, recovery point objective, and cost, you can set up disaster recovery deployment with one of the following three options.

### Option 1 – disaster recovery using the SAP ASE HADR feature


You can use the SAP ASE HADR feature to replicate your database in a secondary AWS Region or Availability Zone, based on your business and audit requirements. You can also integrate this DR node in an existing HADR landscape. This setup enables you to increase the overall system resiliency.

With this option, you can either choose pilot light, where the recovery instance is smaller than the current instance, or hot standby, where the recovery instance is of the same size as the current instance. You must consider your recovery time objectives and manual effort required when choosing between pilot light or hot standby. The recovery instance for the pilot light option must be resized before assuming disaster recovery.

 *For more details, check the following SAP resources.* 
+  [HADR System with DR Node Users Guide](https://help.sap.com/doc/f0a13ab3128b4eb0a5042281050c95d8/16.0.3.6/en-US/HADR_System_with_DR_Node_Users_Guide.pdf) 
+  [2934459 - HADR support of two ASE servers on Primary and Companion machines - SAP ASE](https://me.sap.com/notes/2934459) (requires SAP portal access) 

![\[SAP ASE servers on EC2 instances in multiple Availability Zones of one Region with replication to another Region.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-dr-1.jpg)


### Option 2 – passive disaster recovery using backup and recovery


You can store database backups in Amazon S3 and use Amazon S3 Cross-Region Replication (CRR) to replicate your backups to the target Region. This method enables automatic, asynchronous copying of objects across Amazon S3 buckets in different AWS Regions. To save costs, you can install and configure the SAP ASE database on an Amazon EC2 instance in your disaster recovery Region, and then shut down the instance. Restart the instance to restore and recover the database from the replicated Amazon S3 bucket as needed.

Alternatively, you can use AWS CloudFormation, AWS Cloud Development Kit (AWS CDK) or third-party automation tools to launch an Amazon EC2 instance and to install and configure the SAP ASE database when needed. This helps save costs on Amazon EC2 and Amazon EBS. You must create and test automations before implementation. We recommend performing frequent disaster recovery drills on automations.

The time to recover the database is dependent on the size of the database. Any log files that are not copied over to the disaster recovery Regions are lost and cannot be used for recovery. This option has higher recovery time and point objectives but offers lower costs in comparison to other options. You can use Amazon S3 Replication Time Control to reduce your recovery point objective. For more information, see [Using Amazon S3 Replication Time Control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-time-control.html#enabling-replication-time-control).

![\[SAP ASE data and log backups replicated across Regions.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-dr-2.1.jpg)


You can also recover the SAP ASE database backups in the same AWS Region, in case of an Availability Zone failure. Amazon EBS snapshots and Amazon S3 bucket data are automatically replicated within the Region. In the event of an Availability Zone failure, an Amazon EC2 instance can be created in a different Availability Zone of the same Region. It is created from the Amazon EBS snapshots of the source Amazon EC2 instance. The SAP ASE database is restored from the backups in the Amazon S3 bucket. Amazon S3 One Zone-IA is the only exception to automatic replication. For more information, see [Amazon S3 Storage Classes](https://aws.amazon.com/s3/storage-classes/).

![\[SAP ASE data and log backups in a single Region with recovery across Availability Zones.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-dr-2.2.jpg)


### Option 3 – disaster recovery using AWS Elastic Disaster Recovery


You can use AWS Elastic Disaster Recovery to replicate source servers from the primary Region to a secondary Region. Elastic Disaster Recovery uses block-level replication, and is not application-aware.

Elastic Disaster Recovery is only used for disaster recovery. You can use Amazon S3 Cross Region Replication for backup.

For more information, see [Disaster recovery for SAP workloads on AWS using AWS Elastic Disaster Recovery](https://docs.aws.amazon.com/sap/latest/general/dr-sap.html).

![\[Continuous real-time data replication traffic across Regions to staging area replication servers.\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/ase-dr-3.jpg)


# Sizing


Sizing applies to three key areas - compute, network, and storage.

## Compute


 AWS has certified multiple instance families with different sizes to run SAP workloads. For more details, see [Amazon EC2 Instance Types for SAP](https://aws.amazon.com/sap/instance-types/).

To provision instances based on your requirements, you can use the [Right sizing](https://docs.aws.amazon.com/whitepapers/latest/cost-optimization-right-sizing/cost-optimization-right-sizing.html#introduction-section) process. This process can help you optimize costs. Although it is ideal to use the right sizing approach when you move your SAP workloads to AWS Cloud, it is an [ongoing process](https://docs.aws.amazon.com/whitepapers/latest/cost-optimization-right-sizing/right-sizing-ongoing-process.html). We recommend that you use the latest generation of your selected instance family.

For a greenfield (new) deployment of SAP workloads, you can use the [Quick Sizer tool](https://help.sap.com/viewer/22bbe89ef68b4d0e98d05f0d56a7f6c8/2020.000/en-US/067579ee1f7f4ffba00c4abd9bc6f832.html) to calculate the compute requirement in SAPS. This helps you to select the closest matching Amazon EC2 instance for a price that is most economical for you. Before completing your selection, ensure that the selected Amazon EC2 instance provides enough Amazon EBS and overall network throughput to meet your application requirements.

For migrations, you can use any of the following data sources to decide the right size of your instance:
+ Source system utilization and workload patterns, such as EarlyWatch alert reports.
+ Source system specification: CPU, memory, storage (size, throughput, and IOPS), and network.
+ Source system SAPS rating.

## Network


Network performance is often not explicitly stated as a requirement in SAP sizing. AWS enables you to check the network performance of all [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/).

Ensure that your network components are set up to deploy resources related to your SAP workload. If you haven’t already set up network components such as Amazon VPC, subnets, and route tables, you can use the [AWS Quick Start Modular and Scalable VPC Architecture](https://aws.amazon.com/quickstart/architecture/vpc/) to effectively deploy a scalable Amazon VPC architecture in minutes. After setting up your Amazon VPC, you must set up Amazon EC2 instances within the Amazon VPC for your SAP workloads.

## Storage


Amazon Elastic Block Store (Amazon EBS) volumes are designed to be highly available and reliable. Amazon EBS volume data is replicated across multiple servers in an Availability Zone to prevent the loss of data from the failure of any single component. Owing to this built-in protection, you can skip configuring `RAID 1` for these volumes.

You must check that the storage required is enough to provide sufficient I/O performance. The new `gp3` volume is ideal for SAP ASE workloads that require smaller volume size. With `gp3`, the storage throughput and IOPS are decoupled from the size and can scale independently.

The io2 volume is well-suited for I/O-intensive database workloads that require sustained IOPS performance or more than 16,000 IOPS. The `io2 Block Express` is another provisioned IOPS SSD volume for workloads that require sub-millisecond latency, sustained IOPS performance, and more than 64,000 IOPS or 1,000 MiB/s of throughput.

**Note**  
 `io2 Block Express` is only supported on select Amazon EC2 instance types. For more information, see [Provisioned IOPS SSD volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/provisioned-iops.html#io2-block-express).

The following table lists the main directories for SAP ASE database.


|  Usage  |  Directory  | 
| --- |--- |
|  Database instance root files  |  /sybase/<SID>  | 
|  Database data files  |  /sybase/<SID>/sapdata\_1 to /sybase/<SID>/sapdata\_X  | 
|  Database log files  |  /sybase/<SID>/saplog\_1  | 
|  Database temporary tablespace  |  /sybase/<SID>/saptmp  | 
|  Diagnostic tablespace for SAPTOOLS  |  /sybase/<SID>/sapdiag  | 
|  Directory for ASE backup  |  /sybasebackup  | 

# Operating system


You can deploy your SAP ASE workload on SLES, SLES for SAP, RHEL for SAP with High Availability and Update Services (RHEL for SAP with HA and US) or RHEL for SAP Solutions.

SLES for SAP and RHEL for SAP with HA and US products are available on AWS Marketplace under an hourly or an annual subscription model.

## SLES for SAP


SLES for SAP provides additional benefits, including Extended Service Pack Overlap Support (ESPOS), configuration and tuning packages for SAP applications, and High Availability Extensions (HAE). For details, see the [SUSE Linux Enterprise Server for SAP Applications](https://www.suse.com/products/sles-for-sap/) product page to learn more about the benefits of using SLES for SAP. We strongly recommend using SLES for SAP instead of SLES for all your SAP workloads.

If you plan to use Bring Your Own Subscription (BYOS) images provided by SUSE, ensure that you have the registration code required to register your instance with SUSE to access repositories for software updates.

## RHEL for SAP


RHEL for SAP with High Availability and Update Services provides access to Red Hat Pacemaker cluster software for High Availability, extended update support, and the libraries that are required to run SAP HANA. For details, see [Red Hat Enterprise Linux for SAP offerings on Amazon Web Services FAQ](https://access.redhat.com/articles/3671571) in the Red Hat Knowledgebase.

If you plan to use the BYOS model with RHEL, either through the Red Hat Cloud Access program or other means, ensure that you have access to a RHEL for SAP Solutions subscription. For details, see [Red Hat Enterprise Linux for SAP Solutions](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_sap_solutions) in the Red Hat documentation.

# Security and compliance


The following are additional AWS security resources to help you achieve the optimum level of security for your SAP NetWeaver environment on AWS:
+  [AWS Cloud Security](https://aws.amazon.com/security/) 
+  [CIS AWS Foundations Benchmark](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) 
+  [AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) 

## Infrastructure hardening


In some cases, you can further lock down the operating system configuration, for instance, to avoid sharing the credentials of your AWS account with an SAP administrator who needs to log on to an Amazon EC2 instance. Refer to [Security in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html) and [Best Practice 6.2 – Build and protect the operating system](https://docs.aws.amazon.com/wellarchitected/latest/sap-lens/best-practice-6-2.html) to learn more.

You can also use an automated solution provided by AWS – [Amazon Inspector](https://aws.amazon.com/inspector/).

## Encryption


An important aspect of securing your workloads is encrypting your data, both at rest and in transit. For more details, refer to the following resources.
+  [Amazon EBS encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) 
+  [Data encryption in Amazon EFS](https://docs.aws.amazon.com/efs/latest/ug/encryption.html) 
+  [Data encryption in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) 
+  [Protect your SAP data at rest and in transit](https://docs.aws.amazon.com/wellarchitected/latest/sap-lens/design-principle-8.html) 

 *You can also refer to the following SAP resources.* 
+  [SAP Note 2481596 – SYB: Encrypted data transfer between SAP system and SAP ASE database](https://me.sap.com/notes/2481596) (requires SAP portal access) 
+  [SAP Adaptive Server Enterprise – Database Encryption](https://help.sap.com/docs/SAP_ASE/833788dd3e9c413799014a0fd002d0b2/a7b86bb3bc2b1014b9b08178723a5ee2.html) 

## Security group


A [security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level.

An SAP system is often separated into multiple subnets, with the database in a separate subnet from the application servers, and other components, such as a web dispatcher, in another subnet, possibly with external access.

If workloads are scaled horizontally, or high availability is necessary, you may choose to include multiple, functionally similar, Amazon EC2 instances in the same security group. In this case, you must add a rule to your security groups.

If Linux is used, some configuration changes may be necessary in the security groups, route tables, and network ACLs. For more information, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html).
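
One way to check existing groups against the points above, as an added example that is not part of the original guide: it reads `aws ec2 describe-security-groups` JSON and reports rules that expose SSH, RDP, or all ports to any address, and shared groups that lack a rule naming the group itself as a source. Treating the rule mentioned above as such a self-referencing rule is an assumption, and the sample output, group IDs, and ports are constructed.

```python
import ipaddress
import json

# Constructed `aws ec2 describe-security-groups` output (IDs and ports are placeholders).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "sap-bastion",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "sap-ase-db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 4901, "ToPort": 4901,
      "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]},
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "sap-app",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": []},
     {"IpProtocol": "-1", "IpRanges": [],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}
""")

# The two administrative access paths this guide's sample environment uses.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def world_sources(perm):
    """Return the CIDRs in a rule that match every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def port_span(perm):
    """Return (low, high) for TCP/UDP rules, None for other protocols."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return 0, 65535
    if proto not in ("tcp", "udp", "6", "17"):
        return None                        # ICMP fields are types, not ports
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_group(group, members_share_group=False):
    """Return (group_id, finding) tuples for one security group."""
    gid = group["GroupId"]
    findings, self_ref = [], False
    for perm in group.get("IpPermissions", []):
        pairs = perm.get("UserIdGroupPairs", [])
        if any(p.get("GroupId") == gid for p in pairs):
            self_ref = True
        world, span = world_sources(perm), port_span(perm)
        if not world or span is None:
            continue
        low, high = span
        src = ", ".join(world)
        if (low, high) == (0, 65535):
            findings.append((gid, f"all ports open to {src}"))
            continue
        for port, name in ADMIN_PORTS.items():
            if low <= port <= high:
                findings.append((gid, f"{name} port {port} open to {src}"))
    if members_share_group and not self_ref:
        # Instances in the same group cannot reach each other without a rule.
        findings.append((gid, "no rule references the group itself"))
    return findings


def audit(doc, shared_groups=()):
    """Audit every group; shared_groups holds IDs used by several instances."""
    results = []
    for group in doc.get("SecurityGroups", []):
        results += audit_group(group, group["GroupId"] in shared_groups)
    return results


if __name__ == "__main__":
    for gid, finding in audit(SAMPLE, shared_groups={"sg-0bbb", "sg-0ccc"}):
        print(gid, finding)
```
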

## Network ACL


A [network access control list (ACL)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets (they’re stateless firewalls at the subnet level). You may set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your Amazon VPC.

See [Amazon VPC Subnet Zoning Patterns for SAP on AWS](https://aws.amazon.com/blogs/awsforsap/vpc-subnet-zoning-patterns-for-sap-on-aws/) to understand the network considerations for SAP workloads.

## API call logging


 AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the caller, time of the call, source IP address, request parameters, and response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as, AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

For more information, see [What Is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) 
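
The fields listed above are enough to triage EC2 API activity around an SAP landscape. The following is an added example, not part of the original guide: it reads CloudTrail records and reports failed calls and state-changing calls that arrive from outside a trusted network. The sample records, the `WATCHED` selection, and the `10.0.0.0/16` trusted range are constructed for illustration.

```python
import ipaddress
import json

# Constructed CloudTrail records for illustration (not real log data).
# The account ID, ARNs and addresses are placeholder values.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-05-06T08:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "sourceIPAddress": "10.0.1.25",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/sap-admin"},
  "requestParameters": {"instanceType": "m5.large"}},
 {"eventTime": "2024-05-06T09:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/sap-admin"},
  "requestParameters": {"groupId": "sg-0bbb"}},
 {"eventTime": "2024-05-06T09:05:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "AssumedRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/sap-ops/session1"},
  "requestParameters": null},
 {"eventTime": "2024-05-06T10:30:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"type": "IAMUser",
                   "invokedBy": "cloudformation.amazonaws.com",
                   "arn": "arn:aws:iam::111122223333:user/sap-admin"},
  "requestParameters": {"instanceType": "m5.large"}},
 {"eventTime": "2024-05-06T11:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/sap-auditor"},
  "requestParameters": {}}
]}
""")

# EC2 calls that change exposure or instance state (a selection for this example).
WATCHED = {"AuthorizeSecurityGroupIngress", "RunInstances",
           "TerminateInstances", "ModifyInstanceAttribute"}


def source_kind(record, trusted_networks):
    """Classify sourceIPAddress as 'trusted', 'untrusted' or 'aws-service'."""
    src = record.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Calls made by an AWS service on the caller's behalf carry a
        # service name here instead of an address.
        return "aws-service"
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return "trusted" if any(addr in n for n in nets) else "untrusted"


def review(records, trusted_networks):
    """Return one row per EC2 record that failed or came from outside."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        reasons = []
        if rec.get("errorCode"):
            reasons.append("error:" + rec["errorCode"])
        if (rec.get("eventName") in WATCHED
                and source_kind(rec, trusted_networks) == "untrusted"):
            reasons.append("untrusted-source")
        if not reasons:
            continue
        ident = rec.get("userIdentity") or {}
        rows.append({
            "time": rec.get("eventTime"),
            "caller": ident.get("arn") or ident.get("type", "unknown"),
            "source": rec.get("sourceIPAddress"),
            "event": rec.get("eventName"),
            # requestParameters can be null in a record.
            "request": rec.get("requestParameters") or {},
            "reasons": reasons,
        })
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE_LOG["Records"], ["10.0.0.0/16"]):
        print(row["time"], row["caller"], row["source"],
              row["event"], ",".join(row["reasons"]))
```
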

## Notification on access


You can use [Amazon SNS](https://aws.amazon.com/sns) or any third-party application to set up notifications on SSH login to your email address or mobile phone.

# Deployment


This section provides information about example deployments.

# Standalone deployment


In this example, we set up a sample environment for installation. It includes a public subnet for RDP and SSH access via the internet. We use the [AWS Quick Start for Modular and Scalable Amazon VPC Architecture](https://aws.amazon.com/quickstart/architecture/vpc/) in a single Availability Zone deployment to create the Amazon VPC, subnets, security groups, and IAM roles. You can refer to this example setup but should also follow your own network layout and comply with security standards, such as the following:
+ Using a Landing Zone solution like [AWS Control Tower](https://aws.amazon.com/controltower/).
+ Working with a cloud team like Cloud Center of Excellence to use existing standards.

## Step 1: Prepare your AWS account


Check the Region where you want to deploy your AWS resources:
+ You pick your region for deployment during the planning phase.
+ Display the AWS Command Line Interface configuration data:

```
$ aws configure list
```

Ensure that the default region listed in the command output is the same as the target region where you want to deploy your AWS resources and install SAP workloads. In this deployment, we provision an Amazon EC2 instance.

**Note**  
In this section, the syntax used for the AWS CLI and Linux commands is specific to the scope of this document. Each command supports many additional options. To learn more, use the `aws help` command.

## Step 2: Create a `JSON` file for Amazon EBS storage


Create a `JSON` file containing the storage requirements for SAP ASE database server volumes. The following is an example `JSON` file with two Amazon EBS volumes for swap and installation directories. You can add more volumes as per your storage design.

```
[
    {
        "DeviceName": "/dev/nvme2n1",
        "Ebs": {
            "VolumeSize": 32,
            "VolumeType": "gp3",
            "DeleteOnTermination": true
        }
    },
    {
        "DeviceName": "/dev/nvme3n1",
        "Ebs": {
            "VolumeSize": 50,
            "VolumeType": "gp3",
            "DeleteOnTermination": true
        }
    }
]
```

**Note**  
In the preceding example, the device name `/dev/nvme2n1` is for Nitro based hypervisors. It differs for non-Nitro based hypervisors. For more information, see [Storage configuration](https://docs.aws.amazon.com/sap/latest/sap-hana/hana-ops-storage-config.html).
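
The Step 2 file above does not set the `Encrypted` field that the Amazon EBS encryption guidance in the Encryption section is about. The following check is an added example, not part of the original guide: it reviews a block-device-mapping list and returns a copy with the encryption settings filled in. The KMS alias `alias/sap-ase-ebs` and the `persistent_devices` parameter are hypothetical, and the check assumes you do not rely on account-level EBS encryption by default.

```python
import copy
import json

# The Step 2 file from this page, embedded so the example runs offline.
STEP2_MAPPING = json.loads("""
[
  {"DeviceName": "/dev/nvme2n1",
   "Ebs": {"VolumeSize": 32, "VolumeType": "gp3",
           "DeleteOnTermination": true}},
  {"DeviceName": "/dev/nvme3n1",
   "Ebs": {"VolumeSize": 50, "VolumeType": "gp3",
           "DeleteOnTermination": true}}
]
""")

# Volume types this guide discusses for SAP ASE (Storage section).
GUIDE_VOLUME_TYPES = {"gp3", "io2"}


def review_mapping(mapping, persistent_devices=()):
    """Return (device, finding) tuples for a block-device-mapping list.

    persistent_devices names devices that hold database data or logs and
    should outlive the instance (a hypothetical parameter of this example).
    """
    findings = []
    seen = set()
    for entry in mapping:
        dev = entry.get("DeviceName", "<missing>")
        if dev in seen:
            findings.append((dev, "duplicate device name"))
        seen.add(dev)
        ebs = entry.get("Ebs")
        if ebs is None:
            findings.append((dev, "no Ebs block"))
            continue
        if ebs.get("Encrypted") is not True:
            findings.append((dev, "Encrypted is not set to true"))
        elif "KmsKeyId" not in ebs:
            findings.append((dev, "no KmsKeyId, the default EBS key is used"))
        if ebs.get("VolumeType") not in GUIDE_VOLUME_TYPES:
            findings.append((dev, "volume type not covered by this guide"))
        if dev in persistent_devices and ebs.get("DeleteOnTermination") is True:
            findings.append((dev, "data volume is deleted on termination"))
    return findings


def harden_mapping(mapping, kms_key_id, persistent_devices=()):
    """Return a copy of the mapping with encryption settings filled in."""
    hardened = copy.deepcopy(mapping)
    for entry in hardened:
        ebs = entry.setdefault("Ebs", {})
        ebs["Encrypted"] = True
        ebs["KmsKeyId"] = kms_key_id
        if entry.get("DeviceName") in persistent_devices:
            ebs["DeleteOnTermination"] = False
    return hardened


if __name__ == "__main__":
    for dev, finding in review_mapping(STEP2_MAPPING):
        print(dev, finding)
    # alias/sap-ase-ebs is a hypothetical KMS alias.
    fixed = harden_mapping(STEP2_MAPPING, "alias/sap-ase-ebs")
    print(json.dumps(fixed, indent=4))
```

The printed JSON can be saved and passed to `--block-device-mappings` in Step 3 in place of the original file.
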

## Step 3: Launch the Amazon EC2 instance


Launch the Amazon EC2 instance for the SAP ASE database installation in your target AWS Region, using the information gathered in Step 1. You must create the required storage volumes and attach them to the Amazon EC2 instance for the SAP installation, based on the `JSON` file you created in the Amazon EBS storage (Step 2).

```
$ aws ec2 run-instances \
--image-id <AMI-ID> \
--count <number-of-EC2-instances> \
--instance-type <instance-type> \
--key-name=<name-of-key-pair> \
--security-group-ids <security-group-ID> \
--subnet-id <subnet-ID> \
--block-device-mappings file://<PATH>/<file>.json \
--region <region-ID>
```

Use this command in a single line format, as shown in the following example.

```
aws ec2 run-instances --image-id ami-xxxxxxxxxxxxxxx --count 1 --instance-type m5.large --key-name=my_key --security-group-ids sg-xxxxxxxx --subnet-id subnet-xxxxxx --block-device-mappings file://<PATH>/<file>.json
```

In this example, *m5.large* is the value for the `instance-type` parameter. You must select an Amazon EC2 instance type based on your business requirements.

You can also launch Amazon EC2 instances using the AWS Management Console. For more information, see [Launch an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance).

## Step 4: Prepare the Linux Operating System


Before starting the installation, you need to perform Linux-specific prerequisite tasks. For more information, refer to the following SAP Notes (requires SAP portal access).
+  [SAP Note 1554717 – SYB: Planning information for SAP on ASE](https://me.sap.com/notes/0001554717) 
+  [SAP Note 1748888 – SYB: Inst.Systems Based on NW 7.3 and Higher: SAP ASE](https://me.sap.com/notes/1748888) 

## Step 5: Prepare each Amazon EC2 instance for SAP ASE installation


Download the SAP installation media as per the SAP installation guide, for the version of SAP NetWeaver you want to install on your Amazon EBS volumes. Locate your installation guide on the [Guide Finder for SAP NetWeaver and ABAP Platform](https://help.sap.com/docs/SAP_NETWEAVER/9e41ead9f54e44c1ae1a1094b0f80712/576f5c1808de4d1abecbd6e503c9ba42.html?language=en-US). You can store the SAP installation media using Amazon EFS or an Amazon S3 bucket for later reuse.

If you choose to install the SAP ASE database with high availability deployment across two Availability Zones, repeat the preceding steps for SAP ASE database standby high availability instance in the second Availability Zone.

If you choose to install SAP ASE database with high availability and disaster recovery deployment across two AWS Regions, repeat the preceding steps in the second AWS Region in which you want to run the ASE database standby disaster recovery instance.

## Step 6: Installing SAP ASE on Amazon EC2 instances


You are now ready to install the SAP ASE software on your Amazon EC2 instances. For more information, see the SAP ASE Database Software Installation section of your SAP NetWeaver installation guide. Locate your installation guide on the [Guide Finder for SAP NetWeaver and ABAP Platform](https://help.sap.com/docs/SAP_NETWEAVER/9e41ead9f54e44c1ae1a1094b0f80712/576f5c1808de4d1abecbd6e503c9ba42.html?language=en-US).

The following is a non-exhaustive list of post-installation tasks for your SAP ASE database.
+ Updating to the most recent patch available
+ Installation of additional components
+ Configure the SAP ASE backup

For more information, see the [Operations](ase-operations.md) section.

# High availability disaster recovery deployment


Create an additional Amazon EC2 instance and perform the installation in a secondary Availability Zone. The steps for creating a high availability or disaster recovery instance in a secondary Availability Zone are the same as described in Standalone deployment. You can simplify this step by using the following methods.
+ If you have built any automation using AWS CloudFormation or other tools to create the primary Amazon EC2 instance and install database software, you can use the same automation to build the HA instance.
+ You can create an [Amazon Machine Image](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) of the primary Amazon EC2 instance and launch another instance in the secondary Availability Zone.

The configuration of high availability or disaster recovery depends on the tools you use. See the next sections for more details.

**Note**  
You must configure cross-regional [Amazon VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) or [Transit Gateway](https://aws.amazon.com/transit-gateway/) to enable SAP ASE asynchronous replication between two Regions.

# Operations


## Tagging AWS resources


A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both defined by you. Adding tags to various AWS resources will make managing SAP environments more efficient, and help you search for resources quickly. Many Amazon EC2 API calls can be used in conjunction with a special tag filter. For more information, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html). The following are some examples of how you can use tags for your operational needs.


| **Tag name** | **Tag value** |
| --- | --- |
| Name | SAP server’s virtual (host) name |
| Environment | SAP server’s landscape role; for example: SBX, DEV, QAT, STG, PRD. |
| Application | SAP solution or product; for example: ECC, CRM, BW, PI, SCM, SRM, EP |
| Owner | SAP point of contact |
| Service level | Known uptime and downtime schedule |

After tagging your resources, you can apply specific security restrictions, such as access control (as seen in the following example policy), based on tag values.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaunchEC2Instances",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowActionsIfYouAreTheOwner",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/PrincipalId": "${aws:userid}"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
```

IAM allows the stop, start, reboot, and terminate actions only when the tag value matches. In this scenario, the ID of the current user (`${aws:userid}`) must equal the value of the instance's `PrincipalId` tag for the permissions to apply. For more information, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).
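The following added example (not part of the original guide) models how the `AllowActionsIfYouAreTheOwner` statement is evaluated. It is a simplified Python evaluator, not IAM's actual engine, and the user IDs and tag values used with it are constructed samples.

```python
import fnmatch
import json

# The example policy from this guide, same statements and condition.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LaunchEC2Instances", "Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": ["*"]},
    {"Sid": "AllowActionsIfYouAreTheOwner", "Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:StartInstances",
                "ec2:RebootInstances", "ec2:TerminateInstances"],
     "Condition": {"StringEquals":
                   {"ec2:ResourceTag/PrincipalId": "${aws:userid}"}},
     "Resource": ["*"]}
  ]
}
""")

TAG_PREFIX = "ec2:ResourceTag/"


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; "*" is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, userid, tags):
    # Simplified model: only StringEquals on ec2:ResourceTag/<key> is handled,
    # and the tag key is looked up exactly as written in the policy.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False  # unmodelled operator: fail closed
        for key, expected in pairs.items():
            if not key.startswith(TAG_PREFIX):
                return False
            actual = tags.get(key[len(TAG_PREFIX):])
            # A missing tag never matches; StringEquals is case-sensitive.
            if actual is None or actual != expected.replace("${aws:userid}", userid):
                return False
    return True


def allowed_by(policy, action, userid, tags):
    """Return the Sid of the first matching Allow statement, or None
    (implicit deny). Explicit Deny and other policy types are not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), userid, tags):
            return stmt["Sid"]
    return None
```

The policy grants neither `ec2:CreateTags` nor `ec2:DeleteTags`, so the `PrincipalId` tag has to be applied by a separate process. Giving the same users unconditioned tagging permissions would let them change who counts as the owner of an instance.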

## Monitoring


AWS provides multiple native services to monitor and manage your SAP environment. [CloudWatch](https://aws.amazon.com/cloudwatch/) and [CloudTrail](https://aws.amazon.com/cloudtrail/) can be used to monitor your underlying infrastructure and APIs. CloudWatch provides ready-to-use KPIs for CPU and disk utilization, and enables you to create custom metrics for other KPIs that you want to monitor. CloudTrail allows you to log the API calls made to your AWS infrastructure components.

## Operating system maintenance


In general, operating system maintenance across large estates of Amazon EC2 instances can be managed by using:
+ Third-party products, such as those available on AWS Marketplace.
+  AWS Systems Manager

 *The following are some key operating system maintenance tasks.* 

### Patching


You can follow the SAP-recommended patching process to update your landscape on AWS. With [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html), you can roll out OS patches according to your corporate policies. It has multiple benefits:
+ Scheduling based on tags
+ Defining patch baselines
+ Auto-approving patches with lists of approved and rejected patches

AWS Systems Manager Patch Manager integrates with IAM, CloudTrail, and CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage. For details about the process, see [How Patch Manager operations work](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works.html). Third-party products are available on [AWS Marketplace](https://aws.amazon.com/marketplace).

### Maintenance Windows


[AWS Systems Manager Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-maintenance.html) lets you define a schedule to perform potentially disruptive actions on your instances, such as patching an operating system, updating drivers, or installing software or patches.

### Administrator access


For administrative purposes, you can access the backend of your SAP systems via SSH or [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).

## Automation


 AWS Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon EC2 instances and other AWS resources. For more information, see [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html).

 **Automation using Infrastructure-as-Code with AWS CloudFormation** 

We recommend following the principle of Infrastructure-as-Code (IaC) for automating and maintaining your workloads on AWS. [AWS CloudFormation](https://aws.amazon.com/cloudformation/) provides a common language for you to describe and provision all the infrastructure resources in your cloud environment in a repeatable and automated manner.

## Cost optimization


We recommend treating cost optimization as an ongoing process. There are many AWS services that help with budgeting, cost control, and optimization. For more details, see [Cost Optimization Pillar - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html) and [Cost Optimization Pillar - SAP Lens](https://docs.aws.amazon.com/wellarchitected/latest/sap-lens/cost-optimization.html).

# Compute & storage


## Compute


Amazon EBS volumes are exposed as NVMe block devices on [Instances built on the Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances). When changing Amazon EC2 instance types from a previous generation to a Nitro generation, the NVMe device IDs associated with a volume can change. To avoid mount errors during a change of instance type or an instance reboot, create a label for each of your file systems and mount them by label, *and not* by NVMe ID. For more details, see this [support article](https://aws.amazon.com/premiumsupport/knowledge-center/boot-error-linux-nitro-instance/).
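The following added example (not part of the original guide) is a small Python check that flags `/etc/fstab` entries mounted by kernel device name instead of by label, which are the entries at risk when NVMe device IDs change. The fstab content, mount points, and labels are constructed samples, and accepting `UUID=` as a stable identifier alongside `LABEL=` is an assumption of this example.

```python
import re

# Constructed sample /etc/fstab for an SAP ASE host (paths are illustrative).
SAMPLE_FSTAB = """\
# <device>        <mount point>   <type> <options>        <dump> <pass>
LABEL=rootfs      /               xfs    defaults         0 0
/dev/nvme1n1      /sybase         xfs    defaults,nofail  0 2
/dev/xvdf         /sybase/sapdata xfs    defaults,nofail  0 2
LABEL=ASE_LOG     /sybase/saplog  xfs    defaults,nofail  0 2
UUID=3f1c2c0e-0000-4000-8000-000000000001 /backup xfs defaults,nofail 0 2
fs-0123456789abcdef0.efs.us-east-1.amazonaws.com:/ /sapmnt nfs4 defaults,_netdev 0 0
tmpfs             /dev/shm        tmpfs  defaults         0 0
"""

# Kernel-assigned block device names that can change across instance
# types or reboots.
UNSTABLE_DEVICE = re.compile(r"^/dev/(nvme\d+n\d+(p\d+)?|xvd[a-z]+\d*|sd[a-z]+\d*)$")
STABLE_PREFIXES = ("LABEL=", "UUID=")


def unstable_mounts(fstab_text):
    """Return (line_number, device, mount_point) for each entry that is
    mounted by device name rather than by a stable identifier."""
    findings = []
    for lineno, line in enumerate(fstab_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, skipped
        device, mount_point = fields[0], fields[1]
        if device.startswith(STABLE_PREFIXES):
            continue
        if UNSTABLE_DEVICE.match(device):
            findings.append((lineno, device, mount_point))
    return findings


if __name__ == "__main__":
    for lineno, device, mount_point in unstable_mounts(SAMPLE_FSTAB):
        print(f"line {lineno}: {mount_point} is mounted by {device}; use LABEL= instead")
```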

Aside from operating system maintenance, you should consider maintenance for your Amazon EC2 instances. You can drive this maintenance with AWS Systems Manager Automation runbooks; see [Creating your own runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). The following are some examples.
+ Use `AWS-StopEC2InstanceWithApproval` to request that one or more IAM users approve the instance stop action. After the approval is received, the runbook stops the instance.
+ Use `AWS-StopEC2Instance` to automatically stop instances on a schedule, using CloudWatch Events or a Maintenance Window task. For example, you can configure an Automation workflow to stop instances every Friday evening and restart them on Monday mornings. Note that this automation only stops and starts the Amazon EC2 instance. You must create an additional document to gracefully stop and start the SAP applications and database, and then use AWS Systems Manager to run these automations.
+ Use `AWS-UpdateCloudFormationStackWithApproval` to update resources that were deployed using an AWS CloudFormation template. The update applies a new template. You can configure the Automation to request approval by one or more IAM users before the update begins.

You can also use [AWS Instance Scheduler](https://aws.amazon.com/solutions/implementations/instance-scheduler/) to configure custom start and stop schedules for Amazon EC2 and Amazon RDS instances.

## Storage


The following are the storage services used across this guide.
+ Amazon EBS provides persistent storage for SAP applications and database. Amazon EBS volumes can be resized and even have the volume type changed without disrupting the applications. For more details, see [Amazon EBS Elastic Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html). After modifying the Amazon EBS volume, you need to extend the file system to match the extended volume size. For more details, see [Extend a Linux file system after resizing a volume](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html).
+ Amazon EFS does not require you to explicitly provision storage; you pay only for your usage. It is built to scale on demand, without disrupting applications, growing and shrinking automatically as you add and remove files. This ensures that your applications have the required storage.
+ Amazon S3 also does not require you to explicitly provision storage; you pay only for your usage. You can use object lifecycle management to set rules that define when objects are transitioned or archived to colder storage (Amazon S3 IA or S3 Glacier) and when they expire. For more information, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html).

# Backup & restore


## Snapshots and AMIs


A common approach for backing up your SAP NetWeaver application servers is using snapshots and AMIs.

The SAP application data is stored on Amazon EBS volumes attached to the SAP NetWeaver application servers. You can back up the data on these volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups of Amazon EBS volumes, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see [Create Amazon EBS snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html).

An Amazon Machine Image (AMI) provides the information required to launch an instance along with a block device mapping of all Amazon EBS volumes attached to it.

Amazon EC2 powers down the instance before creating the AMI to ensure that everything on the instance is stopped and in a consistent state during the creation process. If you’re confident that your instance is in a consistent state appropriate for AMI creation, you can check the *No Reboot* option.

You can use [AWS Backup](https://aws.amazon.com/backup) to centrally configure backup policies and monitor backup activity for these snapshots. Once you have completed the SAP installation and post-installation steps, create an image of the instance.

```
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "My server" --description "An AMI for my server"
```

 AWS provides a very simple and quick way to copy an SAP system. You can use the [AWS Console Home](https://console.aws.amazon.com/ec2) or the AWS CLI to create a new AMI of an existing SAP system. You can then launch exact copies of the original system from the new AMI. For more details, see [Amazon Machine Images (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html).

## Backup to Amazon S3


You can perform traditional file-based backups to Amazon S3 from your Amazon EBS volumes. One way to take a backup is to use the AWS CLI and initiate it with AWS Systems Manager Run Command, so that you can centrally manage the backups.

## Backup with third-party products


Many third-party products for AWS services are certified by SAP. For more information, see [AWS SAP Competency Partners](https://aws.amazon.com/sap/partner-solutions/).

## Amazon EFS backup


Using AWS Backup, you can centrally configure backup policies and monitor backup activity for AWS resources, including Amazon EFS file systems.

Alternatively, you can perform a file-level backup of your Amazon EFS file system to Amazon S3. You can do this by running a file-level copy to Amazon S3 from any Amazon EC2 instance running in the same region. This can be automated and scheduled using [AWS Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html) in combination with CloudWatch Events.

## Backup and restore for ASE database


You must regularly back up your operating system and database so that you can recover them in case of a failure. AWS Cloud provides various services and tools that you can use to back up your SAP ASE database.

### Storage snapshots


You can back up your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only blocks on the device that have changed after your most recent snapshot are saved. Snapshots of Amazon EBS volumes can be created for backup of SAP ASE database file systems.

See [How to use snapshots to create an automated recovery procedure for SAP ASE databases](https://aws.amazon.com/blogs/awsforsap/how-to-use-snapshots-to-create-an-automated-recovery-procedure-for-sap-ase-databases/) to learn more.

### SAP ASE database backups


You can configure your SAP ASE database to store backups on Amazon EFS or local Amazon EBS volumes. You must configure regular backups for Amazon EFS. For more information, see [Backing up your Amazon EFS file systems](https://docs.aws.amazon.com/efs/latest/ug/efs-backup-solutions.html). You can reduce costs by enabling Amazon EFS storage classes to retain cold backups in infrequent access. For more information, see [Amazon EFS Infrequent Access](https://aws.amazon.com/efs/features/infrequent-access/).

You can also configure backups to be stored on Amazon EFS volumes and to be regularly uploaded to Amazon S3. Use `DBACOCKPIT` to schedule backup frequency. You can also use [AWS Systems Manager Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-maintenance.html) to schedule backup frequency.

Amazon SNS enables you to set up push notifications for success or failure. Once backups are stored in Amazon S3, you can use lifecycle policies to define the data retention timeline. For more information, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html).

You can improve Amazon S3 data upload performance with Gateway endpoints and AWS CLI. For more information, see [Gateway endpoints for Amazon S3](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) and [AWS CLI S3 Configuration](https://docs.aws.amazon.com/cli/latest/topic/s3-config.html).

Review the following SAP Notes (portal access required) for more details.
+  [SAP Note 1585981 - SYB: Ensuring Recoverability for SAP ASE](https://me.sap.com/notes/1585981) 
+  [SAP Note 1887068 - SYB: Using external backup and restore with SAP ASE](https://me.sap.com/notes/1887068) 
+  [SAP Note 1588316 - SYB: Configure automatic database and log backups](https://me.sap.com/notes/1588316) 
+  [SAP Note 1618817 - SYB: How to restore an SAP ASE database server (UNIX)](https://me.sap.com/notes/1618817) 

To use third-party tools to back up your SAP ASE database, see [AWS Storage Competency Partners](https://aws.amazon.com/backup-recovery/partner-solutions).

# Disaster recovery


See [Disaster recovery deployment](deploy-options-sap-ase.md#ase-disaster-recovery-deployment) to learn about disaster recovery for your SAP ASE database.

## Perform a DNS change


In case of manual failover, you may install SAP application servers using a virtual hostname and perform a DNS change to direct the SAP application servers to the new primary database server. For a DNS resolution in AWS, you can use any of the following options.
+  [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html) enables you to create a private hosted zone for your environment and an A record for the virtual hostname used for SAP ASE database. Initially, this A record is mapped to the IP address of the primary SAP ASE database instance.
+ You can maintain your own DNS server on premises or on your Amazon EC2 instances. You can create an A record there for your virtual hostname used for SAP ASE database. Initially, this A record is mapped to the IP address of the primary SAP ASE database instance.
+ With the [AWS Directory Service](https://aws.amazon.com/directoryservice/), you can create an A record for the virtual hostname used for SAP ASE database.

With any of the previously mentioned options, you can change the A record to the private IP address of the new primary database instance in case of a failover. This DNS change can also be automated using AWS services and scripts.

# Resources


SAP on AWS customers have the flexibility to deploy SAP ASE database on the scalable, on-demand Amazon EC2 platform in a highly available manner. They don’t have to invest in costly capital expenditures for the underlying infrastructure. By combining the AWS platform flexibility and SAP installation techniques, our customers greatly improve the availability of their deployments. For more details, see [SAP on AWS Case Studies](https://aws.amazon.com/sap/case-studies/).

## Support


AWS offers three levels of support. [AWS Business Support](https://aws.amazon.com/premiumsupport/plans/business/) provides resources and technical support for customers running SAP workloads on AWS. [AWS Enterprise Support](https://aws.amazon.com/premiumsupport/plans/enterprise/) and [AWS Enterprise On-Ramp Support](https://aws.amazon.com/premiumsupport/plans/enterprise-onramp/) offer support to customers running mission-critical SAP production workloads on AWS.

To learn more about this, see [SAP Note 1656250 – SAP on AWS: Support prerequisites](https://me.sap.com/notes/1656250) (requires SAP portal access).