SAP NetWeaver on the AWS Cloud for AS ABAP and SAP HANA
Quick Start Reference Deployment

Somckit Khemmanivanh and Santiago Cardenas
Solutions Architects, Amazon Web Services

December 2017

Supports SAP NetWeaver 7.4 Support Release 2
SAP HANA Platform Edition 1 SPS 9–12 and SAP HANA Platform Edition 2 SPS 0-2

Amazon Web Services – SAP NetWeaver ABAP on the AWS Cloud December 2017

Contents

About This Guide
Quick Links
About Quick Starts
Overview
SAP NetWeaver on AWS
Cost and Licenses
AWS Services
Architecture
SAP NetWeaver ABAP Instances
Implementation Details
Planning the Deployment
Deployment Options
Prerequisites
Deployment Steps
Step 1. Prepare Your AWS Account
Step 2. Perform Prerequisite Tasks for SAP HANA
Step 3. Download the SAP NetWeaver Software
Step 4. Launch the Quick Start
Step 5. Verify Your Deployment
Changing the Security Group Configuration
Using SAP GUI
Using OS-Level Access
Troubleshooting
Support
Security
Network Security
Identity and Access Management (IAM)
OS Security
Security Groups
Additional Resources
Send Us Feedback
Document Revisions

About This Guide

This Quick Start deployment guide describes how to deploy an SAP NetWeaver Application Server (AS) Advanced Business Application Programming (ABAP) system on the Amazon Web Services (AWS) Cloud, using AWS CloudFormation templates that automate the deployment.

The guide is for IT infrastructure architects, administrators, and DevOps professionals who are planning to implement or extend their SAP workloads on the AWS Cloud.

This guide provides infrastructure and configuration information for planning and deploying an SAP infrastructure on the AWS Cloud. It doesn’t cover general installation and software configuration tasks for SAP. For general guidance and best practices, consult the SAP product documentation.

Quick Links

The links in this section are for your convenience. Before you launch the Quick Start, please review the architecture, configuration, network security, and other considerations discussed in this guide.

If you have an AWS account, and you’re already familiar with AWS services and SAP NetWeaver, you can launch the Quick Start to build the architecture shown in Figure 1 in a new or existing virtual private cloud (VPC). The deployment takes approximately 2 hours and 45 minutes. If you’re new to AWS or to SAP NetWeaver, please review the implementation details and follow the step-by-step instructions provided later in this guide.

Launch (for new VPC)
Launch (for existing VPC)

If you want to take a look under the covers, you can view the AWS CloudFormation templates that automate the deployment.

View template (for new VPC)
View template (for existing VPC)

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

Overview

SAP NetWeaver provides a set of technologies for running SAP business applications and for integrating people, processes, and information. SAP NetWeaver serves as the technical foundation for SAP’s ABAP and Java-based applications. This Quick Start deploys SAP NetWeaver AS ABAP, which supports the development of ABAP-based applications for SAP HANA databases. For a detailed description of SAP NetWeaver, see the SAP NetWeaver Master Guide on the SAP website.

This Quick Start helps you deploy a complete SAP NetWeaver system on AWS. The deployment includes an SAP application tier, an SAP HANA database tier, and Remote Desktop Protocol (RDP) and bastion hosts. The Quick Start also provisions a virtual private cloud (VPC) to house all these components.

SAP NetWeaver on AWS

The AWS Cloud provides a suite of infrastructure services that enable you to deploy SAP NetWeaver in a highly available, fault-tolerant, and cost-effective way. By deploying SAP NetWeaver on the AWS Cloud, you can take advantage of the functionality of SAP along with the flexibility and security of AWS.

Note: This Quick Start supports SAP NetWeaver 7.4 Support Release 2 (SP2). Other versions of SAP NetWeaver may work but have not been tested with this Quick Start.

This Quick Start currently supports the following versions of the SUSE Linux Enterprise Server (SLES) operating system for SAP NetWeaver AS ABAP: SLES 11 SP3, SLES 12, SLES 12 SP1, and SLES 12 SP2. For a list of supported operating systems for SAP HANA, see the SAP HANA Quick Start deployment guide.

Cost and Licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

This deployment uses a Bring Your Own License (BYOL) model for SAP. You must already own licenses for SAP, and you must be authorized to download software from the SAP Software Download Center (SWDC).

For the SAP NetWeaver deployment, this Quick Start launches the Amazon Machine Image (AMI) for SLES 11 SP4, SLES 12, or SLES 12 SP1, which includes the license for the SLES operating system. For the SAP HANA deployment, the Quick Start launches the AMI for the operating system you choose (SLES, SLES for SAP, or RHEL), and the license cost for the operating system is included in the Amazon EC2 hourly price.
There is an additional software cost for SLES for SAP AMIs.

AWS Services

The core AWS components used by this Quick Start include the following services and features. (If you are new to AWS, see the Getting Started Resource Center.)

Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. EBS volumes provide the consistent and low-latency performance needed to run your workloads.

Amazon Route 53 – Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service.

Automatic recovery – Automatic recovery is a feature of Amazon EC2 that is designed to increase instance availability. You can enable automatic recovery for an instance by creating an Amazon CloudWatch alarm that monitors the instance and automatically recovers it if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair.
A recovered instance is identical to the original instance and has the same instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. This Quick Start optionally enables automatic recovery on SAP HANA nodes for you.

AWS CloudFormation – AWS CloudFormation gives you an easy way to create and manage a collection of related AWS resources, and provision and update them in an orderly and predictable way. You use a template to describe all the AWS resources (e.g., EC2 instances) that you want. You don't have to individually create and configure the resources or figure out dependencies—AWS CloudFormation handles all of that.

Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

NAT Gateway – NAT Gateway is an AWS managed service that controls network address translation (NAT) gateway resources. A NAT gateway is a device that enables instances in a private subnet to connect to the internet or to other AWS services, but prevents the internet from connecting to those instances.

IAM – AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. With IAM, you can manage users, security credentials such as access keys, and permissions that control which AWS resources users can access, from a central location.

Architecture

This Quick Start uses AWS CloudFormation, AWS Command Line Interface (AWS CLI) for Linux, and custom scripts to deploy an SAP NetWeaver ABAP stack with an SAP HANA database on AWS. AWS CloudFormation creates and manages the AWS and SAP resources. AWS CLI for Linux enables you to configure AWS resources from the command line.
This Quick Start includes options for deploying the SAP NetWeaver ABAP stack with single-node or multi-node SAP HANA configurations.

Deploying the Quick Start for a new VPC builds the following SAP NetWeaver environment in the AWS Cloud.

Figure 1: SAP NetWeaver ABAP architecture on AWS (with optional AAS shown)

The Quick Start deploys and configures the following components:

A highly available architecture that spans two Availability Zones.*

A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*

An internet gateway to allow access to the internet.*

In the public subnets:
  – Bastion host instances in an Auto Scaling group to allow inbound SSH (Secure Shell) access to the SAP instances in the private subnets.*
  – Managed NAT gateways to allow outbound internet access for the SAP instances in the private subnets.*
  – An optional EC2 instance with Windows Server to host SAP GUI and SAP HANA Studio. You can install both SAP GUI and SAP HANA Studio manually to administer your SAP HANA database.

In the private subnets:
  – EC2 instance(s) to host the SAP NetWeaver software and SAP HANA database, and EBS volumes configured to meet or exceed SAP HANA storage key performance indicators (KPIs).
    Note: This Quick Start only supports the SLES operating system for the SAP NetWeaver instances, but SAP HANA is supported with your choice of Linux operating systems (SLES, SLES for SAP, or RHEL for SAP HANA).
  – An optional automated installation of the SAP NetWeaver AS ABAP and SAP HANA software.
  – A Primary Application Server (PAS) instance. This is the core component of an SAP system. It provides all SAP system utilities. At least one PAS instance must exist in each SAP system.
  – An optional automated installation of Additional Application Server (AAS) instances.
    In Figure 1, these are labeled AAS-1, AAS-2 and AAS-x, where x represents up to 90 application servers.

An IAM instance role with fine-grained permissions for access to the AWS services necessary for the deployment process.

Three security groups for fine-grained inbound access control from the bastion host, between the database instances, and for application access to the database.

AWS CLI and an instance role for installation bucket access.

An Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

SAP NetWeaver ABAP Instances

The SAP NetWeaver installation is automated with the SAP Software Provisioning Manager (SWPM). Here’s what you would see in the SAP SWPM tool for each instance type:

ASCS instance – This instance is the central point of communication and synchronization for the ABAP application server instances. It consists of the message server and the enqueue server for the ABAP stack.

Database instance – The ABAP stack uses its own database schema in the database. The Quick Start installs the ABAP SAP Central Services (ASCS) instance before installing the database instance.

Primary Application Server (PAS) instance – PAS is the core component of an SAP system. It provides all SAP system utilities. At least one PAS instance must exist in each SAP system.

Additional Application Server (AAS) instance – You can optionally install AAS instances to scale out your SAP application tier.

For additional details about the SAP NetWeaver AS ABAP architecture, see the SAP documentation.
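
The three security groups listed among the deployed components control who can reach the SAP instances in the private subnets. As an added example (not part of the Quick Start or its templates), this Python audit checks rules in the shape returned by EC2 DescribeSecurityGroups against one assumed policy: private-tier groups accept traffic only from the bastion, database, and application groups, never from a raw CIDR, and the bastion group is not open to every address. The group IDs, ports, and sample rules are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
# Group IDs and ports are hypothetical; they are not taken from the templates.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-hana", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-hana"}]},
        {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
         "UserIdGroupPairs": [{"GroupId": "sg-legacy"}]}]},
]
PRIVATE_IDS = {"sg-hana", "sg-app"}                # groups on private-subnet hosts
TRUSTED_IDS = {"sg-bastion", "sg-hana", "sg-app"}  # allowed source groups

def ports(perm):
    """Render a rule's port range; protocol "-1" (all traffic) has no ports."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR source of a rule."""
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))

def audit(groups, private_ids, trusted_ids):
    """Return (group, ports, source, reason) for each rule that breaks the policy."""
    findings = []
    for group in groups:
        gid, private = group["GroupId"], group["GroupId"] in private_ids
        for perm in group.get("IpPermissions", []):
            for cidr in cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)  # rejects malformed CIDRs
                if private:
                    findings.append((gid, ports(perm), cidr, "CIDR source on private-tier group"))
                elif net.prefixlen == 0:
                    findings.append((gid, ports(perm), cidr, "open to any address"))
            for pair in perm.get("UserIdGroupPairs", []) if private else []:
                if pair["GroupId"] not in trusted_ids:
                    findings.append((gid, ports(perm), pair["GroupId"], "untrusted source group"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, PRIVATE_IDS, TRUSTED_IDS):
        print(*finding, sep="  ")
```

To run it against a live account, pass the `SecurityGroups` list from a DescribeSecurityGroups call in place of the constructed sample and set the two ID sets to your own group IDs.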

Implementation Details

The Quick Start uses nested templates to deploy the SAP NetWeaver environment. It first launches the master template, and then calls additional templates in this order:

1. VPC template to create the VPC, subnets, internet gateway, and other infrastructure components.
2. Bastion host template to create the bastion host and Auto Scaling group.
3. SAP NetWeaver template to install the SAP HANA instance (by calling the SAP HANA template) and RDP host. After the SAP HANA instance has been installed, the ASCS, database, and PAS instances will be installed.
4. Optional SAP App server template to create the SAP AAS instances.

All SAP instances are silently installed on a base AMI to ensure that the latest AMI is always chosen when the EC2 instance launches. The installation is automated with SWPM. The Quick Start requires the SAP software media to be made available in an S3 bucket, and will download the media to run the silent installation.

In addition to installing SAP, the Quick Start provisions and performs configuration management on each EC2 instance, including:

Setting the time zone on the server
Setting up Network Time Protocol (NTP) on the server
Installing the AWS Systems Manager agent (SSM agent)
Setting up the uuidd daemon; see SAP Note 1391070 (login required)
Installing the AWS CLI
Applying SAP best practices from SAP Notes 2205917 and 2292711 (login required)
Installing the AWS for SAP Data provider (required for SAP support, see SAP Note 1656250)
Configuring the SWPM silent installation files
Creating and attaching EBS volumes for the /usr/sap/ file system