Sap Netweaver Abap On The Aws Cloud
December 2017
(last update: June 2018)
Contents
About This Guide
Quick Links
About Quick Starts
Overview
SAP NetWeaver on AWS
Cost and Licenses
AWS Services
Architecture
SAP NetWeaver ABAP Instance Types
Implementation Details
Planning the Deployment
Deployment Options
Prerequisites
Deployment Steps
Step 1. Prepare Your AWS Account
Step 2. Perform Prerequisite Tasks for SAP HANA
Step 3. Download the SAP NetWeaver Software
Step 4. Launch the Quick Start
Step 5. Verify Your Deployment
Changing the Security Group Configuration
Using SAP GUI
Using OS-Level Access
Troubleshooting
Support
Security
Network Security
Identity and Access Management (IAM)
Amazon Web Services – SAP NetWeaver ABAP on the AWS Cloud June 2018
OS Security
Security Groups
Additional Resources
GitHub Repository
Document Revisions
The guide is for IT infrastructure architects, administrators, and DevOps professionals who
are planning to implement or extend their SAP workloads on the AWS Cloud.
This guide provides infrastructure and configuration information for planning and
deploying an SAP infrastructure on the AWS Cloud. It doesn’t cover general installation and
software configuration tasks for SAP. For general guidance and best practices, consult the
SAP product documentation.
Quick Links
The links in this section are for your convenience. Before you launch the Quick Start, please
review the architecture, configuration, network security, and other considerations discussed
in this guide.
If you have an AWS account, and you’re already familiar with AWS services and SAP
NetWeaver, you can launch the Quick Start to build the architecture shown in Figure 1
in a new or existing virtual private cloud (VPC). The deployment takes approximately 2
hours and 45 minutes. If you’re new to AWS or to SAP NetWeaver, please review the
implementation details and follow the step-by-step instructions provided later in this
guide.
If you want to take a look under the covers, you can view the AWS CloudFormation
templates that automate the deployment.
Overview
SAP NetWeaver provides a set of technologies for running SAP business applications and
for integrating people, processes, and information. SAP NetWeaver serves as the technical
foundation for SAP’s ABAP and Java-based applications. This Quick Start deploys SAP
NetWeaver AS ABAP, which supports the development of ABAP-based applications for SAP
HANA databases. For a detailed description of SAP NetWeaver, see the SAP NetWeaver
Master Guide on the SAP website.
This Quick Start helps you deploy a complete SAP NetWeaver system on AWS. The
deployment includes an SAP application tier, an SAP HANA database tier, and Remote
Desktop Protocol (RDP) and bastion hosts. The Quick Start also provisions a virtual private
cloud (VPC) to house all these components.
Note This Quick Start supports SAP NetWeaver 7.4 Support Release 2 (SP2) and
SAP NetWeaver 7.5. Other versions of SAP NetWeaver may work but have not been
tested with this Quick Start.
This Quick Start currently supports the following versions of the SUSE Linux
Enterprise Server (SLES) operating system for SAP NetWeaver AS ABAP:
SLES 12, SLES 12 SP1, SLES 12 SP2, and SLES 12 SP3.
For a list of supported operating systems for SAP HANA, see the SAP HANA Quick
Start deployment guide.
The AWS CloudFormation template for this Quick Start includes configuration parameters
that you can customize. Some of these settings, such as instance type, will affect the cost of
deployment. For cost estimates, see the pricing pages for each AWS service you will be
using. Prices are subject to change.
This deployment uses a Bring Your Own License (BYOL) model for SAP software. You must
already own licenses for SAP, and you must be authorized to download software from the
SAP Software Download Center (SWDC).
For the SAP NetWeaver deployment, this Quick Start launches the Amazon Machine Image
(AMI) for the version of the SLES operating system you choose: SLES 12, SLES 12 SP1,
SLES 12 SP2, or SLES 12 SP3. The AMI includes the license for the SLES operating system.
For the SAP HANA deployment, the Quick Start launches the AMI for the operating system
you choose (SLES, SLES for SAP, or RHEL), and the license cost for the operating system is
included in the Amazon EC2 hourly price. There is an additional software cost for SLES for
SAP AMIs.
AWS Services
The core AWS components used by this Quick Start include the following services and
features. (If you are new to AWS, see the Getting Started Resource Center.)
Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you
provision a private, isolated section of the AWS Cloud where you can launch AWS
services and other resources in a virtual network that you define. You have complete
control over your virtual networking environment, including selection of your own IP
address range, creation of subnets, and configuration of route tables and network
gateways.
Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you
to launch virtual machine instances with a variety of operating systems. You can choose
from existing Amazon Machine Images (AMIs) or import your own virtual machine
images.
Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-
level storage volumes for use with EC2 instances in the AWS Cloud. Each Amazon EBS
volume is automatically replicated within its Availability Zone to protect you from
component failure, offering high availability and durability. EBS volumes provide the
consistent and low-latency performance needed to run your workloads.
Amazon Route 53 – Amazon Route 53 is a highly available and scalable Domain Name
System (DNS) web service.
Automatic recovery – Automatic recovery is a feature of Amazon EC2 that is designed to
increase instance availability. You can enable automatic recovery for an instance by
creating an Amazon CloudWatch alarm that monitors the instance and automatically
recovers it if it becomes impaired due to an underlying hardware failure or a problem
that requires AWS involvement to repair. A recovered instance is identical to the
original instance and has the same instance ID, private IP addresses, Elastic IP
addresses, and all instance metadata. This Quick Start optionally enables automatic
recovery on SAP HANA nodes for you.
AWS CloudFormation – AWS CloudFormation gives you an easy way to create and
manage a collection of related AWS resources, and provision and update them in an
orderly and predictable way. You use a template to describe all the AWS resources (e.g.,
EC2 instances) that you want. You don't have to individually create and configure the
resources or figure out dependencies—AWS CloudFormation handles all of that.
Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the
applications you run on AWS in real time. You can use CloudWatch to collect and track
metrics, collect and monitor log files, set alarms, and automatically react to changes in
your AWS resources.
NAT Gateway – NAT Gateway is an AWS managed service that controls network
address translation (NAT) gateway resources. A NAT gateway is a device that enables
instances in a private subnet to connect to the internet or to other AWS services, but
prevents the internet from connecting to those instances.
IAM – AWS Identity and Access Management (IAM) enables you to securely control
access to AWS services and resources for your users. With IAM, you can manage users,
security credentials such as access keys, and permissions that control which AWS
resources users can access, from a central location.
Architecture
This Quick Start uses AWS CloudFormation, AWS Command Line Interface (AWS CLI) for
Linux, and custom scripts to deploy an SAP NetWeaver ABAP stack with an SAP HANA
database on AWS. AWS CloudFormation creates and manages the AWS and SAP resources.
AWS CLI for Linux enables you to configure AWS resources from the command line. This
Quick Start includes options for deploying the SAP NetWeaver ABAP stack with single-node
or multi-node SAP HANA configurations.
Deploying the Quick Start for a new VPC builds the following SAP NetWeaver environment
in the AWS Cloud.
Figure 1: SAP NetWeaver ABAP architecture on AWS (with optional AAS shown)
Note This Quick Start supports only the SLES operating system for the SAP
NetWeaver instances, but SAP HANA is supported with your choice of Linux
operating systems (SLES, SLES for SAP, or RHEL for SAP HANA).
– An optional setup of an Amazon Elastic File System (Amazon EFS) share for the
/sapmnt file system.
– An optional automated installation of the SAP NetWeaver AS ABAP and SAP HANA
software.
– Primary Application Server (PAS) and ABAP System Central Services (ASCS)
deployed into the same EC2 instance. PAS is the core component of an SAP system.
It provides all SAP system utilities. At least one PAS instance must exist in each SAP
system. Optionally, ASCS and PAS can be installed on separate EC2 instances. SAP
refers to this deployment type as a distributed installation.
An IAM instance role with fine-grained permissions for access to the AWS services
necessary for the deployment process.
Three security groups for fine-grained inbound access control from the bastion host,
between the database instances, and for application access to the database.
AWS CLI and an instance role for installation bucket access.
An Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver
ABAP server names. This private hosted zone is dedicated to the VPC that was created
by the Quick Start.
* The template that deploys the Quick Start into an existing VPC skips the tasks marked by
asterisks and prompts you for your existing VPC configuration.
Primary Application Server (PAS) instance – PAS is the core component of an SAP
system. It provides all SAP system utilities. At least one PAS instance must exist in each
SAP system.
Additional Application Server (AAS) instance – You can optionally install AAS instances
to scale out your SAP application tier.
For additional details about the SAP NetWeaver AS ABAP architecture, see the SAP
documentation.
Implementation Details
The Quick Start uses nested templates to deploy the SAP NetWeaver environment. It first
launches the master template, and then calls additional templates in this order:
1. VPC template to create the VPC, subnets, internet gateway, and other infrastructure
components.
2. Bastion host template to create the bastion host and Auto Scaling group.
3. SAP NetWeaver template to install the SAP HANA instance (by calling the SAP HANA
template) and RDP host. After the SAP HANA instance has been installed, the ASCS,
database, and PAS instances will be installed.
4. Optional SAP App server template to create the SAP AAS instances.
All SAP instances are silently installed on a base AMI to ensure that the latest AMI is always
chosen when the EC2 instance launches. The installation is automated with SWPM. The
Quick Start requires the SAP software media to be made available in an S3 bucket, and will
download the media to run the silent installation.
In addition to installing SAP, the Quick Start provisions and performs configuration
management on each EC2 instance, including:
Setting the time zone on the server
Setting up Network Time Protocol (NTP) on the server
Installing the AWS Systems Manager agent (SSM agent)
Setting up the uuidd daemon; see SAP Note 1391070 (login required)
Installing the AWS CLI
Applying SAP best practices from SAP Notes 2205917 and 2292711 (login required)
Installing the AWS for SAP Data provider (required for SAP support, see SAP Note
1656250)
Configuring the SWPM silent installation files
Creating and attaching EBS volumes for the /usr/sap/ file system
Deploy SAP NetWeaver ABAP into an existing VPC – This option provisions
the SAP NetWeaver ABAP stack in your existing AWS infrastructure.
The Quick Start also lets you configure additional settings such as CIDR blocks, instance
types, and SAP NetWeaver and SAP HANA settings, as discussed later in this guide.
Prerequisites
The SAP NetWeaver ABAP Quick Start is integrated with the SAP HANA Quick Start.
Therefore, all the prerequisites for the SAP HANA Quick Start apply to this deployment as
well. For example, if you would like the Quick Start to install the SAP HANA software
automatically, you must download and stage the SAP HANA software by following the
instructions in the SAP HANA Quick Start guide. These prerequisites are discussed in
step 2 of the deployment steps.
Deployment Steps
The procedure for deploying the SAP NetWeaver AS ABAP architecture on AWS consists of
the following steps. For detailed instructions, follow the links for each step.
Step 2. Perform prerequisite tasks for SAP HANA (skip this step if you don’t want to install
SAP HANA software with this deployment)
In this step, you’ll take care of preliminary steps for deploying SAP HANA with SAP
NetWeaver AS ABAP.
Step 3. Download the SAP NetWeaver software (skip this step if you don’t want to install
SAP NetWeaver software with this deployment)
This step involves downloading the SAP NetWeaver software from SAP and placing the files
in an S3 bucket.
Step 4. Launch the Quick Start
In this step, you’ll launch the AWS CloudFormation template into your AWS account,
specify parameter values, and create the stack. The Quick Start provides separate templates
for end-to-end deployment and deployment into an existing VPC.
Step 5. Access SAP NetWeaver and SAP HANA to verify your deployment
You can access the SAP NetWeaver systems by using SAP GUI or through SSH and the
bastion host. You can access SAP HANA either through SAP HANA Studio or through the
bastion host.
Consider choosing a region closest to your data center or corporate network to reduce
network latency between systems running on AWS and the systems and users on your
corporate network.
3. Create a key pair in your preferred region. To do this, in the navigation pane of the
Amazon EC2 console, choose Key Pairs, Create Key Pair, type a name, and then
choose Create.
Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To
log in to your instances, you must create a key pair. With Windows instances, you use
the key pair to obtain the administrator password via the Amazon EC2 console, and then
log in using RDP, as explained in the Amazon EC2 User Guide. On Linux, the key pair is
used to authenticate SSH login.
4. If necessary, request a service quota increase for the instance types used for the
deployment. You might need to request an increase if you need additional Elastic IP
addresses or if you already have an existing deployment that uses the same instance
types as this architecture. To do this, on the Service Quotas console, for each instance
type that you want a service quota increase, choose the instance type, choose Request
quota increase, and then complete the fields in the quota increase form. It can take a
few days for the new service quota to become effective.
This Quick Start gives you the option of installing SAP HANA along with SAP NetWeaver. If
you want to include SAP HANA in your deployment, follow these instructions in the SAP
HANA deployment guide:
See the Planning the Deployment section of the SAP HANA deployment guide to
understand your memory and storage options for SAP HANA.
Subscribe to the AMI for RHEL for SAP HANA or SLES for SAP in AWS Marketplace.
Download and stage the SAP HANA software, by following the instructions in step 3 of
the SAP HANA deployment guide.
This Quick Start is designed to work with SAP NetWeaver release 7.4 SP2 and NetWeaver
release 7.5. Before you launch the Quick Start, you must download, extract, and stage
the SAP media for SAP NetWeaver in an S3 bucket using a specific structure.
1. Download and extract the SAP media by following the instructions in the SAP
documentation.
2. Sign in to the AWS Management Console and open the Amazon S3 console at
https://console.aws.amazon.com/s3.
3. Choose Create bucket.
4. In the Create bucket dialog box, provide a name for your new bucket, choose the
region where you want to create your bucket (this should be a region that is close to your
location), and then choose Create. For detailed information about bucket names and
region selection, see the Amazon S3 documentation.
5. Choose the bucket you created, choose the Permissions tab, and set permissions to
ensure that only you and authorized personnel from your organization have access to
this bucket. You can also set up an IAM or bucket policy to provide fine-grained access.
For details, see Managing Access Permissions to Your Amazon S3 Resources in the
Amazon S3 documentation.
6. In the bucket you created, create the following S3 prefix structure to organize your SAP
downloads. (Amazon S3 doesn’t provide folders, but you simulate a folder structure by
using key name prefixes.) Your S3 prefixes should be named exactly as shown.
7. Choose Upload to place the extracted SAP NetWeaver software under the appropriate
key name prefix. The SAP media must be extracted and named exactly as follows for
each SAP software CD.
SAP HANA PLATFORM EDIT. 1.0 Client for all supported Operating Systems SPS07 Rev. 74 Number 51048410 – HDB_CLNTCD
IND:SLTOOLSET:1.0:SWPM:*:LINUX_X86_64:* – sapinst
SAP HANA PLATFORM EDIT. 1.0 Client for all supported Operating Systems SPS09 Rev. 93 Number 51049641 – HDB_CLNTCD
IND:SLTOOLSET:1.0:SWPM:*:LINUX_X86_64:* – sapinst
Note Place only the media files listed in this table in the S3 bucket. Do not place
multiple software versions in the same location. We recommend that you download
the latest SAP kernel files (for the relevant SAP kernel level) and update these files in
your KERN_CD. (See KERN_CD later in this section).
For example, for SAP NetWeaver 7.5, you would extract and store the CD 51050829_2 in
the prefix EXP_CD, which you created in your S3 bucket.
Here are examples of the extracted files in each key name prefix.
EXP_CD: [file listing not preserved]
HDB_CLNTCD: [file listing not preserved]
KERN_CD: [file listing not preserved]
We recommend that you use the latest SAP kernel patch levels instead of the SAP kernel
files in CD 51051055_3. (We have seen issues with the SWPM silent installation when
using the default versions that come with the CD media.) You can download the appropriate
SAP kernel patch files and replace the SAPEXE.SAR and SAPEXEDB.SAR files in these
corresponding 51051055_3 (or CD 51051432_3 for NetWeaver 7.5) directories:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/HDB
You can use whichever patch level you need. For example, if you want to run SAP kernel
patch level 400, the correct SAPEXE and SAPEXEDB files are:
You will need to rename the files as follows (using SAP kernel patch level 400 files as an
example):
Rename SAPEXE_400-80000699.SAR to:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR
Here are sample commands (assuming that your current directory is /tmp/KERN_CD):
sapinst: [file listing not preserved]
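To check a staged bucket against the layout that step 3 describes before launching the stack, the following added example (not part of the original guide) inspects a list of S3 object keys. The prefix names and the DBINDEP/SAPEXE.SAR path come from this guide; placing SAPEXEDB.SAR under the HDB directory, the function name check_staging, and the sample keys are assumptions made for illustration.

```python
# Prefix names that appear in step 3 of this guide.
REQUIRED_PREFIXES = ("EXP_CD", "HDB_CLNTCD", "KERN_CD", "sapinst")
KERNEL_DIR = "KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64"
# Directory -> exact archive name expected there. DBINDEP/SAPEXE.SAR is taken
# from the guide; HDB/SAPEXEDB.SAR is an assumption based on the guide's
# "corresponding directories" wording.
KERNEL_ARCHIVES = {
    KERNEL_DIR + "/DBINDEP": "SAPEXE.SAR",
    KERNEL_DIR + "/HDB": "SAPEXEDB.SAR",
}


def check_staging(keys, key_prefix=""):
    """Return a sorted list of layout problems for the given S3 object keys.

    key_prefix is the value you plan to pass as SAPInstallMediaKeyPrefix
    (empty when the media prefixes sit at the top of the bucket).
    """
    problems = set()
    rel = [k[len(key_prefix):] for k in keys if k.startswith(key_prefix)]
    top_level = {k.split("/", 1)[0] for k in rel if "/" in k}

    # Every required prefix must exist with exactly the documented spelling.
    for name in REQUIRED_PREFIXES:
        if name not in top_level:
            problems.add(f"missing prefix {name}/")
    for name in top_level - set(REQUIRED_PREFIXES):
        exact = [r for r in REQUIRED_PREFIXES if r.lower() == name.lower()]
        if exact:
            problems.add(f"prefix {name}/ must be named exactly {exact[0]}/")
        else:
            problems.add(f"unexpected prefix {name}/")

    # Kernel archives must carry the plain name, not the patch-level name.
    for directory, wanted in KERNEL_ARCHIVES.items():
        stem = wanted[: -len(".SAR")]
        names = [k[len(directory) + 1:] for k in rel
                 if k.startswith(directory + "/")]
        if wanted not in names:
            problems.add(f"{directory}/{wanted} is missing")
        for n in names:
            if n.startswith(stem + "_") and n.upper().endswith(".SAR"):
                problems.add(f"rename {directory}/{n} to {wanted}")
    return sorted(problems)


# Constructed sample listing: one misspelled prefix and one kernel archive
# that still carries its patch-level name.
SAMPLE_KEYS = [
    "my/sw/version/EXP_CD/LABEL.ASC",
    "my/sw/version/HDB_CLNTCD/LABEL.ASC",
    "my/sw/version/" + KERNEL_DIR + "/DBINDEP/SAPEXE_400-80000699.SAR",
    "my/sw/version/" + KERNEL_DIR + "/HDB/SAPEXEDB.SAR",
    "my/sw/version/Sapinst/sapinst",
]

if __name__ == "__main__":
    for problem in check_staging(SAMPLE_KEYS, "my/sw/version/"):
        print(problem)
```

The key list can come from any bucket listing you already have, for example the output of a recursive listing of the media bucket.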
1. Choose one of the following options to launch the AWS CloudFormation template into
your AWS account. For help choosing an option, see deployment options earlier in this
guide.
Option 1: Deploy SAP NetWeaver into a new VPC on AWS
Option 2: Deploy SAP NetWeaver into an existing VPC on AWS
Important If you’re deploying SAP NetWeaver into an existing VPC, make sure
that your VPC has two private subnets in different Availability Zones. These subnets
require NAT gateways or NAT instances in their route tables, to allow the instances
to download packages and software without exposing them to the internet. You will
also need the domain name option configured in the DHCP options, as explained in
the Amazon VPC documentation. You’ll be prompted for your VPC settings when you
launch the Quick Start.
In the following tables, parameters are listed by category and described separately for
the two deployment options:
– Parameters for deploying SAP NetWeaver into a new VPC
– Parameters for deploying SAP NetWeaver into an existing VPC
Availability Zones (AvailabilityZones) – Default: Requires input – The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify.
Private subnet 1 CIDR (PrivateSubnet1CIDR) – Default: 10.0.0.0/19 – CIDR block for the private subnet located in Availability Zone 1.
Private subnet 2 CIDR (PrivateSubnet2CIDR) – Default: 10.0.32.0/19 – CIDR block for the private subnet located in Availability Zone 2.
Public subnet 1 CIDR (PublicSubnet1CIDR) – Default: 10.0.128.0/20 – CIDR block for the public (DMZ) subnet located in Availability Zone 1.
Public subnet 2 CIDR (PublicSubnet2CIDR) – Default: 10.0.144.0/20 – CIDR block for the public (DMZ) subnet located in Availability Zone 2.
CIDR block for RDP & Bastion access (RemoteAccessCIDR) – Default: Requires input – The CIDR IP range that is permitted to access the instances in your private subnets. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software.
Operating system version for HANA (MyOSHANA) – Default: SuSE-Linux-12-SP3-HVM – Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.)
SUSE BYOS Registration Code (SLESBYOSRegCode) – Default: — – Registration code for SUSE BYOS. This parameter is used only if you choose one of the SLES BYOS operating system versions in the previous parameter.
SAP HANA Server host name (SAPHANAHostname) – Default: saphanaqs – Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.)
SAP HANA Server (HANAInstanceType) – Default: r4.4xlarge – EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide).
SAP HANA host count (HANAHostCount) – Default: 1 – Total number of nodes you want to deploy in the SAP HANA cluster.
SAP HANA and NetWeaver password (HANAMasterPass) – Default: Requires input – SAP HANA password to use during installation.
Enable encryption (Encryption) – Default: No – Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes.
Storage volume type for SAP HANA Data (VolumeTypeHanaData) – Default: gp2 – Amazon EBS storage type to be used for SAP HANA data volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.)
Storage volume type for SAP HANA Log (VolumeTypeHanaLog) – Default: gp2 – Amazon EBS storage type to be used for SAP HANA log volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.)
SSH key pair (KeyName) – Default: Requires input – An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start.
S3 bucket for HANA s/w. (HANAInstallMedia) – Default: s3:// / – Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.)
Enable AWS CloudTrail & AWS Config logs (EnableLogging) – Default: No – Set to Yes to enable logging with AWS CloudTrail and AWS Config.
S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket) – Default: Optional – S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail).
R53 private hosted zone (HostedZoneName) – Default: Requires input – The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local.
O.S. version for SAP Servers (SLES only) (MyOS) – Default: SuSE-Linux-12-SP3-HVM – Operating system version (SLES only) for the SAP servers.
PAS EC2 Auto Recovery (AutoRecoveryPAS) – Default: Yes – Set to No to disable the automatic recovery feature on your PAS nodes.
Split the ASCS and PAS (DistributedInstall) – Default: No – Set to Yes to install ASCS and PAS on two different instances.
Use EFS for /sapmnt (EFSSapmnt) – Default: No – Set to Yes to enable Amazon EFS for the /sapmnt file system.
SAP PAS Server virtual name (SAPASCSHostname) – Default: sappas00 – Virtual host name to use for the SAP PAS server.
Standby ASCS Server in a different Availability Zone (EFSSapmnt) – Default: No – Set to Yes to enable the standby ASCS instance.
SAP PAS Server host name (SAPPASHostname) – Default: sappas00 – Host name (DNS short name) to use for the SAP PAS server.
SAP system ID (SID) – Default: HDB – SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored.
SAP database schema (SAPSchemaName) – Default: SAPABAP1 – SAP ABAP schema name for the SAP HANA database.
SAP ASCS instance type (ASCSMyInstanceType) – Default: r4.large – EC2 instance type for the SAP ASCS server.
SAP PAS Server type (MyInstanceType) – Default: r4.xlarge – EC2 instance type for the SAP PAS server.
SAP instance number (SAPInstanceNum) – Default: 00 – SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored.
SIDadm user id (SIDadmUID) – Default: 1001 – UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored.
SAP Server timezone (SAPTZ) – Default: UC – The time zone of your SAP server (PT, CT, ET, or UTC).
S3 bucket for SAP NetWeaver s/w. (SAPInstallMediaBucket) – Default: my-sw-bucket – Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored.
S3 Key Prefix for SAP NetWeaver s/w. (SAPInstallMediaKeyPrefix) – Default: my/sw/version/ – Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored.
Install SAP software (InstallSAP) – Default: Yes – Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure.
SAP AAS Server host name (SAPAASHostname) – Default: sapaas00 – Host name template to use for the SAP Additional Application Server (AAS).
SAP Additional App Server instance type (AASMyInstanceType) – Default: r4.xlarge – EC2 instance type for SAP AAS.
EC2 Auto Recovery (AutoRecoveryAAS) – Default: Yes – Set to No to disable the automatic recovery feature on your AAS nodes.
Install SAP Additional App Server (InstallSAPAAS) – Default: No – Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only the SAP ASCS, SAP HANA, and PAS.
Optional configuration:
Parameter label (name) | Default | Description
Install RDP and Bastion (InstallRDPAndBastionInstance) | Yes | Set to Yes if you want to install the RDP and bastion host instances.
RDP instance (RDPInstanceType) | m4.large | EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP and Bastion parameter is set to No.
Bastion host (BASTIONInstanceType) | t2.small | EC2 instance type for the bastion host instances. This parameter will be ignored if the Install RDP and Bastion parameter is set to No.
Advanced configuration:
Parameter label (name) | Default | Description
Quick Start S3 Bucket Name (QSS3BucketName) | aws-quickstart | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 Key Prefix (QSS3KeyPrefix) | quickstart-sap-netweaver-abap/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
Network Configuration:
Parameter label (name) | Default | Description
1st Private Subnet CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | CIDR block for the private subnet in Availability Zone 1 in your existing VPC.
2nd Private Subnet CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | CIDR block for the private subnet in Availability Zone 2 in your existing VPC.
1st Public Subnet CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public (DMZ) subnet in Availability Zone 1 in your existing VPC.
2nd Public Subnet CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public (DMZ) subnet in Availability Zone 2 in your existing VPC.
1st Private Subnet ID (PrivateSubnet1ID) | Requires input | ID of the private subnet in Availability Zone 1 in your existing VPC.
2nd Private Subnet ID (ApplicationCIDR) | Requires input | ID of the private subnet in Availability Zone 2 in your existing VPC.
1st Public Subnet ID (PublicSubnet1ID) | Requires input | ID of the public subnet in Availability Zone 1 in your existing VPC.
O.S. version for SAP HANA Servers (MyOSHANA) | SuSE-Linux-12-SP3-HVM | Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.)
SUSE BYOS Registration Code (SLESBYOSRegCode) | — | Registration code for SUSE BYOS. This parameter is used only if you choose one of the SLES BYOS operating system versions in the previous parameter.
SAP HANA Server host name (SAPHANAHostname) | saphanaqs | Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.)
SAP HANA Server (HANAInstanceType) | r4.4xlarge | EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide.)
SAP HANA host count (HANAHostCount) | 1 | Total number of nodes you want to deploy in the SAP HANA cluster.
SAP HANA and NetWeaver password (HANAMasterPass) | Requires input | SAP HANA password to use during installation.
Enable encryption (Encryption) | No | Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes.
Storage volume type for SAP HANA Data (VolumeTypeHanaData) | gp2 | Amazon EBS storage type to be used for SAP HANA data volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.)
Storage volume type for SAP HANA Log (VolumeTypeHanaLog) | gp2 | Amazon EBS storage type to be used for SAP HANA log volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.)
SSH key pair (KeyName) | Requires input | An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start.
S3 bucket for HANA s/w. (HANAInstallMedia) | s3:// / | Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.)
Enable AWS CloudTrail & AWS Config logs (EnableLogging) | No | Set to Yes to enable logging with AWS CloudTrail and AWS Config.
S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket) | Optional | S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail).
Use EFS for /sapmnt (EFSSapmnt) | No | Set to Yes to enable Amazon EFS for the /sapmnt file system.
R53 private hosted zone (HostedZoneName) | Requires input | The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local.
SAP PAS Server host name (SAPPASHostname) | sappas00 | Host name (DNS short name) to use for the SAP PAS server.
SAP system ID (SID) | HDB | SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored.
SAP database schema (SAPSchemaName) | SAPABAP1 | SAP ABAP schema name for the SAP HANA database.
SAP instance number (SAPInstanceNum) | 00 | SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored.
SIDadm user id (SIDadmUID) | 1001 | UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored.
SAP Server timezone (SAPTZ) | UC | The time zone of your SAP server (PT, CT, ET, or UTC).
S3 bucket for SAP NetWeaver s/w. (SAPInstallMediaBucket) | my-sw-bucket | Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored.
S3 Key Prefix for SAP NetWeaver s/w. (SAPInstallMediaKeyPrefix) | my/sw/version/ | Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored.
SAP Primary App Server (MyInstanceType) | r4.xlarge | EC2 instance type for the SAP PAS server.
O.S. version for SAP Servers (SLES only) (MyOS) | SuSE-Linux-12-SP3-HVM | Operating system version (SLES only) for the SAP servers.
EC2 Auto Recovery (AutoRecoveryPAS) | Yes | Set to No to disable the automatic recovery feature on your PAS nodes.
Install SAP software (InstallSAP) | Yes | Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure.
SAP AAS Server host name (SAPAASHostname) | sapaas00 | Host name template to use for the SAP Additional Application Server (AAS).
Parameter label (name) | Default | Description
SAP Additional App Server instance type (AASMyInstanceType) | r4.xlarge | EC2 instance type for SAP AAS.
AAS Private Subnet ID (PrivateSubnetID) | Optional | The existing private subnet to use for deploying SAP AAS.
EC2 Auto Recovery (AutoRecoveryAAS) | Yes | Set to No to disable the automatic recovery feature on your AAS nodes.
Install SAP Additional App Server (InstallSAPAAS) | No | Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only SAP ASCS, DB, and PAS.
Optional configuration:
Parameter label (name) | Default | Description
Install RDP (InstallRDPInstance) | No | Set to Yes if you want to install the RDP instance.
RDP instance type (RDPInstanceType) | c4.large | EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP parameter is set to No.
Advanced configuration:
Parameter label (name) | Default | Description
Quick Start S3 Bucket Name (QSS3BucketName) | aws-quickstart | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 Key Prefix (QSS3KeyPrefix) | quickstart-sap-netweaver-abap/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
5. On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set advanced options. When you’re done, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities,
select the check box to acknowledge that the template will create IAM resources.
7. Choose Create to deploy the stack.
8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the SAP
NetWeaver system is ready.
9. Use the URLs displayed in the Resources and Outputs tab of the stack to view the
resources that were created.
SAP HANA:
SAP PAS:
To access your SAP NetWeaver systems through SAP GUI or RFC from your public subnet,
you must manually change the security group configuration of the PAS and AAS instances.
Figure 12 shows what the security group would look like when you add rules to allow access
from public subnets.
Figure 12: Security rules for accessing SAP NetWeaver from public subnets
You can access the SAP HANA nodes by using SAP HANA Studio or through OS-level
access. For instructions, see the SAP HANA deployment guide.
You can access SAP NetWeaver from the public subnet in two ways:
Access with SAP GUI or RFC: Use a remote desktop client to connect to the
Windows Server instance. Once connected, you can manually install SAP GUI or use
RFC to start accessing your SAP NetWeaver system.
OS-level access: Use SSH to connect to the bastion host and then to the SAP
NetWeaver instances by using an SSH client of your choice.
Tip: To connect directly to the SAP NetWeaver systems from a corporate network,
you can provision an encrypted IPsec hardware VPN connection between your
corporate data center and your VPC. For details, see the Amazon VPC FAQ on the
AWS website. You can also set up AWS Direct Connect between your data center and
AWS to gain direct access to your AWS resources. For details, see AWS Direct
Connect on the AWS website.
Figure 13: Amazon EC2 running instances with RDP instance selected
8. Log in with the ddic user and the master password you specified in the Quick Start
parameters in step 4.
Note: At this point, we recommend that you make a backup of your newly installed
SAP NetWeaver and SAP HANA systems. You can use the Amazon EC2 console to
make a complete system image (AMI) that can be used for recovery or for additional
system builds. Keep in mind that this image is only a point-in-time snapshot.
3. Using an SSH client of your choice (for example, PuTTY or iTerm), connect to the
bastion host and use the key pair you specified during the deployment process.
Note: If your connection times out, you might need to adjust the security group
rules for the bastion host to allow access from your computer’s IP address or proxy
server. For more information, see Security Group Rules in the Amazon EC2 User
Guide.
iTerm Example
1. Add the private key to the authentication agent (ssh-add).
2. Connect to the bastion host by using SSH, with the -A option to forward the key,
specifying the username ec2-user.
3. Connect to the SAP NetWeaver server by IP address using SSH.
PuTTY Example
1. Download PuTTY (putty.exe), PuTTY Key Generator (puttygen.exe), and Pageant
(pageant.exe).
2. Load your private key into PuTTY Key Generator and save it as a .ppk file that PuTTY
can use.
3. Run Pageant.exe, and add your new .ppk key. The Pageant process must be running in
order for agent forwarding to work.
4. Configure PuTTY with the private key and select Allow agent forwarding.
Troubleshooting
Q. Where are the logs that monitor the Quick Start deployment progress?
A. You can find the deployment log in the /var/log directory of the SAP NetWeaver
instance. The name of the log file is cfn-init.log. You can log in to the SAP NetWeaver
instance as soon as you see that it’s in the running state and the instance passes the status
checks in the Amazon EC2 console.
Q. I launched the SAP NetWeaver Quick Start template for a new VPC, and I see up to five
additional templates being launched in the AWS CloudFormation console. Why? (For the
default scenario, there will be more than five templates if you choose to split your ASCS and
PAS instances.)
A. When you launch the SAP NetWeaver Quick Start for a new VPC, it launches up to five
templates: one template to set up your network infrastructure (VPC, subnets, managed
NAT gateway, and so on), a second template to deploy your Linux bastion host, a third
template to launch the SAP PAS instance (this template will then call the SAP HANA
template), and lastly an optional SAP AAS template if you decide to install AAS.
Q. Where is my SAP NetWeaver software staged when downloaded from the S3 bucket?
A. The SAP NetWeaver software is downloaded to the /sapmnt/SWPM directory on your PAS
instance. The /sapmnt directory is then NFS-shared with your AAS instances. By default,
the directory is shared with all servers whose hostnames begin with the same first three
letters as the PAS instance’s hostname. For example, if your PAS instance’s hostname was
sappas00, the share would be available to servers with the hostname sap*. You may change
this default in your /etc/exports file on the PAS instance.
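The default described in the answer above admits every client whose host name matches sap*, which is wider than the PAS and AAS servers. As an added example (not part of the Quick Start's scripts), the Python below parses an /etc/exports file, shows which known hosts each wildcard client admits, and renders an explicit-host replacement line. The sample exports text, its options and the host list are constructed; `sapling-ci` and `bastion01` are hypothetical hosts.

```python
import re

# Constructed sample modelled on the default described above; options are assumed.
SAMPLE_EXPORTS = """\
# /etc/exports on the PAS instance (constructed sample)
/sapmnt  sap*(rw,sync)
/backup  sappas00(ro,sync) 10.0.0.0/19(ro,sync)
"""

# Constructed list of short host names resolvable in the private hosted zone.
SAMPLE_HOSTS = ["sappas00", "sapaas00", "saphanaqs", "sapling-ci", "bastion01"]

_CLIENT = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Return (path, client, options) tuples, one per client on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # A path with no client, or with bare "(options)", is exported to everyone.
        for spec in clients or [""]:
            m = _CLIENT.match(spec)
            if m is None:
                raise ValueError(f"cannot parse client spec: {spec!r}")
            entries.append((path, m["client"] or "*", m["opts"] or ""))
    return entries


def _wildcard_regex(pattern):
    # exports(5): * and ? are wildcards and do not match the dots in a
    # domain name. Character classes ([...]) are not handled here.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^.]*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def broad_exports(text, known_hosts):
    """List wildcard exports with the known hosts each one admits."""
    report = []
    for path, client, _opts in parse_exports(text):
        if client == "*":  # a lone * matches every host
            report.append((path, client, list(known_hosts)))
        elif "*" in client or "?" in client:
            rx = _wildcard_regex(client)
            report.append((path, client, [h for h in known_hosts if rx.match(h)]))
    return report


def explicit_export(path, hosts, opts):
    """Render an exports line that names each allowed client explicitly."""
    return path + " " + " ".join(f"{h}({opts})" for h in hosts)


if __name__ == "__main__":
    for path, client, admitted in broad_exports(SAMPLE_EXPORTS, SAMPLE_HOSTS):
        print(f"{path}: client {client!r} admits {admitted}")
    print("suggested:", explicit_export("/sapmnt", ["sapaas00"], "rw,sync"))
```

After editing /etc/exports on the PAS instance, `exportfs -ra` re-reads the file.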
Q. I encountered a CREATE_FAILED error when I launched the Quick Start. What should
I do?
A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the
template with Rollback on failure set to No. (This setting is under Advanced in the
AWS CloudFormation console, Options page.) With this setting, the stack’s state will be
retained and the instance will be left running, so you can troubleshoot the issue. (You'll
want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)
The following table lists specific CREATE_FAILED error messages you might encounter.
API: ec2: RunInstances Not authorized for images: ami-ID | The template is referencing an AMI that has expired | We refresh AMIs on a regular basis, but our schedule isn’t always synchronized with AWS AMI updates. If you get this error message, notify us, and we’ll update the template with the new AMI ID. If you’d like to fix the template yourself, you can download it and update the Mappings section with the latest AMI ID for your region.
We currently do not have sufficient m1.small capacity in the AZ you requested | The NAT instance requires a larger instance type | Switch to an instance type that supports higher capacity, or complete the request form in the AWS Support Center to increase the Amazon EC2 limit for the instance type or region. Limit increases are tied to the region they were requested for.
The instance configuration for this AWS Marketplace product is not supported. Please see link for more information about supported instance types, regions, and operating systems. | You are trying to launch a RHEL/SLES Marketplace AMI with an instance type that isn’t supported. | Check your instance type and try to relaunch it with a supported instance type. If you want to extend the support for your desired instance type, contact the support team and open a support case.
Signal-failure function not implemented. | Deployment failed for an unknown reason. | Contact the support team and open a support case.
Not able to access SUSE (or Red Hat) update repository, package installation may fail. | The SAP HANA instance is unable to access the SUSE or RHEL update repository to download OS packages. The possible cause could be that Internet traffic for the SAP HANA instance is not routed through a NAT instance or NAT gateway. | See if it is possible to temporarily route the Internet traffic by using a NAT instance or NAT gateway. If your Internet traffic has to go through your internal proxy, contact your network team for access to the SUSE or RHEL update repository. For further assistance, open a support case in the AWS Support Center.
The HANA installation did not succeed. Please check installation media. | SAP HANA installation failed or SAP HANA services didn’t start up successfully. | Verify that you have staged the SAP HANA software properly in the S3 bucket with correct permissions. (See step 2 for details.) Another reason could be that SAP HANA services did not start up after the installation. In either case, consider redeploying your instance with the Install SAP software parameter set to No. The Quick Start redeployment will skip the SAP HANA installation, and you can manually install the SAP HANA software to troubleshoot the issue.
We currently do not have sufficient instance-type capacity in the AZ you requested. | The Availability Zone where you are trying to deploy your Amazon EC2 resources didn’t have enough capacity, or the instance type may not be available in that particular Availability Zone. | Retry the deployment with a different instance type, or choose a subnet in a different Availability Zone.
WaitCondition timed out. Received 0 conditions when expecting 1. | The SAP HANA template did not deploy. The CFN init did not initialize correctly on the PAS instance. | Double check the pre-requisites for the SAP HANA Quick Start. Create a ticket and attach the /var/log/cfn-init.log file.
Instance ID did not stabilize | You have exceeded your IOPS for the region | Request a limit increase by completing the request form in the AWS Support Center.
SAP master password requirements | Refer to the SAP documentation for password requirements | Change the master password (HANAMasterPass parameter in step 4), and then relaunch the Quick Start. According to SAP documentation, the master password must meet the following requirements:
– It must be 8 to 14 characters long.
– It must contain at least one letter (a-z, A-Z).
– It must contain at least one digit (0-9).
– It must not contain a backslash (\) or a double quote (").
Additional restrictions may apply, depending on the SAP HANA database:
– Use at least one number, one lowercase letter, and one uppercase letter.
– Use only the following characters: _, a-z, A-Z, 0-9, #, @, $, ! and do not start the password with a number or an underscore ( _ ).
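A pre-flight check for the HANAMasterPass value against the rules listed above catches a bad password before the stack is launched. This is an added example, not code from the Quick Start; the function name and the `hana_restrictions` switch are assumptions made here for illustration.

```python
import getpass
import re

# Requirements quoted in the troubleshooting table above.
BASE_RULES = [
    ("must be 8 to 14 characters long",
     lambda p: 8 <= len(p) <= 14),
    ("must contain at least one letter (a-z, A-Z)",
     lambda p: re.search(r"[A-Za-z]", p) is not None),
    ("must contain at least one digit (0-9)",
     lambda p: re.search(r"[0-9]", p) is not None),
    ("must not contain a backslash or a double quote",
     lambda p: re.search(r'[\\"]', p) is None),
]

# "Additional restrictions may apply, depending on the SAP HANA database".
# The digit requirement is already covered by BASE_RULES.
HANA_RULES = [
    ("needs at least one lowercase letter",
     lambda p: re.search(r"[a-z]", p) is not None),
    ("needs at least one uppercase letter",
     lambda p: re.search(r"[A-Z]", p) is not None),
    ("may use only _, a-z, A-Z, 0-9, #, @, $, !",
     lambda p: re.fullmatch(r"[_A-Za-z0-9#@$!]*", p) is not None),
    ("must not start with a number or an underscore",
     lambda p: re.match(r"[0-9_]", p) is None),
]


def check_master_password(password, hana_restrictions=True):
    """Return the list of violated rules; an empty list means the value passes."""
    rules = BASE_RULES + (HANA_RULES if hana_restrictions else [])
    return [message for message, ok in rules if not ok(password)]


if __name__ == "__main__":
    # getpass keeps the value out of the terminal scrollback and shell history.
    problems = check_master_password(getpass.getpass("HANAMasterPass: "))
    if problems:
        # Report only the rule text, never the password itself.
        for message in problems:
            print("rejected:", message)
        raise SystemExit(1)
    print("password meets the documented requirements")
```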
Support
If you encounter an issue deploying this Quick Start, check the Troubleshooting section first
to see if the issue is covered. If it isn’t, or the suggested solution doesn’t resolve the issue,
open a support case in the AWS Support Center. Assistance with SAP NetWeaver and SAP
HANA deployment issues requires a subscription to the AWS Business Support plan.
If you’re opening a support case, please attach the /root/install/install.log file from the
SAP HANA master instance, and the /var/log/cfn-init.log file from each of your SAP
NetWeaver instances. For more information, see Troubleshooting AWS CloudFormation on
the AWS website.
Security
The AWS Cloud provides a scalable, highly reliable platform that helps enable customers to
deploy applications and data quickly and securely.
When you build systems on the AWS infrastructure, security responsibilities are shared
between you and AWS. This shared model can reduce your operational burden as AWS
operates, manages, and controls the components from the host operating system and
virtualization layer down to the physical security of the facilities in which the services
operate. In turn, you assume responsibility and management of the guest operating system
(including updates and security patches), other associated application software such as SAP
HANA, as well as the configuration of the AWS-provided security group firewall. For more
information about security on AWS, visit the AWS Security Center.
Network Security
The default network security setup of this solution follows security best practices of AWS.
The provisioned SAP NetWeaver instances are configured to allow access only to the private
subnets in your VPC. SSH access to the SAP NetWeaver instance is allowed from the public
subnets by default. To allow access from traffic beyond your VPC, you have two options:
Update the security group created during the provisioning process to include the public
subnet CIDR block and ports that you want to allow access for.
Restrict access to a known CIDR block (of your network) if there is a provisioned Direct
Connect or VPN tunnel between your own data center and AWS.
For more information about allowing access from public subnets, see Changing the Security
Group Configuration earlier in this guide.
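After widening a security group as described above, it is worth confirming that SAP GUI, RFC and SSH are reachable only from the CIDR blocks you intended. The Python below is an added example, not part of the Quick Start: it audits ingress rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`. The port numbering (32NN for the dispatcher, 33NN for the gateway, NN being the SAP instance number) is the standard SAP convention and an assumption here, since this guide does not list the ports; the sample rules are constructed.

```python
import ipaddress

# Default subnet CIDR blocks from the Network Configuration parameters.
ALLOWED_CIDRS = ["10.0.0.0/19", "10.0.32.0/19", "10.0.128.0/20", "10.0.144.0/20"]

# Constructed sample of a security group's IpPermissions list.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3200,
     "IpRanges": [{"CidrIp": "10.0.128.0/20"}, {"CidrIp": "10.0.144.0/20"}]},
    {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3399,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.128.0/20"}, {"CidrIp": "203.0.113.0/24"}]},
    # "-1" means all protocols and ports; such rules carry no FromPort/ToPort.
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def watched_ports(instance_number):
    """Ports to audit for an SAP instance number (assumed SAP convention)."""
    nn = int(instance_number)
    if not 0 <= nn <= 99:
        raise ValueError("SAP instance number must be 00-99")
    return {22: "SSH", 3200 + nn: "SAP GUI (dispatcher)", 3300 + nn: "RFC (gateway)"}


def _covers(permission, port):
    protocol = permission.get("IpProtocol")
    if protocol == "-1":
        return True
    if protocol != "tcp":
        return False
    return permission["FromPort"] <= port <= permission["ToPort"]


def _sources(permission):
    for item in permission.get("IpRanges", []):
        yield item["CidrIp"]
    for item in permission.get("Ipv6Ranges", []):
        yield item["CidrIpv6"]


def _inside(cidr, allowed_networks):
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed_networks)


def audit_ingress(ip_permissions, instance_number, allowed_cidrs=ALLOWED_CIDRS):
    """Return (port, service, source CIDR) for every source outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    ports = sorted(watched_ports(instance_number).items())
    findings = []
    for permission in ip_permissions:
        for port, service in ports:
            if not _covers(permission, port):
                continue
            for cidr in _sources(permission):
                if not _inside(cidr, allowed):
                    findings.append((port, service, cidr))
    return findings


if __name__ == "__main__":
    for port, service, cidr in audit_ingress(SAMPLE_PERMISSIONS, "00"):
        print(f"port {port} ({service}) is open to {cidr}, outside the allowed CIDR blocks")
```

Rules that reference another security group (`UserIdGroupPairs`) are not evaluated by this check.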
OS Security
The root user on Linux or the administrator on the Windows RDP instance can be accessed
only by using the SSH key specified during the deployment process. AWS does not store
these SSH keys, so if you lose your SSH key, you can lose access to these instances.
Operating system patches are your responsibility and should be performed on a periodic
basis.
Security Groups
A security group acts as a firewall that controls the traffic for one or more instances. When
you launch an instance, you associate one or more security groups with the instance. You
add rules to each security group that allow traffic to or from its associated instances. You
can modify the rules for a security group at any time. The new rules are automatically
applied to all instances that are associated with the security group.
The security groups created and assigned to the individual instances as part of this solution
are restricted as much as possible while allowing access to the various functions of SAP
NetWeaver and SAP HANA.
Additional Resources
AWS services
AWS CloudFormation
https://aws.amazon.com/documentation/cloudformation/
Amazon EBS
– User guide
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
– Volume types
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
– Optimized instances
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
Amazon EC2
– User guide for Microsoft Windows
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
– User guide for Linux
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/
– X1 instances
https://aws.amazon.com/ec2/instance-types/x1/
Amazon VPC
https://aws.amazon.com/documentation/vpc/
GitHub Repository
You can visit our GitHub repository to download the templates and scripts for this Quick
Start, to post your feedback, and to share your customizations with others.
Document Revisions
Date | Change | In sections
June 2018 | Added support for SAP NetWeaver 7.5 and Amazon EFS | Changes in templates and throughout guide
December 2017 | Added instructions for using the latest SAP kernel patch levels | Step 3, KERN_CD
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.