
SAP NetWeaver on the AWS Cloud
for AS ABAP and SAP HANA
Quick Start Reference Deployment

Somckit Khemmanivanh and Santiago Cardenas


Solutions Architects, Amazon Web Services

December 2017
(last update: June 2018)

Supports: SAP NetWeaver 7.4 Support Release 2
SAP NetWeaver 7.5
SAP HANA Platform Edition 1 SPS 9–12
SAP HANA Platform Edition 2 SPS 0–2
Amazon Web Services – SAP NetWeaver ABAP on the AWS Cloud June 2018

Contents
About This Guide
Quick Links
About Quick Starts
Overview
SAP NetWeaver on AWS
Cost and Licenses
AWS Services
Architecture
SAP NetWeaver ABAP Instance Types
Implementation Details
Planning the Deployment
Deployment Options
Prerequisites
Deployment Steps
Step 1. Prepare Your AWS Account
Step 2. Perform Prerequisite Tasks for SAP HANA
Step 3. Download the SAP NetWeaver Software
Step 4. Launch the Quick Start
Step 5. Verify Your Deployment
Changing the Security Group Configuration
Using SAP GUI
Using OS-Level Access
Troubleshooting
Support
Security
Network Security
Identity and Access Management (IAM)
OS Security
Security Groups
Additional Resources
GitHub Repository
Document Revisions

About This Guide


This Quick Start deployment guide describes how to deploy an SAP NetWeaver Application
Server (AS) Advanced Business Application Programming (ABAP) system on the Amazon
Web Services (AWS) Cloud, using AWS CloudFormation templates that automate the
deployment.

The guide is for IT infrastructure architects, administrators, and DevOps professionals who
are planning to implement or extend their SAP workloads on the AWS Cloud.

This guide provides infrastructure and configuration information for planning and
deploying an SAP infrastructure on the AWS Cloud. It doesn’t cover general installation and
software configuration tasks for SAP. For general guidance and best practices, consult the
SAP product documentation.

Quick Links
The links in this section are for your convenience. Before you launch the Quick Start, please
review the architecture, configuration, network security, and other considerations discussed
in this guide.
• If you have an AWS account, and you’re already familiar with AWS services and SAP
NetWeaver, you can launch the Quick Start to build the architecture shown in Figure 1
in a new or existing virtual private cloud (VPC). The deployment takes approximately 2
hours and 45 minutes. If you’re new to AWS or to SAP NetWeaver, please review the
implementation details and follow the step-by-step instructions provided later in this
guide.

Launch (for new VPC)
Launch (for existing VPC)

• If you want to take a look under the covers, you can view the AWS CloudFormation
templates that automate the deployment.

View template (for new VPC)
View template (for existing VPC)

About Quick Starts


Quick Starts are automated reference deployments for key workloads on the AWS Cloud.
Each Quick Start launches, configures, and runs the AWS compute, network, storage, and
other services required to deploy a specific workload on AWS, using AWS best practices for
security and availability.

Overview
SAP NetWeaver provides a set of technologies for running SAP business applications and
for integrating people, processes, and information. SAP NetWeaver serves as the technical
foundation for SAP’s ABAP and Java-based applications. This Quick Start deploys SAP
NetWeaver AS ABAP, which supports the development of ABAP-based applications for SAP
HANA databases. For a detailed description of SAP NetWeaver, see the SAP NetWeaver
Master Guide on the SAP website.

This Quick Start helps you deploy a complete SAP NetWeaver system on AWS. The
deployment includes an SAP application tier, an SAP HANA database tier, and Remote
Desktop Protocol (RDP) and bastion hosts. The Quick Start also provisions a virtual private
cloud (VPC) to house all these components.

SAP NetWeaver on AWS


The AWS Cloud provides a suite of infrastructure services that enable you to deploy SAP
NetWeaver in a highly available, fault-tolerant, and cost-effective way. By deploying SAP
NetWeaver on the AWS Cloud, you can take advantage of the functionality of SAP along
with the flexibility and security of AWS.

Note: This Quick Start supports SAP NetWeaver 7.4 Support Release 2 (SP2) and
SAP NetWeaver 7.5. Other versions of SAP NetWeaver may work but have not been
tested with this Quick Start.


This Quick Start currently supports the following versions of the SUSE Linux
Enterprise Server (SLES) operating system for SAP NetWeaver AS ABAP:
SLES 12, SLES 12 SP1, SLES 12 SP2, and SLES 12 SP3.

For a list of supported operating systems for SAP HANA, see the SAP HANA Quick
Start deployment guide.

Cost and Licenses


You are responsible for the cost of the AWS services used while running this Quick Start
reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters
that you can customize. Some of these settings, such as instance type, will affect the cost of
deployment. For cost estimates, see the pricing pages for each AWS service you will be
using. Prices are subject to change.

This deployment uses a Bring Your Own License (BYOL) model for SAP software. You must
already own licenses for SAP, and you must be authorized to download software from the
SAP Software Download Center (SWDC).

For the SAP NetWeaver deployment, this Quick Start launches the Amazon Machine Image
(AMI) for the version of the SLES operating system you choose: SLES 12, SLES 12 SP1,
SLES 12 SP2, or SLES 12 SP3. The AMI includes the license for the SLES operating system.

For the SAP HANA deployment, the Quick Start launches the AMI for the operating system
you choose (SLES, SLES for SAP, or RHEL), and the license cost for the operating system is
included in the Amazon EC2 hourly price. There is an additional software cost for SLES for
SAP AMIs.

AWS Services
The core AWS components used by this Quick Start include the following services and
features. (If you are new to AWS, see the Getting Started Resource Center.)

• Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you
provision a private, isolated section of the AWS Cloud where you can launch AWS
services and other resources in a virtual network that you define. You have complete
control over your virtual networking environment, including selection of your own IP
address range, creation of subnets, and configuration of route tables and network
gateways.


• Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you
to launch virtual machine instances with a variety of operating systems. You can choose
from existing Amazon Machine Images (AMIs) or import your own virtual machine
images.
• Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level
storage volumes for use with EC2 instances in the AWS Cloud. Each Amazon EBS
volume is automatically replicated within its Availability Zone to protect you from
component failure, offering high availability and durability. EBS volumes provide the
consistent and low-latency performance needed to run your workloads.
• Amazon Route 53 – Amazon Route 53 is a highly available and scalable Domain Name
System (DNS) web service.
• Automatic recovery – Automatic recovery is a feature of Amazon EC2 that is designed to
increase instance availability. You can enable automatic recovery for an instance by
creating an Amazon CloudWatch alarm that monitors the instance and automatically
recovers it if it becomes impaired due to an underlying hardware failure or a problem
that requires AWS involvement to repair. A recovered instance is identical to the
original instance and has the same instance ID, private IP addresses, Elastic IP
addresses, and all instance metadata. This Quick Start optionally enables automatic
recovery on SAP HANA nodes for you.
• AWS CloudFormation – AWS CloudFormation gives you an easy way to create and
manage a collection of related AWS resources, and provision and update them in an
orderly and predictable way. You use a template to describe all the AWS resources (e.g.,
EC2 instances) that you want. You don't have to individually create and configure the
resources or figure out dependencies—AWS CloudFormation handles all of that.
• Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the
applications you run on AWS in real time. You can use CloudWatch to collect and track
metrics, collect and monitor log files, set alarms, and automatically react to changes in
your AWS resources.
• NAT Gateway – NAT Gateway is an AWS managed service that controls network
address translation (NAT) gateway resources. A NAT gateway is a device that enables
instances in a private subnet to connect to the internet or to other AWS services, but
prevents the internet from connecting to those instances.
• IAM – AWS Identity and Access Management (IAM) enables you to securely control
access to AWS services and resources for your users. With IAM, you can manage users,
security credentials such as access keys, and permissions that control which AWS
resources users can access, from a central location.


Architecture
This Quick Start uses AWS CloudFormation, AWS Command Line Interface (AWS CLI) for
Linux, and custom scripts to deploy an SAP NetWeaver ABAP stack with an SAP HANA
database on AWS. AWS CloudFormation creates and manages the AWS and SAP resources.
AWS CLI for Linux enables you to configure AWS resources from the command line. This
Quick Start includes options for deploying the SAP NetWeaver ABAP stack with single-node
or multi-node SAP HANA configurations.

Deploying the Quick Start for a new VPC builds the following SAP NetWeaver environment
in the AWS Cloud.

Figure 1: SAP NetWeaver ABAP architecture on AWS (with optional AAS shown)


The Quick Start deploys and configures the following components:


• A highly available architecture that spans two Availability Zones.*
• A VPC configured with public and private subnets according to AWS best practices, to
provide you with your own virtual network on AWS.*
• An internet gateway to allow access to the internet.*
• In the public subnets:
– Bastion host instances in an Auto Scaling group to allow inbound SSH (Secure Shell)
access to the SAP instances in the private subnets.*
– Managed NAT gateways to allow outbound internet access for the SAP instances in
the private subnets.*
– An optional EC2 instance with Windows Server to host SAP GUI and SAP HANA
Studio. You can install both SAP GUI and SAP HANA Studio manually to administer
your SAP HANA database.
• In the private subnets:
– EC2 instance(s) to host the SAP NetWeaver software and SAP HANA database, and
EBS volumes configured to meet or exceed SAP HANA storage key performance
indicators (KPIs).

Note: This Quick Start supports only the SLES operating system for the SAP
NetWeaver instances, but SAP HANA is supported with your choice of Linux
operating systems (SLES, SLES for SAP, or RHEL for SAP HANA).

– An optional setup of an Amazon Elastic File System (Amazon EFS) share for the
/sapmnt file system.
– An optional automated installation of the SAP NetWeaver AS ABAP and SAP HANA
software.
– Primary Application Server (PAS) and ABAP System Central Services (ASCS)
deployed into the same EC2 instance. PAS is the core component of an SAP system.
It provides all SAP system utilities. At least one PAS instance must exist in each SAP
system. Optionally, ASCS and PAS can be installed on separate EC2 instances. SAP
refers to this deployment type as a distributed installation.

– An optional ASCS instance installed in a different Availability Zone. This optional
instance can act as a warm standby ASCS server.
– An optional automated installation of Additional Application Server (AAS) instances.
The AAS instances can be installed in the same Availability Zone or in a Multi-AZ
deployment for greater availability. In Figure 1, these are labeled AAS-1, AAS-2, and
AAS-x, where x represents up to 90 application servers.

• An IAM instance role with fine-grained permissions for access to the AWS services
necessary for the deployment process.
• Three security groups for fine-grained inbound access control from the bastion host,
between the database instances, and for application access to the database.
• AWS CLI and an instance role for installation bucket access.
• An Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver
ABAP server names. This private hosted zone is dedicated to the VPC that was created
by the Quick Start.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by
asterisks and prompts you for your existing VPC configuration.

SAP NetWeaver ABAP Instance Types


The SAP NetWeaver installation is automated with the SAP Software Provisioning Manager
(SWPM). Here’s what you would see in the SAP SWPM tool for each instance type:

• ASCS instance – This instance is the central point of communication and
synchronization for the ABAP application server instances. It consists of the message
server and the enqueue server for the ABAP stack.
• Database instance – The ABAP stack uses its own database schema in the database. The
Quick Start installs the ABAP SAP Central Services (ASCS) instance before installing the
database instance.


• Primary Application Server (PAS) instance – PAS is the core component of an SAP
system. It provides all SAP system utilities. At least one PAS instance must exist in each
SAP system.
• Additional Application Server (AAS) instance – You can optionally install AAS instances
to scale out your SAP application tier.

For additional details about the SAP NetWeaver AS ABAP architecture, see the SAP
documentation.

Implementation Details
The Quick Start uses nested templates to deploy the SAP NetWeaver environment. It first
launches the master template, and then calls additional templates in this order:
1. VPC template to create the VPC, subnets, internet gateway, and other infrastructure
components.
2. Bastion host template to create the bastion host and Auto Scaling group.
3. SAP NetWeaver template to install the SAP HANA instance (by calling the SAP HANA
template) and RDP host. After the SAP HANA instance has been installed, the ASCS,
database, and PAS instances will be installed.
4. Optional SAP App server template to create the SAP AAS instances.

All SAP instances are silently installed on a base AMI to ensure that the latest AMI is always
chosen when the EC2 instance launches. The installation is automated with SWPM. The
Quick Start requires the SAP software media to be made available in an S3 bucket, and will
download the media to run the silent installation.

In addition to installing SAP, the Quick Start provisions and performs configuration
management on each EC2 instance, including:
• Setting the time zone on the server
• Setting up Network Time Protocol (NTP) on the server
• Installing the AWS Systems Manager agent (SSM agent)
• Setting up the uuidd daemon; see SAP Note 1391070 (login required)
• Installing the AWS CLI
• Applying SAP best practices from SAP Notes 2205917 and 2292711 (login required)


• Installing the AWS for SAP Data provider (required for SAP support, see SAP Note
1656250)
• Configuring the SWPM silent installation files
• Creating and attaching EBS volumes for the /usr/sap/ file system

Planning the Deployment


Deployment Options
This Quick Start provides two deployment options:
• Deploy SAP NetWeaver AS ABAP into a new VPC (end-to-end deployment) –
This option builds a new AWS environment consisting of a VPC, subnets, NAT
gateways, security groups, bastion hosts, and other infrastructure components, and
then deploys the SAP NetWeaver AS ABAP stack into this new VPC.

• Deploy SAP NetWeaver ABAP into an existing VPC – This option provisions
the SAP NetWeaver ABAP stack in your existing AWS infrastructure.

The Quick Start also lets you configure additional settings such as CIDR blocks, instance
types, and SAP NetWeaver and SAP HANA settings, as discussed later in this guide.

Prerequisites
The SAP NetWeaver ABAP Quick Start is integrated with the SAP HANA Quick Start.
Therefore, all the prerequisites for the SAP HANA Quick Start apply to this deployment as
well. For example, if you would like the Quick Start to install the SAP HANA software
automatically, you must download and stage the SAP HANA software by following the
instructions in the SAP HANA Quick Start guide. These prerequisites are discussed in
step 2 of the deployment steps.

Deployment Steps
The procedure for deploying the SAP NetWeaver AS ABAP architecture on AWS consists of
the following steps. For detailed instructions, follow the links for each step.

Step 1. Prepare your AWS account


This involves signing up for an AWS account, choosing a region, creating a key pair, and
requesting increases for account limits, if necessary.


Step 2. Perform prerequisite tasks for SAP HANA (skip this step if you don’t want to install
SAP HANA software with this deployment)
In this step, you’ll take care of preliminary steps for deploying SAP HANA with SAP
NetWeaver AS ABAP.
Step 3. Download the SAP NetWeaver software (skip this step if you don’t want to install
SAP NetWeaver software with this deployment)
This step involves downloading the SAP NetWeaver software from SAP and placing the files
in an S3 bucket.
Step 4. Launch the Quick Start
In this step, you’ll launch the AWS CloudFormation template into your AWS account,
specify parameter values, and create the stack. The Quick Start provides separate templates
for end-to-end deployment and deployment into an existing VPC.
Step 5. Access SAP NetWeaver and SAP HANA to verify your deployment
You can access the SAP NetWeaver systems by using SAP GUI or through SSH and the
bastion host. You can access SAP HANA either through SAP HANA Studio or through the
bastion host.

Step 1. Prepare Your AWS Account


1. If you don’t already have an AWS account, create one at https://aws.amazon.com by
following the on-screen instructions. Part of the sign-up process involves receiving a
phone call and entering a PIN using the phone keypad.
2. Use the region selector in the navigation bar to choose the AWS Region where you want
to deploy SAP NetWeaver on AWS. For more information, see Regions and Availability
Zones. Regions are dispersed and located in separate geographic areas. Each Region
includes at least two Availability Zones that are isolated from one another but connected
through low-latency links.


Figure 2: Choosing an AWS Region

Consider choosing a region closest to your data center or corporate network to reduce
network latency between systems running on AWS and the systems and users on your
corporate network.
3. Create a key pair in your preferred region. To do this, in the navigation pane of the
Amazon EC2 console, choose Key Pairs, Create Key Pair, type a name, and then
choose Create.


Figure 3: Creating a key pair

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To
log in to your instances, you must create a key pair. With Windows instances, you use
the key pair to obtain the administrator password via the Amazon EC2 console, and then
log in using RDP, as explained in the Amazon EC2 User Guide. On Linux, the key pair is
used to authenticate SSH login.
4. If necessary, request a service quota increase for the instance types used for the
deployment. You might need to request an increase if you need additional Elastic IP
addresses or if you already have an existing deployment that uses the same instance
types as this architecture. To do this, on the Service Quotas console, for each instance
type for which you want a service quota increase, choose the instance type, choose Request
quota increase, and then complete the fields in the quota increase form. It can take a
few days for the new service quota to become effective.


Figure 4: Requesting a service quota increase

Step 2. Perform Prerequisite Tasks for SAP HANA


Skip this step if you don’t want to install SAP HANA with this deployment.

This Quick Start gives you the option of installing SAP HANA along with SAP NetWeaver. If
you want to include SAP HANA in your deployment, follow these instructions in the SAP
HANA deployment guide:
• See the Planning the Deployment section of the SAP HANA deployment guide to
understand your memory and storage options for SAP HANA.
• Subscribe to the AMI for RHEL for SAP HANA or SLES for SAP in AWS Marketplace.
• Download and stage the SAP HANA software, by following the instructions in step 3 of
the SAP HANA deployment guide.

Step 3. Download the SAP NetWeaver Software


Skip this step if you don’t want to install SAP NetWeaver during this deployment.

This Quick Start is designed to work with SAP NetWeaver release 7.4 SP2 and NetWeaver
release 7.5. Before you launch the Quick Start, you must download, extract, and stage
the SAP media for SAP NetWeaver in an S3 bucket using a specific structure.


1. Download and extract the SAP media by following the instructions in the SAP
documentation.
2. Sign in to the AWS Management Console and open the Amazon S3 console at
https://console.aws.amazon.com/s3.
3. Choose Create bucket.
4. In the Create bucket dialog box, provide a name for your new bucket, choose the
region where you want to create your bucket (this should be a region that is close to your
location), and then choose Create. For detailed information about bucket names and
region selection, see the Amazon S3 documentation.
5. Choose the bucket you created, choose the Permissions tab, and set permissions to
ensure that only you and authorized personnel from your organization have access to
this bucket. You can also set up an IAM or bucket policy to provide fine-grained access.
For details, see Managing Access Permissions to Your Amazon S3 Resources in the
Amazon S3 documentation.
6. In the bucket you created, create the following S3 prefix structure to organize your SAP
downloads. (Amazon S3 doesn’t provide folders, but you can simulate a folder structure by
using key name prefixes.) Your S3 prefixes should be named exactly as shown.

Figure 5: Key name prefixes for SAP NetWeaver downloads

7. Choose Upload to place the extracted SAP NetWeaver software under the appropriate
key name prefix. The SAP media must be extracted and named exactly as follows for
each SAP software CD.

For SAP NetWeaver 7.4 (SWPM 1.0 PL 19 was tested):

SAP CD label and CD number | Upload to S3 key name prefix
SAP NETWEAVER 7.4 SR2 OS independent Number 51050819_1 | EXP_CD
SAP HANA PLATFORM EDIT. 1.0 Client for all supported Operating Systems SPS07 Rev. 74 Number 51048410 | HDB_CLNTCD
SAP DC Kernel 7.45 Linux on x86_64 64bit 51051055_3 | KERN_CD
IND:SLTOOLSET:1.0:SWPM:*:LINUX_X86_64:* | sapinst

For SAP NetWeaver 7.5 (SWPM 1.0 PL 21 was tested):

SAP CD label and CD number | Upload to S3 key name prefix
SAP NETWEAVER 7.5 Installation Export 51050829_2 | EXP_CD
SAP HANA PLATFORM EDIT. 1.0 Client for all supported Operating Systems SPS09 Rev. 93 Number 51049641 | HDB_CLNTCD
SAP DC Kernel 7.49 Linux on x86_64 64bit 51051432_3 | KERN_CD
IND:SLTOOLSET:1.0:SWPM:*:LINUX_X86_64:* | sapinst

Note: Place only the media files listed in this table in the S3 bucket. Do not place
multiple software versions in the same location. We recommend that you download
the latest SAP kernel files (for the relevant SAP kernel level) and update these files in
your KERN_CD. (See KERN_CD later in this section.)

For example, for SAP NetWeaver 7.5, you would extract and store the CD 51050829_2 in
the prefix EXP_CD, which you created in your S3 bucket.

Here are examples of the extracted files in each key name prefix.


EXP_CD:

Figure 6: Extracted files in EXP_CD

HDB_CLNTCD:

Figure 7: Extracted files in HDB_CLNTCD


KERN_CD:

Figure 8: Extracted files in KERN_CD

We recommend that you use the latest SAP kernel patch levels instead of the SAP kernel
files in CD 51051055_3. (We have seen issues with the SWPM silent installation when
using the default versions that come with the CD media.) You can download the appropriate
SAP kernel patch files and replace the SAPEXE.SAR and SAPEXEDB.SAR files in these
corresponding 51051055_3 (or CD 51051432_3 for NetWeaver 7.5) directories:
• KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP
• KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/HDB

You can use whichever patch level you need. For example, if you want to run SAP kernel
patch level 400, the correct SAPEXE and SAPEXEDB files are:


You will need to rename the files as follows (using SAP kernel patch level 400 files as an
example):
• Rename SAPEXE_400-80000699.SAR to:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR
• Rename SAPEXEDB_400-80000698.SAR to:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/HDB/SAPEXEDB.SAR

Here are sample commands (assuming that your current directory is /tmp/KERN_CD):

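    cd /tmp/KERN_CD
    # Rename the downloaded kernel patch archives to the names SWPM expects
    mv SAPEXE_400-80000699.SAR DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR
    mv SAPEXEDB_400-80000698.SAR DATA_UNITS/K_745_U_LINUX_X86_64/HDB/SAPEXEDB.SAR
    # Upload the updated kernel directory to the KERN_CD prefix in the S3 bucket
    aws s3 sync /tmp/KERN_CD s3://my-sw-bucket/KERN_CD/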

sapinst:

Figure 9: Extracted files in sapinst
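
The staging rules in this step (exact prefix names, renamed kernel archives, no extra media in the bucket) can be checked before launch. The following is an added example, not part of the Quick Start: it parses the output of aws s3 ls --recursive and reports layout problems. The sample listing and its file names are constructed, and the kernel directory default is the K_745 path shown above; pass another value if your kernel CD differs.

```python
import re

# Key name prefixes the guide requires. S3 keys are case-sensitive, so the
# spelling must match exactly.
REQUIRED_PREFIXES = ("EXP_CD", "HDB_CLNTCD", "KERN_CD", "sapinst")

# Kernel data-unit directory shown in the guide (kernel 7.45). Assumption:
# pass a different value to check_layout() if your kernel CD uses another name.
DEFAULT_KERNEL_UNIT = "KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64"

# Downloaded kernel patches are named like SAPEXE_400-80000699.SAR until renamed.
UNRENAMED = re.compile(r"^SAPEXE(DB)?_\d+-\d+\.SAR$")

# Constructed sample of `aws s3 ls s3://my-sw-bucket --recursive` output.
SAMPLE_LISTING = """\
2018-06-01 10:00:00          0 EXP_CD/
2018-06-01 10:00:01       1024 EXP_CD/LABEL.ASC
2018-06-01 10:00:02       2048 HDB_CLNTCD/LABEL.ASC
2018-06-01 10:00:03    5000000 KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR
2018-06-01 10:00:04    6000000 KERN_CD/SAPEXEDB_400-80000698.SAR
2018-06-01 10:00:05          0 sapinst/
2018-06-01 10:00:06        512 Sapinst/sapinst
"""


def parse_s3_ls(listing):
    """Return the object keys from `aws s3 ls --recursive` output."""
    keys = []
    for line in listing.splitlines():
        parts = line.split(None, 3)  # date, time, size, key (key may hold spaces)
        if len(parts) == 4 and parts[2].isdigit():
            keys.append(parts[3].rstrip())
    return keys


def check_layout(keys, kernel_unit=DEFAULT_KERNEL_UNIT):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    # Zero-byte "folder" markers created by the console end with "/".
    files = [k for k in keys if not k.endswith("/")]
    seen = {k.split("/", 1)[0] for k in keys if "/" in k}
    populated = {k.split("/", 1)[0] for k in files if "/" in k}

    for prefix in REQUIRED_PREFIXES:
        if prefix not in seen:
            findings.append("missing prefix: " + prefix)
        elif prefix not in populated:
            findings.append("prefix has no media files: " + prefix)
    for extra in sorted(seen - set(REQUIRED_PREFIXES)):
        findings.append("unexpected prefix: " + extra)
    for key in files:
        if "/" not in key:
            findings.append("object outside any prefix: " + key)

    # The silent installation expects the kernel archives under fixed names.
    for required in (kernel_unit + "/DBINDEP/SAPEXE.SAR",
                     kernel_unit + "/HDB/SAPEXEDB.SAR"):
        if required not in files:
            findings.append("missing kernel archive: " + required)
    for key in files:
        if key.startswith("KERN_CD/") and UNRENAMED.match(key.rsplit("/", 1)[-1]):
            findings.append("kernel archive not renamed: " + key)
    return findings


if __name__ == "__main__":
    for finding in check_layout(parse_s3_ls(SAMPLE_LISTING)):
        print(finding)
```
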


Step 4. Launch the Quick Start


Note: You are responsible for the cost of the AWS services used while running this
Quick Start reference deployment. There is no additional cost for using this Quick
Start. For full details, see the pricing pages for each AWS service you will be using in
this Quick Start. Prices are subject to change.

1. Choose one of the following options to launch the AWS CloudFormation template into
your AWS account. For help choosing an option, see deployment options earlier in this
guide.

Option 1: Deploy SAP NetWeaver into a new VPC on AWS (Launch)
Option 2: Deploy SAP NetWeaver into an existing VPC on AWS (Launch)

Important: If you’re deploying SAP NetWeaver into an existing VPC, make sure
that your VPC has two private subnets in different Availability Zones. These subnets
require NAT gateways or NAT instances in their route tables, to allow the instances
to download packages and software without exposing them to the internet. You will
also need the domain name option configured in the DHCP options, as explained in
the Amazon VPC documentation. You’ll be prompted for your VPC settings when you
launch the Quick Start.

Each deployment takes about 2 hours and 45 minutes to complete.


2. Check the region that’s displayed in the upper-right corner of the navigation bar, and
change it if necessary. This is where the network infrastructure for SAP NetWeaver will
be built. The template is launched in the US East (Ohio) Region by default.
3. On the Select Template page, keep the default setting for the template URL, and then
choose Next.
4. On the Specify Details page, change the stack name if needed. Review the parameters
for the template. Provide values for the parameters that require input. For all other
parameters, review the default settings and customize them as necessary. When you
finish reviewing and customizing the parameters, choose Next.


In the following tables, parameters are listed by category and described separately for
the two deployment options:
– Parameters for deploying SAP NetWeaver into a new VPC
– Parameters for deploying SAP NetWeaver into an existing VPC

• Option 1: Parameters for deploying SAP NetWeaver into a new VPC


View template
Network infrastructure details:

| Parameter label (name) | Default | Description |
|---|---|---|
| Availability Zones (AvailabilityZones) | Requires input | The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify. |
| VPC CIDR (VPCCIDR) | 10.0.0.0/16 | CIDR block for the VPC. |
| Private subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | CIDR block for the private subnet located in Availability Zone 1. |
| Private subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | CIDR block for the private subnet located in Availability Zone 2. |
| Public subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public (DMZ) subnet located in Availability Zone 1. |
| Public subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public (DMZ) subnet located in Availability Zone 2. |
| CIDR block for RDP & Bastion access (RemoteAccessCIDR) | Requires input | The CIDR IP range that is permitted to access the instances in your private subnets. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software. |

HANA Server and storage configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Operating system version for HANA (MyOSHANA) | SuSE-Linux-12-SP3-HVM | Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.) |
| SUSE BYOS Registration Code (SLESBYOSRegCode) | — | Registration code for SUSE BYOS. This parameter is used only if you choose one of the SLES BYOS operating system versions in the previous parameter. |
| SAP HANA Server host name (SAPHANAHostname) | saphanaqs | Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.) |
| SAP HANA Server (HANAInstanceType) | r4.4xlarge | EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide.) |
| SAP HANA host count (HANAHostCount) | 1 | Total number of nodes you want to deploy in the SAP HANA cluster. |
| SAP HANA and NetWeaver password (HANAMasterPass) | Requires input | SAP HANA password to use during installation. |
| Enable encryption (Encryption) | No | Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes. |
| Storage volume type for SAP HANA Data (VolumeTypeHanaData) | gp2 | Amazon EBS storage type to be used for SAP HANA data volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.) |
| Storage volume type for SAP HANA Log (VolumeTypeHanaLog) | gp2 | Amazon EBS storage type to be used for SAP HANA log volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.) |
| SSH key pair (KeyName) | Requires input | An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start. |
| S3 bucket for HANA s/w. (HANAInstallMedia) | s3:// / | Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.) |
| Enable AWS CloudTrail & AWS Config logs (EnableLogging) | No | Set to Yes to enable logging with AWS CloudTrail and AWS Config. |
| S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket) | Optional | S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail). |


SAP NetWeaver Cluster setup and configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| R53 private hosted zone (HostedZoneName) | Requires input | The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local. |
| O.S. version for SAP Servers (SLES only) (MyOS) | SuSE-Linux-12-SP3-HVM | Operating system version (SLES only) for the SAP servers. |
| PAS EC2 Auto Recovery (AutoRecoveryPAS) | Yes | Set to No to disable the automatic recovery feature on your PAS nodes. |
| Split the ASCS and PAS (DistributedInstall) | No | Set to Yes to install ASCS and PAS on two different instances. |
| Use EFS for /sapmnt (EFSSapmnt) | No | Set to Yes to enable Amazon EFS for the /sapmnt file system. |
| SAP PAS Server virtual name (SAPASCSHostname) | sappas00 | Virtual host name to use for the SAP PAS server. |
| Standby ASCS Server in a different Availability Zone (EFSSapmnt) | No | Set to Yes to enable the standby ASCS instance. |
| SAP PAS Server host name (SAPPASHostname) | sappas00 | Host name (DNS short name) to use for the SAP PAS server. |
| SAP system ID (SID) | HDB | SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored. |
| SAP database schema (SAPSchemaName) | SAPABAP1 | SAP ABAP schema name for the SAP HANA database. |
| SAP ASCS instance type (ASCSMyInstanceType) | r4.large | EC2 instance type for the SAP ASCS server. |
| SAP PAS Server type (MyInstanceType) | r4.xlarge | EC2 instance type for the SAP PAS server. |
| SAP instance number (SAPInstanceNum) | 00 | SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored. |
| SIDadm user id (SIDadmUID) | 1001 | UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored. |
| SAP Server timezone (SAPTZ) | UC | The time zone of your SAP server (PT, CT, ET, or UTC). |
| S3 bucket for SAP NetWeaver s/w. (SAPInstallMediaBucket) | my-sw-bucket | Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored. |
| S3 Key Prefix for SAP NetWeaver s/w. (SAPInstallMediaKeyPrefix) | my/sw/version/ | Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored. |
| Install SAP software (InstallSAP) | Yes | Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure. |
| SAP NW version (InstallSAPVersion) | SAP-NetWeaver-7.4 | Version of SAP NetWeaver to install. |

SAP Additional App Server setup and configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| SAP AAS Server host name (SAPAASHostname) | sapaas00 | Host name template to use for the SAP Additional Application Server (AAS). |
| SAP Additional App Server instance type (AASMyInstanceType) | r4.xlarge | EC2 instance type for SAP AAS. |
| EC2 Auto Recovery (AutoRecoveryAAS) | Yes | Set to No to disable the automatic recovery feature on your AAS nodes. |
| Install SAP Additional App Server (InstallSAPAAS) | No | Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only the SAP ASCS, SAP HANA, and PAS. |


Optional configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Install RDP and Bastion (InstallRDPAndBastionInstance) | Yes | Set to Yes if you want to install the RDP and bastion host instances. |
| RDP instance (RDPInstanceType) | m4.large | EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP and Bastion parameter is set to No. |
| Bastion host (BASTIONInstanceType) | t2.small | EC2 instance type for the bastion host instances. This parameter will be ignored if the Install RDP and Bastion parameter is set to No. |

Advanced configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Quick Start S3 Bucket Name (QSS3BucketName) | aws-quickstart | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
| Quick Start S3 Key Prefix (QSS3KeyPrefix) | quickstart-sap-netweaver-abap/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. |

• Option 2: Parameters for deploying SAP NetWeaver into an existing VPC


View template

Network Configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| VPC ID (VPCID) | Requires input | ID of your existing VPC (e.g., vpc-0343606e). |
| 1st Private Subnet CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | CIDR block for the private subnet in Availability Zone 1 in your existing VPC. |
| 2nd Private Subnet CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | CIDR block for the private subnet in Availability Zone 2 in your existing VPC. |
| 1st Public Subnet CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public (DMZ) subnet in Availability Zone 1 in your existing VPC. |
| 2nd Public Subnet CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public (DMZ) subnet in Availability Zone 2 in your existing VPC. |
| 1st Private Subnet ID (PrivateSubnet1ID) | Requires input | ID of the private subnet in Availability Zone 1 in your existing VPC. |
| 2nd Private Subnet ID (ApplicationCIDR) | Requires input | ID of the private subnet in Availability Zone 2 in your existing VPC. |
| 1st Public Subnet ID (PublicSubnet1ID) | Requires input | ID of the public subnet in Availability Zone 1 in your existing VPC. |

HANA Server and storage configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| O.S. version for SAP HANA Servers (MyOSHANA) | SuSE-Linux-12-SP3-HVM | Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.) |
| SUSE BYOS Registration Code (SLESBYOSRegCode) | — | Registration code for SUSE BYOS. This parameter is used only if you choose one of the SLES BYOS operating system versions in the previous parameter. |
| SAP HANA Server host name (SAPHANAHostname) | saphanaqs | Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.) |
| SAP HANA Server (HANAInstanceType) | r4.4xlarge | EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide.) |
| SAP HANA host count (HANAHostCount) | 1 | Total number of nodes you want to deploy in the SAP HANA cluster. |
| SAP HANA and NetWeaver password (HANAMasterPass) | Requires input | SAP HANA password to use during installation. |
| Enable encryption (Encryption) | No | Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes. |
| Storage volume type for SAP HANA Data (VolumeTypeHanaData) | gp2 | Amazon EBS storage type to be used for SAP HANA data volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.) |
| Storage volume type for SAP HANA Log (VolumeTypeHanaLog) | gp2 | Amazon EBS storage type to be used for SAP HANA log volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.) |
| SSH key pair (KeyName) | Requires input | An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start. |
| S3 bucket for HANA s/w. (HANAInstallMedia) | s3:// / | Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.) |
| Enable AWS CloudTrail & AWS Config logs (EnableLogging) | No | Set to Yes to enable logging with AWS CloudTrail and AWS Config. |
| S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket) | Optional | S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail). |

SAP NetWeaver Cluster setup and configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Use EFS for /sapmnt (EFSSapmnt) | No | Set to Yes to enable Amazon EFS for the /sapmnt file system. |
| R53 private hosted zone (HostedZoneName) | Requires input | The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local. |
| SAP PAS Server host name (SAPPASHostname) | sappas00 | Host name (DNS short name) to use for the SAP PAS server. |
| SAP system ID (SID) | HDB | SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored. |
| SAP database schema (SAPSchemaName) | SAPABAP1 | SAP ABAP schema name for the SAP HANA database. |
| SAP instance number (SAPInstanceNum) | 00 | SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored. |
| SIDadm user id (SIDadmUID) | 1001 | UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored. |
| SAP Server timezone (SAPTZ) | UC | The time zone of your SAP server (PT, CT, ET, or UTC). |
| S3 bucket for SAP NetWeaver s/w. (SAPInstallMediaBucket) | my-sw-bucket | Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored. |
| S3 Key Prefix for SAP NetWeaver s/w. (SAPInstallMediaKeyPrefix) | my/sw/version/ | Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored. |
| SAP Primary App Server (MyInstanceType) | r4.xlarge | EC2 instance type for the SAP PAS server. |
| O.S. version for SAP Servers (SLES only) (MyOS) | SuSE-Linux-12-SP3-HVM | Operating system version (SLES only) for the SAP servers. |
| EC2 Auto Recovery (AutoRecoveryPAS) | Yes | Set to No to disable the automatic recovery feature on your PAS nodes. |
| Install SAP software (InstallSAP) | Yes | Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure. |
| SAP NW version (InstallSAPVersion) | SAP-NetWeaver-7.4 | Version of SAP NetWeaver to install. |

SAP Additional App Server setup and configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| SAP AAS Server host name (SAPAASHostname) | sapaas00 | Host name template to use for the SAP Additional Application Server (AAS). |
| SAP Additional App Server instance type (AASMyInstanceType) | r4.xlarge | EC2 instance type for SAP AAS. |
| AAS Private Subnet ID (PrivateSubnetID) | Optional | The existing private subnet to use for deploying SAP AAS. |
| EC2 Auto Recovery (AutoRecoveryAAS) | Yes | Set to No to disable the automatic recovery feature on your AAS nodes. |
| Install SAP Additional App Server (InstallSAPAAS) | No | Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only SAP ASCS, DB, and PAS. |

Optional configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Install RDP (InstallRDPInstance) | No | Set to Yes if you want to install the RDP instance. |
| RDP instance type (RDPInstanceType) | c4.large | EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP parameter is set to No. |

Advanced configuration:

| Parameter label (name) | Default | Description |
|---|---|---|
| Quick Start S3 Bucket Name (QSS3BucketName) | aws-quickstart | S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
| Quick Start S3 Key Prefix (QSS3KeyPrefix) | quickstart-sap-netweaver-abap/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. |

5. On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set advanced options. When you’re done, choose Next.


6. On the Review page, review and confirm the template settings. Under Capabilities,
select the check box to acknowledge that the template will create IAM resources.
7. Choose Create to deploy the stack.
8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the SAP
NetWeaver system is ready.

Figure 10: SAP NetWeaver stacks

9. Use the URLs displayed in the Resources and Outputs tab of the stack to view the
resources that were created.

SAP HANA:


Linux bastion hosts:

SAP PAS:

Step 5. Verify Your Deployment


The default network security setup for this solution follows AWS security best practices.
The SAP NetWeaver instances are placed in a private subnet to restrict direct exposure to
the internet. If you do not have a direct connection to the private subnet from your internal
network, you can access the SAP NetWeaver instances only through instances placed in the
public subnet.


Changing the Security Group Configuration


If you deployed your stack with the default network configurations, the rules shown in
Figure 11 are configured by default for the PAS instances. These rules allow you to access
the SAP NetWeaver systems through SAP GUI and Remote Function Call (RFC) only from
the private subnets.

Figure 11: Default security group configuration

To access your SAP NetWeaver systems through SAP GUI or RFC from your public subnet,
you must manually change the security group configuration of the PAS and AAS instances.
Figure 12 shows what the security group would look like when you add rules to allow access
from public subnets.

Figure 12: Security rules for accessing SAP NetWeaver from public subnets
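An added example (not from the Quick Start or its templates) of how the rule change described above could be scripted. It derives the SAP GUI dispatcher port 32NN and the RFC gateway port 33NN from the SAPInstanceNum value, following SAP's standard port convention, and prints one aws ec2 authorize-security-group-ingress call per port and source CIDR. The group ID sg-EXAMPLE and the function names are placeholders; the CIDRs are the default public subnets from step 4.

```shell
#!/bin/sh
# Added example: print (not run) the aws CLI calls that open SAP GUI and RFC access
# on a PAS or AAS security group, limited to the source CIDRs you name.

# SAP derives ports from the two-digit instance number NN:
# dispatcher (SAP GUI) = 32NN, gateway (RFC) = 33NN.
sap_ports() {
    case $1 in
        [0-9][0-9]) echo "32$1 33$1" ;;
        *) echo "instance number must be two digits, e.g. 00" >&2; return 1 ;;
    esac
}

# usage: sg_ingress_commands <security-group-id> <instance-number> <source-cidr>...
sg_ingress_commands() {
    if [ "$#" -lt 3 ]; then
        echo "usage: sg_ingress_commands <sg-id> <NN> <cidr>..." >&2; return 1
    fi
    sg=$1; nn=$2; shift 2
    ports=$(sap_ports "$nn") || return 1
    # Validate every source first so a bad entry produces no partial output.
    for cidr in "$@"; do
        case $cidr in
            */0) echo "refusing $cidr: a /0 source exposes SAP ports to every address" >&2
                 return 1 ;;
        esac
    done
    for cidr in "$@"; do
        for port in $ports; do
            echo "aws ec2 authorize-security-group-ingress --group-id $sg" \
                 "--protocol tcp --port $port --cidr $cidr"
        done
    done
}

# Placeholder group ID; the CIDRs are the Quick Start's default public subnets.
sg_ingress_commands sg-EXAMPLE 00 10.0.128.0/20 10.0.144.0/20
```

Review the printed commands and run them once per PAS and AAS security group, substituting the real group IDs.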

You can access the SAP HANA nodes by using SAP HANA Studio or through OS-level
access. For instructions, see the SAP HANA deployment guide.


You can access SAP NetWeaver from the public subnet in two ways:

• Access with SAP GUI or RFC: Use a remote desktop client to connect to the
Windows Server instance. Once connected, you can manually install SAP GUI or use
RFC to start accessing your SAP NetWeaver system.
• OS-level access: Use SSH to connect to the bastion host and then to the SAP
NetWeaver instances by using an SSH client of your choice.

Tip To connect directly to the SAP NetWeaver systems from a corporate network,
you can provision an encrypted IPsec hardware VPN connection between your
corporate data center and your VPC. For details, see the Amazon VPC FAQ on the
AWS website. You can also set up AWS Direct Connect between your data center and
AWS to gain direct access to your AWS resources. For details, see AWS Direct
Connect on the AWS website.

Using SAP GUI


To install SAP GUI, establish a connection to the Windows Server instance.
1. Sign in to your AWS account, and open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
2. From the console dashboard, choose Running Instances to find the RDP instance.

Figure 13: Amazon EC2 running instances with RDP instance selected

3. Select your RDP instance and choose Connect.


4. Get the Windows administrator password from the Amazon EC2 console:
a. In the Connect to Your Instance dialog box, choose Get Password.
b. Paste the contents of your private key in the space provided, or
choose Browse and navigate to your private key file, select the file, and choose
Open to copy the entire contents of the file into the contents box.


The password will be decrypted and displayed.


5. In the Connect to Your Instance dialog box, choose Download Remote Desktop
File, or connect by using an RDP client of your choice.
6. Install SAP GUI. You can do this in two ways:
– Download the SAP GUI installation files from SAP Service Marketplace.
—or—
– Download and extract the SAP GUI software from your S3 bucket to install SAP GUI
on your RDP server.
7. When the installation is complete, start SAP GUI, and add a system with the following
parameters.
– Description: Your naming standard for your SAP systems
– Application Server: The private IP address of your PAS
– Instance Number: Your SAP system number (for PAS, this is usually 01)
– System ID: Your SAP system identifier

8. Log in with the ddic user and the master password you specified in the Quick Start
parameters in step 4.

Note At this point, we recommend that you make a backup of your newly installed
SAP NetWeaver and SAP HANA systems. You can use the Amazon EC2 console to
make a complete system image (AMI) that can be used for recovery or for additional
system builds. Keep in mind that this image is only a point-in-time snapshot.

Using OS-Level Access


You can also connect to the bastion host to establish a remote SSH connection to any of the
SAP HANA master or worker nodes.

1. On the Amazon EC2 console, choose Running Instances.


2. Select your bastion host, and note the public Elastic IP address displayed below your
running instances.


Figure 14: Elastic IP address for bastion host

3. Using an SSH client of your choice (for example, PuTTY or iTerm), connect to the
bastion host and use the key pair you specified during the deployment process.

Note If your connection times out, you might need to adjust the security group
rules for the bastion host to allow access from your computer’s IP address or proxy
server. For more information, see Security Group Rules in the Amazon EC2 User
Guide.

iTerm Example
1. Add the private key to the authentication agent (ssh-add).
2. Connect to the bastion host by using SSH, with the -A option (agent forwarding) to
forward the key, specifying the username ec2-user.
3. Connect to the SAP NetWeaver server by IP address using SSH.

PuTTY Example
1. Download PuTTY (putty.exe), PuTTY Key Generator (puttygen.exe), and Pageant
(pageant.exe).
2. Load your private key into PuTTY Key Generator and save it as a .ppk file that PuTTY
can use.
3. Run Pageant.exe, and add your new .ppk key. The Pageant process must be running in
order for agent forwarding to work.
4. Configure PuTTY with the private key and select Allow agent forwarding.


Figure 15: PuTTY example for SSH connection

5. Save the configuration.


6. Open up the connection to the bastion host by using SSH with the ec2-user user ID.
7. Connect to the SAP HANA server by using SSH.

Troubleshooting
Q. Where are the logs that monitor the Quick Start deployment progress?
A. You can find the deployment log in the /var/log directory of the SAP NetWeaver
instance. The name of the log file is cfn-init.log. You can log in to the SAP NetWeaver
instance as soon as you see that it’s in the running state and the instance passes the status
checks in the Amazon EC2 console.

Q. I launched the SAP NetWeaver Quick Start template for a new VPC, and I see up to five
additional templates being launched in the AWS CloudFormation console. Why? (For the
default scenario, there will be more than five templates if you choose to split your ASCS and
PAS instances.)


A. When you launch the SAP NetWeaver Quick Start for a new VPC, it launches up to five
templates: one template to set up your network infrastructure (VPC, subnets, managed
NAT gateway, and so on), a second template to deploy your Linux bastion host, a third
template to launch the SAP PAS instance (this template will then call the SAP HANA
template), and lastly an optional SAP AAS template if you decide to install AAS.

Q. Where is my SAP NetWeaver software staged when downloaded from the S3 bucket?
A. The SAP NetWeaver software is downloaded to the /sapmnt/SWPM directory on your PAS
instance. The /sapmnt directory is then NFS-shared with your AAS instances. By default,
the directory is shared with all servers whose hostnames begin with the same first three
letters as the PAS instance’s hostname. For example, if your PAS instance’s hostname was
sappas00, the share would be available to servers with the hostname sap*. You may change
this default in your /etc/exports file on the PAS instance.

Q. My SAP NetWeaver silent installation failed. What should I do?


A. The root cause of the installation issue can often be determined from one of these files in
your /tmp directory: /var/log/cfn-init.log, /var/log/cfn-init-cmd.log,
/root/install/install.log, or sapinst_dev.log. Here’s an excerpt from the error
message:
DETAILS: The content has been tampered with and must not be used. SOLUTION: Ensure
that you use the latest available version of Installation Export NW750
You might encounter this error with SAP SWPM 1.0 patch level 21 and above. A common
cause is additional software validation performed by the SWPM tool. For information about
this error, see SAP Note 1680045 - Release Note for Software Provisioning Manager 1.0
(recommended: SWPM 1.0 SP 23).

Q. I encountered a CREATE_FAILED error when I launched the Quick Start. What should
I do?
A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the
template with Rollback on failure set to No. (This setting is under Advanced in the
AWS CloudFormation console, Options page.) With this setting, the stack’s state will be
retained and the instance will be left running, so you can troubleshoot the issue. (You'll
want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

Important When you set Rollback on failure to No, you’ll continue to
incur AWS charges for this stack. Please make sure to delete the stack when
you’ve finished troubleshooting.


The following table lists specific CREATE_FAILED error messages you might encounter.

Error message Possible cause What to do

API: ec2: RunInstances Not The template is referencing an We refresh AMIs on a regular basis, but our
authorized for images: ami- AMI that has expired schedule isn’t always synchronized with AWS
ID AMI updates. If you get this error message,
notify us, and we’ll update the template with the
new AMI ID.
If you’d like to fix the template yourself, you can
download it and update the Mappings section
with the latest AMI ID for your region.

We currently do not have The NAT instance requires Switch to an instance type that supports higher
sufficient m1.small capacity alarger instance type capacity, or complete the request form in the
in the AZ you requested AWS Support Center to increase the Amazon
EC2 limit for the instance type or region. Limit
increases are tied to the region they were
requested for.

The instance configuration You are trying to launch a Check your instance type and try to relaunch it
for this AWS Marketplace RHEL/SLES Marketplace with a supported instance type. If you want to
product is not supported. AMI with an instance type extend the support for your desired instance
Please see link for more that isn’t supported. type, contact the support team and open a
information about support case.
supported instance types,
regions, and operating
systems.

Signal-failure function not Deployment failed for an Contact the support team and open a support
implemented. unknown reason. case.

Not able to access SUSE (or The SAP HANA instance is See if it is possible to temporarily route the
Red Hat) update repository, unable to access the SUSE or Internet traffic by using a NAT instance or NAT
package installation may RHEL update repository to gateway.
fail. download OS packages. The If your Internet traffic has to go through your
possible cause could be that internal proxy, contact your network team for
Internet traffic for the SAP access to the SUSE or RHEL update repository.
HANA instance is not routed For further assistance, open a support case in
through a NAT instance or the AWS Support Center.
NAT gateway.

Error message: The HANA installation did not succeed. Please check installation media.
Possible cause: SAP HANA installation failed or SAP HANA services didn’t start up successfully.
What to do: Verify that you have staged the SAP HANA software properly in the S3 bucket with correct permissions. (See step 2 for details.) Another reason could be that SAP HANA services did not start up after the installation. In either case, consider redeploying your instance with the Install SAP software parameter set to No. The Quick Start redeployment will skip the SAP HANA installation, and you can manually install the SAP HANA software to troubleshoot the issue.

Error message: We currently do not have sufficient instance-type capacity in the AZ you requested.
Possible cause: The Availability Zone where you are trying to deploy your Amazon EC2 resources didn’t have enough capacity, or the instance type may not be available in that particular Availability Zone.
What to do: Retry the deployment with a different instance type, or choose a subnet in a different Availability Zone.

Error message: WaitCondition timed out. Received 0 conditions when expecting 1.
Possible cause: The SAP HANA template did not deploy. The CFN init did not initialize correctly on the PAS instance.
What to do: Double check the pre-requisites for the SAP HANA Quick Start. Create a ticket and attach the /var/log/cfn-init.log file.

Error message: Instance ID did not stabilize
Possible cause: You have exceeded your IOPS for the region
What to do: Request a limit increase by completing the request form in the AWS Support Center.

Error message: SAP master password requirements
Possible cause: Refer to the SAP documentation for password requirements
What to do: Change the master password (HANAMasterPass parameter in step 4), and then relaunch the Quick Start. According to SAP documentation, the master password must meet the following requirements:
• It must be 8 to 14 characters long.
• It must contain at least one letter (a-z, A-Z).
• It must contain at least one digit (0-9).
• It must not contain a backslash (\) or a double quote (").
Additional restrictions may apply, depending on the SAP HANA database:
• Use at least one number, one lowercase letter, and one uppercase letter.
• Use only the following characters: _, a-z, A-Z, 0-9, #, @, $, ! and do not start the password with a number or an underscore ( _ ).
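The password rules above can be checked before the stack is launched, which avoids a failed deployment. The following is an added example, not part of the Quick Start's templates or scripts; the function name and the strict switch are hypothetical, and the strict mode applies the "additional restrictions" listed above.

```python
import re
import string

# Characters allowed under the additional (stricter) restrictions in the guide.
STRICT_ALLOWED = set(string.ascii_letters + string.digits + "_#@$!")


def check_master_password(password, strict=True):
    """Return a list of rule violations; an empty list means the value passes.

    The messages never contain the password itself, so they are safe to log.
    """
    problems = []
    if not 8 <= len(password) <= 14:
        problems.append("length must be 8 to 14 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one letter (a-z, A-Z)")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit (0-9)")
    if "\\" in password or '"' in password:
        problems.append("must not contain a backslash or a double quote")
    if strict:
        if not re.search(r"[a-z]", password):
            problems.append("strict: needs a lowercase letter")
        if not re.search(r"[A-Z]", password):
            problems.append("strict: needs an uppercase letter")
        if set(password) - STRICT_ALLOWED:
            problems.append("strict: only _, a-z, A-Z, 0-9, #, @, $, ! allowed")
        # Guard against the empty string before looking at the first character.
        if password and password[0] in string.digits + "_":
            problems.append("strict: must not start with a number or underscore")
    return problems


if __name__ == "__main__":
    import getpass

    # getpass keeps the candidate value out of the terminal and shell history.
    for line in check_master_password(getpass.getpass("HANAMasterPass: ")):
        print("FAIL:", line)
```
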

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.
A. We recommend that you launch the Quick Start templates from the location we’ve
provided or from another S3 bucket. If you deploy the templates from a local copy on your
computer or from a non-S3 location, you might encounter template size limitations when
you create the stack. For more information about AWS CloudFormation limits, see the AWS
documentation.

Support
If you encounter an issue deploying this Quick Start, check the Troubleshooting section first
to see if the issue is covered. If it isn’t, or the suggested solution doesn’t resolve the issue,
open a support case in the AWS Support Center. Assistance with SAP NetWeaver and SAP
HANA deployment issues requires a subscription to the AWS Business Support plan.

If you’re opening a support case, please attach the /root/install/install.log file from the
SAP HANA master instance, and the /var/log/cfn-init.log file from each of your SAP
NetWeaver instances. For more information, see Troubleshooting AWS CloudFormation on
the AWS website.

Security
The AWS Cloud provides a scalable, highly reliable platform that helps enable customers to
deploy applications and data quickly and securely.

When you build systems on the AWS infrastructure, security responsibilities are shared
between you and AWS. This shared model can reduce your operational burden as AWS
operates, manages, and controls the components from the host operating system and
virtualization layer down to the physical security of the facilities in which the services
operate. In turn, you assume responsibility and management of the guest operating system
(including updates and security patches), other associated application software such as SAP
HANA, as well as the configuration of the AWS-provided security group firewall. For more
information about security on AWS, visit the AWS Security Center.

Network Security
The default network security setup of this solution follows security best practices of AWS.
The provisioned SAP NetWeaver instances are configured to allow access only to the private
subnets in your VPC. SSH access to the SAP NetWeaver instance is allowed from the public
subnets by default. To allow access from traffic beyond your VPC, you have two options:
• Update the security group created during the provisioning process to include the public subnet CIDR block and ports that you want to allow access for.
• Restrict access to a known CIDR block (of your network) if there is a provisioned Direct Connect or VPN tunnel between your own data center and AWS.
For more information about allowing access from public subnets, see Changing the Security
Group Configuration earlier in this guide.

Identity and Access Management (IAM)
This solution uses an IAM role with least-privilege access. It is not necessary or recommended to store SSH keys, secret keys, or access keys on the provisioned instances.

OS Security
The root user on Linux or the administrator on the Windows RDP instance can be accessed
only by using the SSH key specified during the deployment process. AWS does not store
these SSH keys, so if you lose your SSH key, you can lose access to these instances.
Operating system patches are your responsibility and should be performed on a periodic
basis.

Security Groups
A security group acts as a firewall that controls the traffic for one or more instances. When
you launch an instance, you associate one or more security groups with the instance. You
add rules to each security group that allow traffic to or from its associated instances. You
can modify the rules for a security group at any time. The new rules are automatically
applied to all instances that are associated with the security group.
The security groups created and assigned to the individual instances as part of this solution
are restricted as much as possible while allowing access to the various functions of SAP
NetWeaver and SAP HANA.
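After you change a security group as described under Network Security, you can confirm that every ingress source still falls inside a CIDR block you trust. The following is an added example, not part of the Quick Start; the function name, group IDs, and CIDR values are constructed, and the input is assumed to have the JSON shape returned by aws ec2 describe-security-groups.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.128.0/20"}, {"CidrIp": "0.0.0.0/0"},
                  {"CidrIp": "192.168.10.0/24"}]}
  ]},
  {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/19"}, {"CidrIp": "172.16.0.0/12"}]}
  ]}
]}
""")


def find_broad_ingress(doc, trusted_cidrs):
    """Return (group_id, ports, cidr) for each IPv4 ingress source that is
    not fully contained in one of the trusted CIDR blocks."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            # Protocol "-1" means all protocols and ports; no port fields exist.
            if perm.get("IpProtocol") == "-1":
                ports = "all"
            else:
                ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                # subnet_of() raises on mixed IP versions, so compare versions first.
                covered = any(
                    t.version == net.version and net.subnet_of(t) for t in trusted
                )
                if not covered:
                    findings.append((group["GroupId"], ports, str(net)))
    return findings


if __name__ == "__main__":
    # Assumed trusted ranges: the VPC CIDR and one on-premises network.
    for finding in find_broad_ingress(SAMPLE, ["10.0.0.0/16", "192.168.10.0/24"]):
        print("REVIEW:", *finding)
```
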

Additional Resources
AWS services
• AWS CloudFormation
https://aws.amazon.com/documentation/cloudformation/
• Amazon EBS
– User guide
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
– Volume types
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
– Optimized instances
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
• Amazon EC2
– User guide for Microsoft Windows
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
– User guide for Linux
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/
– X1 instances
https://aws.amazon.com/ec2/instance-types/x1/
• Amazon VPC
https://aws.amazon.com/documentation/vpc/

SAP NetWeaver documentation
• SAP NetWeaver help
https://help.sap.com
• SAP Notes and Knowledge Base articles
https://support.sap.com/notes

SAP HANA on AWS
• SAP HANA Quick Start
https://docs.aws.amazon.com/quickstart/latest/sap-hana/
• SAP HANA on AWS Implementation and Operations Guide
https://d0.awsstatic.com/enterprise-marketing/SAP/SAP_HANA_on_AWS_Implementation_and_Operations_Guide.pdf
• High Availability and Disaster Recovery Options for SAP HANA on AWS
https://d0.awsstatic.com/enterprise-marketing/SAP/sap-hana-on-aws-high-availability-disaster-recovery-guide.pdf
• Setting up AWS Resources and SLES for SAP HANA Installation
https://d0.awsstatic.com/enterprise-marketing/SAP/SAP-HANA-on-AWS-Manual-Setup-Guide.pdf
• Migrating SAP HANA Systems to X1 Instances on AWS
https://d0.awsstatic.com/enterprise-marketing/SAP/migrating-sap-hana-to-x1-on-aws.pdf
• Additional information about SAP solutions on AWS
https://aws.amazon.com/sap/whitepapers/

Quick Start reference deployments
• Additional reference deployments
https://aws.amazon.com/quickstart/

GitHub Repository
You can visit our GitHub repository to download the templates and scripts for this Quick
Start, to post your feedback, and to share your customizations with others.

Document Revisions
Date: June 2018
Change: Added support for SAP NetWeaver 7.5 and Amazon EFS
In sections: Changes in templates and throughout guide

Date: December 2017
Change: Added instructions for using the latest SAP kernel patch levels
In sections: Step 3, KERN_CD

Date: December 2017
Change: Initial publication
In sections: —

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
