SAP NetWeaver on the AWS Cloud for AS ABAP and SAP HANA
Quick Start Reference Deployment

Somckit Khemmanivanh and Santiago Cardenas
Solutions Architects, Amazon Web Services
December 2017

Supports SAP NetWeaver 7.4 Support Release 2
SAP HANA Platform Edition 1 SPS 9–12 and SAP HANA Platform Edition 2 SPS 0–2

Amazon Web Services – SAP NetWeaver ABAP on the AWS Cloud

December 2017

Contents

  About This Guide
  Quick Links
  About Quick Starts
Overview
  SAP NetWeaver on AWS
  Cost and Licenses
  AWS Services
Architecture
  SAP NetWeaver ABAP Instances
  Implementation Details
Planning the Deployment
  Deployment Options
  Prerequisites
Deployment Steps
  Step 1. Prepare Your AWS Account
  Step 2. Perform Prerequisite Tasks for SAP HANA
  Step 3. Download the SAP NetWeaver Software
  Step 4. Launch the Quick Start
  Step 5. Verify Your Deployment
    Changing the Security Group Configuration
    Using SAP GUI
    Using OS-Level Access
Troubleshooting
Support
Security
  Network Security
  Identity and Access Management (IAM)
  OS Security
  Security Groups
Additional Resources
Send Us Feedback
Document Revisions

About This Guide

This Quick Start deployment guide describes how to deploy an SAP NetWeaver Application Server (AS) Advanced Business Application Programming (ABAP) system on the Amazon Web Services (AWS) Cloud, using AWS CloudFormation templates that automate the deployment.

The guide is for IT infrastructure architects, administrators, and DevOps professionals who are planning to implement or extend their SAP workloads on the AWS Cloud.

This guide provides infrastructure and configuration information for planning and deploying an SAP infrastructure on the AWS Cloud. It doesn’t cover general installation and software configuration tasks for SAP. For general guidance and best practices, consult the SAP product documentation.

Quick Links

The links in this section are for your convenience. Before you launch the Quick Start, please review the architecture, configuration, network security, and other considerations discussed in this guide.

If you have an AWS account, and you’re already familiar with AWS services and SAP NetWeaver, you can launch the Quick Start to build the architecture shown in Figure 1 in a new or existing virtual private cloud (VPC). The deployment takes approximately 2 hours and 45 minutes. If you’re new to AWS or to SAP NetWeaver, please review the implementation details and follow the step-by-step instructions provided later in this guide.

Launch (for new VPC)


Launch (for existing VPC)


If you want to take a look under the covers, you can view the AWS CloudFormation templates that automate the deployment.

View template (for new VPC)

View template (for existing VPC)

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

Overview

SAP NetWeaver provides a set of technologies for running SAP business applications and for integrating people, processes, and information. SAP NetWeaver serves as the technical foundation for SAP’s ABAP and Java-based applications. This Quick Start deploys SAP NetWeaver AS ABAP, which supports the development of ABAP-based applications for SAP HANA databases. For a detailed description of SAP NetWeaver, see the SAP NetWeaver Master Guide on the SAP website.

This Quick Start helps you deploy a complete SAP NetWeaver system on AWS. The deployment includes an SAP application tier, an SAP HANA database tier, and Remote Desktop Protocol (RDP) and bastion hosts. The Quick Start also provisions a virtual private cloud (VPC) to house all these components.

SAP NetWeaver on AWS

The AWS Cloud provides a suite of infrastructure services that enable you to deploy SAP NetWeaver in a highly available, fault-tolerant, and cost-effective way. By deploying SAP NetWeaver on the AWS Cloud, you can take advantage of the functionality of SAP along with the flexibility and security of AWS.

Note This Quick Start supports SAP NetWeaver 7.4 Support Release 2 (SP2). Other versions of SAP NetWeaver may work but have not been tested with this Quick Start.

This Quick Start currently supports the following versions of the SUSE Linux Enterprise Server (SLES) operating system for SAP NetWeaver AS ABAP: SLES 11 SP3, SLES 12, SLES 12 SP1, and SLES 12 SP2. For a list of supported operating systems for SAP HANA, see the SAP HANA Quick Start deployment guide.

Cost and Licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

This deployment uses a Bring Your Own License (BYOL) model for SAP. You must already own licenses for SAP, and you must be authorized to download software from the SAP Software Download Center (SWDC).

For the SAP NetWeaver deployment, this Quick Start launches the Amazon Machine Image (AMI) for SLES 11 SP4, SLES 12, or SLES 12 SP1, which includes the license for the SLES operating system. For the SAP HANA deployment, the Quick Start launches the AMI for the operating system you choose (SLES, SLES for SAP, or RHEL), and the license cost for the operating system is included in the Amazon EC2 hourly price. There is an additional software cost for SLES for SAP AMIs.

AWS Services

The core AWS components used by this Quick Start include the following services and features. (If you are new to AWS, see the Getting Started Resource Center.)

Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.




Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.



Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. EBS volumes provide the consistent and low-latency performance needed to run your workloads.



Amazon Route 53 – Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service.



Automatic recovery – Automatic recovery is a feature of Amazon EC2 that is designed to increase instance availability. You can enable automatic recovery for an instance by creating an Amazon CloudWatch alarm that monitors the instance and automatically recovers it if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. A recovered instance is identical to the original instance and has the same instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. This Quick Start optionally enables automatic recovery on SAP HANA nodes for you.



AWS CloudFormation – AWS CloudFormation gives you an easy way to create and manage a collection of related AWS resources, and provision and update them in an orderly and predictable way. You use a template to describe all the AWS resources (e.g., EC2 instances) that you want. You don't have to individually create and configure the resources or figure out dependencies—AWS CloudFormation handles all of that.



Amazon CloudWatch – Amazon CloudWatch monitors your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.



NAT Gateway – NAT Gateway is an AWS managed service that controls network address translation (NAT) gateway resources. A NAT gateway is a device that enables instances in a private subnet to connect to the internet or to other AWS services, but prevents the internet from connecting to those instances.



IAM – AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. With IAM, you can manage users, security credentials such as access keys, and permissions that control which AWS resources users can access, from a central location.


Architecture

This Quick Start uses AWS CloudFormation, AWS Command Line Interface (AWS CLI) for Linux, and custom scripts to deploy an SAP NetWeaver ABAP stack with an SAP HANA database on AWS. AWS CloudFormation creates and manages the AWS and SAP resources. AWS CLI for Linux enables you to configure AWS resources from the command line.

This Quick Start includes options for deploying the SAP NetWeaver ABAP stack with single-node or multi-node SAP HANA configurations. Deploying the Quick Start for a new VPC builds the following SAP NetWeaver environment in the AWS Cloud.

Figure 1: SAP NetWeaver ABAP architecture on AWS (with optional AAS shown)


The Quick Start deploys and configures the following components: 

A highly available architecture that spans two Availability Zones.*



A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*



An internet gateway to allow access to the internet.*



In the public subnets:

  – Bastion host instances in an Auto Scaling group to allow inbound SSH (Secure Shell) access to the SAP instances in the private subnets.*

  – Managed NAT gateways to allow outbound internet access for the SAP instances in the private subnets.*

  – An optional EC2 instance with Windows Server to host SAP GUI and SAP HANA Studio. You can install both SAP GUI and SAP HANA Studio manually to administer your SAP HANA database.

In the private subnets:

  – EC2 instance(s) to host the SAP NetWeaver software and SAP HANA database, and EBS volumes configured to meet or exceed SAP HANA storage key performance indicators (KPIs).

Note This Quick Start only supports the SLES operating system for the SAP NetWeaver instances, but SAP HANA is supported with your choice of Linux operating systems (SLES, SLES for SAP, or RHEL for SAP HANA).





An optional automated installation of the SAP NetWeaver AS ABAP and SAP HANA software.



A Primary Application Server (PAS) instance. This is the core component of an SAP system. It provides all SAP system utilities. At least one PAS instance must exist in each SAP system.



An optional automated installation of Additional Application Server (AAS) instances. In Figure 1, these are labeled AAS-1, AAS-2 and AAS-x, where x represents up to 90 application servers.

An IAM instance role with fine-grained permissions for access to the AWS services necessary for the deployment process.




Three security groups for fine-grained inbound access control from the bastion host, between the database instances, and for application access to the database.



AWS CLI and an instance role for installation bucket access.



An Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

SAP NetWeaver ABAP Instances

The SAP NetWeaver installation is automated with the SAP Software Provisioning Manager (SWPM). Here’s what you would see in the SAP SWPM tool for each instance type:



ASCS instance – This instance is the central point of communication and synchronization for the ABAP application server instances. It consists of the message server and the enqueue server for the ABAP stack.



Database instance – The ABAP stack uses its own database schema in the database. The Quick Start installs the ABAP SAP Central Services (ASCS) instance before installing the database instance.



Primary Application Server (PAS) instance – PAS is the core component of an SAP system. It provides all SAP system utilities. At least one PAS instance must exist in each SAP system.



Additional Application Server (AAS) instance – You can optionally install AAS instances to scale out your SAP application tier.

For additional details about the SAP NetWeaver AS ABAP architecture, see the SAP documentation.


Implementation Details

The Quick Start uses nested templates to deploy the SAP NetWeaver environment. It first launches the master template, and then calls additional templates in this order:

1. VPC template to create the VPC, subnets, internet gateway, and other infrastructure components.
2. Bastion host template to create the bastion host and Auto Scaling group.
3. SAP NetWeaver template to install the SAP HANA instance (by calling the SAP HANA template) and RDP host. After the SAP HANA instance has been installed, the ASCS, database, and PAS instances will be installed.
4. Optional SAP App server template to create the SAP AAS instances.

All SAP instances are silently installed on a base AMI to ensure that the latest AMI is always chosen when the EC2 instance launches. The installation is automated with SWPM. The Quick Start requires the SAP software media to be made available in an S3 bucket, and will download the media to run the silent installation.

In addition to installing SAP, the Quick Start provisions and performs configuration management on each EC2 instance, including:

Setting the time zone on the server



Setting up Network Time Protocol (NTP) on the server



Installing the AWS Systems Manager agent (SSM agent)



Setting up the uuidd daemon; see SAP Note 1391070 (login required)



Installing the AWS CLI



Applying SAP best practices from SAP Notes 2205917 and 2292711 (login required)



Installing the AWS for SAP Data provider (required for SAP support, see SAP Note 1656250)



Configuring the SWPM silent installation files



Creating and attaching EBS volumes for the /usr/sap/ file system


Planning the Deployment

Deployment Options

This Quick Start provides two deployment options:

Deploy SAP NetWeaver AS ABAP into a new VPC (end-to-end deployment) – This option builds a new AWS environment consisting of a VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components, and then deploys the SAP NetWeaver AS ABAP stack into this new VPC.



Deploy SAP NetWeaver ABAP into an existing VPC – This option provisions the SAP NetWeaver ABAP stack in your existing AWS infrastructure.

The Quick Start also lets you configure additional settings such as CIDR blocks, instance types, and SAP NetWeaver and SAP HANA settings, as discussed later in this guide.

Prerequisites

The SAP NetWeaver ABAP Quick Start is integrated with the SAP HANA Quick Start. Therefore, all the prerequisites for the SAP HANA Quick Start apply to this deployment as well. For example, if you would like the Quick Start to install the SAP HANA software automatically, you must download and stage the SAP HANA software by following the instructions in the SAP HANA Quick Start guide. These prerequisites are discussed in step 2 of the deployment steps.

Deployment Steps

The procedure for deploying the SAP NetWeaver AS ABAP architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.

Step 1. Prepare your AWS account
This involves signing up for an AWS account, choosing a region, creating a key pair, and requesting increases for account limits, if necessary.

Step 2. Perform prerequisite tasks for SAP HANA (skip this step if you don’t want to install SAP HANA software with this deployment)
In this step, you’ll take care of preliminary steps for deploying SAP HANA with SAP NetWeaver AS ABAP.

Step 3. Download the SAP NetWeaver software (skip this step if you don’t want to install SAP NetWeaver software with this deployment)
This step involves downloading the SAP NetWeaver software from SAP and placing the files in an S3 bucket.

Step 4. Launch the Quick Start
In this step, you’ll launch the AWS CloudFormation template into your AWS account, specify parameter values, and create the stack. The Quick Start provides separate templates for end-to-end deployment and deployment into an existing VPC.

Step 5. Access SAP NetWeaver and SAP HANA to verify your deployment
You can access the SAP NetWeaver systems by using SAP GUI or through SSH and the bastion host. You can access SAP HANA either through SAP HANA Studio or through the bastion host.

Step 1. Prepare Your AWS Account

1. If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

2. Use the region selector in the navigation bar to choose the AWS Region where you want to deploy SAP NetWeaver on AWS. For more information, see Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Each Region includes at least two Availability Zones that are isolated from one another but connected through low-latency links.

Figure 2: Choosing an AWS Region

Consider choosing a region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network.

3. Create a key pair in your preferred region. To do this, in the navigation pane of the Amazon EC2 console, choose Key Pairs, Create Key Pair, type a name, and then choose Create.

Figure 3: Creating a key pair

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To log in to your instances, you must create a key pair. With Windows instances, you use the key pair to obtain the administrator password via the Amazon EC2 console, and then log in using RDP, as explained in the Amazon EC2 User Guide. On Linux, the key pair is used to authenticate SSH login.

4. If necessary, request a service limit increase for the EC2 instance types you’re using in this deployment. To do this, in the AWS Support Center, choose Create Case, Service Limit Increase, EC2 instances, and then complete the fields in the limit increase form.

You might need to request an increase if you already have an existing deployment that uses this instance type, and you think you might exceed the default limit with this reference deployment. It might take a few days for the new service limit to become effective. For more information, see the Amazon EC2 User Guide.

Figure 4: Requesting a service limit increase

Step 2. Perform Prerequisite Tasks for SAP HANA

Skip this step if you don’t want to install SAP HANA with this deployment.

This Quick Start gives you the option of installing SAP HANA along with SAP NetWeaver. If you want to include SAP HANA in your deployment, follow these instructions in the SAP HANA deployment guide:

See the Planning the Deployment section of the SAP HANA deployment guide to understand your memory and storage options for SAP HANA.



Subscribe to the AMI for RHEL for SAP HANA or SLES for SAP in AWS Marketplace.



Download and stage the SAP HANA software, by following the instructions in step 3 of the SAP HANA deployment guide.


Step 3. Download the SAP NetWeaver Software

Skip this step if you don’t want to install SAP NetWeaver during this deployment.

This Quick Start is designed to work with SAP NetWeaver release 7.4 SP2. Before you launch the Quick Start, you must download, extract, and stage the SAP media for SAP NetWeaver in an S3 bucket using a specific structure.

1. Download and extract the SAP media by following the instructions in the SAP documentation.

2. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3.

3. Choose Create bucket.

4. In the Create bucket dialog box, provide a name for your new bucket, choose the region where you want to create your bucket (this should be a region that is close to your location), and then choose Create. For detailed information about bucket names and region selection, see the Amazon S3 documentation.

5. Choose the bucket you created, choose the Permissions tab, and set permissions to ensure that only you and authorized personnel from your organization have access to this bucket. You can also set up an IAM or bucket policy to provide fine-grained access. For details, see Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 documentation.

6. In the bucket you created, create the following S3 prefix structure to organize your SAP downloads. (Amazon S3 doesn’t provide folders, but you simulate a folder structure by using key name prefixes.) Your S3 prefixes should be named exactly as shown.

Figure 5: Key name prefixes for SAP NetWeaver downloads

7. Choose Upload to place the extracted SAP NetWeaver software under the appropriate key name prefix. The SAP media must be extracted and named exactly as follows for each SAP software CD:

SAP CD label and CD number | Upload to S3 key name prefix
SAP NETWEAVER 7.4 SR2 OS independent Number 51050819_1 | EXP_CD
SAP HANA PLATFORM EDIT. 1.0 Client for all supported Operating Systems SPS07 Rev. 74 Number 51048410 | HDB_CLNTCD
SAP DC Kernel 7.45 Linux on x86_64 64bit 51051055_3 | KERN_CD
IND:SLTOOLSET:1.0:SWPM:*:LINUX_X86_64:* | sapinst

Note Place only the media files listed in this table in the S3 bucket. Do not place multiple software versions in the same location.

For example, you would extract and store the CD 51050819_1 in the prefix EXP_CD, which you created in your S3 bucket. Here are examples of the extracted files in each key name prefix.

EXP_CD:

Figure 6: Extracted files in EXP_CD


HDB_CLNTCD:

Figure 7: Extracted files in HDB_CLNTCD

KERN_CD:

Figure 8: Extracted files in KERN_CD


If you would like to use the latest SAP kernel patch levels (instead of the SAP kernel files in CD 51051055_3), you can download the appropriate SAP kernel patch files and replace the SAPEXE.SAR and SAPEXEDB.SAR files in these corresponding 51051055_3 directories: 

KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP



KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/HDB

You can use whichever patch level you need. For example, if you want to run SAP kernel patch level 400, the correct SAPEXE and SAPEXEDB files are:

You will need to rename the files as follows (using SAP kernel patch level 400 files as an example):

Rename SAPEXE_400-80000699.SAR to:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR

Rename SAPEXEDB_400-80000698.SAR to:
KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64/HDB/SAPEXEDB.SAR

Here are sample commands (assuming that your current directory is /tmp/KERN_CD):

    # Run from /tmp/KERN_CD
    mv SAPEXE_400-80000699.SAR DATA_UNITS/K_745_U_LINUX_X86_64/DBINDEP/SAPEXE.SAR
    mv SAPEXEDB_400-80000698.SAR DATA_UNITS/K_745_U_LINUX_X86_64/HDB/SAPEXEDB.SAR
    aws s3 sync /tmp/KERN_CD s3://my-sw-bucket/KERN_CD/


sapinst:

Figure 9: Extracted files in sapinst
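
The staging rules in this step (exact key name prefixes, renamed kernel archives, nothing else in the bucket) can be checked before the stack is launched. The following Python check is an added example, not part of the original guide or the Quick Start's own code; the function name, the finding messages, and every sample object name other than the two kernel archive paths are constructed for illustration.

```python
import re

# Key name prefixes from the media table in this step; S3 keys are case-sensitive.
REQUIRED_PREFIXES = ("EXP_CD", "HDB_CLNTCD", "KERN_CD", "sapinst")

# After a kernel patch swap, the archives must carry exactly these names.
KERNEL_DIR = "KERN_CD/DATA_UNITS/K_745_U_LINUX_X86_64"
KERNEL_ARCHIVES = (
    KERNEL_DIR + "/DBINDEP/SAPEXE.SAR",
    KERNEL_DIR + "/HDB/SAPEXEDB.SAR",
)

# Downloaded patch archives keep names like SAPEXE_400-80000699.SAR until renamed.
UNRENAMED_PATCH = re.compile(r"^SAPEXE(DB)?_\d+-\d+\.SAR$")


def check_staged_media(keys):
    """Return a list of findings for a flat listing of S3 object keys."""
    # Ignore empty entries and zero-byte "folder" markers such as "EXP_CD/".
    objects = [k.lstrip("/") for k in keys if k and not k.endswith("/")]
    top_level = {k.split("/", 1)[0] for k in objects}
    findings = []

    for prefix in REQUIRED_PREFIXES:
        if prefix not in top_level:
            findings.append(f"missing prefix {prefix}/")

    # Anything outside the four prefixes is either a misnamed prefix or stray
    # content; the guide asks for only the listed media in the bucket.
    by_lower = {p.lower(): p for p in REQUIRED_PREFIXES}
    for name in sorted(top_level - set(REQUIRED_PREFIXES)):
        wanted = by_lower.get(name.lower())
        if wanted:
            findings.append(f"prefix {name}/ must be named {wanted}/")
        else:
            findings.append(f"unexpected top-level entry {name}")

    if "KERN_CD" in top_level:
        for archive in KERNEL_ARCHIVES:
            if archive not in objects:
                findings.append(f"missing kernel archive {archive}")
        for key in objects:
            basename = key.rsplit("/", 1)[-1]
            if key.startswith("KERN_CD/") and UNRENAMED_PATCH.match(basename):
                findings.append(f"unrenamed patch archive {key}")
    return findings


# Constructed sample listings (object names are illustrative, not real media contents).
GOOD_LISTING = [
    "EXP_CD/LABEL.ASC",
    "HDB_CLNTCD/LABEL.ASC",
    KERNEL_ARCHIVES[0],
    KERNEL_ARCHIVES[1],
    "sapinst/sapinst",
]
BAD_LISTING = [
    "exp_cd/LABEL.ASC",                                # prefix in the wrong case
    "HDB_CLNTCD/LABEL.ASC",
    KERNEL_DIR + "/DBINDEP/SAPEXE_400-80000699.SAR",   # patch file not renamed
    KERNEL_ARCHIVES[1],
    "sapinst/sapinst",
]

if __name__ == "__main__":
    for label, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(label, check_staged_media(listing) or "layout OK")
```

Feed the function the key column of a recursive listing of the staging bucket; an empty result means the layout matches the table and rename rules above.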

Step 4. Launch the Quick Start

Note You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start. Prices are subject to change.

8. Choose one of the following options to launch the AWS CloudFormation template into your AWS account. For help choosing an option, see deployment options earlier in this guide.

Option 1 | Option 2
Deploy SAP NetWeaver into a new VPC on AWS | Deploy SAP NetWeaver into an existing VPC on AWS
Launch | Launch

Important If you’re deploying SAP NetWeaver into an existing VPC, make sure that your VPC has two private subnets in different Availability Zones. These subnets require NAT gateways or NAT instances in their route tables, to allow the instances to download packages and software without exposing them to the internet. You will also need the domain name option configured in the DHCP options, as explained in the Amazon VPC documentation. You’ll be prompted for your VPC settings when you launch the Quick Start.

Each deployment takes about 2 hours and 45 minutes to complete.

9. Check the region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for SAP NetWeaver will be built. The template is launched in the US East (Ohio) Region by default.

10. On the Select Template page, keep the default setting for the template URL, and then choose Next.

11. On the Specify Details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

In the following tables, parameters are listed by category and described separately for the two deployment options:





Parameters for deploying SAP NetWeaver into a new VPC



Parameters for deploying SAP NetWeaver into an existing VPC

Option 1: Parameters for deploying SAP NetWeaver into a new VPC

View template

Network infrastructure details:

Parameter label (name) | Default | Description
Availability Zones (AvailabilityZones) | Requires input | The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify.
VPC CIDR (VPCCIDR) | 10.0.0.0/16 | CIDR block for the VPC.
Private subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | CIDR block for the private subnet located in Availability Zone 1.
Private subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | CIDR block for the private subnet located in Availability Zone 2.
Public subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public (DMZ) subnet located in Availability Zone 1.
Public subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public (DMZ) subnet located in Availability Zone 2.
CIDR block for RDP & Bastion access (RemoteAccessCIDR) | Requires input | The CIDR IP range that is permitted to access the instances in your private subnets. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software.

HANA Server and storage configuration:

Parameter label (name)

Default

Description

Operating system version for HANA (MyOSHANA)

SuSE-Linux-12SP1-HVM

Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.)

SAP HANA Server host name (SAPHANAHostname)

saphanaqs

Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.)

SAP HANA Server (HANAInstanceType)

r4.4xlarge

EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide).

SAP HANA host count (HANAHostCount)

1

Total number of nodes you want to deploy in the SAP HANA cluster.

SAP HANA password (HANAMasterPass)

Requires input

SAP HANA password to use during installation.

Enable encryption (Encryption)

No

Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes.

EBS storage volume type (VolumeType)

gp2

Amazon EBS storage type to be used for SAP HANA data and log volumes: General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For details, see Storage Configuration for SAP HANA in the SAP HANA deployment guide.)

SSH key pair (KeyName)

Requires input

An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start.

S3 bucket for HANA s/w. (HANAInstallMedia)

s3:// /

Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.)

Enable AWS CloudTrail & AWS Config logs (EnableLogging)

No

Set to Yes to enable logging with AWS CloudTrail and AWS Config.

S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket)

Optional

S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail).

SAP NetWeaver Cluster setup and configuration:

Parameter label (name)

Default

Description

R53 private hosted zone (HostedZoneName)

Requires input

The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local.

O.S. version for SAP Servers (SLES only) (MyOS)

SuSE-Linux-12SP1-HVM

Operating system version (SLES only) for the SAP servers.

EC2 Auto Recovery (AutoRecoveryPAS)

Yes

Set to No to disable the automatic recovery feature on your PAS nodes.

SAP PAS Server host name (SAPPASHostname)

sappas00

Host name (DNS short name) to use for the SAP PAS.

SAP system ID (SID)

HDB

SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored.

SAP PAS Server type (MyInstanceType)

r4.xlarge

EC2 instance type for the SAP PAS.

SAP instance number (SAPInstanceNum)

00

SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored.

SIDadm user id (SIDadmUID)

1001

UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored.

SAP Server timezone (SAPTZ)

UC

The time zone of your SAP server (PT, CT, ET, or UTC).

S3 bucket for SAP NetWeaver s/w. (SAPInstallMediaBucket)

my-sw-bucket

Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored.

S3 Key Prefix for SAP NetWeaver s/w. (SAPInstallMediaKeyPrefix)

my/sw/version/

Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored.

Install SAP software (InstallSAP)

Yes

Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure.

SAP Additional App Server setup and configuration:

Parameter label (name)

Default

Description

SAP AAS Server host name (SAPAASHostname)

sapaas00

Host name template to use for the SAP Additional Application Server (AAS).

SAP Additional App Server instance type (AASMyInstanceType)

r4.xlarge

EC2 instance type for SAP AAS.

EC2 Auto Recovery (AutoRecoveryAAS)

Yes

Set to No to disable the automatic recovery feature on your AAS nodes.

Install SAP Additional App Server (InstallSAPAAS)

No

Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only the SAP ASCS, SAP HANA, and PAS.

Optional configuration:

Parameter label (name)

Default

Description

Install RDP and Bastion (InstallRDPAndBastionInstance)

Yes

Set to Yes if you want to install the RDP and bastion host instances.

RDP instance (RDPInstanceType)

c4.large

EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP and Bastion parameter is set to No.

Bastion host (BASTIONInstanceType)

t2.small

EC2 instance type for the bastion host instances. This parameter will be ignored if the Install RDP and Bastion parameter is set to No.

Advanced configuration:



Parameter label (name)

Default

Description

Quick Start S3 Bucket Name (QSS3BucketName)

quickstartreference

S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 Key Prefix (QSS3KeyPrefix)

sap/netweaver/abap/latest/

The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.

Option 2: Parameters for deploying SAP NetWeaver into an existing VPC

Network Configuration:

Parameter label (name)

Default

Description

VPC ID (VPCID)

Requires input

ID of your existing VPC (e.g., vpc-0343606e).

1st Private Subnet CIDR (PrivateSubnet1CIDR)

10.0.0.0/19

CIDR block for the private subnet in Availability Zone 1 in your existing VPC.

2nd Private Subnet CIDR (PrivateSubnet2CIDR)

10.0.32.0/19

CIDR block for the private subnet in Availability Zone 2 in your existing VPC.

1st Public Subnet CIDR (PublicSubnet1CIDR)

10.0.128.0/20

CIDR block for the public (DMZ) subnet in Availability Zone 1 in your existing VPC.

2nd Public Subnet CIDR (PublicSubnet2CIDR)

10.0.144.0/20

CIDR block for the public (DMZ) subnet in Availability Zone 2 in your existing VPC.

1st Private Subnet ID (PrivateSubnet1ID)

Requires input

ID of the private subnet in Availability Zone 1 in your existing VPC.

1st Public Subnet ID (PublicSubnet1ID)

Requires input

ID of the public subnet in Availability Zone 1 in your existing VPC.

HANA Server and storage configuration:

Parameter label (name)

Default

Description

O.S. version for SAP HANA Servers (MyOSHANA)

SuSE-Linux-12SP1-HVM

Operating system and version to be used for SAP HANA servers. You can choose from various SLES and RHEL versions. (For more information, see the Operating System for Deployment section in the SAP HANA deployment guide.)

SAP HANA Server host name (SAPHANAHostname)

saphanaqs

Host name to use for SAP HANA database. (The SAP Application Server must be able to access the SAP HANA server.)

SAP HANA Server (HANAInstanceType)

r4.4xlarge

EC2 instance type for SAP HANA nodes. (For more information, see the AWS Instance Types for SAP HANA section in the SAP HANA deployment guide).

SAP HANA host count (HANAHostCount)

1

Total number of nodes you want to deploy in the SAP HANA cluster.

SAP HANA password (HANAMasterPass)

Requires input

SAP HANA password to use during installation.

Enable encryption (Encryption)

No

Set to Yes to enable encryption for all volumes (except root) created for SAP HANA nodes.

EBS storage volume type (VolumeType)

gp2

Amazon EBS storage type to be used for SAP HANA data and log volumes. You can choose General Purpose SSD (gp2) or Provisioned IOPS SSD (io1). (For more information, see the Storage Configuration for SAP HANA section in the SAP HANA deployment guide.)

SSH key pair (KeyName)

Requires input

An existing public/private key pair, which enables you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region. This key pair can be used with all EC2 instances launched by the Quick Start.

S3 bucket for HANA s/w. (HANAInstallMedia)

s3:// /

Full path to the Amazon S3 location where you’ve placed the SAP HANA software. Make sure that the format is correct (e.g., s3://mysapbucket/HANA-media/); otherwise, the installation will fail. (For more information, see step 3 in the SAP HANA deployment guide.)

Enable AWS CloudTrail & AWS Config logs (EnableLogging)

No

Set to Yes to enable logging with AWS CloudTrail and AWS Config.

S3 bucket for AWS CloudTrail & AWS Config logs (CloudTrailS3Bucket)

Optional

S3 bucket where AWS CloudTrail and AWS Config logs can be stored (e.g., mycloudtrail).

SAP NetWeaver Cluster setup and configuration:

Parameter label (name)

Default

Description

R53 private hosted zone (HostedZoneName)

Requires input

The Amazon Route 53 private hosted zone to host the SAP HANA and SAP NetWeaver ABAP server names. This private hosted zone is dedicated to the VPC that was created by the Quick Start. You can optionally choose to use the private hosted zone from your on-premises networks. Use a fully qualified domain name; e.g., mycompany.local.

SAP PAS Server host name (SAPPASHostname)

sappas00

Host name (DNS short name) to use for the SAP PAS.

SAP system ID (SID)

HDB

SAP system ID for installation and setup. If you set Install SAP software to No, this parameter is ignored.

SAP instance number (SAPInstanceNum)

00

SAP instance number to use for installation and setup, and to open ports for security groups. If you set Install SAP software to No, this parameter is ignored.

SIDadm user id (SIDadmUID)

1001

UID for the SIDadm user. If you set Install SAP software to No, this parameter is ignored.

SAP Server timezone (SAPTZ)

UC

The time zone of your SAP server (PT, CT, ET, or UTC).

SAP NetWeaver password (SAPNetWeaverPass)

Requires input

SAP NetWeaver password to use during installation. For now, use the password you specified for SAP HANA.

S3 bucket for SAP s/w (SAPInstallMediaBucket)

my-sw-bucket

Name of the S3 bucket for your SAP NetWeaver software, from step 3. This should just be the bucket name; do not include s3://. For more information, see step 3. If you set Install SAP software to No, this parameter is ignored.

S3 Key Prefix for SAP s/w (SAPInstallMediaKeyPrefix)

my/sw/version/

Path to the key prefix where your SAP NetWeaver software is installed, from step 3. Leave blank if your structure isn’t nested. For example, if you placed the EXP_CD software in s3://my-sw-bucket/my/sw/version/EXP_CD, enter my/sw/version/. If you placed the software in s3://my-sw-bucket/EXP_CD, leave this parameter blank. If you set Install SAP software to No, this parameter is ignored.

SAP Primary App Server (MyInstanceType)

r4.xlarge

EC2 instance type for the SAP PAS.

O.S. version for SAP Servers (SLES only) (MyOS)

SuSE-Linux-12SP1-HVM

Operating system version (SLES only) for the SAP servers.

EC2 Auto Recovery (AutoRecoveryPAS)

Yes

Set to No to disable the automatic recovery feature on your PAS nodes.

Install SAP software (InstallSAP)

Yes

Set to No if you don’t want to install SAP NetWeaver. If you choose No, the Quick Start will provision only the AWS infrastructure.

SAP Additional App Server setup and configuration:

Parameter label (name)

Default

Description

SAP AAS Server host name (SAPAASHostname)

sapaas00

Host name template to use for the SAP Additional Application Server (AAS).

SAP Additional App Server instance type (AASMyInstanceType)

r4.xlarge

EC2 instance type for SAP AAS.

AAS Private Subnet ID (PrivateSubnetID)

Optional

The existing private subnet to use for deploying SAP AAS.

EC2 Auto Recovery (AutoRecoveryAAS)

Yes

Set to No to disable the automatic recovery feature on your AAS nodes.

Install SAP Additional App Server (InstallSAPAAS)

No

Set to No if you don’t want to install SAP AAS. If you choose No, the Quick Start will install only SAP ASCS, DB, and PAS.

Optional configuration:

Parameter label (name)

Default

Description

Install RDP (InstallRDPInstance)

No

Set to Yes if you want to install the RDP instance.

RDP instance type (RDPInstanceType)

c4.large

EC2 instance type for the Windows RDP instance. This parameter will be ignored if the Install RDP parameter is set to No.

Advanced configuration:

Parameter label (name)

Default

Description

Quick Start S3 Bucket Name (QSS3BucketName)

quickstartreference

S3 bucket where the Quick Start templates and scripts are installed. Use this parameter to specify the S3 bucket name you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 Key Prefix (QSS3KeyPrefix)

sap/netweaver/abap/latest/

The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.

12. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.
13. On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge that the template will create IAM resources.
14. Choose Create to deploy the stack.
15. Monitor the status of the stack. When the status is CREATE_COMPLETE, the SAP NetWeaver system is ready.

Figure 10: SAP NetWeaver stacks

16. Use the URLs displayed in the Resources and Outputs tab of the stack to view the resources that were created.

SAP HANA:

Linux bastion hosts:

SAP PAS:

Step 5. Verify Your Deployment

The default network security setup for this solution follows AWS security best practices. The SAP NetWeaver instances are placed in a private subnet to restrict direct exposure to the internet. If you do not have a direct connection to the private subnet from your internal network, you can access the SAP NetWeaver instances only through instances placed in the public subnet.

Changing the Security Group Configuration

If you deployed your stack with the default network configurations, the rules shown in Figure 11 are configured by default for the PAS instances. These rules allow you to access the SAP NetWeaver systems through SAP GUI and Remote Function Call (RFC) only from the private subnets.

Figure 11: Default security group configuration

To access your SAP NetWeaver systems through SAP GUI or RFC from your public subnet, you must manually change the security group configuration of the PAS and AAS instances.

Figure 12 shows what the security group would look like when you add rules to allow access from public subnets.

Figure 12: Security rules for accessing SAP NetWeaver from public subnets

You can access the SAP HANA nodes by using SAP HANA Studio or through OS-level access. For instructions, see the SAP HANA deployment guide.

You can access SAP NetWeaver from the public subnet in two ways:

• Access with SAP GUI or RFC: Use a remote desktop client to connect to the Windows Server instance. Once connected, you can manually install SAP GUI or use RFC to start accessing your SAP NetWeaver system.

• OS-level access: Use SSH to connect to the bastion host and then to the SAP NetWeaver instances by using an SSH client of your choice.

Tip: To connect directly to the SAP NetWeaver systems from a corporate network, you can provision an encrypted IPsec hardware VPN connection between your corporate data center and your VPC. For details, see the Amazon VPC FAQ on the AWS website. You can also set up AWS Direct Connect between your data center and AWS to gain direct access to your AWS resources. For details, see AWS Direct Connect on the AWS website.

Using SAP GUI

To install SAP GUI, establish a connection to the Windows Server instance.

1. Sign in to your AWS account, and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the console dashboard, choose Running Instances to find the RDP instance.

Figure 13: Amazon EC2 running instances with RDP instance selected

3. Select your RDP instance and choose Connect.
4. Get the Windows administrator password from the Amazon EC2 console:
   a. In the Connect to Your Instance dialog box, choose Get Password.
   b. Paste the contents of your private key in the space provided, or choose Browse and navigate to your private key file, select the file, and choose Open to copy the entire contents of the file into the contents box. The password will be decrypted and displayed.
5. In the Connect to Your Instance dialog box, choose Download Remote Desktop File, or connect by using an RDP client of your choice.
6. Install SAP GUI. You can do this in two ways:
   – Download the SAP GUI installation files from SAP Service Marketplace.
   —or—
   – Download and extract the SAP GUI software from your S3 bucket to install SAP GUI on your RDP server.
7. When the installation is complete, start SAP GUI, and add a system with the following parameters.
   – Description: Your naming standard for your SAP systems
   – Application Server: The private IP address of your PAS
   – Instance Number: Your SAP system number (for PAS, this is usually 01)
   – System ID: Your SAP system identifier

8. Log in with the ddic user and the master password you specified in the Quick Start parameters in step 4.

Note: At this point, we recommend that you make a backup of your newly installed SAP NetWeaver and SAP HANA systems. You can use the Amazon EC2 console to make a complete system image (AMI) that can be used for recovery or for additional system builds. Keep in mind that this image is only a point-in-time snapshot.

Using OS-Level Access

You can also connect to the bastion host to establish a remote SSH connection to any of the SAP HANA master or worker nodes.

1. On the Amazon EC2 console, choose Running Instances.
2. Select your bastion host, and note the public Elastic IP address displayed below your running instances.

Figure 14: Elastic IP address for bastion host

3. Using an SSH client of your choice (for example, PuTTY or iTerm), connect to the bastion host and use the key pair you specified during the deployment process.

Note: If your connection times out, you might need to adjust the security group rules for the bastion host to allow access from your computer’s IP address or proxy server. For more information, see Security Group Rules in the Amazon EC2 User Guide.

iTerm Example

1. Add the private key to the authentication agent (ssh-add).
2. Connect to the bastion host by using SSH, with the -A option to forward the key, specifying the username ec2-user.
3. Connect to the SAP NetWeaver server by IP address using SSH.

PuTTY Example

1. Download PuTTY (putty.exe), PuTTY Key Generator (puttygen.exe), and Pageant (pageant.exe).
2. Load your private key into PuTTY Key Generator and save it as a .ppk file that PuTTY can use.
3. Run Pageant.exe, and add your new .ppk key. The Pageant process must be running in order for agent forwarding to work.
4. Configure PuTTY with the private key and select Allow agent forwarding.

Figure 15: PuTTY example for SSH connection

5. Save the configuration.

6. Open up the connection to the bastion host by using SSH with the ec2-user user ID.
7. Connect to the SAP HANA server by using SSH.

Troubleshooting

Q. Where are the logs that monitor the Quick Start deployment progress?

A. You can find the deployment log in the /var/log directory of the SAP NetWeaver instance. The name of the log file is cfn-init.log. You can log in to the SAP NetWeaver instance as soon as you see that it’s in the running state and the instance passes the status checks in the Amazon EC2 console.

Q. I launched the SAP NetWeaver Quick Start template for a new VPC, and I see up to five additional templates being launched in the AWS CloudFormation console. Why?

A. When you launch the SAP NetWeaver Quick Start for a new VPC, it launches up to five templates: one template to set up your network infrastructure (VPC, subnets, managed NAT gateway, and so on), a second template to deploy your Linux bastion host, a third template to launch the SAP PAS instance (this template will then call the SAP HANA template), and lastly an optional SAP AAS template if you decide to install AAS.

Q. Where is my SAP NetWeaver software staged when downloaded from the S3 bucket?

A. The SAP NetWeaver software is downloaded to the /sapmnt/SWPM directory on your PAS instance. The /sapmnt directory is then NFS-shared with your AAS instances. By default, the directory is shared with all servers whose hostnames begin with the same first three letters as the PAS instance’s hostname. For example, if your PAS instance’s hostname was sappas00, the share would be available to servers with the hostname sap*. You may change this default in your /etc/exports file on the PAS instance.

Q. I encountered a CREATE_FAILED error when I launched the Quick Start. What should I do?

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state will be retained and the instance will be left running, so you can troubleshoot the issue. (You'll want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

Important: When you set Rollback on failure to No, you’ll continue to incur AWS charges for this stack. Please make sure to delete the stack when you’ve finished troubleshooting.

The following table lists specific CREATE_FAILED error messages you might encounter.

Error message

Possible cause

What to do

API: ec2: RunInstances Not authorized for images: amiID

The template is referencing an AMI that has expired

We refresh AMIs on a regular basis, but our schedule isn’t always synchronized with AWS AMI updates. If you get this error message, notify us, and we’ll update the template with the new AMI ID. If you’d like to fix the template yourself, you can download it and update the Mappings section with the latest AMI ID for your region.

We currently do not have sufficient m1.small capacity in the AZ you requested

The NAT instance requires a larger instance type

Switch to an instance type that supports higher capacity, or complete the request form in the AWS Support Center to increase the Amazon EC2 limit for the instance type or region. Limit increases are tied to the region they were requested for.

The instance configuration for this AWS Marketplace product is not supported. Please see link for more information about supported instance types, regions, and operating systems.

You are trying to launch a RHEL/SLES Marketplace AMI with an instance type that isn’t supported.

Check your instance type and try to relaunch it with a supported instance type. If you want to extend the support for your desired instance type, contact the support team and open a support case.

Signal-failure function not implemented.

Deployment failed for an unknown reason.

Contact the support team and open a support case.

Not able to access SUSE (or Red Hat) update repository, package installation may fail.

The SAP HANA instance is unable to access the SUSE or RHEL update repository to download OS packages. The possible cause could be that Internet traffic for the SAP HANA instance is not routed through a NAT instance or NAT gateway.

See if it is possible to temporarily route the Internet traffic by using a NAT instance or NAT gateway. If your Internet traffic has to go through your internal proxy, contact your network team for access to the SUSE or RHEL update repository. For further assistance, open a support case in the AWS Support Center.

The HANA installation did not succeed. Please check installation media.

SAP HANA installation failed or SAP HANA services didn’t start up successfully.

Verify that you have staged the SAP HANA software properly in the S3 bucket with correct permissions. (See step 2 for details.) Another reason could be that SAP HANA services did not start up after the installation. In either case, consider redeploying your instance with the Install SAP software parameter set to No. The Quick Start redeployment will skip the SAP HANA installation, and you can manually install the SAP HANA software to troubleshoot the issue.

We currently do not have sufficient instance-type capacity in the AZ you requested.

The Availability Zone where you are trying to deploy your Amazon EC2 resources didn’t have enough capacity, or the instance type may not be available in that particular Availability Zone.

Retry the deployment with a different instance type, or choose a subnet in a different Availability Zone.

WaitCondition timed out. Received 0 conditions when expecting 1.

The SAP HANA template did not deploy.

Double check the pre-requisites for the SAP HANA Quick Start.

The CFN init did not initialize correctly on the PAS instance.

Create a ticket and attach the /var/log/cfn-init.log file.

Instance ID did not stabilize

You have exceeded your IOPS for the region

Request a limit increase by completing the request form in the AWS Support Center.

SAP master password requirements

Refer to the SAP documentation for password requirements

Change the master password (HANAMasterPass parameter in step 4), and then relaunch the Quick Start. According to SAP documentation, the master password must meet the following requirements:
• It must be 8 to 14 characters long.
• It must contain at least one letter (a-z, A-Z).
• It must contain at least one digit (0-9).
• It must not contain a backslash (\) or a double quote (").
Additional restrictions may apply, depending on the SAP HANA database:
• Use at least one number, one lowercase letter, and one uppercase letter.
• Use only the following characters: _, a-z, A-Z, 0-9, #, @, $, ! and do not start the password with a number or an underscore ( _ ).

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.
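Several of the failures in the table above, and several of the parameters in step 4, can be checked before a deployment that takes close to three hours. The following pre-flight check is an added example, not part of the Quick Start or its templates; the function names, the severity labels and the sample values are assumptions made here, and the password check applies the stricter "additional restrictions" set, which also satisfies the base rules.

```python
import ipaddress
import re

SUBNET_KEYS = ("PrivateSubnet1CIDR", "PrivateSubnet2CIDR",
               "PublicSubnet1CIDR", "PublicSubnet2CIDR")
S3_URL = re.compile(r"^s3://[^/\s]+/\S+$")  # s3://bucket/path

# Constructed sample input shaped like the Option 1 parameters (not a real deployment).
SAMPLE_PARAMS = {
    "VPCCIDR": "10.0.0.0/16",
    "PrivateSubnet1CIDR": "10.0.0.0/19",
    "PrivateSubnet2CIDR": "10.0.32.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20",
    "RemoteAccessCIDR": "0.0.0.0/0",
    "HANAMasterPass": "hana1234",
    "HANAInstallMedia": "s3://mysapbucket/HANA-media",
    "InstallSAP": "Yes",
    "SAPInstallMediaBucket": "s3://my-sw-bucket",
    "SAPInstallMediaKeyPrefix": "my/sw/version/",
    "Encryption": "No",
    "EnableLogging": "No",
}


def password_problems(password):
    """Return the master password rules (stricter set) that the value breaks."""
    problems = []
    if not 8 <= len(password) <= 14:
        problems.append("must be 8 to 14 characters long")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs a lowercase and an uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    # The allowed set also excludes the backslash and double quote of the base rules.
    if re.search(r"[^_a-zA-Z0-9#@$!]", password):
        problems.append("allowed characters are _ a-z A-Z 0-9 # @ $ !")
    if re.match(r"[0-9_]", password):
        problems.append("must not start with a digit or an underscore")
    return problems


def parse_cidr(params, key, findings):
    """Parse an IPv4 CIDR parameter; record an error and return None if invalid."""
    try:
        return ipaddress.IPv4Network(params.get(key, ""))
    except ValueError as exc:
        findings.append(("error", key, f"not a valid IPv4 CIDR block ({exc})"))
        return None


def check_parameters(params):
    """Return (severity, parameter, message) findings for a parameter dict."""
    findings = []
    vpc = parse_cidr(params, "VPCCIDR", findings)
    subnets = {}
    for key in SUBNET_KEYS:
        net = parse_cidr(params, key, findings)
        if net is None:
            continue
        if vpc is not None and not net.subnet_of(vpc):
            findings.append(("error", key, f"{net} lies outside the VPC CIDR {vpc}"))
        for other, other_net in subnets.items():
            if net.overlaps(other_net):
                findings.append(("error", key, f"{net} overlaps {other} ({other_net})"))
        subnets[key] = net

    remote = parse_cidr(params, "RemoteAccessCIDR", findings)
    if remote is not None and remote.prefixlen == 0:
        findings.append(("error", "RemoteAccessCIDR",
                         "0.0.0.0/0 is not a trusted range; use your corporate CIDR"))

    for problem in password_problems(params.get("HANAMasterPass", "")):
        findings.append(("error", "HANAMasterPass", problem))

    media = params.get("HANAInstallMedia", "")
    if not S3_URL.match(media):
        findings.append(("error", "HANAInstallMedia", "expected s3://bucket/path/"))
    elif not media.endswith("/"):
        findings.append(("warning", "HANAInstallMedia", "path does not end with '/'"))

    # The NetWeaver media parameters are ignored when Install SAP software is No.
    if params.get("InstallSAP", "Yes") == "Yes":
        bucket = params.get("SAPInstallMediaBucket", "")
        if not bucket or "/" in bucket or ":" in bucket:
            findings.append(("error", "SAPInstallMediaBucket",
                             "give the bucket name only, without s3:// or a path"))
        prefix = params.get("SAPInstallMediaKeyPrefix", "")
        if prefix and (prefix.startswith("/") or not prefix.endswith("/")):
            findings.append(("warning", "SAPInstallMediaKeyPrefix",
                             "expected the form my/sw/version/ or blank"))

    # Both settings default to No in the parameter tables.
    if params.get("Encryption", "No") != "Yes":
        findings.append(("warning", "Encryption",
                         "SAP HANA node volumes will not be encrypted"))
    if params.get("EnableLogging", "No") != "Yes":
        findings.append(("warning", "EnableLogging",
                         "AWS CloudTrail and AWS Config logging is off"))
    return findings


if __name__ == "__main__":
    for severity, key, message in check_parameters(SAMPLE_PARAMS):
        print(f"{severity:7} {key}: {message}")
```

Treating a missing trailing slash as a warning rather than an error is a choice made for this example; the guide only states that an incorrectly formatted HANAInstallMedia path makes the installation fail.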

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the location we’ve provided or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a non-S3 location, you might encounter template size limitations when you create the stack. For more information about AWS CloudFormation limits, see the AWS documentation.

Support

If you encounter an issue deploying this Quick Start, check the Troubleshooting section first to see if the issue is covered. If it isn’t, or the suggested solution doesn’t resolve the issue, open a support case in the AWS Support Center. Assistance with SAP NetWeaver and SAP HANA deployment issues requires a subscription to the AWS Business Support plan. If you’re opening a support case, please attach the /root/install/install.log file from the SAP HANA master instance, and the /var/log/cfn-init.log file from each of your SAP NetWeaver instances.

Security

The AWS Cloud provides a scalable, highly reliable platform that helps enable customers to deploy applications and data quickly and securely. When you build systems on the AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated application software such as SAP HANA, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Network Security

The default network security setup of this solution follows security best practices of AWS. The provisioned SAP NetWeaver instances are configured to allow access only to the private subnets in your VPC. SSH access to the SAP NetWeaver instance is allowed from the public subnets by default. To allow access from traffic beyond your VPC, you have two options:

• Update the security group created during the provisioning process to include the public subnet CIDR block and ports that you want to allow access for.

• Restrict access to a known CIDR block (of your network) if there is a provisioned Direct Connect or VPN tunnel between your own data center and AWS.

For more information about allowing access from public subnets, see Changing the Security Group Configuration earlier in this guide.
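The check below is an added example, not part of the Quick Start's templates or scripts: it audits security-group ingress rules, in the JSON shape returned by `aws ec2 describe-security-groups`, against a list of trusted CIDR blocks, in line with the two options above. The group ID, group name, CIDR blocks and port range are constructed sample values, and the trusted-network list is an assumption to replace with your own VPC and on-premises ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ID, group name, CIDR blocks and ports are made up for this example.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "GroupName": "netweaver-app",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.128.0/20"}]},
     {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "192.168.0.0/16"}],
      "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
   ]}
]}
""")

# Assumption: the trusted networks are the VPC CIDR and an on-premises range
# reached over Direct Connect or VPN. Replace with your own blocks.
ALLOWED = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "172.16.0.0/12")]

def is_trusted(cidr, allowed=ALLOWED):
    """True if cidr lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit(groups, allowed=ALLOWED):
    """Return (group_id, protocol, ports, cidr) for each untrusted ingress source."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # IpProtocol "-1" means all protocols and ports; no port fields are present.
            ports = "all" if proto == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_trusted(cidr, allowed):
                    findings.append((sg["GroupId"], proto, ports, cidr))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("untrusted ingress source:", finding)
```

Rules that reference another security group (UserIdGroupPairs) or a prefix list are not evaluated by this check and need a separate review.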

Identity and Access Management (IAM)

This solution leverages an IAM role with least-privilege access. It is not necessary or recommended to store SSH keys, secret keys, or access keys on the provisioned instances.

OS Security

The root user on Linux or the administrator on the Windows RDP instance can be accessed only by using the SSH key specified during the deployment process. AWS does not store these SSH keys, so if you lose your SSH key, you can lose access to these instances. Operating system patches are your responsibility and should be performed on a periodic basis.

Security Groups

A security group acts as a firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time. The new rules are automatically applied to all instances that are associated with the security group. The security groups created and assigned to the individual instances as part of this solution are restricted as much as possible while allowing access to the various functions of SAP NetWeaver and SAP HANA.

Additional Resources

AWS services

• AWS CloudFormation: https://aws.amazon.com/documentation/cloudformation/
• Amazon EBS
  – User guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
  – Volume types: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
  – Optimized instances: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
• Amazon EC2
  – User guide for Microsoft Windows: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
  – User guide for Linux: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/
  – X1 instances: https://aws.amazon.com/ec2/instance-types/x1/
• Amazon VPC: https://aws.amazon.com/documentation/vpc/

SAP NetWeaver documentation

• SAP NetWeaver help: https://help.sap.com
• SAP Notes and Knowledge Base articles: https://support.sap.com/notes

SAP HANA on AWS

• SAP HANA Quick Start: https://docs.aws.amazon.com/quickstart/latest/sap-hana/
• SAP HANA on AWS Implementation and Operations Guide: https://d0.awsstatic.com/enterprisemarketing/SAP/SAP_HANA_on_AWS_Implementation_and_Operations_Guide.pdf
• High Availability and Disaster Recovery Options for SAP HANA on AWS: https://d0.awsstatic.com/enterprise-marketing/SAP/sap-hana-on-aws-highavailability-disaster-recovery-guide.pdf
• Setting up AWS Resources and SLES for SAP HANA Installation: https://d0.awsstatic.com/enterprise-marketing/SAP/SAP-HANA-on-AWS-ManualSetup-Guide.pdf
• Migrating SAP HANA Systems to X1 Instances on AWS: https://d0.awsstatic.com/enterprise-marketing/SAP/migrating-sap-hana-to-x1-onaws.pdf
• Additional information about SAP solutions on AWS: https://aws.amazon.com/sap/whitepapers/

Quick Start reference deployments

• Additional reference deployments: https://aws.amazon.com/quickstart/

Send Us Feedback

You can visit our GitHub repository to download the templates and scripts for this Quick Start, to post your feedback, and to share your customizations with others.

Document Revisions

Date | Change | In sections
December 2017 | Added instructions for using the latest SAP kernel patch levels | Step 3, KERN_CD
December 2017 | Initial publication |

© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
