SAP HANA Operation Guide

Last Updated: Nov 28, 2017

This document mainly describes recommended methods for and notes about using SAP HANA deployed on Alibaba Cloud ECS instances. For more information about how to use SAP HANA, refer to the SAP official documentation.

Manage your SAP HANA system

This section describes how to perform administrative tasks typically required to operate an SAP HANA system on Alibaba Cloud ECS, including information about starting, stopping, and cloning the system.

Start and stop an ECS instance

You can stop one or more SAP HANA hosts at any time. As a best practice, stop SAP HANA on the Alibaba Cloud ECS instance first and confirm that it is down before you stop the instance; stopping the instance while the database is still running forces crash recovery from the last savepoint and redo log at the next start instead of a clean restart. When you start the instance again, it comes back with the same IP address, network, and storage configuration as before. SAP HANA itself is not started automatically unless autostart is configured in its instance profile, so start the database once the instance is running.
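The stop sequence described above, as an added example that is not part of the Alibaba Cloud guide or of SAP's own tooling. It assumes it runs on the HANA host as the <sid>adm user with sapcontrol on the PATH (normally /usr/sap/hostctrl/exe) and with the Alibaba Cloud CLI "aliyun" configured with credentials that may call ecs:StopInstance; the instance number 00 and the ECS instance ID in the usage line are placeholders. The point it adds to the text is the check: the ECS instance is only stopped after sapcontrol has confirmed that every HANA process is down.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud guide or SAP): stop SAP HANA and
# confirm it is down before stopping the ECS instance that hosts it.
# Assumptions: run as <sid>adm on the HANA host; sapcontrol and the "aliyun"
# CLI are on the PATH; instance number and ECS instance ID are placeholders.

# Stop the HANA system of instance number $1 and wait at most $2 seconds
# (default 600) until sapcontrol reports that no process is running.
stop_hana_system() {
    nr=$1
    timeout=${2:-600}
    sapcontrol -nr "$nr" -function StopSystem HDB >/dev/null || return 1
    # WaitforStopped polls every 5 s and returns 0 only once all processes are stopped
    sapcontrol -nr "$nr" -function WaitforStopped "$timeout" 5 >/dev/null || return 1
}

# Stop the ECS instance only after the database is confirmed down; if the
# stop is not confirmed within the timeout, leave the instance running.
stop_hana_host() {
    nr=$1
    instance_id=$2
    if ! stop_hana_system "$nr"; then
        echo "HANA instance $nr did not stop cleanly; leaving ECS instance $instance_id running" >&2
        return 1
    fi
    # ForceStop=false requests a normal OS shutdown rather than a power-off
    aliyun ecs StopInstance --InstanceId "$instance_id" --ForceStop false
}

# Usage: sh stop_hana_host.sh 00 i-bp1example   (both arguments are placeholders)
if [ $# -eq 2 ]; then
    stop_hana_host "$1" "$2"
fi
```

On the way back the order is reversed: start the instance, then start the database with sapcontrol -nr <nr> -function StartSystem HDB (or the HANA "HDB start" script) once you are on the host again.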

Create a custom image for your SAP HANA

ECS allows you to create custom images based on your current ECS instances. Custom images help you rapidly create multiple ECS instances with an identical operating system and environment, for example to meet auto scaling requirements. You can create a custom image for an existing instance in the ECS console. For details about how to create a custom image, refer to Create a custom image using an instance.

You can use a custom image as follows:

  • Create a full offline backup of the SAP HANA system, including the operating system, the HANA program directory /usr/sap, the shared programs and files under /hana/shared, data, logs, and backup files.
  • Create a new ECS instance or change the system disk of an existing ECS instance.
  • Move an SAP HANA system from one region to another: create a custom image of an existing ECS instance and use it to create a new ECS instance in another region by following the instructions in Copy an image. Image copying allows you to maintain a consistent environment when you deploy applications across multiple regions.
  • Clone an SAP HANA system: create an image of an existing SAP HANA system and use it to create an exact clone of the system. Refer to the next section of this document.

NOTE: To create a custom image of the SAP HANA system in a consistent state, stop the SAP HANA instance before creating the image, or follow the instructions in SAP Note 1703435.

Clone an SAP HANA system

Single-node system – To clone a single-node SAP HANA system, create a custom image of the system in the same zone. The image includes the operating system and the preinstalled SAP HANA software.

Multi-node system – A multi-node SAP HANA system cannot be cloned by creating an image. Instead, use backup and recovery to build the new system:

  • Create a new SAP HANA system with the same configuration as the SAP HANA system you want to clone.
  • Back up the data of the original system.
  • Recover the new system from the backup of the original system.

Manage your account

The following three types of administrator accounts are required to manage an SAP HANA system on Alibaba Cloud:

  • Alibaba Cloud account – Before using Alibaba Cloud products and services, you need to create an Alibaba Cloud account first. Using this account, you can manage your ECS instances, configure networks, and manage system images or disk snapshots for your SAP HANA system.
  • ECS instance administrator account – When an ECS instance is created, you set up the administrator account of the operating system of the instance. On Linux, the default administrator is the root user. As the administrator, you can create or delete operating system user accounts as required.
  • HANA database administrator – A system ID (SID) is specified during SAP HANA installation. HANA creates the operating system user <sid>adm (the SID in lowercase followed by "adm") as the database administrator by default. In scale-out scenarios, all nodes must use the same <sid>adm user, and its UID and GID must be identical on every node.
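The UID/GID requirement in the last item is easy to violate when nodes are installed or re-imaged separately, and a mismatch shows up later as permission errors on the shared /hana/shared file system. The following check is an added example, not part of the guide or of SAP's installer: it reads one "<host> <uid> <gid>" line per node (collected with ssh and id in collect_sidadm_ids, whose hostnames and SID "HDB" are assumptions) and fails if any node differs from the first. The sample input in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud guide or SAP): verify that the
# <sid>adm user has the same UID and GID on every node of a scale-out system.
# Assumptions: passwordless ssh to every node as a user allowed to run "id";
# hostnames and the SID given on the command line are placeholders.

# collect_sidadm_ids <SID> <host>...: print "<host> <uid> <gid>" per node.
collect_sidadm_ids() {
    sid=$1; shift
    user=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm      # e.g. HDB -> hdbadm
    for h in "$@"; do
        printf '%s %s %s\n' "$h" "$(ssh "$h" id -u "$user")" "$(ssh "$h" id -g "$user")"
    done
}

# check_sidadm_ids: read "<host> <uid> <gid>" lines from stdin; return 0 only
# if every node matches the first one, 1 on a mismatch, 2 if fewer than two
# nodes were given (a scale-out check needs at least two).
check_sidadm_ids() {
    ref_uid=""; ref_gid=""; ref_host=""; bad=0; n=0
    while read -r host uid gid; do
        [ -n "$host" ] || continue
        n=$((n + 1))
        if [ -z "$ref_uid" ]; then
            ref_uid=$uid; ref_gid=$gid; ref_host=$host
            continue
        fi
        if [ "$uid" != "$ref_uid" ] || [ "$gid" != "$ref_gid" ]; then
            echo "MISMATCH: $host has $uid:$gid, $ref_host has $ref_uid:$ref_gid" >&2
            bad=1
        fi
    done
    if [ "$n" -lt 2 ]; then
        echo "need at least two nodes, got $n" >&2
        return 2
    fi
    [ "$bad" -eq 0 ] && echo "$n nodes consistent: uid=$ref_uid gid=$ref_gid"
    return $bad
}

# Usage: sh check_sidadm.sh HDB hana01 hana02 hana03   (placeholders)
if [ $# -ge 2 ]; then
    collect_sidadm_ids "$@" | check_sidadm_ids
fi
```

With constructed input such as "hana01 1001 79" and "hana02 1002 79" piped into check_sidadm_ids, the second node is reported and the check exits non-zero; fix the UID/GID with the same values on all nodes before installing or adding hosts.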

Network configuration

It is strongly recommended that you use Virtual Private Cloud (VPC) as the network type when you build the SAP HANA system on Alibaba Cloud ECS. A VPC is a private network established on Alibaba Cloud. VPCs are logically isolated from each other, and a VPC lets you use Alibaba Cloud resources inside your own private network.

You have full control over your own VPC, including choosing the IP address range, subnets, route table, and gateway, so that you can reach your resources and applications securely and easily. For more information, refer to VPC. You can also connect your VPC to traditional data centers through a leased line or VPN to form an on-demand network environment for smooth application migration to the cloud and expansion of data centers.

Security isolation

  • ECS instances of different users are deployed in different VPCs.
  • Different VPCs are isolated by tunnel IDs. VSwitches and VRouters allow a VPC to be divided into subnets as in a conventional network environment: ECS instances in the same subnet are interconnected through the same VSwitch, and different subnets are interconnected through VRouters.
  • Different VPCs are completely isolated on the intranet and can only be interconnected through a mapped public IP address (EIP or NAT IP).
  • Because tunneling is used to encapsulate the IP packets of ECS instances, the data link layer information (Layer 2 MAC addresses) of the ECS instances is not carried onto the physical network. This provides Layer 2 isolation between ECS instances and, by extension, between VPCs.
  • ECS instances in a VPC use security groups as firewalls for network access control by IP address, protocol, and port.

Public network access

If your enterprise security policy requires that all VMs reside in the enterprise's private network, you can use the following methods to reach the public network:

  • Set up a NAT Gateway in your private network as the public traffic portal (NAT proxy) for the VMs. In the NAT Gateway, configure the corresponding route so that your VMs can reach the public network. For details about how to set up a NAT Gateway, refer to Appendix: How to create NAT Gateway.
  • Because VMs in the private network cannot be reached directly over SSH from outside, set up a bastion host. The bastion host has a public IP address and can record the SSH sessions used for O&M; it serves as the only channel to the VMs in your private network. For details about how to set up a bastion host, refer to Guide on implementing SAP HANA on Alibaba Cloud.

VPN connection

VPN Gateway is an Internet-based service provided by Alibaba Cloud. It connects enterprise data centers and Alibaba Cloud VPCs securely and reliably through encrypted tunnels.

Security groups

A security group is a logical group of instances in the same region that have the same security requirements and trust each other. Each instance belongs to at least one security group, which must be specified when the instance is created. Instances in the same security group can communicate with each other over the network; instances in different security groups cannot communicate over the intranet by default, but mutual access can be authorized between two security groups.

A security group is a virtual firewall that provides stateful packet inspection (SPI). Security groups set the network access control for one or more ECS instances and, as an important means of security isolation, are used to divide security domains on the cloud.

For more information, refer to Introduction to security groups.

Technical support for SAProuter access to SAP

SAProuter is a software application that provides a remote connection between the customer's network and the SAP network. In some situations it may be necessary to allow an SAP support engineer to access your SAP HANA system on Alibaba Cloud for fault diagnosis; SAProuter is required to establish that connection. One prerequisite for using SAProuter is a network connection from the customer's network to the SAP support network.

SAProuter can be regarded as the support connection channel between SAP and Alibaba Cloud ECS. To configure SAProuter, perform the following steps:

  • Start the ECS instance on which SAProuter is to be installed. Because the instance is located in your VPC, buy an Elastic IP (EIP) and bind it to the instance; binding an EIP does not require a restart.
  • Create and configure a security group that allows inbound and outbound traffic only between the SAProuter instance and the SAP support network, on TCP port 3299.
  • Install SAProuter by following SAP Note 1628296, and create the route permission table file "saprouttab".
  • Use Secure Network Communications (SNC) to protect the SAProuter connection over the Internet. For more information, refer to SAP remote support – help.
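The saprouttab created in the third step decides which hosts and ports SAP support can reach, and SAProuter applies the first matching rule, so a wildcard permit or a missing final deny-all exposes far more than the HANA SQL port. The following lint is an added example, not part of the guide or of SAP's SAProuter distribution; it checks the table before SAProuter is started. SAProuter reads "saprouttab" from its working directory (or the file passed with -R). The rule types it knows are P/S/D (plain permit, SAP-protocol-only permit, deny) and KP/KS/KD/KT (the same with an SNC partner name, written in double quotes and possibly containing spaces). The sample table in the usage note is constructed; the SNC name and addresses in it are placeholders to be taken from the current SAP remote support documentation.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud guide or SAP): lint a saprouttab
# before starting SAProuter for SAP support access. Policy enforced here
# (an assumption about what "only the HANA port" should mean):
#   - plain (non-SNC) permits may not use "*" as source, destination or service
#   - SNC permits may not use "*" as destination or service
#   - only known rule types appear
#   - the last rule is the deny-all "D * * *"

# lint_saprouttab <file>: return 0 if the table is acceptable, 1 otherwise;
# every finding is reported on stderr with its line number.
lint_saprouttab() {
    file=$1
    rc=0
    last=""
    lineno=0
    rules=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        rules=$((rules + 1))
        # Replace a quoted SNC name by one token so the rule splits into exactly
        # type, source-or-SNC-name, destination, service[, password]
        rest=$(printf '%s\n' "$line" | sed 's/"[^"]*"/SNCNAME/')
        set -f              # no pathname expansion while splitting on '*'
        set -- $rest
        set +f
        last="$*"
        case "$1" in
            P|S)
                if [ "$2" = "*" ]; then
                    echo "line $lineno: permit from any source: $line" >&2; rc=1
                fi
                if [ "$3" = "*" ] || [ "$4" = "*" ]; then
                    echo "line $lineno: non-SNC permit to wildcard host or service: $line" >&2; rc=1
                fi
                ;;
            KP|KS|KT)
                if [ "$3" = "*" ] || [ "$4" = "*" ]; then
                    echo "line $lineno: SNC permit to wildcard host or service: $line" >&2; rc=1
                fi
                ;;
            D|KD) ;;
            *)
                echo "line $lineno: unknown rule type '$1': $line" >&2; rc=1
                ;;
        esac
    done < "$file"
    if [ "$last" != "D * * *" ]; then
        echo "$file: last rule must be 'D * * *' (found '$last')" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$file: $rules rules checked, OK"
    return $rc
}

# Usage: sh lint_saprouttab.sh /path/to/saprouttab
if [ $# -eq 1 ]; then
    lint_saprouttab "$1"
fi
```

A constructed table that passes the check has the shape "KT "<SNC name of SAP's support router>" 10.0.1.10 30015" followed by "D * * *"; a table that starts with "P * * *" or that lacks the final deny rule fails, which is exactly the case to catch before opening TCP 3299 in the security group.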

Security configuration

For an SAP HANA system running on Alibaba Cloud, Alibaba Cloud is responsible for the security of the infrastructure that supports the cloud, and the customer is responsible for the security of the cloud resources, the HANA database, and the related applications that the customer runs on them.

Besides common security protection methods for your SAP HANA system, Alibaba Cloud provides the following additional security resources:

Resource Access Management (RAM)

Resource Access Management (RAM) is an Alibaba Cloud service for user identity management and resource access control. Using RAM, you can create and manage user accounts (for example, for employees, systems, and applications) and control which operations these accounts may perform on the resources under your account. RAM thereby allows you to grant access and management permissions for Alibaba Cloud resources only to designated enterprise personnel or partners, as needed, and so reduce the security risk to your enterprise information. For more information, refer to RAM.

Server Guard (server security)

Server Guard is a host security application that provides vulnerability management, baseline detection, intrusion alerting, and other functions through the interworking of a lightweight agent installed on ECS with the on-cloud security center. Server Guard monitors the server in real time, captures security events, and provides warnings and remediation guidance for intrusions and abnormal behavior. For more information, refer to Server Guard.

Security notification

The Alibaba Cloud message center allows you to configure the notification types you receive. After you enable Alibaba Cloud Security notifications under security messages, you receive security notifications about server security and Anti-DDoS. If you have bought services such as Cloud Anti-DDoS Service and Web Application Firewall, you receive the corresponding notifications as well.

Necessary configuration changes

You need to configure your SAP HANA system and its operating system with the recommended security settings. For example, make sure that only the necessary network ports are opened in the security groups, harden the operating system on which you run SAP HANA, and so on.

Refer to the following SAP Notes:

Disable some SAP HANA services

SAP HANA services such as SAP HANA Extended Application Services (HANA XS) are optional and should be disabled if they are not needed, which removes their listening ports from the attack surface.

For details about how to disable these services, refer to SAP Note 1697613: Remove XS Engine out of SAP HANA database. After a service has been disabled, remove from the security groups all TCP ports that were opened for it.
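Both the security group section above and the instruction to remove the ports of a disabled service come down to knowing which TCP ports a HANA instance uses, which follow the instance number: 3<nr>13 (SYSTEMDB SQL), 3<nr>15 (SQL of the first tenant; further tenants get their own ports), 5<nr>13 and 5<nr>14 (sapstartsrv, used by sapcontrol), 1128 and 1129 (SAP Host Agent), and, only while XS classic is enabled, 80<nr> and 43<nr> (HTTP/HTTPS). The following script is an added example, not part of the guide or of the aliyun CLI: it derives the port list from the instance number, opens those ports for one client CIDR with the aliyun CLI, and revokes the XS ports again after XS has been disabled. The security group ID, region, CIDR, and instance number are placeholders.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud guide): security group rules for
# the TCP ports of one SAP HANA instance, derived from its instance number.
# Assumptions: the "aliyun" CLI is configured with permission for
# ecs:AuthorizeSecurityGroup / ecs:RevokeSecurityGroup; all IDs are placeholders.

# hana_ports <nr> [xs]: print one port per line for instance number <nr>;
# "xs" appends the XS classic HTTP/HTTPS ports.
hana_ports() {
    nr=$1
    case "$nr" in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits, got '$nr'" >&2; return 1 ;;
    esac
    printf '%s\n' "3${nr}13" "3${nr}15" "5${nr}13" "5${nr}14" 1128 1129
    if [ "${2:-}" = "xs" ]; then
        printf '%s\n' "80${nr}" "43${nr}"
    fi
}

# sg_allow <sg-id> <region> <client-cidr> <nr> [xs]: allow the client CIDR to
# reach every HANA port of the instance; stop at the first failed API call.
sg_allow() {
    sg=$1; region=$2; cidr=$3; nr=$4; xs=${5:-}
    ports=$(hana_ports "$nr" $xs) || return 1
    for port in $ports; do
        aliyun ecs AuthorizeSecurityGroup --RegionId "$region" --SecurityGroupId "$sg" \
            --IpProtocol tcp --PortRange "$port/$port" --SourceCidrIp "$cidr" \
            --Policy accept || return 1
    done
}

# sg_revoke_xs <sg-id> <region> <client-cidr> <nr>: after XS has been removed
# (SAP Note 1697613), delete the rules for 80<nr> and 43<nr> again.
sg_revoke_xs() {
    sg=$1; region=$2; cidr=$3; nr=$4
    hana_ports "$nr" >/dev/null || return 1
    for port in "80${nr}" "43${nr}"; do
        aliyun ecs RevokeSecurityGroup --RegionId "$region" --SecurityGroupId "$sg" \
            --IpProtocol tcp --PortRange "$port/$port" --SourceCidrIp "$cidr" \
            --Policy accept || return 1
    done
}

# Usage: sh hana_sg.sh sg-example cn-hangzhou 10.0.9.0/24 00 [xs]  (placeholders)
if [ $# -ge 4 ]; then
    sg_allow "$@"
fi
```

Keep the client CIDR as narrow as the application servers and the admin subnet require; the 5<nr>13/5<nr>14 and 1128/1129 rules are only needed from hosts that run sapcontrol or the SAP Host Agent against this instance, and can be restricted to the bastion host or management subnet.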

For more information about the security protection, refer to the guide on security of SAP HANA on Alibaba Cloud.

High availability and disaster recovery

For details and best practices about the high-availability and disaster recovery solutions of SAP HANA running on Alibaba Cloud, refer to Guide on high availability and disaster recovery of SAP HANA on Alibaba Cloud.

Backup and restoration

Backups are critical for protecting your system data. SAP HANA is an in-memory database that persists its data through savepoints and redo logs, and a data backup is what lets you recover from failures that the persistence on the instance cannot cover. Create regular data backups, scheduled at a point in time when the SAP HANA workload is low, according to your business requirements; you can then recover your data after an unexpected system failure.

For details and best practices, refer to Guide on backup and restoration of SAP HANA on Alibaba Cloud.

Appendix: How to create NAT Gateway

NAT Gateway is an enterprise-class VPC public network gateway that provides NAT proxy services (SNAT and DNAT), 10 Gbps forwarding capacity, and cross-zone disaster tolerance. NAT Gateway must be used together with a shared bandwidth package; together they provide a high-performance enterprise-class gateway that can be flexibly configured.

  1. Log on to the VPC console.
  2. In the left navigation bar, click “NAT Gateway”.
  3. Click “Create NAT Gateway”.
  4. Select the region, VPC, type, and billing cycle, and click “Buy Now” to complete the creation.
  5. After NAT Gateway is successfully created, the system automatically creates a port forwarding table and a SNAT table for this
  6. Click the “Buy Shared Bandwidth Package” link.
    NOTE: If a bandwidth package has already been configured for the NAT Gateway, click “Manage” and select a bandwidth package in the left navigation bar.
  7. On the bandwidth package page, click “Buy Shared Bandwidth Package” again.
  8. Configure the number of public IP addresses, bandwidth, and billing method for the bandwidth package.
  9. Click “Buy Now” to complete the creation.
  10. After the bandwidth package is created, the system allocates public IP addresses to NAT Gateway based on the specified number of IP
  11. Return to the NAT Gateway page, click “Port Forwarding Table”, set the DNAT, and click “Create Port Forwarding Entry”.
  12. Configure the port forwarding entry: Select an available public IP address, specify the private IP address of the ECS instance on the VPC to be mapped, and select the mapping mode.
    • All ports: IP mapping is used. The selected public IP address acts as an EIP for the selected ECS instance, which can then receive requests on any port and any protocol from the public network. When you select all ports, you do not need to configure the public network port, private network port, or protocol type.
    • Specific port: port mapping is used. After configuration, NAT Gateway forwards traffic that arrives at [Public IP address:Public network port] with the specified protocol to [Private IP address:Private network port], and sends the responses from [Private IP address:Private network port] back out through [Public IP address:Public network port]. When you select a specific port, you need to configure the public network port, private network port, and protocol type.
  13. Click “OK” to complete the configuration.
    The new rule is displayed in the port forwarding table and in the “Configuring” state. Click “Refresh”. When the status shows “Available”, the port forwarding rule is successfully