- Overview of Alibaba Cloud
- Alibaba Cloud ECS
- Network and Security
- System Copy and Migration
- SAP NetWeaver monitoring and support
- Installation media
- SAP Router and Solution Manager
Alibaba Cloud is built on a global infrastructure providing all kinds of IaaS products and services. Alibaba Cloud services are available in different geographical regions across the globe. Before running SAP NetWeaver on Alibaba Cloud, you should be familiar with the following services:
- Alibaba Cloud Elastic Compute Service (ECS)
Alibaba Cloud Elastic Compute Service (ECS) is a web service that provides resizable compute capacity in the cloud. Its simple web service interface allows you to obtain and configure computing capacity with minimal effort. You are able to quickly scale capacity up and down as your computing requirements change, and you only pay for capacity that you actually need.
- Alibaba Cloud Block Storage (Cloud Disk)
Alibaba Cloud Block Storage (Cloud Disk) provides persistent block-level storage volumes for use with Alibaba Cloud ECS instances on the Alibaba Cloud Platform. Cloud Disk volumes provide the consistent and low-latency performance needed to run your workloads. With Cloud Disk, you can scale your usage up or down within minutes, all while paying a low price for only what you provision.
- Alibaba Cloud Object Storage Service (OSS)
Alibaba Cloud Object Storage Service (OSS) is an easy-to-use service that enables you to store, back up and archive large amounts of data on the cloud. OSS acts as an encrypted central repository from which files can be securely accessed from around the globe. OSS guarantees up to 99.9999% availability and is a perfect fit for global teams and international project management.
- Virtual Private Cloud (VPC)
Virtual Private Cloud (VPC) creates an isolated network environment for users on Alibaba Cloud. You can select an IP address range, divide networks, and configure the routing list and gateway.
SAP NetWeaver and the Alibaba Cloud services work together in particular ways to deliver combined business application and infrastructure capabilities to our customers.
- SAP NetWeaver system and database components use Alibaba Cloud ECS instances and storage services as well as the Virtual Private Cloud service.
- SAP Host Agent/SAPOSCOL is deployed with the standard installation of SAP NetWeaver and is able to make calls to the monitoring agent component provided by Alibaba Cloud.
- Alibaba Cloud ECS Metrics Collector is the monitoring agent that collects the required CPU, memory, disk and network monitoring data and makes these metrics available to SAP applications.
The following diagram shows some details of a 2-tier architecture running on Alibaba Cloud:
In this architecture, all the components run on a single ECS instance. The ECS instance has 3 attached disks, and each disk serves a specific role. These roles include:
- System Disk: contains the operating system and paging files for the ECS instance.
- Data Disk 1: contains the SAP NetWeaver installation and profile files as well as the database installation and profiles.
- Data Disk 2: contains the database data files used for maintaining data consistency. Caution: Data Disk 2 should use SSD Cloud Disk to guarantee database performance.
- Data Disk 3: contains the database log files used for maintaining data consistency. Caution: Data Disk 3 should also use SSD Cloud Disk to guarantee database performance.
- Data Disk 4: contains database backups.
See the HANA Deployment Guide for more information about the deployment architecture for SAP HANA on Alibaba Cloud: https://www.alibabacloud.com/help/doc-detail/57229.htm.
For 2-tier deployment with SAP HANA, refer to SAP Note 1953429 - SAP HANA and SAP NetWeaver AS ABAP on one Server.
When facing a higher workload, SAP supports a scale-out architecture that uses multiple application servers as needed.
In a scale-out configuration, nodes must access a shared file system. For Linux, use the Network File System (NFS) as your file share on the NetWeaver binaries/profiles disk of the central system (/sapmnt/[SID], where [SID] is the system ID). For more detailed information, refer to the SAP standard documentation.
The following diagram shows some details of a 3-tier scale-out architecture running on Alibaba Cloud:
In this architecture, the SAP NetWeaver system distributes work across multiple NetWeaver Application Servers (AS) hosted on multiple ECS instances. All the NetWeaver AS nodes share the same database, which is hosted on a separate ECS instance.
All the NetWeaver AS nodes mount and access a shared file system that hosts the SAP NetWeaver binaries and profiles. For Linux, use the Network File System (NFS) as your file share for the NetWeaver binaries/profiles disk of the central system (/sapmnt/[SID], where [SID] is the system ID). For more detailed information, refer to the SAP standard documentation.
In our diagram, this shared file system is contained on a cloud disk that is attached to ECS Instance 1, along with the SAP central services.
Guidelines and best practices for planning and setting up high availability for SAP solutions on Alibaba Cloud will be provided soon.
Alibaba Cloud ECS offers a number of instance types (virtual machine sizes) for deploying SAP solutions. Each instance type offers different CPU, memory, and I/O capabilities. You can only run your SAP applications on ECS instances which have been certified by SAP. For a list of SAP-certified instance types approved for SAP NetWeaver usage, see the following; for the most current information, see SAP Note 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM types.
For detailed descriptions of ECS instance types, please kindly check the official website of Alibaba Cloud.
Each SAP-certified ECS instance type has been sized using SAP's Standard Application Sales and Distribution (SD) benchmark toolkit. For the SAPS rating of each SAP-certified instance, see also SAP Note 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM types.
When you create an ECS instance, you use an image that contains a pre-installed base operating system. Alibaba Cloud works with operating system partners to provide you with up-to-date, optimized operating system images. There are several ways you can specify an image for your ECS instance.
Licenses for the operating systems in public images are already included in the price of the ECS instance. You are not required to provide your own operating system licenses. The following operating systems required for SAP NetWeaver usage are available in the Public Image list:
For the most current information on supported operating systems please kindly see SAP Note 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM types.
The Alibaba Cloud infrastructure is built around Regions and Zones. A Region is a physical location in the world where, in most cases, we have multiple Zones. Zones consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities. These Zones offer you the ability to operate production applications and databases which are more highly available, fault tolerant and scalable than would be possible from a single data center. Alibaba Cloud operates 29 Zones within 14 geographic Regions around the world.
Virtual Private Cloud (VPC) allows you to provision a private, isolated section of Alibaba Cloud where you can launch IaaS resources in a virtual network that you define. With VPC, you can define a virtual network topology that closely resembles a traditional network that you might operate in your own data center. Additionally, you can create a connection between your corporate data center and your VPC on Alibaba Cloud, and use the Alibaba Cloud as an extension of your corporate data center.
You can use the standard Alibaba Cloud methods to deploy your ECS instances on Alibaba Cloud platform, including ECS Console (the Cloud Platform Console web UI) and REST API. You can read the following pages to get more useful information.
For detailed information and step-by-step instructions about deploying your SAP NetWeaver system on ECS, please refer to SAP NetWeaver Implementation Guide on Alibaba Cloud.
On a Linux-based ECS instance, users have SSH capabilities and can access the ECS instance through SSH-based tools such as PuTTY. For example, you can access the ECS instance through PuTTY from a jump server.
On a Windows-based ECS instance, users are able to access the ECS through Remote Desktop Protocol (RDP), as long as the ECS instance is accessible from a public IP address.
For SAP NetWeaver on Alibaba Cloud, you can use SAP HANA.
SAP HANA is supported only on SUSE Linux Enterprise Server for the moment. For more information on supported ECS instance types and operating systems, see the SAP HANA deployment guide.
For more information about SAP HANA, see the SAP HANA Operation guide and the SAP documentation.
To determine the sizing guidelines and recommendations for SAP HANA, please kindly check SAP official website for sizing.
Since most SAP NetWeaver systems are used for mission critical workloads, customers must have a data backup and restore plan to ensure that their system and database can be restored if the worst case happens.
For information about backup and recovery for SAP HANA, see the SAP HANA on Alibaba Cloud Operations Guide as follows:
- Operation Guide, https://www.alibabacloud.com/help/doc-detail/57886.htm
- Backup and Restore, https://www.alibabacloud.com/help/doc-detail/57886.htm
By default, each ECS instance has a small System disk (Ultra Cloud Disk or SSD Cloud Disk) that contains the operating system. You can add additional Data disks, and attach them to your ECS instance to act as storage for the different components of your system.
Alibaba Cloud Block Storage (Cloud Disk) provides persistent block-level storage volumes for use with Alibaba Cloud ECS instances. You can choose different Cloud Disk types depending on your requirements:
| Disk Category | Basic Cloud Disk | Ultra Cloud Disk | SSD Cloud Disk |
|---|---|---|---|
| Max size of single disk | 2 TB | 32.768 TB | 32.768 TB |
| Max IOPS per disk | 300+ IOPS | 3,000 IOPS | 20,000 IOPS |
| Max throughput per disk | 20~40 MBps | 80 MBps | 300 MBps |
| Access latency | 5.0~10.0 ms | 1.0~3.0 ms | 0.5~2.0 ms |
| Typical scenarios | Data is not frequently accessed or with low I/O loads. | Small and medium sized databases; development and testing; cloud server logging. | I/O intensive applications; medium sized or large relational databases; NoSQL databases. |

For data reliability, with the strength of the Alibaba Cloud distributed storage technology, which uses a triplicate storage system, all three disk types ensure data integrity of 99.9999999%.
In general, we recommend the following disk layout:

| Disk Layout | Usage | Cloud Disk Type |
|---|---|---|
| System Disk | Operating System | Ultra Cloud Disk |
| Data Disk 1 | Executables, profiles etc. of NetWeaver, Database | SSD Cloud Disk |
| Data Disk 2 | Data files of database | SSD Cloud Disk |
| Data Disk 3 | Log files of database | SSD Cloud Disk |
For the SAP HANA database, we recommend using SSD Cloud Disk. For more information about how to set up the storage system for SAP HANA, refer to the SAP HANA Operation Guide on Alibaba Cloud.
Alibaba Cloud Object Storage Service is an object store for files of any type or format; it has virtually unlimited storage and you do not have to worry about provisioning it or adding more capacity.
It’s common practice to use OSS to store backup files for long term storage.
A security group functions like a virtual firewall and is used to set network access controls for one or more ECS instances. When creating instances, you must select a security group. You can also add security group rules to control outbound and inbound network access for all ECS instances in the security group.
Alibaba Cloud offers two authentication methods for remote logon to ECS instances:
- Password logon: A standard authentication method using the administrator password. It applies to both Windows instances and Linux instances.
- SSH Key Pair logon: This method only applies to Linux instances. If you are running Linux, it is recommended that you choose this authentication method to protect your ECS instance’s security.
An SSH Key Pair is a pair of keys generated by an encryption algorithm: one key is intentionally made available and is known as the public key; the other key is kept confidential and is known as the private key.
Alibaba Cloud can generate the key pair for you, using a 2048-bit RSA key by default. You can also import the public key of a key pair that has been generated by another key pair generation tool. For more details, see SSH key pair on Alibaba Cloud: https://www.alibabacloud.com/help/doc-detail/51792.htm.
If you have placed the public key in a Linux instance, you can use the private key to log on to the instance using SSH commands or related tools from local computer or another instance, without the need to enter a password.
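The following added example (not part of the original guide) parses an OpenSSH public key line before it is imported and reports the RSA modulus size. The 2048-bit floor is an assumption taken from the platform default mentioned above, the function names are hypothetical, and the sample keys are constructed test values, not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumption: use the platform default as the floor for imported keys

def read_string(blob, offset):
    """Read one length-prefixed field of the SSH wire format; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Return (key_type, rsa_bits or None) for one '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    inner, offset = read_string(blob, 0)
    # The type is stored twice: in clear text and inside the blob. They must agree.
    if inner.decode("ascii", "replace") != declared:
        raise ValueError("key type in blob does not match the declared type")
    if declared != "ssh-rsa":
        return declared, None
    _exponent, offset = read_string(blob, offset)
    modulus, _ = read_string(blob, offset)
    return declared, int.from_bytes(modulus, "big").bit_length()

def review_for_import(line):
    """Return (accept, reason) under the assumed RSA-only size policy."""
    key_type, bits = inspect_public_key(line)
    if key_type != "ssh-rsa":
        return False, f"{key_type}: not covered by this RSA-only check"
    if bits < MIN_RSA_BITS:
        return False, f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}"
    return True, f"RSA {bits} bits"

def mpint(n):
    """Encode a positive integer as an SSH multiple-precision integer."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw

def make_sample_line(bits):
    """Constructed, structurally valid ssh-rsa line; the modulus is not a real key."""
    modulus = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, review_for_import(make_sample_line(size)))
```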
When you create a VPC network on Alibaba Cloud, a vRouter and route table are automatically created after the VPC creation. You cannot create or delete them directly. They will be deleted automatically with the deletion of the VPC. You can add route entries to the route table to route network traffic.
Each entry in the route table is a route entry determining where network traffic is directed. A route entry with the destination CIDR block 100.64.0.0/10 is added by the system by default, when you create a VPC. You are allowed to add customized route entries for your VPC.
If an ECS instance in the VPC without an external IP address needs to access the Internet, a NAT gateway is needed. You can find more details about the NAT gateway at the following link: https://www.alibabacloud.com/product/NAT.
Bastion hosts provide an external facing point of entry into a VPC network containing private-network VMs. This host can provide a single point of fortification or audit and can be started and stopped to enable or disable inbound SSH communication from the Internet.
SSH access to VMs that do not have an external IP address can be achieved by first connecting to a bastion host.
When using a bastion host, you log into the bastion host first, and then into your target private ECS instance through an SSH-based tool such as PuTTY.
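The following added example (not part of the original guide) checks security group ingress rules against the bastion-host pattern described above: SSH and RDP on private instances should be reachable only from the bastion. The rule dictionaries are constructed sample data whose field names follow the ECS security group rule attributes (IpProtocol, PortRange, SourceCidrIp, Policy, Direction); the addresses and function names are assumptions.

```python
import ipaddress

# Remote logon ports named on this page: SSH for Linux, RDP for Windows.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def port_span(port_range):
    """Parse an ECS-style 'start/end' range; '-1/-1' stands for all ports."""
    start, end = (int(p) for p in port_range.split("/"))
    return (1, 65535) if start == -1 else (start, end)

def audit_ingress(rules, allowed_sources):
    """List accept rules that expose SSH/RDP to sources outside allowed_sources.

    Simplification: Priority and Drop rules are ignored, so the result is the
    worst case of what the accept rules alone would permit.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_sources]
    findings = []
    for rule in rules:
        if rule["Direction"].lower() != "ingress" or rule["Policy"].lower() != "accept":
            continue
        if rule["IpProtocol"].lower() not in ("tcp", "all"):
            continue
        low, high = port_span(rule["PortRange"])
        exposed = [name for port, name in sorted(ADMIN_PORTS.items()) if low <= port <= high]
        if not exposed:
            continue
        source = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if any(source.version == net.version and source.subnet_of(net) for net in allowed):
            continue
        severity = "HIGH" if source.prefixlen == 0 else "MEDIUM"
        findings.append((severity, "/".join(exposed), str(source)))
    return findings

def make_rule(protocol, ports, source, policy="Accept"):
    """Build one constructed ingress rule in the shape described in the lead-in."""
    return {"Direction": "ingress", "Policy": policy, "IpProtocol": protocol,
            "PortRange": ports, "SourceCidrIp": source}

BASTION = "10.0.1.10/32"  # hypothetical private address of the bastion host

# Constructed sample: rules of a security group attached to private SAP instances.
SAMPLE_RULES = [
    make_rule("TCP", "22/22", "10.0.1.10"),            # SSH from the bastion only
    make_rule("TCP", "3200/3200", "10.0.0.0/16"),      # application port, not remote logon
    make_rule("TCP", "22/22", "0.0.0.0/0"),            # SSH open to the Internet
    make_rule("TCP", "3000/4000", "192.168.0.0/16"),   # wide range that includes RDP
    make_rule("ALL", "-1/-1", "10.0.1.0/24"),          # every port from the whole subnet
    make_rule("TCP", "22/22", "0.0.0.0/0", "Drop"),    # drop rule, not an exposure
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, [BASTION]):
        print(*finding)
```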
When an ECS instance is created within VPC and without an assigned external IP address, it cannot make direct connections to external services.
To allow these ECS instances to access the Internet, you can set up and configure a NAT gateway. The NAT gateway can route traffic on behalf of any ECS instance in the VPC. You should have one NAT gateway per VPC.
When deploying an SAP solution, a NAT gateway configured with SNAT for the VPC is a must. For more details about this configuration, refer to the Implementation Guide.
For more details about NAT Gateway, see the Alibaba Cloud official site: https://www.alibabacloud.com/product/NAT
If you want to allow the access to your SAP system from Internet, it is suggested that you use a NAT gateway.
You can securely connect your existing IDC to your VPC on Alibaba Cloud through a VPN connection using IPSec by using VPN gateway on Alibaba Cloud. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet. For more information, please kindly check Alibaba Cloud official site.
For more details about VPN Gateway, see the Alibaba Cloud official site: https://www.alibabacloud.com/product/vpn-gateway
If you only want to access your SAP system from your local data center or office LAN, it is suggested that you connect your local data center and office LAN to the VPC on Alibaba Cloud through VPN Gateway.
The following additional resources will help you to further understand your SAP environment on Alibaba Cloud from a security and compliance perspective:
First, refer to the SAP official document System copy and migration guide from: http://support.sap.com/sltoolset -> System Provisioning -> System Copy Option.
SAP offers the system copy and migration services of Software Provisioning Manager 1.0, which enable you to create consistent copies of your SAP systems.
- When the source and target systems use the same operating system and database system, you need to use homogeneous system copy.
For homogeneous system copy, you have these options:
- Using the database-independent process (R3load / JLoad).
- Database restore/recovery. By using database restore and recovery, you can minimize your system downtime, especially if you combine this approach with some kind of log shipping.
- When the source and target systems use a different operating system or database system, you need to use heterogeneous system copy.
- The system copy guides can be found here: https://help.sap.com/viewer/nwguidefinder
- For a heterogeneous SAP system copy, a consultant with SAP migration certification is necessary.
For more details about best practices for SAP system copy and migration, refer to this link: https://wiki.scn.sap.com/wiki/display/SL/System%2BCopy%2Band%2BMigration
The SAP application in a cloud environment runs on a guest operating system (Guest OS) installed inside the virtual environment. SAP Host Agent collects all information required for SAP monitoring and provides it to the SAP NetWeaver local monitoring and Solution Manager to analyze and display. Customers or SAP Technical Support can access the SAP tool through SAP transaction code ST06, either in the local system monitoring of an ABAP system or via Solution Manager for a managed system running on Alibaba Cloud.
In addition to that, Alibaba Cloud and SAP have worked together to create a monitoring agent, ECS Metrics Collector, for SAP NetWeaver running on Alibaba Cloud. ECS Metrics Collector is responsible for gathering information about configuration and resource (CPU, memory, disk, network) utilization from the underlying Alibaba Cloud infrastructure and virtualization platform, and feeding it to SAP Host Agent.
For details and step-by-step instructions about how to install ECS Metrics Collector, please check the SAP NetWeaver on Alibaba Cloud Implementation Guide, and for details about its lifecycle and operations, see the SAP NetWeaver on Alibaba Cloud Operation Guide.
Running SAP on Alibaba Cloud requires you to bring your own license (BYOL).
For more information about SAP licensing, please contact SAP.
In Alibaba Cloud, there are two ways to license SUSE Linux:
- Pay-as-you-go licensing model: Alibaba Cloud provides SLES 11 SP4 and SLES 12 SP2 as public images, and the SLES license cost is included in the ECS instance price.
- BYOL model: Customers can purchase their own SLES license and import the SLES operating system as a customized image.
There are two main options for copying SAP installation media to ECS instance:
- Download from SAP Service Marketplace to ECS instance directly. From your ECS instance, connect to the SAP Service Marketplace and download the required installation media. This option will most likely be the fastest method for getting SAP installation media to Alibaba Cloud, because ECS instances have very fast connections to the Internet. You can create a dedicated ECS instance, for downloading and storing the SAP installation media.
- Copy from your network to the ECS instance. If you already have the required SAP installation media downloaded to a location in your network, you can copy the media from your network directly to an ECS instance.
The following sections describe options for SAP Solution Manager and SAProuter when running SAP solutions on Alibaba Cloud.
Hybrid Architecture – Part of the SAP solution on Cloud, part of the SAP solution on local IDC
When using Alibaba Cloud as an extension to your IT infrastructure, you can use your existing SAP Solution Manager system and SAProuter that are running in your local data center to manage SAP systems running on Alibaba Cloud within a VPC.
All-on-Alibaba Cloud Architecture
When setting up an SAP environment on Alibaba Cloud, you will need to set up an SAP Solution Manager system and a SAProuter with a connection to the SAP support network, as you would with any infrastructure.
When setting up the SAProuter and SAP support network connection, follow these guidelines:
- The instance that the SAProuter software will be installed on should be launched into a public subnet of an Alibaba Cloud VPC and assigned an Elastic IP address (EIP).
- A specific security group should be created for the SAProuter instance with the necessary rules to allow the required inbound and outbound access to the SAP support network.
- You should use the Secure Network Communication (SNC) type of Internet connection. For more information, see https://support.sap.com/en/tools/connectivity-tools/remote-support.html