This guide provides best practices for operating SAP MaxDB systems that have been deployed on Alibaba Cloud. Note that this guide is not intended to replace any of the standard SAP documentation.
This section shows how to perform administrative tasks typically required to operate an SAP MaxDB system on Alibaba Cloud, including information about starting, stopping, and cloning systems.
You can stop any SAP MaxDB hosts at any time. As a best practice, you should first stop SAP MaxDB running on the Alibaba Cloud ECS instance before you stop the instance. When you resume the instance, the ECS instance will automatically be started with the same IP address, network, and storage configuration as before.
Custom images on Alibaba Cloud can help you run ECS instances effectively by allowing you to create multiple ECS instances with identical OS and environment data to meet scaling requirements.
You can create your own custom image from an existing instance by using the Alibaba Cloud Management Console. For more information, see the Create a custom image using a snapshot section in the Alibaba Cloud documentation. You can use an image in the following ways:
- Creating a full offline backup of the SAP MaxDB system (the OS, /usr/sap, data, log and backup files).
- Creating an ECS instance from the image, or replacing the system disk of an existing ECS instance.
- Moving an SAP MaxDB system from one region to another: create an image of the existing Alibaba Cloud ECS instance and move it to another region by following the instructions in the Alibaba Cloud documentation. You can also copy a custom image to another region to keep the environment and application deployment consistent across regions.
- Cloning an SAP MaxDB system: create an image of an existing SAP MaxDB system to produce an exact clone of it. See the next section of this document.
Note: To create an image of an SAP MaxDB system in a consistent state, stop the SAP MaxDB instance before creating the image.
To create a clone of an SAP MaxDB system, create an image of the SAP MaxDB system in Alibaba Cloud ECS within the same zone. The image generally includes the operating system, the preinstalled SAP MaxDB software, and the same storage layout.
When managing an SAP MaxDB system on Alibaba Cloud, there are three types of administrator accounts:
- Alibaba Cloud account: before using Alibaba Cloud products and services, you must first create an Alibaba Cloud account on the Alibaba Cloud website. With this account you can manage ECS, configure VPC, and manage images and snapshots for your SAP MaxDB system from the Alibaba Cloud website.
- ECS instance administrator account: when an ECS instance is created, an administrator account (usually root) is created at the OS level. Alibaba Cloud creates no other accounts within the operating system; the only default Linux user is root. While using the system, you can create or delete user accounts as required by the operating system.
- SAP MaxDB database system administrator: the SID must be specified during SAP MaxDB installation; SAP MaxDB uses [sid]adm as the system account and creates this account by default.
You provision your SAP MaxDB system on ECS using the ECS virtual network. We strongly recommend using Virtual Private Cloud (VPC) as the network type for SAP MaxDB. An Alibaba Cloud VPC is a private network established in Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. VPC enables you to launch and use Alibaba Cloud resources in your own VPC.
You have full control over your Alibaba Cloud VPC: for example, you can select its IP address range, further segment your VPC into subnets, and configure route tables and network gateways. See the Virtual Private Cloud user guide in the Alibaba Cloud documentation. Additionally, you can connect your VPC with your on-premises network using a physical connection or a VPN to form an on-demand, customizable network environment. This allows you to migrate your applications to Alibaba Cloud smoothly and with little effort.
- By default, the cloud servers of different users are located in different VPCs.
- Different VPCs are isolated by tunnel IDs. Using VSwitches and VRouters, you can segment your VPC into subnets as you would in a traditional network environment. Cloud servers in the same subnet communicate with each other through the VSwitch, while cloud servers in different subnets within a VPC communicate through VRouters.
- The intranets of different VPCs are completely isolated and can only be interconnected through externally mapped IP addresses (Elastic IP and NAT IP).
- Because the IP packets of cloud servers are encapsulated with the tunnel ID, the data link layer (layer 2 MAC addresses) of the cloud server is not carried onto the physical network. Therefore, the layer 2 networks of different cloud servers are isolated. In other words, the layer 2 networks of different VPCs are isolated.
- The ECS instances within a VPC use a security group firewall to control network access. This is the third layer of isolation.
If your security policy requires truly internal VMs, you need to set up a NAT proxy manually on your network and a corresponding route so that the VMs can reach the Internet. Note that you cannot connect directly to a fully internal VM instance by using SSH. To connect to such internal machines, you must set up a bastion instance that has an external IP address and then tunnel through it. For instructions on setting up a bastion instance, see the SAP MaxDB Deployment Guide on Alibaba Cloud. When VMs do not have external IP addresses, they can only be reached by other VMs on the network, or through a managed VPN gateway. You can provision VMs in your network to act as trusted relays for inbound connections (bastion hosts) or for network egress (NAT gateways). For more transparent connectivity without setting up such relays, you can use a managed VPN gateway resource.
A security group is a logical group of instances in the same region that have the same security requirements and trust each other. Each instance belongs to at least one security group, which must be specified at the time of creation. Instances in the same security group can communicate over the network, but instances in different security groups cannot communicate over the intranet by default. However, mutual access can be authorized between two security groups.
A security group is a virtual firewall that provides stateful packet inspection (SPI). Security groups are used to set network access control for one or more ECS instances. As an important means of security isolation, security groups are used to divide security domains on the cloud. See the Security Groups user guide in the Alibaba Cloud documentation.
SAProuter is a software application that provides a remote connection between a customer's network and SAP. In some situations it may be necessary to allow an SAP support engineer to access your SAP MaxDB systems on Alibaba Cloud. The only prerequisite for using SAProuter is a network connection from the customer's network to the SAP network.
To set up a direct support connection to SAP from ECS on Alibaba Cloud, follow these steps:
- Launch the ECS instance on which the SAProuter software will be installed, purchase an Elastic IP (EIP), and bind it dynamically to the VPC ECS instance; this does not require restarting the instance.
- Create and configure a dedicated security group for the SAProuter instance that allows only the required inbound and outbound access to the SAP support network on TCP port 3299.
- Install the SAProuter software following SAP Note 1628296, and create a saprouttab file that allows access from SAP to your SAP MaxDB systems on Alibaba Cloud.
- Set up the connection with SAP. For your Internet connection, use Secure Network Communication (SNC). For more information, see SAP Remote Support – Help.
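As an added example (not from this guide or the Alibaba Cloud documentation), the dedicated security group from the second step expressed as an Alibaba Cloud ROS template: only TCP 3299 to and from the SAP support network is accepted, and lower-priority drop rules catch everything else. The VPC ID vpc-xxxxxxxx and the network 203.0.113.0/24 are placeholders for your own VPC and for the SAP support network addresses SAP provides; security group rules with a lower Priority number are evaluated first.

```json
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "SAProuter security group: TCP 3299 to and from the SAP support network only (placeholder addresses)",
  "Resources": {
    "SaprouterSecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": "vpc-xxxxxxxx",
        "SecurityGroupName": "sg-saprouter",
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "PortRange": "3299/3299", "SourceCidrIp": "203.0.113.0/24",
            "Policy": "accept", "Priority": 1, "NicType": "intranet" },
          { "IpProtocol": "all", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0",
            "Policy": "drop", "Priority": 100, "NicType": "intranet" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "PortRange": "3299/3299", "DestCidrIp": "203.0.113.0/24",
            "Policy": "accept", "Priority": 1, "NicType": "intranet" },
          { "IpProtocol": "all", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0",
            "Policy": "drop", "Priority": 100, "NicType": "intranet" }
        ]
      }
    }
  }
}
```

Because SAProuter forwards the support connection on to your SAP MaxDB hosts, you still need an egress rule for those internal addresses and ports, and an ingress rule for SSH from your bastion host; both depend on your landscape and are deliberately left out here.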
For an IaaS deployment and an SAP MaxDB system implementation, Alibaba Cloud maintains the security of the infrastructure that supports the cloud, and the customer is responsible for the security of the cloud resources and applications that the customer uses.
Here are additional Alibaba Cloud security resources to help you achieve the level of security you require for your SAP MaxDB environment on Alibaba Cloud.
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users (including employees, systems and applications) and securely control their access to your resources through permission levels. RAM thereby allows you to grant access permissions for Alibaba Cloud resources only to your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects your account from unsolicited access. See the Resource Access Management user guide in the Alibaba Cloud documentation.
Alibaba Cloud Message Center allows users to subscribe to notifications and configure the notification channel, including email and SMS. Users are notified of any SSH login on their servers.
Alibaba Cloud Server Guard is a reliable and secure service offering real-time monitoring of your servers and databases. Around-the-clock monitoring of exposed vulnerabilities ensures optimal availability of your services and applications. See the Server Guard user guide in the Alibaba Cloud documentation. Server Guard provides the following login security measures:
- Monitors generic web software vulnerabilities throughout the network in real time.
- Gives users access to Alibaba Cloud Security's emergency vulnerability response capabilities, including vulnerability patches (available before the release of official patches).
- Lets users repair vulnerabilities with one click and intercept attacks during the window between a vulnerability being exposed and an official patch being released.
Backups are vital for protecting your system of record. Create regular backups when the SAP MaxDB workload is low so that you can recover from unexpected system failures. The following are key points about backup and recovery on Alibaba Cloud.
The primary difference between backing up SAP MaxDB on Alibaba Cloud and on a traditional on-premises infrastructure is the final backup destination. With on-premises infrastructure the typical final backup destination is tape. On Alibaba Cloud, backups are stored in OSS instead. Storing backups in Alibaba Cloud OSS has many benefits compared to tape: you can read, write, delete and store an unlimited number of objects in your OSS bucket; OSS stores three copies of each object in multiple locations to ensure 99.999999999% data reliability; and OSS has built-in security mechanisms including multi-level security, monitoring of unauthorized login attempts, DDoS attack protection and data access policies.
By default, on Alibaba Cloud, SAP MaxDB ECS instances are configured with Cloud Disk as the SAP MaxDB database's initial local backup destination. SAP MaxDB backups are first stored on these local Cloud Disk volumes, and then copied to OSS for long-term storage.
To grant a user access to backups in an OSS bucket, configure an access rule for the user in the RAM console, using the following steps:
- Select the user to whom you want to grant OSS access and click "Authorization".
- Select the authorization policy "AliyunOSSFullAccess".
- As the account owner, you will be asked to enter a verification code sent to your phone.
- After the phone verification, you can check the access in the policy management panel.
- If you want to create a customized policy, you can do so from the policy management panel as well. For more details, refer to the RAM Policy Management documentation (https://help.aliyun.com/document_detail/28652.html) on the Alibaba Cloud website.
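As an added example (not from this guide or the Alibaba Cloud documentation), a customized RAM policy that follows the least-privilege principle for the identity that copies SAP MaxDB backups to OSS: instead of AliyunOSSFullAccess it allows listing buckets plus reading, listing and writing objects in a single backup bucket. The bucket name sap-maxdb-backups is a placeholder.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject"
      ],
      "Resource": [
        "acs:oss:*:*:sap-maxdb-backups",
        "acs:oss:*:*:sap-maxdb-backups/*"
      ]
    }
  ]
}
```

Leaving out oss:DeleteObject means that a compromised SAP MaxDB host can add backup objects but cannot remove existing backups; deletions are reserved for a separate, more privileged identity.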
This section provides backup options for non-production systems. Examples of non-production systems are:
- Demo systems
- Training systems
- Sandbox systems
- Proof-of-concept systems
- Trial systems
Typical requirements of non-production systems:
- Infrequent backups
- No request for Point-in-time recovery
- Simple, low-cost backups
Cloud Disk Snapshot offers a simple and low-cost backup service that can be used to meet the requirements of non-production systems. It has a very flexible snapshot policy: for example, a user can take snapshots on the hour and several times a day, choose any day as the recurring day for weekly snapshots, and specify the snapshot retention period or retain snapshots permanently. Note that when the maximum number of automatic snapshots has been reached, the oldest automatic snapshot is deleted. For more information about Cloud Disk Snapshot, read the documentation (https://help.aliyun.com/document_detail/25391.html) on the Alibaba Cloud website.
Before using Cloud Disk Snapshot for backups, check SAP Note 1928060 - Data backup and recovery with file system backup. Certain prerequisites must be met before taking a disk snapshot.
Automatic snapshots of the Cloud Disk volumes attached to the SAP MaxDB ECS instance, including the system disk (/usr/sap) and the data disks for the data and log file systems, can be configured to be created on a regular basis.
Snapshots can be used to manually restore a whole SAP MaxDB ECS instance of a non-production system.
The backup options covered in this section address the following backup requirements that are common for production systems:
- Frequent backups based on a schedule
- Point-in-time database recovery
- By default, on the Alibaba Cloud platform, the SAP MaxDB database's initial local backup destination is configured on Cloud Disk volumes attached to the SAP MaxDB ECS instance;
- Users can use SQL commands or the SAP DBA Cockpit to start or schedule SAP MaxDB data backups. Log backups are written automatically unless disabled;
- Users can then copy the SAP MaxDB database backup files from the local Cloud Disk to Alibaba Cloud OSS for long-term storage;
- If cross-region redundancy is needed, backup files in OSS can be configured to be replicated to other regions.
- To restore, copy the backup files from OSS to the backup directory on a Cloud Disk of the SAP MaxDB ECS instance;
- Then restore and recover the SAP MaxDB database from the backup files on the backup Cloud Disk.