
SAP: SAP MaxDB operation guide

Last Updated: Feb 27, 2026

This guide covers best practices for operating SAP MaxDB systems deployed on Alibaba Cloud. It does not replace standard SAP documentation.

Version control

Version | Revision date | Types of changes | Effective date
1.0 | 2018/5/25

Administering SAP MaxDB instances

Perform routine tasks such as starting, stopping, imaging, and cloning SAP MaxDB systems on Alibaba Cloud ECS.

Starting and stopping ECS instances

Stop SAP MaxDB before stopping the ECS instance to ensure a consistent state.

When the instance resumes, ECS starts it with the same IP address, network, and storage configuration.

Creating a custom image

Use custom images to create multiple ECS instances with identical OS and environment data for scaling.

Create a custom image from an existing instance through the Alibaba Cloud Management Console. For more information, see the Create a custom image using a snapshot section in the Alibaba Cloud documentation.

Stop the SAP MaxDB instance before creating the image to ensure a consistent state.

Use cases for custom images:

  • Full offline backup -- Back up the entire MaxDB system (OS, /usr/sap, data, log, and backup files).

  • Instance creation -- Create an ECS instance or change the system disk of an ECS instance.

  • Region migration -- Copy a custom image to another region to maintain a consistent environment and application deployment across multiple regions.

  • System cloning -- Create an image of an existing SAP MaxDB system to produce an exact clone. See the next section for details.

Cloning an SAP MaxDB system

Create a clone by making an image of an SAP MaxDB system in Alibaba Cloud ECS within the same zone. The image includes the operating system, preinstalled SAP MaxDB software, and the same storage system layout.

Managing accounts

Three types of administrator accounts are involved in managing SAP MaxDB on Alibaba Cloud.

Account type | Scope | Details
Alibaba Cloud account | Cloud resource management | Manage ECS, configure VPC, and manage images or snapshots for the SAP MaxDB system through the Alibaba Cloud website. Create this account on the Alibaba Cloud website before using any products or services.
ECS instance administrator (usually root) | Operating system | Created at the OS level when the ECS instance is created. Alibaba Cloud does not create any additional accounts within the operating system; the default Linux system user is root only. Create or delete user accounts as needed through the operating system.
SAP MaxDB database system administrator | Database | Specify the SID during SAP MaxDB installation. SAP MaxDB uses [sid]adm as the system account and creates this account by default.

Configuring networking

Use Virtual Private Cloud (VPC) as the default network type for SAP MaxDB. Alibaba Cloud VPC is a private network logically isolated from other virtual networks in Alibaba Cloud. Launch and use Alibaba Cloud resources within your own VPC.

VPC provides full control over:

  • IP address range selection

  • Subnet segmentation

  • Route table and network gateway configuration

See the user guide of Virtual Private Cloud in the Alibaba Cloud documentation.

Connect a VPC to an on-premises network using a physical connection or VPN to create an on-demand network environment. This allows smooth migration of applications to Alibaba Cloud.

Isolating networks with VPC

VPC provides multiple layers of network isolation:

Isolation layer | Description
User isolation | Cloud servers of different users reside in different VPCs by default.
Tunnel ID isolation | Different VPCs are isolated by tunnel IDs. Use vSwitch for communication within the same subnet. Use VRouters for communication between different subnets within a VPC.
Inter-VPC isolation | Intranets between different VPCs are completely isolated and can only be interconnected through external IP mapping (Elastic IP and NAT IP).
Layer 2 isolation | IP packets of cloud servers are encapsulated with tunneling IDs. The data link layer (Layer 2 MAC address) of the cloud server does not transfer to the physical network. Layer 2 networks between different VPCs are therefore isolated.
Security group isolation | ECS instances within a VPC use a security group firewall to control network access. This is the third layer of isolation.

Setting up NAT gateway access

If your security policy requires fully internal VMs, set up a NAT proxy manually on the network and configure a corresponding route so that VMs can reach the internet.

Fully internal VM instances cannot be reached directly by SSH. Set up a bastion instance with an external IP address and tunnel through it. For details on setting up a bastion instance, see the SAP MaxDB Deployment Guide on Alibaba Cloud.

When VMs do not have external IP addresses, they can only be reached by other VMs on the network or through a managed VPN gateway. Provision VMs in the network to act as trusted relays for inbound connections (bastion hosts) or network egress (NAT gateways). For transparent connectivity without setting up such connections, use a managed VPN gateway resource.

Controlling access with security groups

A security group is a logical group of instances in the same region with the same security requirements and mutual trust. Each instance belongs to at least one security group, which must be specified at the time of creation.

Communication rules:

  • Instances in the same security group can communicate through the network.

  • Instances in different security groups cannot communicate through the intranet by default. Authorize mutual access between two security groups as needed.

A security group functions as a virtual firewall that provides stateful packet inspection (SPI). Security groups set network access control for one or more ECS instances and divide security domains on the cloud. See the User Guide of Security Groups in the Alibaba Cloud documentation.

Enabling SAP support access with SAProuter

SAProuter is a software application that provides a remote connection between a customer network and SAP. It may be necessary to allow an SAP support engineer to access SAP MaxDB systems on Alibaba Cloud.

Prerequisite

A network connection from the customer network to the SAP network is required.

Setup steps

  1. Launch the ECS instance where the SAProuter software will be installed. Purchase an Elastic IP (EIP) resource and dynamically bind it to a VPC ECS instance without restarting the ECS instance.

  2. Create and configure a specific security group for the SAProuter instance. Allow only the required inbound and outbound access to the SAP support network, along with TCP port 3299.

  3. Install the SAProuter software following SAP Note 1628296. Create a saprouttab file that allows access from SAP to the SAP MaxDB systems on Alibaba Cloud.

  4. Set up the connection with SAP. Use Secure Network Communication (SNC) for the internet connection. For more information, see the SAP Remote Support documentation.
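
An added example (not part of the original guide and not SAP tooling): a small Python review check for the saprouttab created in step 3. It flags permit entries that do not use SNC and entries that use wildcards. The sample table, host addresses, SNC name, and service port 7210 are constructed placeholders.

```python
import shlex

# Constructed sample saprouttab; hosts, SNC name and ports are placeholders.
SAMPLE_SAPROUTTAB = '''\
# SNC transport to the SAP-side router (placeholder name and address)
KT "p:CN=example-sap-router, O=Example" 192.0.2.10 3299
# SNC-protected access from SAP to one MaxDB host on one service
KP "p:CN=example-sap-router, O=Example" 10.0.1.20 7210
# Leftover test entries that should not survive review
P * * *
P 10.0.0.5 10.0.1.20 *
D * * *
'''

PERMIT = {"P", "S", "KP", "KS", "KT"}   # entry types that open a route
SNC = {"KP", "KS", "KT", "KD"}          # entry types bound to an SNC name

def audit_saprouttab(text):
    """Return (line_no, severity, message) findings for a route permission table."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps a quoted SNC name as one field
        # Any trailing digits, commas or '*' on the type token are ignored.
        kind = fields[0].rstrip("0123456789,*").upper()
        if kind not in PERMIT | {"D", "KD"} or len(fields) < 4:
            findings.append((no, "error", "unparseable entry"))
            continue
        if kind not in PERMIT:
            continue  # deny entries cannot widen access
        if kind not in SNC:
            findings.append((no, "warn", "permit entry without SNC"))
        names = ("source", "destination", "service")
        wild = [n for n, v in zip(names, fields[1:4]) if v == "*"]
        if wild:
            sev = "high" if len(wild) == 3 else "warn"
            findings.append((no, sev, "wildcard " + ", ".join(wild)))
    return findings

if __name__ == "__main__":
    for finding in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(finding)
```

Run it against the table before each SAProuter restart; an empty result means every permit entry is SNC-bound and names a specific source, destination, and service.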

Securing SAP MaxDB environments

For IaaS deployments of SAP MaxDB systems, Alibaba Cloud maintains security of the infrastructure that supports the cloud. The customer is responsible for securing cloud resources and applications.

The following Alibaba Cloud services help achieve the required security level for SAP MaxDB environments.

Controlling resource access with RAM

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service. It enables centralized management of users (including employees, systems, or applications) and secure control of their access to resources through permission levels.

RAM grants access permissions for Alibaba Cloud resources to selected privileged users, enterprise personnel, and partners. This ensures secure and appropriate usage of cloud resources and protects against unsolicited access. See the User Guide of Resource Access Management in the Alibaba Cloud documentation.

Receiving login notifications

Alibaba Cloud Message Center allows users to subscribe to notifications and configure the notification channel, including email and SMS messages. Users are notified of any SSH login on their servers.

Monitoring with Server Guard

Alibaba Cloud Server Guard provides real-time monitoring of servers and databases. Around-the-clock monitoring of exposed vulnerabilities ensures optimal availability of services and applications. See the User Guide of Server Guard in the Alibaba Cloud documentation.

Server Guard capabilities:

  • Monitors generic web software vulnerabilities throughout the network in real time.

  • Provides access to Alibaba Cloud Security emergency vulnerability response capabilities, including vulnerability patches available before the release of official patches.

  • Repairs vulnerabilities with one click and intercepts attacks between the time a vulnerability is exposed and an official patch is released.

Backing up and recovering SAP MaxDB

Create regular backups when SAP MaxDB workload is low. Backups protect against unexpected system failures and enable recovery.

Understanding backup destinations on Alibaba Cloud

The primary difference from on-premises infrastructure is the backup destination. On-premises environments typically use tape. On Alibaba Cloud, backups are stored in OSS instead.

Benefits of storing backups in Alibaba Cloud OSS:

  • Read, write, delete, and store unlimited objects in an OSS bucket.

  • Three copies stored in multiple locations to ensure 99.999999999% data reliability.

  • Built-in security mechanisms including multi-level security, monitoring of unauthorized login attempts, DDoS attack protection, and data access policies.

By default, SAP MaxDB ECS instances are configured with cloud disk as the initial local backup destination. SAP MaxDB backups are first stored on these local cloud disk volumes, then copied to OSS for long-term storage.

Comparing backup strategies

Aspect | Non-production systems | Production systems
System examples | Demo, training, sandbox, proof-of-concept, trial | Production workloads
Backup frequency | Infrequent | Frequent, schedule-based
Point-in-time recovery | Not required | Required
Backup method | Cloud disk snapshot | SAP MaxDB native backup to cloud disk, then to OSS
Restore method | Manually restore entire ECS instance from snapshot | Copy backup files from OSS to cloud disk, then restore database
Long-term storage | Snapshot retention policy | OSS with optional cross-region replication

Managing identity and access for backups

Grant access to backups in an OSS bucket by configuring the user with access rules in the RAM console.

  1. Select the user to grant OSS access and click Authorization.

  2. Select the authorization policy AliyunOSSFullAccess.

  3. As the account owner, input a verification code through phone verification.

  4. After phone verification, check the access in the policy management panel.

  5. To create a customized policy, use the policy management panel. For more details, see RAM Policy Management.
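
An added example for the customized policy mentioned in step 5 (not from the original guide): Python that builds a RAM policy document limited to one backup bucket and checks any policy for grants that reach beyond it. The bucket name, prefix, and function names are constructed for illustration; FULL_ACCESS_SHAPE is a stand-in for a grant of every OSS action on every resource.

```python
# Bucket name and prefix used below are constructed placeholders.

def backup_bucket_policy(bucket, prefix="", allow_delete=False):
    """Build a RAM custom policy limited to one OSS bucket and key prefix."""
    object_actions = ["oss:PutObject", "oss:GetObject"]
    if allow_delete:  # leave off so the database host cannot erase its own backups
        object_actions.append("oss:DeleteObject")
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["oss:ListObjects"],
             "Resource": [f"acs:oss:*:*:{bucket}"]},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": [f"acs:oss:*:*:{bucket}/{prefix}*"]},
        ],
    }

def _as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy, bucket):
    """Return Allow statements with wildcard actions or resources outside `bucket`."""
    base = f"acs:oss:*:*:{bucket}"
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wide_action = any("*" in a for a in _as_list(stmt.get("Action", [])))
        wide_resource = any(r != base and not r.startswith(base + "/")
                            for r in _as_list(stmt.get("Resource", [])))
        if wide_action or wide_resource:
            hits.append(stmt)
    return hits

# Stand-in for a full-access grant: every OSS action on every resource.
FULL_ACCESS_SHAPE = {"Version": "1",
                     "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

if __name__ == "__main__":
    import json
    scoped = backup_bucket_policy("example-maxdb-backups", "prod/")
    print(json.dumps(scoped, indent=2))
    print("over-broad:", len(overbroad_statements(FULL_ACCESS_SHAPE, "example-maxdb-backups")))
```

The printed JSON can be pasted into the policy management panel as a custom policy; the account that copies backups to OSS then needs no delete or cross-bucket rights.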

Backing up non-production systems

Non-production systems include demo, training, sandbox, proof-of-concept, and trial systems. These systems typically require infrequent backups, no point-in-time recovery, and simple low-cost solutions.

Cloud disk snapshot offers a backup service that meets these requirements. Snapshot policy options include:

  • Hourly snapshots, multiple times per day

  • Any day as the recurring day for weekly snapshots

  • Configurable retention period or permanent retention

When the maximum number of automatic snapshots is reached, the oldest automatic snapshot is deleted. For more information, see Snapshot overview. Before using cloud disk snapshot for backup, check SAP Note 1928060 - Data backup and recovery with file system backup. Specific prerequisites must be met before taking a disk snapshot.

Backup approach

Configure automatic snapshots for cloud disk volumes attached to the SAP MaxDB ECS instance on a regular basis. This covers:

  • System disk (/usr/sap)

  • Data disk for data file system

  • Log file system

Restore approach

Use snapshots to manually restore an entire SAP MaxDB ECS instance of a non-production system.

Backing up production systems

Production systems require frequent schedule-based backups and point-in-time database recovery.

Backup approach

  1. By default, the SAP MaxDB database initial local backup destination is configured on cloud disk volumes attached to the SAP MaxDB ECS instance.

  2. Start or schedule SAP MaxDB data backups using SQL commands or the SAP DBA Cockpit. Log backups are written automatically unless disabled.

  3. Copy SAP MaxDB database backup files from local cloud disk to Alibaba Cloud OSS for long-term storage.

  4. (Optional) If cross-region redundancy is needed, configure backup files on OSS to replicate to different regions.

Restore approach

  1. Copy backup files from OSS to a cloud disk backup directory on the SAP MaxDB ECS instance.

  2. Restore and recover the SAP MaxDB database based on the backup files on the backup cloud disk.

Related documents

  • SAP MaxDB Deployment Guide on Alibaba Cloud

  • User Guide of Virtual Private Cloud

  • User Guide of Security Groups

  • User Guide of Resource Access Management

  • User Guide of Server Guard

  • Snapshot overview

  • RAM Policy Management