All Products
Document Center

SAP:SAP MaxDB Deployment Guide

Last Updated:Sep 21, 2023

Version Control


Revision Date

Types Of Changes

Effective Date




SAP® MaxDB™ is the database management system developed and supported by SAP SE.SAP MaxDB is available on Microsoft Windows, Linux and UNIX and for the most prominent hardware platforms as well as Public Cloud. For more details about SAP MaxDB, please kindly refer to SAP official website:

This deployment guide describes how to plan and deploy the SAP MaxDB database system on Alibaba Cloud ECS, including how to configure the ECS instances, block storage, network, and SUSE Linux Enterprise Server (SLES) operating system. This guide includes the best practices from Alibaba Cloud and SAP.

ECS Instance TypesECS Instance Types

This deployment guide describes an ECS General Purpose Instance Family (sn2ne) certified for SAP MaxDB, which runs on the Intel Broadwell architecture and belongs to one of ECS enterprise instance type families. The SSD cloud disk and Ultra cloud disk can be used to host data volumes and logs in the SAP MaxDB database. The currently supported ECS instance types are listed in the table below, for more information, please kindly refer to SAP Note: 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM Types

Instance Type


Memory (GiB)








































For details about the ECS memory instance type family se1, go to

Alibaba Cloud Services

The following table lists services included in the Alibaba Cloud core components used by this deployment guide.




Elastic Compute Service (ECS) is a type of computing service that features elastic processing capabilities. ECS has a simpler and more efficient management mode than that for the physical server. You can create instances, change the operating system, and add or release any number of ECS instances at any time to fit your business needs.

SSD Cloud Disk

It is applicable to I/O intensive applications, and provides stable and high random IOPS performance.

Ultra Cloud Disk

It is applicable to medium I/O load application scenarios and provides the storage performance of up to 3,000 random read/write IOPS for ECS instances.


The Alibaba Cloud Virtual Private Cloud (VPC) is a private network built on Alibaba Cloud. It is logically isolated from other virtual networks in Alibaba Cloud. VPC enables you to launch and use Alibaba Cloud resources in your own defined network.


Alibaba Cloud Object Storage Service (OSS) is a network-based data access service. OSS enables you to store and retrieve structured and unstructured data, including text files, images, audios, and videos.

Deploy SAP MaxDB on Alibaba Cloud

This section describes how to deploy a SAP MaxDB on Alibaba Cloud.


Alibaba Cloud account

If you do not have an Alibaba cloud account yet, you can apply for one according to the following process:

  • Perform the registration process. Go to the Alibaba Cloud homepage, and click Free Account on the upper-right of the page.

  • Follow the guidance described in Sign up with Alibaba Cloud

  • Then, Add a payment method

Region and Zone
  1. Zone

  • A zone is a physical area with independent power grids and networks in one region. The network latency for ECS instances within the same zone is shorter.

  • Intranet communication can take place between zones in the same region, and fault isolation can be performed between zones. Whether to deploy ECS instances in the same zone depends on the requirements for disaster tolerance capabilities and network latency.

  • If your applications require high disaster tolerance capabilities, you are advised to deploy your ECS instances in different zones of the same region.

  • If your applications require low network latency between instances, you are advised to create your ECS instances in the same zone.

  1. Region

Alibaba Cloud data centers are deployed in the following regions at present: China East 1 (Hangzhou), China East 2 (Shanghai), China North 1 (Qingdao), China North 2 (Beijing), China North 3 (Zhangjiakou), China South 1 (Shenzhen), China(Hong Kong), US West 1 (Silicon Valley), US East 1 (Virginia), Singapore, Asia Pacific NE 1 (Japan), Germany 1 (Frankfurt), and Middle East 1 (Dubai).

For more information, please kindly refer to Regions and Zones.

  1. How to select a region

Regions in Chinese mainland

In general cases, it is recommended that you select a data center closest to your end users to further speed up user access. Alibaba Cloud’s data centers in Chinese mainland are similar to each other in terms of infrastructure, BGP network quality, service quality, and ECS operation and configuration. Domestic BGP networks ensure fast access to regions across China.

International regions

The data centers outside the Chinese mainland provide international bandwidth and target areas outside the Chinese mainland. Access to these regions from the Chinese mainland may cause high latency. Therefore, you are not advised to use them.

  1. Different Alibaba Cloud products in different regions cannot communicate with each other through an intranet.

  • ECS, and OSS instances in different regions cannot communicate with each other through an intranet.

  • ECS instances and other cloud resources in different regions, such as OSS instances, cannot communicate with each other through the intranet.

  • Server Load Balancer cannot be deployed for ECS instances in different regions, that is, ECS instances bought in different regions cannot be deployed in the same Server Load Balancer instance.

  • A single VPC can only be deployed in one region. VPCs in different regions cannot be communicate with each other by default. You can select VPCs based on the actual running environment.

SAP MaxDB installation media
  1. Download SAP MaxDB installation media from SAP official website;

  2. Upload the SAP MaxDB installation media to ECS instance;

Deployment process

Configure a network
  1. Create a VPC and switch

  • Log on to the VPC console.

  • In the left navigation bar, click “VPC”.

  • On the VPC list page, select the region where the VPC is located, and click “Create VPC”.

  • In the “Create a VPC” dialog box, enter the VPC name and select the network segment for the VPC.

You can select one of the following standard network segments of the VPC: After the VPC is created, its network segment cannot be modified. You are advised to use a large network segment to prevent subsequent resizing: - - -
  • Click Create VPC.

    After the VPC is created, a VPC ID is generated. A router is created for the VPC at the same time.

  • Click Next to create a switch.

  • On the Create a Switch tab page, provide the following information, and click Create Switch.

    Name: Specify the switch name. Zone: Select the zone of the switch. Network segment: Specify the network segment of the switch. The network segment of the switch can be the same as that of the VPC to which the switch belongs or the subnet of the VPC network segment. The size of the network segment of the switch must be between a 16-bit netmask and a 29-bit netmask. NOTE: If the network segment of your switch is the same as that of the VPC to which your switch belongs, you can only create one switch under the VPC.

  • Click Finish.

    Return to the instance list page, and click the ID link of the created VPC to enter the VPC details page. Check the VPC and switch on the page.

  1. Configure a security group

About security groups

A security group is a logical group that consists of instances in the same region with the same security requirements and mutual trust. Each instance belongs to at least one security group, which must be specified at the time of creation. Instances in the same security group can communicate through the network, but instances in different security groups cannot communicate through an intranet by default. Mutual access can be authorized between two security groups.

A security group is a virtual firewall that provides the stateful packet inspection (SPI) function. Security groups are used to set network access control for one or more ECSs. As an important means of security isolation, security groups are used to divide security domains on the cloud.

  • Security group restrictions

    • A single security group cannot contain more than 1,000 instances. If you require intranet mutual access between more than 1,000 instances, you can allocate them to different security groups and permit mutual access through mutual authorization.

    • Each instance can join a maximum of five security groups.

    • Each user can have a maximum of 100 security groups.

    • Adjusting security groups will not affect the continuity of a user’s service.

    • Security groups are stateful. If an outbound packet is permitted, inbound packets corresponding to this connection will also be permitted.

    • Security groups have two network types: classic network and VPC.

      • Instances of the classic network type can join security groups on the classic networks in the same region.

      • Instances of the VPC type can join security groups on the same VPC.

  • Security group rules

    • Security group rules can be set to permit or forbid ECS instances associated with security groups to access a public network or an intranet from the inbound and outbound directions.

    • You can authorize or delete security group rules at any time. Security group rules you have changed will automatically apply to ECS instances associated with the security groups. When setting security group rules, make sure security group rules are simple. If you allocate multiple security groups to an instance, up to hundreds of rules may apply to the instance. When you access the instance, the network may be disconnected.

    • Security group rule restrictions

      • Each security group can have a maximum of 100 security group rules.

Security group configuration methods

  • Log on to the ECS console.

  • In the left navigation bar, click Security Group.

  • Select the region on which you want to create a security group.

  • Click Create Security Group. In the displayed dialog box, enter the following information:

  • Click “OK” and then click “Configuration Rule”.

  • Complete rule settings by following the corresponding instructions. You are advised to keep only the ports for remote access.


Port configuration reference

During SAP MaxDB deployment, a VPC is used. You only need to set the rules in the outbound and inbound directions, without specifying the public network or VPC. The security group rules are blank by default. When creating an ECS instance, make sure that the selected security group contains port 22 (Linux) or 3389 (Windows). Otherwise, you cannot remotely log on to the ECS instance.

For details about specific ports that SAP needs to access and the related security group rules, refer to SAP official documentation.

Create an SAP MaxDB ECS instance

  1. Log on to Alibaba Cloud ECS ECS product purchase page.

  2. Select Subscription as the payment option.

  3. Select the region and zone.

  4. Select “VPC” for the network type. After selecting the network type, fill in the information about the created or existing VPC and switch. In a multi-node architecture, SAP MaxDB does not provide external services directly. Therefore, set “Public IP Address” to “Not Allocate”.

  5. Select an instance type. Select an instance type which is in sn2ne ECS instance family.

  6. Select an operating system image. The operating system could be SUSE Linux Enterprise Server.

  1. Configure storage disks. You are advised to select storage disks as follows (separate SSD Cloud Disk for log and data file systems, and separate ultra Cloud Disk for backup file system)

  1. Configure initialization information.

After setting the initial password, click “Create”, and wait several minutes for instance initialization.

  1. Create a bastion host.

Create a bastion host with one vCPU and 2 GB memory and without additional storage in the same VPC of the same zone by following the preceding steps.

  1. Configure the network for the bastion host.

There are multiple ways to configure a public IP address at present. The elastic IP address (EIP) configuration is used as an example.An EIP is a public IP address resource that can be independently bought and held. It can be dynamically bound to or unbound from different ECS instances without stopping the ECS instances.

  • Log on to the EIP console.

  • Click “Apply for EIP”.

  • On the purchase page, select the region, bandwidth peak, and payment option on the EIP, click “Buy Now”, and make the payment.

  • NOTE: The region of the EIP must be the same as that of the ECS instance to which the EIP is to be bound.

  • Return to the EIP list page, select the region of the EIP, and click “Refresh” to check the created EIP instance.

  • Click “Bind”.

  • In the “Bind a Public EIP” dialog box, select the created ECS instance, and click “OK”.

  • After the binding is complete, click “Refresh” on the EIP list page to check the EIP instance status.

  • When the EIP instance status is “Allocated”, the ECS instance to which the EIP is bound can be accessed through a public network.

  • Log on to the ECS instance and run the following command to test access through a public network.

  1. Log on to an instance.

No public network is configured for the SAP MaxDB ECS instance currently. Therefore, a bastion host is required for logon to the SAP MaxDB ECS instance.

  1. Install SAP system with the SAP MaxDB according to SAP installation guide.

Connect to SAP MaxDB

As no public IP address will be configured for your SAP MaxDB instance in the preceding deployment, you can only connect to the SAP MaxDB instances through the bastion host using SSH;

  • To connect to SAP MaxDB through the bastion host, connect the SSH client you select to the bastion host and then to the SAP MaxDB instance.


1173395 - FAQ: SAP MaxDB and liveCache configuration

1142243 - SAP MaxDB release for virtual systems

1492000 - General Support Statement for Virtual Environments