Alibaba Cloud overview
Alibaba Cloud SAP NetWeaver overview
Alibaba Cloud is built on global infrastructure and offers various types of IaaS products and services. Customers can use Alibaba Cloud services in different regions worldwide. Before running SAP NetWeaver on Alibaba Cloud, you must fully understand the following basic knowledge:
Alibaba Cloud Elastic Compute Service (ECS)
Alibaba Cloud Elastic Compute Service (ECS) is a web service that provides scalable computing power in the cloud. The simple web service interface allows you to easily obtain and configure computing power. As computing needs change, you can quickly scale computing power up and down, and you only pay for what you actually need.
Alibaba Cloud Block Storage (cloud disk)
Alibaba Cloud Block Storage (cloud disk) provides persistent block-level storage volumes for Alibaba Cloud ECS instances running on the Alibaba Cloud platform. Cloud disk storage volumes offer consistency and low latency performance to meet your workload needs. With cloud disks, you can increase or decrease usage within minutes, and all this is available at a low cost based on actual usage.
Alibaba Cloud Object Storage Service (OSS)
Alibaba Cloud Object Storage Service (OSS) is an easy-to-use service that allows you to store, back up, and archive large amounts of data in the cloud. OSS acts as an encrypted central repository, allowing people to securely access files from around the world. OSS guarantees up to 99.9999% availability, making it an ideal choice for global teams and international project management.
Virtual Private Cloud (VPC)
Virtual Private Cloud (VPC) allows Alibaba Cloud users to build an isolated network environment. You can choose the IP address range, divide the network, and configure route tables and gateways.
SAP NetWeaver and Alibaba Cloud services work together in a specific way to provide our customers with unified enterprise application and infrastructure capabilities.
SAP NetWeaver system and database components use Alibaba Cloud ECS instance storage services and VPC services.
SAP Host Agent/SAPOSCOL can be deployed with the standard installation of SAP NetWeaver and can invoke the monitoring agent components provided by Alibaba Cloud.
Alibaba Cloud ECS Metrics Collector is a monitoring agent program that collects required CPU, memory, disk, and network monitoring data and provides these metrics for SAP applications.
Two-tier architecture
In this architecture, all components run on a single ECS instance. The ECS instance has three disks mounted, each playing a specific role. These roles include the following:
System disk: Contains the operating system and paging file of the ECS instance.
Data disk 1: Contains SAP NetWeaver installation and configuration files and database installation and configuration files.
Data disk 2: Contains database data files for maintaining data consistency. Note: Data disk 2 should use SSD or ESSD cloud disks to ensure database performance.
Data disk 3: Contains database log files for maintaining data consistency. Note: Data disk 3 should also use SSD or ESSD cloud disks to ensure database performance.
For more information about Alibaba Cloud SAP HANA deployment architecture, see SAP HANA deployment guide.
For information about two-tier deployment of SAP HANA, see the official SAP documentation: 1953429 - SAP HANA and SAP NetWeaver AS ABAP on one Server.
Three-tier architecture (SAP NetWeaver application server horizontal scaling)
To handle higher workloads, SAP supports a horizontal scaling architecture with multiple application servers on demand.
In a horizontal scaling configuration, each node must access the same shared file system. For Linux, use the "Network File System" (NFS) as the file sharing system for the NetWeaver binary/configuration file disk of the central system (/sapmnt/[SID], where [SID] is the system ID). For more detailed information, refer to the SAP standard documentation.
In this architecture, the SAP NetWeaver system can distribute workloads to multiple NetWeaver application servers (AS) hosted on multiple ECS instances. All NetWeaver AS nodes share the same database, which is hosted on a separate ECS instance.
All NetWeaver AS nodes install and access a shared file system that hosts SAP NetWeaver binary and configuration files. For Linux, use the "Network File System" (NFS) as the file sharing system for the NetWeaver binary/configuration file disk of the central system (/sapmnt/[SID], where [SID] is the system ID). For more detailed information, refer to the SAP standard documentation.
High availability
For high availability deployment of SAP applications on the Alibaba Cloud platform, refer to SAP S/4 high availability deployment best practices.
Alibaba Cloud ECS
ECS instance types
Alibaba Cloud ECS offers various instance types (virtual machine specifications) to deploy SAP solutions. Each instance type provides different CPU, memory, and I/O capabilities. You can only run SAP applications on ECS instances certified by SAP. For a list of SAP-certified instance types for SAP NetWeaver, see SAP official Notes 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM types.
For a detailed introduction to ECS instance types, please visit the official Alibaba Cloud website.
Images
When creating an ECS instance, you use an image that contains a pre-installed basic operating system. Alibaba Cloud collaborates with operating system partners to provide you with the latest optimized operating system images. There are multiple ways to specify an image for your ECS instance.
Public images
The operating system license fee for public images is included in the ECS instance pricing. You do not need to provide your own operating system license. The following are the operating systems available in the public image list required for SAP NetWeaver:
Linux
SUSE Linux Enterprise Server 12 SP2 (SLES12) and later
Red Hat Enterprise Linux 7.4 (RHEL7) and later
Windows
Microsoft Windows Server 2012 R2, 2016, and 2019
For the latest information on supported operating systems, see SAP Notes 2552731 - SAP Applications on Alibaba Cloud: Supported Products and IaaS VM types.
Regions and zones
Alibaba Cloud infrastructure is built around regions and zones. A region refers to a specific physical location on Earth, and in most cases, we have multiple regions. A zone consists of one or more isolated data centers, each with redundant power, network, and connectivity capabilities, and located in separate facilities. These zones provide you with the ability to run production environment applications and databases, offering higher availability, fault tolerance, and scalability compared to a single data center. Alibaba Cloud operates 29 zones in 14 regions worldwide.
VPC
Virtual Private Cloud (VPC) allows you to build a private, isolated network environment in Alibaba Cloud, where you can run IaaS resources in your defined virtual network. With VPC, you can define a virtual network topology that is very similar to the traditional operational network in your data center. Additionally, you can establish a connection between your enterprise data center and Alibaba Cloud VPC, using Alibaba Cloud as an extension of your enterprise data center.
Deploy ECS instances
You can deploy your ECS instances on the Alibaba Cloud platform using standard Alibaba Cloud methods, including the ECS Console (cloud platform console web UI) and REST API. You can read the following pages for more useful information.
For detailed information and step-by-step instructions on deploying SAP NetWeaver systems on ECS, see the Alibaba Cloud SAP NetWeaver Implementation Guide.
Access ECS instances
For Linux-based ECS instances, users can use SSH functionality to access ECS instances through SSH-based tools such as PuTTY. For example, you can access ECS instances from a jump server using PuTTY.
For Windows-based ECS instances, users can access ECS using Remote Desktop Protocol (RDP) as long as the public IP address can access the ECS instance.
Database
For Alibaba Cloud SAP NetWeaver, you can use SAP HANA.
SAP HANA
SAP HANA currently only supports SUSE Linux Enterprise Server. For more information on supported ECS instance types and operating systems, see the SAP HANA deployment guide.
For more information about SAP HANA, see the SAP HANA operation guide and SAP documentation.
To obtain specifications and recommendations for SAP HANA, check the relevant information on the official SAP website.
Database backup and recovery
Since most SAP NetWeaver systems are used for mission-critical workloads, customers must have a data backup and recovery plan to ensure they can recover their systems and databases in the worst-case scenario.
For information on SAP HANA backup and recovery, refer to:
Storage
By default, each ECS instance has a small system disk (ultra disk or SSD cloud disk) that contains the operating system. You can add additional data disks and mount them to the ECS instance to serve as storage disks for different components of your system.
Block storage (cloud disk)
Alibaba Cloud Block Storage (cloud disk) provides persistent block-level storage volumes for use with Alibaba Cloud ECS instances. You can choose different cloud disk types based on your needs:
For data reliability, leveraging the advantages of Alibaba Cloud's distributed storage technology with a triple storage system, all three types of cloud disks can ensure 99.9999999% data integrity.
For SAP HANA databases, we recommend using SSD or ESSD cloud disks. For more information on how to set up a storage system for SAP HANA, see storage planning.
Object Storage Service (OSS)
Alibaba Cloud Object Storage Service is an object storage for files of any type or format. It has virtually unlimited storage space, so you don't have to worry about capacity limitations or scaling issues.
The common practice is to use OSS to store archived or infrequently accessed files.
Network and security
Security group
The security group functions like a virtual firewall to set network access control for one or more ECS instances. When creating an instance, you must select a security group. You can also add security group rules to control the outbound and inbound network access of all ECS instances in the security group.
SSH key pair
Alibaba Cloud provides two authentication methods for remote logon to ECS instances:
Password logon: The standard authentication method using an administrator password. It is applicable to both Windows and Linux instances.
SSH key pair logon: This method is only applicable to Linux instances. If you are running on Linux, it is recommended to choose this authentication method to secure ECS instances.
An SSH key pair is a pair of keys generated by an encryption algorithm: one is public and shared with the outside world, called the public key; the other is kept by you, called the private key.
Alibaba Cloud will create a 2048-bit RSA key pair for you by default. You can also import the public key of a key pair generated by other key pair generation tools. For more detailed information, visit the following link to learn about Alibaba Cloud SSH key pair.
If you place the public key in a Linux instance, you can use the private key to log on to this instance from a local computer or other instance using the SSH command or related tools without entering a password.
Router configuration
When creating a VPC network on Alibaba Cloud, the system automatically creates a router and route table after the VPC is created. You cannot directly create or delete them. After the VPC is deleted, these routers and route tables will be automatically deleted. You can add route entries to the route table to route network traffic.
Each entry in the route table is used to guide the direction of network traffic. When creating a VPC, the system will add a default route entry with a target CIDR block of 100.64.0.0/10. You can add custom route entries for your VPC.
If ECS instances in the VPC without external IP addresses want to access the Internet, a NAT Gateway is required.
Bastionhost
A bastion host provides an external entry point into a VPC network containing virtual machines in a private network. This host can provide single-point defense or audit, and you can start and stop this feature to enable or disable inbound SSH communication from the Internet.
By first connecting to the bastion host, you can achieve SSH access to virtual machines without external IP addresses.
When using a bastion host, first log on to the bastion host, and then log on to the target private ECS instance using SSH-based tools such as PuTTY.
NAT Gateway
If an ECS instance is created inside a VPC and is not assigned an external IP address, it cannot directly connect to external services.
To allow these ECS instances to access the Internet, you can set up and configure a NAT Gateway. A NAT Gateway can route traffic on behalf of any ECS instance in the VPC. Each VPC should have a NAT Gateway.
When deploying SAP solutions, you must configure a NAT Gateway with SNAT for the VPC. For more detailed information on this configuration, refer to the implementation guide.
If you want to allow access to your SAP system from the Internet, it is recommended to use a NAT Gateway.
VPN Gateway
You can securely connect your existing IDC and Alibaba Cloud VPC in Alibaba Cloud through a VPN Gateway and VPN connection (using IPSec). Traffic transmission between the two networks is encrypted by one VPN Gateway and then decrypted by another VPN Gateway. This protects your data transmission on the Internet. For more information, please refer to the official Alibaba Cloud website.
If you only want to access your SAP system from your local data center or office local area network, it is recommended to connect your local data center and office local area network to Alibaba Cloud VPC through a VPN Gateway.
Security documentation
The following additional resources can help you further understand the SAP environment in Alibaba Cloud from a security and compliance perspective:
SAP NetWeaver monitoring and support
SAP applications in the cloud environment run on the guest operating system (Guest OS) installed in the virtual environment. SAP Host Agent can collect all the information required for SAP monitoring and provide it to SAP NetWeaver local monitoring and Solution Manager for analysis and display. Customers or SAP technical support personnel can access SAP tools through SAP transaction code ST06, whether through the local ABAP monitoring system or through Solution Manager (for managed systems running in Alibaba Cloud).
In addition, Alibaba Cloud and SAP have jointly developed a monitoring agent program - ECS Metrics Collector for SAP NetWeaver running on Alibaba Cloud. ECS Metrics Collector is responsible for collecting information about configuration and resource (CPU, memory, disk, network) utilization from the underlying Alibaba Cloud infrastructure and virtualization platform and providing it to SAP Host Agent.
For detailed information and step-by-step instructions on how to install ECS Metrics Collector, see the ECS Metrics Collector for SAP deployment guide.
Licensing
SAP licenses
Running SAP on Alibaba Cloud requires you to bring your own license (BYOL).
For more information about SAP licenses, please contact SAP.
Linux licenses
In Alibaba Cloud, there are two ways to obtain SUSE Linux licenses:
Pay-as-you-go licensing model: Alibaba Cloud offers SLES 12 for SAP and SLES 15 for SAP, and the cost of the SLES subscription is included in the ECS instance price.
BYOL model: Customers can purchase their own SLES licenses and import the SLES operating system as a custom image.
Installation media
There are two main options for copying SAP installation media to ECS instances:
Download directly from SAP Service Marketplace to the ECS instance. Connect from your ECS instance to SAP Service Marketplace and download the required installation media. This option is likely the fastest way to obtain SAP installation media in Alibaba Cloud because the connection speed between ECS instances and the Internet is very fast. You can create a dedicated ECS instance to download and store SAP installation media.
Copy from your network to the ECS instance. If you have already downloaded the required SAP installation media to a location in your network, you can copy the media directly from your network to the ECS instance.
SAP Router and Solution Manager
The following sections describe the options for SAP Solution Manager and SAProuter when running SAP solutions on Alibaba Cloud.
Hybrid architecture - Part of the SAP solution in the cloud, part of the SAP solution in the local IDC
Pure Alibaba Cloud architecture
When setting up SAProuter and SAP support network connections, follow these guidelines:
The instance where the SAProuter software is installed must be launched into the public subnet of the Alibaba Cloud VPC and assigned an Elastic IP Address (EIP).
A specific security group must be created for the SAProuter instance, with the necessary rules configured to allow the required inbound and outbound access to the SAP support network.
You should use a Secure Network Communication (SNC) type of external network connection. For more information, see https://support.sap.com/en/tools/connectivity-tools/remote-support.html