
Deploy SAP applications with Amazon Launch Wizard for SAP using a proxy server

Amazon Launch Wizard for SAP launches and configures Amazon EC2 instances to deploy an SAP system on Amazon. The launched instances must have outbound connectivity to the internet to download operating system patches and communicate with several Amazon services. You can set up this connection via an internet gateway or a proxy server in a public subnet.

The following is an example of how to configure a Squid proxy server for deploying SAP applications on Amazon with Launch Wizard.

Setup

Configure your Squid proxy server with the following steps.

  1. Choose any Linux-based AMI. In this example, we have selected the SLES 12 SP5 for SAP AMI.

  2. Verify that your server is hosted on a public subnet and is attached to a public IP address.

  3. Add Amazon services to the allowed_list file.

    1. In the Squid server configuration file /etc/squid/squid.conf, create an allowed_list path using the acl command.

      acl whitelist dstdomain '/etc/squid/allowed_list'

    2. In the allowed_list file, add the domains of all the services listed in the following table.

    3. Run the rcsquid restart command for the changes to take effect.

| Service name | Domains to be allowed |
|---|---|
| Amazon DynamoDB | .dynamodb.<<region>>.amazonaws.com |
| | .dynamodb-fips.<<region>>.amazonaws.com |
| Amazon EFS | .elasticfilesystem.<<region>>.amazonaws.com |
| | .elasticfilesystem-fips.<<region>>.amazonaws.com |
| Amazon EBS | .com.amazonaws.<<region>>.ebs |
| Amazon EC2 | .api.ec2.<<region>>.aws |
| | .ec2.<<region>>.amazonaws.com |
| | .ec2-fips.<<region>>.amazonaws.com |
| | .ec2messages.<<region>>.amazonaws.com |
| | .169.254.169.254 |
| Amazon FSx | .fsx.<<region>>.amazonaws.com |
| Amazon Lambda | .com.amazonaws.<<region>>.lambda |
| | .lambda.<<region>>.amazonaws.com |
| | .lambda-fips.<<region>>.amazonaws.com |
| | .lambda.<<region>>.api.aws |
| Amazon Route 53 | .route53.amazonaws.com |
| Amazon CloudWatch | .com.amazonaws.<<region>>.evidently |
| | .com.amazonaws.<<region>>.evidently-dataplane |
| | .com.amazonaws.<<region>>.monitoring |
| | .com.amazonaws.<<region>>.rum |
| | .com.amazonaws.<<region>>.rum-dataplane |
| | .com.amazonaws.<<region>>.synthetics |
| | .com.amazonaws.<<region>>.events.monitoring.<<region>>.amazonaws.com |
| | .logs.<<region>>.amazonaws.com |
| | .monitoring-fips.<<region>>.amazonaws.com |
| Amazon CloudFormation | .cloudformation.<<region>>.amazonaws.com |
| | .cloudformation-fips.<<region>>.amazonaws.com |
| | .com.amazonaws.<<region>>.cloudformation |
| Amazon KMS | .com.amazonaws.<<region>>.kms |
| | .kms.<<region>>.amazonaws.com |
| | .kms-fips.<<region>>.amazonaws.com |
| Amazon Secrets Manager | .secretsmanager.<<region>>.amazonaws.com |
| | .com.amazonaws.<<region>>.secretsmanager |
| Amazon Identity and Access Management | .iam.amazonaws.com |
| | .iam-fips.amazonaws.com |
| Amazon Systems Manager | .ssm.<<region>>.amazonaws.com |
| | .ssmmessages.<<region>>.amazonaws.com |
| | amazon-ssm-us-east-1.s3.us-east-1.amazonaws.com |
| Amazon S3 | .s3.amazonaws.com |
| | <<S3_bucket_for_HANA_backint_backups>>.s3.<<region>>.amazonaws.com |
| | .s3.<<region>>.amazonaws.com |
| | .s3.dualstack.us-east-1.amazonaws.com |
| Amazon CLI | awscli.amazonaws.com. |
| SUSE infrastructure for SLES | .smt-ec2.susecloud.net |
| | .54.225.105.144 |
| | .54.197.240.216 |
| | .107.22.231.220 |
| | .34.197.223.242 |
| SUSE packages | .scc.suse.com |
| REDHAT repository | .rhui.<<region>>.aws.ce.redhat.com |
| Python packages | .files.pythonhosted.org |
| | .pypi.org |
| | .python.org |
| Amazon Cognito | .cognito-identity.us-east-1.amazonaws.com |
| Amazon Security Token Service | .sts.amazonaws.com |

Run Launch Wizard

After you complete the initial setup, you can begin deploying your SAP application using Launch Wizard. For more information, see Deploy an SAP application with Amazon Launch Wizard.

To connect your SAP deployment on Launch Wizard with the Squid proxy server, enter the IP address of the server. To add the server address, go to Step 2 Define infrastructure > Infrastructure - SAP landscape > Security groups > Proxy server address - optional.

The No proxy setting contains the list of whitelisted domains and IP addresses that do not pass through the proxy server.

In the No proxy setting - optional field, you must include the following IP addresses:

  • Localhost - 127.0.0.1

  • Internal

  • Amazon EC2 instance metadata - 169.254.169.254

Note

If you are deploying an SAP system with high availability using the RHEL operating system, include the hostnames of the ASCS, ERS, primary SAP HANA, and secondary SAP HANA instances in the No proxy setting - optional field. This enables the cluster to communicate with all the nodes and to perform any failover or failback operations.

Amazon EC2 connection

Your Amazon EC2 instance must be connected to the SUSE repository servers on Amazon. Add the following IP addresses to the route tables of the associated Amazon EC2 instances. For more information, see Add and remove routes from a route table. The Target of these routes should be the NAT gateway of your subnet. For more information, see Add a NAT Gateway to an Existing VPC.

  • 34.197.223.242/32

  • 54.197.240.216/32

  • 54.225.105.144/32

  • 107.22.231.220/32

Troubleshoot

To resolve any connectivity issues with the Squid proxy server, use the following steps.

  1. Log in to your Squid proxy server.

  2. Open the access.log file located at /var/log/squid/access.log.

  3. Search for the TCP_DENIED message in the access.log file. The message displays an address that is not allowed in the proxy configuration.

  4. Add the address to the squid.conf file and restart the Squid server for the changes to take effect.

  5. You can now start your SAP deployment over with Launch Wizard.
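
One way to carry out steps 2 and 3 above, as an added example that is not part of the original page: a Python script that pulls the destination hosts from TCP_DENIED lines in Squid's native access.log format and separates hosts missing from allowed_list from hosts the list already covers. The sample log lines, the allowed_list contents and the function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (not from a real deployment).
SAMPLE_ALLOWED = ".s3.us-east-1.amazonaws.com\n.pypi.org\nawscli.amazonaws.com\n"
SAMPLE_LOG = """\
1700000000.101   12 10.0.1.15 TCP_TUNNEL/200 5120 CONNECT pypi.org:443 - HIER_DIRECT/203.0.113.10 -
1700000001.202    0 10.0.1.15 TCP_DENIED/403 3900 CONNECT updates.example.org:443 - HIER_NONE/- text/html
1700000002.303    0 10.0.1.16 TCP_DENIED/403 3900 CONNECT updates.example.org:443 - HIER_NONE/- text/html
1700000003.404    0 10.0.1.16 TCP_DENIED/403 3850 GET http://mirror.example.net/repo/x.rpm - HIER_NONE/- text/html
1700000004.505    0 10.0.1.15 TCP_DENIED/403 3900 CONNECT bucket1.s3.us-east-1.amazonaws.com:443 - HIER_NONE/- text/html
"""

def load_allowed(text):
    # One dstdomain entry per line; skip blank lines and '#' comments.
    entries = (ln.split("#", 1)[0].strip().lower() for ln in text.splitlines())
    return [e for e in entries if e]

def is_allowed(host, entries):
    # '.example.com' covers the domain and its subdomains; no leading dot = exact host.
    host = host.lower().rstrip(".")
    return any((host == e[1:] or host.endswith(e)) if e.startswith(".") else host == e
               for e in entries)

def denied_hosts(log_text):
    # Native log format: field 4 is the result code, field 7 the URL (host:port for CONNECT).
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3].startswith("TCP_DENIED"):
            host = urlsplit(f[6] if "://" in f[6] else "//" + f[6]).hostname
            if host:
                counts[host] += 1
    return counts

def triage(log_text, allowed_text):
    # Return (hosts missing from the list, hosts denied although the list covers them).
    entries = load_allowed(allowed_text)
    missing, covered = {}, {}
    for host, n in denied_hosts(log_text).items():
        (covered if is_allowed(host, entries) else missing)[host] = n
    return missing, covered

if __name__ == "__main__":
    missing, covered = triage(SAMPLE_LOG, SAMPLE_ALLOWED)
    for host, n in sorted(missing.items()):
        print(f"not in allowed_list: {host} ({n} denied requests)")
    for host, n in sorted(covered.items()):
        print(f"already covered:     {host} ({n} denied requests)")
```

A host reported as already covered points to a cause other than a missing entry, such as Squid not having been restarted after the list was edited. Review each missing host before adding it, because every new entry widens what the instances can reach through the proxy.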

Note

The troubleshooting steps are only applicable to the Squid proxy server. The location of the log file varies with the type of proxy server.