SAP Support Access - SAP HANA on Amazon

SAP Support Access

In some situations it may be necessary to allow an SAP support engineer to access your SAP HANA systems on Amazon. The following information serves only as a supplement to the information contained in the “Getting Support” section of the SAP HANA Administration Guide.

A few steps are required to configure proper connectivity to SAP. These steps differ depending on whether you want to use an existing remote network connection to SAP, or you are setting up a new connection directly with SAP from systems on Amazon.

Support Channel Setup with SAProuter on Amazon

When setting up a direct support connection to SAP from Amazon, consider the following steps:

  1. For the SAProuter instance, create and configure a dedicated SAProuter security group that allows only the required inbound and outbound access to the SAP support network. Limit this access to the specific IP address that SAP gives you to connect to, and to TCP port 3299. See the Amazon EC2 security group documentation for additional details about creating and configuring security groups.

  2. Launch the instance that the SAProuter software will be installed on into a public subnet of the VPC and assign it an Elastic IP address.

  3. Install the SAProuter software and create a saprouttab file that allows access from SAP to your SAP HANA system on Amazon.

  4. Set up the connection with SAP. For your internet connection, use Secure Network Communication (SNC). For more information, see the SAP Remote Support – Help page.

  5. Modify the existing SAP HANA security groups to trust the new SAProuter security group you have created.

    Tip

    For added security, shut down the EC2 instance that hosts the SAProuter service when it is not needed for support purposes.


Figure 13: Support connectivity with SAProuter on Amazon
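One way to check steps 1 and 5 after setup is to audit the security group rules as returned by `aws ec2 describe-security-groups`. This is an added example, not code from the original guide; the function names, group IDs, addresses, and the HANA port in the sample data are constructed for illustration, and it assumes SAP gave you an IPv4 address.

```python
import ipaddress

SAPROUTER_PORT = 3299  # TCP port named in step 1

def audit_saprouter_sg(group, sap_cidr):
    """List inbound rules that go beyond 'TCP 3299 from the SAP address'.

    group: one item of "SecurityGroups" from `aws ec2 describe-security-groups`.
    sap_cidr: the IPv4 address SAP gave you, as a CIDR (assumption of this example).
    """
    allowed = ipaddress.ip_network(sap_cidr, strict=False)
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        # Protocol "-1" (all traffic) has no ports and is flagged here too.
        if proto != "tcp" or ports != (SAPROUTER_PORT, SAPROUTER_PORT):
            findings.append(f"unexpected protocol/ports: {proto} {ports}")
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"], strict=False) != allowed:
                findings.append(f"source {rng['CidrIp']} is not the SAP address")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"unexpected IPv6 source {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"unexpected group source {pair['GroupId']}")
    return findings

def hana_trusts_saprouter(hana_group, saprouter_sg_id):
    """Step 5: True if a HANA inbound rule references the SAProuter group."""
    return any(pair.get("GroupId") == saprouter_sg_id
               for perm in hana_group.get("IpPermissions", [])
               for pair in perm.get("UserIdGroupPairs", []))

# Constructed sample data: documentation addresses, made-up group IDs and port.
SAP_CIDR = "198.51.100.10/32"
GOOD_SG = {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3299, "ToPort": 3299,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}]}]}
LOOSE_SG = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3299, "ToPort": 3299,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}]}]}
HANA_SG = {"GroupId": "sg-0cccccccccccccccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,
     "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]}]}

if __name__ == "__main__":
    for sg in (GOOD_SG, LOOSE_SG):
        print(sg["GroupId"], audit_saprouter_sg(sg, SAP_CIDR) or "ok")
    print("HANA trusts SAProuter:", hana_trusts_saprouter(HANA_SG, GOOD_SG["GroupId"]))
```

An empty findings list means the SAProuter group exposes only TCP 3299 to the SAP address; any finding is a rule to remove or justify.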

Support Channel Setup with SAProuter on Premises

In many cases, you may already have a support connection configured between your data center and SAP. This can easily be extended to support SAP systems on Amazon. This scenario assumes that connectivity between your data center and Amazon has already been established, either by way of a secure VPN tunnel over the internet or by using Amazon Direct Connect.

You can extend this connectivity as follows:

  1. Ensure that the proper saprouttab entries exist to allow access from SAP to resources in the VPC.

  2. Modify the SAP HANA security groups to allow access from the on-premises SAProuter IP address.

  3. Ensure that the proper firewall ports are open on your gateway to allow traffic to pass over TCP port 3299.


Figure 14: Support connectivity with SAProuter on premises