SAP Support Access
In some situations it may be necessary to allow an SAP support engineer to access your
SAP HANA systems on Amazon. The following information serves only as a supplement to the
information contained in the “Getting Support” section of the SAP HANA Administration
Guide
A few steps are required to configure proper connectivity to SAP. These steps differ depending on whether you want to use an existing remote network connection to SAP, or you are setting up a new connection directly with SAP from systems on Amazon.
Support Channel Setup with SAProuter on Amazon
When setting up a direct support connection to SAP from Amazon, consider the following steps:
-
For the SAProuter instance, create and configure a specific SAProuter security group, which only allows the required inbound and outbound access to the SAP support network. This should be limited to a specific IP address that SAP gives you to connect to, along with TCP port 3299. See the Amazon EC2 security group documentation for additional details about creating and configuring security groups.
-
Launch the instance that the SAProuter software will be installed on into a public subnet of the VPC and assign it an Elastic IP address.
-
Install the SAProuter software and create a saprouttab file that allows access from SAP to your SAP HANA system on Amazon.
-
Set up the connection with SAP. For your internet connection, use Secure Network Communication (SNC). For more information, see the SAP Remote Support – Help
page. -
Modify the existing SAP HANA security groups to trust the new SAProuter security group you have created.
Tip
For added security, shut down the EC2 instance that hosts the SAProuter service when it is not needed for support purposes
Figure 13: Support connectivity with SAProuter on Amazon
Support Channel Setup with SAProuter on Premises
In many cases, you may already have a support connection configured between your data
center and SAP. This can easily be extended to support SAP systems on Amazon. This scenario
assumes that connectivity between your data center and Amazon has already been established,
either by way of a secure VPN tunnel over the internet or by using Amazon Direct Connect
You can extend this connectivity as follows:
-
Ensure that the proper saprouttab entries exist to allow access from SAP to resources in the VPC.
-
Modify the SAP HANA security groups to allow access from the on- premises SAProuter IP address.
-
Ensure that the proper firewall ports are open on your gateway to allow traffic to pass over TCP port 3299.
Figure 14: Support connectivity with SAProuter on premises