

# Operations


## Tagging Amazon resources


A tag is a label that you assign to an Amazon resource. Each tag consists of a key and an optional value, both defined by you. Adding tags to various Amazon resources will make managing SAP environments more efficient, and help you search for resources quickly. Many Amazon EC2 API calls can be used in conjunction with a special tag filter. For more information, see [Tagging Amazon resources](https://docs.amazonaws.cn/general/latest/gr/aws_tagging.html). The following are some examples of how you can use tags for your operational needs.


| Tag name | Tag value |
| --- | --- |
| Name | SAP server’s virtual (host) name |
| Environment | SAP server’s landscape role; for example: SBX, DEV, QAT, STG, PRD |
| Application | SAP solution or product; for example: ECC, CRM, BW, PI, SCM, SRM, EP |
| Owner | SAP point of contact |
| Service level | Known uptime and downtime schedule |

After tagging your resources, you can apply specific security restrictions, such as access control (as seen in the following example policy), based on tag values.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaunchEC2Instances",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowActionsIfYouAreTheOwner",
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/PrincipalId": "${aws:userid}"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
```

IAM grants the permissions in the second statement only when the tag value matches. In this scenario, the ID of the current user (`aws:userid`) must match the value of the instance's `PrincipalId` tag for the stop, start, reboot, and terminate permissions to apply. For more information, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html).
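The following added example (not part of the original guide) is a simplified offline model of how the policy above is evaluated, so you can see which instances a given caller can stop and which instances have no owner at all. The user IDs, instance IDs, and tag values are constructed, and the helper names are hypothetical.

```python
import fnmatch

# Policy from this page, reduced to the fields this model reads (all Allow).
POLICY = {"Statement": [
    {"Sid": "LaunchEC2Instances", "Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:RunInstances"]},
    {"Sid": "AllowActionsIfYouAreTheOwner", "Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:StartInstances",
                "ec2:RebootInstances", "ec2:TerminateInstances"],
     "Condition": {"StringEquals":
                   {"ec2:ResourceTag/PrincipalId": "${aws:userid}"}}},
]}

# Constructed sample data: user IDs and instance tags are made up.
ALICE = "AIDAEXAMPLEALICE00001"            # IAM user: aws:userid is the unique ID
BOB_SESSION = "AROAEXAMPLEROLE000001:bob"  # assumed role: role-id:session-name
INSTANCES = {
    "i-0aaaaaaaaaaaaaaa1": {"Name": "sapprd01", "PrincipalId": ALICE},
    "i-0bbbbbbbbbbbbbbb2": {"Name": "sapdev01", "PrincipalId": BOB_SESSION},
    "i-0ccccccccccccccc3": {"Name": "sapsbx01", "Environment": "SBX"},
}

def matching_sid(action, userid, tags, policy=POLICY):
    """Simplified model: Sid of the first Allow that matches, else None."""
    ctx = {("ec2:resourcetag/" + k).lower(): v for k, v in tags.items()}
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in stmt["Action"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # Values compare case-sensitively; an absent tag never matches.
        if all(ctx.get(k.lower()) == v.replace("${aws:userid}", userid)
               for k, v in wanted.items()):
            return stmt["Sid"]
    return None  # implicit deny

def manageable_by(userid, action="ec2:StopInstances"):
    """Instance IDs on which `userid` may perform `action`."""
    return sorted(i for i, t in INSTANCES.items()
                  if matching_sid(action, userid, t))

def orphaned():
    """Instances with no PrincipalId tag: the owner statement matches no one."""
    return sorted(i for i, t in INSTANCES.items() if "PrincipalId" not in t)

if __name__ == "__main__":
    for who in (ALICE, BOB_SESSION, "AROAEXAMPLEROLE000001:carol"):
        print(who, manageable_by(who))
    print("no owner tag:", orphaned())
```

The policy grants no `ec2:CreateTags`, so the `PrincipalId` tag must be written by another principal or process. Whoever can write that tag decides who can stop or terminate the instance, so restrict `ec2:CreateTags` and `ec2:DeleteTags` for that key accordingly.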

## Monitoring


Amazon provides multiple native services to monitor and manage your SAP environment. [CloudWatch](https://www.amazonaws.cn/cloudwatch/) and [CloudTrail](https://www.amazonaws.cn/cloudtrail/) can be used to monitor your underlying infrastructure and APIs. CloudWatch provides ready-to-use KPIs for CPU and disk utilization, and enables you to create custom metrics for KPIs that you want to monitor. CloudTrail allows you to log the API calls made to your Amazon infrastructure components.

## Operating system maintenance


In general, operating system maintenance across large estates of Amazon EC2 instances can be managed by using:
+ Third-party products, such as those available on Amazon Marketplace.
+  Amazon Systems Manager

 *The following are some key operating system maintenance tasks.* 

### Patching


You can follow the SAP-recommended patching process to update your landscape on Amazon. With [Amazon Systems Manager Patch Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-patch.html), you can roll out OS patches according to your corporate policies. It has multiple benefits:
+ Scheduling based on tags
+ Defining patch baselines
+ Auto-approving patches with lists of approved and rejected patches

Amazon Systems Manager Patch Manager integrates with IAM, CloudTrail, and CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage. For details about the process, see [How Patch Manager operations work](https://docs.amazonaws.cn/systems-manager/latest/userguide/patch-manager-how-it-works.html). Third-party products are available on [Amazon Marketplace](https://www.amazonaws.cn/marketplace).

### Maintenance Windows


[Amazon Systems Manager Maintenance Windows](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-maintenance.html) lets you define a schedule to perform potentially disruptive actions on your instances, such as patching an operating system, updating drivers, or installing software or patches.

### Administrator access


For administrative purposes, you can access the backend of your SAP systems via SSH or [Amazon Systems Manager Session Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/session-manager.html).

## Automation


 Amazon Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon EC2 instances and other Amazon resources. For more information, see [Amazon Systems Manager Automation](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-automation.html).

 **Automation using Infrastructure-as-Code with Amazon CloudFormation** 

We recommend following the principle of Infrastructure-as-Code (IaC) for automating and maintaining your workloads on Amazon. [Amazon CloudFormation](https://www.amazonaws.cn/cloudformation/) provides a common language for you to describe and provision all the infrastructure resources in your cloud environment in a repeatable and automated manner.

## Cost optimization


We recommend cost optimization as an ongoing process. There are many Amazon services that help with budgeting, cost control and optimization. For more details, see [Cost Optimization Pillar - Amazon Well-Architected Framework](https://docs.amazonaws.cn/wellarchitected/latest/cost-optimization-pillar/welcome.html) and [Cost Optimization Pillar - SAP Lens](https://docs.amazonaws.cn/wellarchitected/latest/sap-lens/cost-optimization.html).

# Compute & storage


## Compute


Amazon EBS volumes are exposed as NVMe block devices on [Instances built on the Nitro System](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances). When changing Amazon EC2 instance types from a previous generation to a Nitro generation, NVMe device IDs associated with the volume can change. To avoid mount errors during a change of instance type or an instance reboot, you need to create a label for each of your file systems and mount them by label, *and not* by the NVMe IDs. For more details, see the [support article](https://www.amazonaws.cn/premiumsupport/knowledge-center/boot-error-linux-nitro-instance/).
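As an added example (not part of the original guide), the following script audits an `/etc/fstab` for entries that are mounted by kernel device name and rewrites them to `LABEL=` form before an instance type change. The fstab content is constructed, and the label naming scheme is a hypothetical choice. Set the labels on the file systems first (for example, with `xfs_admin -L` or `e2label`).

```python
import re

# Constructed /etc/fstab content for illustration.
SAMPLE_FSTAB = """\
# <device>        <mount>        <type> <options>        <dump> <pass>
UUID=1111-aaaa    /              xfs    defaults         0 0
/dev/nvme1n1      /usr/sap       xfs    defaults,nofail  0 2
/dev/xvdf         /sybase/data   xfs    defaults,nofail  0 2
LABEL=ASE_LOG     /sybase/log    xfs    defaults,nofail  0 2
fs-example.efs.example:/  /sapmnt  nfs4  defaults,_netdev  0 0
"""

# Kernel device names that can change across instance types or reboots.
UNSTABLE = re.compile(r"^/dev/(nvme\d+n\d+(p\d+)?|xvd[a-z]+\d*|sd[a-z]+\d*)$")

def unstable_mounts(fstab_text):
    """Return (device, mount_point) pairs that are mounted by device name."""
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        # Comment lines start with '#', so their first field never matches.
        if len(fields) >= 2 and UNSTABLE.match(fields[0]):
            findings.append((fields[0], fields[1]))
    return findings

def suggest_label(mount_point):
    """Hypothetical naming scheme: derive a label from the mount point.

    Truncated to 12 characters, the XFS label limit (ext4 allows 16).
    """
    label = re.sub(r"[^A-Za-z0-9]+", "_", mount_point).strip("_").upper()
    return label[:12] or "ROOT"

def rewrite(fstab_text):
    """Return fstab text with unstable device names replaced by LABEL=..."""
    out = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and UNSTABLE.match(fields[0]):
            line = line.replace(fields[0], "LABEL=" + suggest_label(fields[1]), 1)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for device, mount_point in unstable_mounts(SAMPLE_FSTAB):
        print(f"{device} on {mount_point}: use LABEL={suggest_label(mount_point)}")
    print(rewrite(SAMPLE_FSTAB))
```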

Aside from operating system maintenance, you should consider maintenance for your Amazon EC2 instances. You can drive it with Amazon Systems Manager Automation runbooks; see [Creating your own runbooks](https://docs.amazonaws.cn/systems-manager/latest/userguide/automation-documents.html). The following are some examples.
+ Use `Amazon-StopEC2InstanceWithApproval` to request that one or more IAM users approve the instance stop action. After the approval is received, the runbook stops the instance.
+ Use `Amazon-StopEC2Instance` to automatically stop instances on a schedule, using CloudWatch Events or a Maintenance Window task. For example, you can configure an Automation workflow to stop instances every Friday evening and restart them on Monday mornings. Note that this automation will only stop and start the Amazon EC2 instance. You must create an additional document to gracefully stop and start SAP applications and the database, and then use Amazon Systems Manager to run such automations.
+ Use `Amazon-UpdateCloudFormationStackWithApproval` to update resources that were deployed using an Amazon CloudFormation template. The update applies a new template. You can configure the Automation to request approval by one or more IAM users before the update begins.

You can also use [Amazon Instance Scheduler](https://www.amazonaws.cn/solutions/implementations/instance-scheduler/) to configure custom start and stop schedules for Amazon EC2 and Amazon RDS instances.

## Storage


The following are the storage services used across this guide.
+ Amazon EBS provides persistent storage for SAP applications and database. Amazon EBS volumes can be resized and even have the volume type changed without disrupting the applications. For more details, see [Amazon EBS Elastic Volumes](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ebs-modify-volume.html). After modifying the Amazon EBS volume, you need to extend the file system to match the extended volume size. For more details, see [Extend a Linux file system after resizing a volume](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html).
+ Amazon EFS does not require you to explicitly provision storage; you pay only for your usage. It is built to scale on demand, without disrupting applications, growing and shrinking automatically as you add and remove files. This ensures that your applications have the required storage.
+ Amazon S3 also does not require you to explicitly provision storage; you pay only for your usage. You can use object lifecycle management to set rules that define when objects are transitioned or archived to colder storage (Amazon S3 IA or S3 Glacier) and when they expire. For more information, see [Managing your storage lifecycle](https://docs.amazonaws.cn/AmazonS3/latest/userguide/object-lifecycle-mgmt.html).

# Backup & restore


## Snapshots and AMIs


A common approach for backing up your SAP NetWeaver application servers is using snapshots and AMIs.

The SAP application data is stored on Amazon EBS volumes attached to the SAP NetWeaver application servers. You can back up the data on these volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups of Amazon EBS volumes, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more information, see [Create Amazon EBS snapshots](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html).

An Amazon Machine Image (AMI) provides the information required to launch an instance along with a block device mapping of all Amazon EBS volumes attached to it.

Amazon EC2 powers down the instance before creating the AMI to ensure that everything on the instance is stopped and in a consistent state during the creation process. If you’re confident that your instance is in a consistent state appropriate for AMI creation, you can check the *No Reboot* option.

You can use [Amazon Backup](https://www.amazonaws.cn/backup) to centrally configure backup policies and monitor backup activity for these snapshots. Once you have completed the SAP installation and post-installation steps, create an image of the instance.

```
aws ec2 create-image --instance-id i-1234567890abcdef0 --name "My server" --description "An AMI for my server"
```

 Amazon provides a very simple and quick way to copy an SAP system. You can use the [Amazon Console Home](https://console.amazonaws.cn/ec2) or the Amazon CLI to create a new AMI of an existing SAP system. You can then launch exact copies of the original system from the new AMI. For more details, see [Amazon Machine Images (AMI)](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/AMIs.html).

## Backup to Amazon S3


You can perform traditional file-based backup to Amazon S3 from your Amazon EBS volumes. One way to take a backup is to use the Amazon CLI and initiate it by using the Amazon Systems Manager `Run` command, so that you can centrally manage the backups.

## Backup with third-party products


Many third-party products for Amazon services are certified by SAP. For more information, see [Amazon SAP Competency Partners](https://www.amazonaws.cn/sap/partner-solutions/).

## Amazon EFS backup


Using Amazon Backup, you can centrally configure backup policies and monitor backup activity for Amazon resources, including Amazon EFS file systems.

Alternatively, you can perform a file-level backup of your Amazon EFS file system to Amazon S3. You can do this by running a file-level copy to Amazon S3 from any Amazon EC2 instance running in the same region. This can be automated and scheduled using [Amazon Systems Manager Run Command](https://docs.amazonaws.cn/systems-manager/latest/userguide/execute-remote-commands.html) in combination with CloudWatch Events.

## Backup and restore for ASE database


You must regularly back up your operating system and database so that you can recover them in case of any failure. Amazon Cloud provides various services and tools that you can use to back up your SAP ASE database.

### Storage snapshots


You can back up your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only blocks on the device that have changed after your most recent snapshot are saved. Snapshots of Amazon EBS volumes can be created for backup of SAP ASE database file systems.

See [How to use snapshots to create an automated recovery procedure for SAP ASE databases](https://www.amazonaws.cn/blogs/awsforsap/how-to-use-snapshots-to-create-an-automated-recovery-procedure-for-sap-ase-databases/) to learn more.

### SAP ASE database backups


You can configure your SAP ASE database to store backups on Amazon EFS or local Amazon EBS volumes. You must configure regular backups for Amazon EFS. For more information, see [Backing up your Amazon EFS file systems](https://docs.amazonaws.cn/efs/latest/ug/efs-backup-solutions.html). You can reduce costs by enabling Amazon EFS storage classes to retain cold backups in infrequent access. For more information, see [Amazon EFS Infrequent Access](https://www.amazonaws.cn/efs/features/infrequent-access/).

You can also configure backups to be stored on Amazon EFS volumes and to be regularly uploaded to Amazon S3. Use `DBACOCKPIT` to schedule backup frequency. You can also use [Amazon Systems Manager Maintenance Windows](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-maintenance.html) to schedule backup frequency.

Amazon SNS enables you to set up push notifications for success or failure. Once backups are stored in Amazon S3, you can use lifecycle policies to define the data retention timeline. For more information, see [Managing your storage lifecycle](https://docs.amazonaws.cn/AmazonS3/latest/userguide/object-lifecycle-mgmt.html).

You can improve Amazon S3 data upload performance with Gateway endpoints and Amazon CLI. For more information, see [Gateway endpoints for Amazon S3](https://docs.amazonaws.cn/vpc/latest/privatelink/vpc-endpoints-s3.html) and [Amazon CLI S3 Configuration](https://docs.amazonaws.cn/cli/latest/topic/s3-config.html).

Review the following SAP Notes (portal access required) for more details.
+  [SAP Note 1585981 - SYB: Ensuring Recoverability for SAP ASE](https://me.sap.com/notes/1585981) 
+  [SAP Note 1887068 - SYB: Using external backup and restore with SAP ASE](https://me.sap.com/notes/1887068) 
+  [SAP Note 1588316 - SYB: Configure automatic database and log backups](https://me.sap.com/notes/1588316) 
+  [SAP Note 1618817 - SYB: How to restore an SAP ASE database server (UNIX)](https://me.sap.com/notes/1618817) 

To use third-party tools to back up your SAP ASE database, see [Amazon Storage Competency Partners](https://www.amazonaws.cn/backup-recovery/partner-solutions).

# Disaster recovery


See [Disaster recovery deployment](deploy-options-sap-ase.md#ase-disaster-recovery-deployment) to learn about disaster recovery for your SAP ASE database.

## Perform a DNS change


In case of manual failover, you may install SAP application servers using a virtual hostname and perform a DNS change to direct the SAP application servers to the new primary database server. For a DNS resolution in Amazon, you can use any of the following options.
+  [Amazon Route 53](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/dns-configuring.html) enables you to create a private hosted zone for your environment and an A record for the virtual hostname used for SAP ASE database. Initially, this A record is mapped to the IP address of the primary SAP ASE database instance.
+ You can maintain your own DNS server on premises or on your Amazon EC2 instances. You can create an A record there for your virtual hostname used for SAP ASE database. Initially, this A record is mapped to the IP address of the primary SAP ASE database instance.
+ With the [Amazon Directory Service](https://www.amazonaws.cn/directoryservice/), you can create an A record for the virtual hostname used for SAP ASE database.

With any of the previously mentioned options, you can change the A record to a private IP address of the primary database instance in case of a failover. This DNS change can also be automated using Amazon services and scripts.