Deploy SAP applications with Amazon Launch Wizard for SAP using a proxy server
Amazon Launch Wizard for SAP launches and configures Amazon EC2 instances to deploy an SAP system on Amazon. The launched instances must have outbound connectivity to the internet to download operating system patches and communicate with several Amazon services. You can set up this connection via an internet gateway or a proxy server in a public subnet.
The following is an example of how to configure a Squid proxy server for deploying SAP applications on Amazon with Launch Wizard.
Setup
Configure your Squid proxy server with the following steps.
- Choose any Linux-based AMI. In this example, we have selected SLES 12 SP5 for SAP AMI.
- Verify that your server is hosted on a public subnet and is attached to a public IP address.
- Add Amazon services to the allowed_list file.
  - In the Squid server configuration file /etc/squid/squid.conf, create an allowed_list path using the acl command:
    acl whitelist dstdomain '/etc/squid/allowed_list'
  - In the allowed_list file, add the domains of all the services listed in the following table.
  - Run the rcsquid restart command for the changes to take effect.

Service name | Domains to be allowed |
---|---|
Amazon DynamoDB | |
Amazon EFS | |
Amazon EBS | |
Amazon EC2 | |
Amazon FSx | |
Amazon Lambda | |
Amazon Route 53 | |
Amazon CloudWatch | |
Amazon CloudFormation | |
Amazon KMS | |
Amazon Secrets Manager | |
Amazon Identity and Access Management | |
Amazon Systems Manager | |
Amazon S3 | |
Amazon CLI | |
SUSE infrastructure for SLES | |
SUSE packages | |
REDHAT repository | |
Python packages | |
Amazon Cognito | |
Amazon Security Token Service | |
Run Launch Wizard
After you complete the initial setup, you can begin deploying your SAP application using Launch Wizard. For more information, see Deploy an SAP application with Amazon Launch Wizard.
To connect your SAP deployment on Launch Wizard with the Squid proxy server, enter the IP address of the server. To add the server address, go to Step 2 Define infrastructure > Infrastructure - SAP landscape > Security groups > Proxy server address - optional.
The No proxy setting contains the list of whitelisted domains and IP addresses that do not pass through the proxy server.
In the No proxy setting - optional field, you must include the following IP addresses:
- Localhost - 127.0.0.1
- Internal
- Amazon EC2 instance metadata - 169.254.169.254
Note
Include the hostnames of the ASCS, ERS, primary SAP HANA, and secondary SAP HANA instances in the No proxy setting - optional field if you are deploying an SAP system with high availability using the RHEL operating system. This enables the cluster to communicate with all the nodes and to perform any failover or failback operations.
Amazon EC2 connection
Your Amazon EC2 instance must be connected to the SUSE repository servers on Amazon. Add the following IP addresses to the route tables of the associated Amazon EC2 instances. For more information, see Add and remove routes from a route table. The Target of these routes should be the NAT gateway of your subnet. For more information, see Add a NAT Gateway to an Existing VPC.
- 34.197.223.242/32
- 54.197.240.216/32
- 54.225.105.144/32
- 107.22.231.220/32
Troubleshoot
To resolve any connectivity issues with the Squid proxy server, use the following steps.
- Log in to your Squid proxy server.
- Open the access.log file located at /var/log/squid/access.log.
- Search for the TCP_DENIED message in the access.log file. The message displays an address that is not allowed in the proxy configuration.
- Add the address to the squid.conf file and restart the Squid server for the changes to take effect.
- You can now start your SAP deployment over with Launch Wizard.
Note
The troubleshooting steps are only applicable to the Squid proxy server. The location of the log file varies with the type of proxy server.
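The TCP_DENIED search from the troubleshooting steps, as an added shell example that is not part of the original documentation: it lists each destination host that Squid denied, with a hit count, assuming Squid's default native access.log format. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): summarize denied destinations
# in a Squid access.log so each one can be reviewed against the allowlist.

# Constructed sample lines in Squid's default native log format (not real traffic).
# Fields: time elapsed client code/status bytes method URL user hierarchy type
sample_log() {
    cat <<'EOF'
1700000001.101     12 10.0.1.25 TCP_TUNNEL/200 5120 CONNECT allowed.example.com:443 - HIER_DIRECT/203.0.113.10 -
1700000002.202      0 10.0.1.25 TCP_DENIED/403 3950 CONNECT repo.example.net:443 - HIER_NONE/- text/html
1700000003.303      0 10.0.1.26 TCP_DENIED/403 3950 GET http://pkg.example.org/simple/index.html - HIER_NONE/- text/html
1700000004.404      0 10.0.1.26 TCP_DENIED/403 3950 CONNECT repo.example.net:443 - HIER_NONE/- text/html
EOF
}

# Print "<count> <host>" for every destination with a TCP_DENIED result,
# most frequent first. Reads the files given as arguments, or stdin if none.
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED\// {
        url = $7
        sub(/^[a-zA-Z]+:\/\//, "", url)   # drop the scheme of plain HTTP requests
        sub(/\/.*$/, "", url)             # drop the path
        sub(/:[0-9]+$/, "", url)          # drop the port (CONNECT host:port)
        count[url]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }' "$@" |
        sort -k1,1nr -k2,2
}

# Run on a real log if a path is given, otherwise on the constructed sample.
if [ "$#" -gt 0 ]; then
    denied_hosts "$@"
else
    sample_log | denied_hosts
fi
```

On the proxy server, pass /var/log/squid/access.log as the argument. Check each reported host against the service table before allowing it, because a denied entry can also be traffic that the allowlist is correctly blocking.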