Security - Databases for SAP applications on Amazon

Security

Amazon provides security capabilities and services to securely run your SAP applications on the Amazon platform. In the context of IBM Db2 for SAP applications, you can use network services and features such as Amazon VPC, Amazon Virtual Private Network (Amazon VPN), Amazon Direct Connect, Amazon EC2 Security Groups, network access control lists (NACLs), route tables, and more to restrict access to your database.

Network Security

The databases of SAP applications don’t usually require direct user access. End users access the application using SAP Graphical User Interface (GUI), SAP Web Dispatcher, or SAP Fiori. We recommend that you limit direct access to the EC2 instances to administrators only, for maintenance purposes.

IBM Db2 listens on TCP port 5912 by default. Depending on your VPC design, you should configure Amazon EC2 Security Groups, network access control lists (NACLs), and route tables to allow traffic to TCP port 5912 from the SAP primary application server and additional application servers (PAS/AAS) and from ABAP SAP Central Services/SAP Central Services (ASCS/SCS). To learn more about configuring the security group, see Security groups for your VPC.
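One way to check that recommendation is to audit the database security group for rules that open the Db2 port to anything other than the application-server security groups. The following is an added example, not part of the original documentation; the group IDs, CIDR ranges, and the function names are constructed placeholders, and the input follows the shape of `aws ec2 describe-security-groups` output.

```python
import ipaddress

DB2_PORT = 5912  # Db2 listener port stated on this page

# Constructed sample in the shape of one describe-security-groups entry.
# All group IDs and CIDR ranges below are placeholders.
SAMPLE_DB_SG = {
    "GroupId": "sg-db2-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5912, "ToPort": 5912,
         "UserIdGroupPairs": [{"GroupId": "sg-pas-aas-placeholder"},
                              {"GroupId": "sg-ascs-placeholder"}]},
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.5.10/32"}]},
    ],
}

def covers_port(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db2_ingress(sg, allowed_source_groups, max_hosts=1):
    """List rules that expose the Db2 port beyond the expected source groups."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not covers_port(perm, DB2_PORT):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_source_groups:
                findings.append(("unexpected-group", pair["GroupId"]))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses > max_hosts:  # wider than a single host
                kind = "open-to-world" if net.prefixlen == 0 else "broad-cidr"
                findings.append((kind, cidr))
    return findings

if __name__ == "__main__":
    allowed = {"sg-pas-aas-placeholder", "sg-ascs-placeholder"}
    for kind, source in audit_db2_ingress(SAMPLE_DB_SG, allowed):
        print(f"{SAMPLE_DB_SG['GroupId']}: {kind}: {source}")
```

The port-range and all-protocol rules are flagged even though neither names port 5912 explicitly, which is the case a simple search for the port number misses.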

Encryption

Encryption is a security mechanism that converts plain text (readable data) into ciphertext. Amazon offers built-in encryption for Amazon EBS data volumes, boot volumes, and snapshots. The encryption process occurs automatically, and you don’t need to manage encryption keys. This mechanism protects your EBS volumes at rest, and data in transit that passes between EC2 servers. This encryption level is offered at no additional cost.

You can also use the IBM Db2 native database encryption feature if required.

Sizing

SAP Quick Sizer is used to size an SAP environment for new implementations. However, if you are migrating your existing SAP applications based on IBM Db2 to Amazon, consider using the following tools to right-size your SAP environment based on current utilization.

  • SAP Early Watch Alerts (EWA): SAP EWA reports are provided by SAP regularly. These reports provide an overview of historical system utilization. Analyze these reports to see if your existing SAP system is over-utilized or under-utilized. Use this information to right-size your environment.

  • Linux native tools: Gather and analyze historical utilization data for CPU and memory to right-size your environment. If your source is IBM AIX, you can also use nmon reports.

  • Amazon Services: Use services such as Amazon Migration Evaluator or Amazon Application Discovery Services that help with collecting usage and configuration data about your on-premises servers. Use this information to analyze and right-size your environment.

Because it’s easy to scale up or scale down your Amazon EC2 instances on Amazon, consider the following while sizing your SAP environment on Amazon.

  • You don’t need to over-provision storage to meet future demand.

  • SAP Quick Sizer provides sizing guidance on the assumption that at 100% load (as per your inputs to the tool), system utilization will not be more than 65%, so there is some buffer built into the SAP Quick Sizer recommendation. See SAP’s Quick Sizer guidance for details. (Login required.)