Technical Articles
Backup and Recovery of SAP HANA Database Directly to AWS S3 Bucket using AWS Backint Agent – Part I
This blog post contains all the SAP and AWS related technical Snapshots and settings which can be used for configuring HANA Database backup on SUSE Linux Enterprise Server 15 SP2. Operations described in the document are performed when SAP HANA Database is deployed on AWS. SAP has provided several notes which support SAP products on AWS:-
- 1656250 – SAP on AWS: Support prerequisites
- 1656099 – SAP Applications on AWS: Supported DB/OS and AWS EC2 products
This blog post mostly concentrate on the information about installation and configurations of AWS Backint Agent and related changes that needs to be done on HANA databases for backuping up the database directly on Amazon S3 Bucket.
1. SAP HANA BACKUP ON AWS
AWS provides SAP-certified cloud infrastructure for running SAP HANA. AWS and SAP have worked together closely so that companies can fully realize all the benefits of the SAP HANA in-memory computing platform on AWS. SAP HANA can be deployed on either SUSE Linux Enterprise Server (SLES) or Red Hat Enterprise Linux (RHEL).
1.1 AWS Backint Agent for SAP HANA
AWS Backint Agent for SAP HANA (AWS Backint Agent) is an SAP-certified backup and restore application for SAP HANA workloads running on Amazon EC2 instances in the cloud. This Agent runs as a standalone application runs on SAP HANA Server that integrates with the existing workflows to back up SAP HANA databases to Amazon S3 Buckets and to restore it using SAP HANA Cockpit, SAP HANA Studio, and SQL commands. AWS Backint Agent supports full, incremental, and differential backup of SAP HANA databases. Additionally, backup of log files and catalogs can be done directly to Amazon S3. To restore SAP HANA database server, SAP HANA reads the catalog files stored in S3 bucket using the AWS Backint Agent and then initiates a request to restore the required files directly from S3.
SAP has provided support process for AWS Backint Agent 2920965 – Support Process for AWS Backint Agent
1.2 Mechanism of AWS Backint Agent
AWS Backint Agent can be deployed to SAP HANA instances from the AWS Systems Manager (SSM) console. From the AWS SSM console, an AWS SSM document is executed on the instances to install this agent. Parameterized configuration information can be provided to the SSM document. This agent can also be downloaded and installed manually. AWS Backint Agent increases scalability through parallel processing of backup and restore processes, providing maximum throughput and reducing backup Recovery Time Objective (RTO) during recovery.
1.3 Cost
AWS Backint Agent is a free service provided by AWS. One only need to pay for the underlying AWS services as per the usage, for example Amazon S3.
1.4 Support
With respect to support of AWS Backint Agent we have the following:
1.4.1 Operating System
AWS Backint Agent is supported on the following operating systems:
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP
- Red Hat Enterprise Linux for SAP
1.4.2 Databases
AWS Backint Agent supports the following databases:
- SAP HANA 1.0 SP12 (single node and multi node)
- SAP HANA 2.0 and later (single node and multi node)
1.4.3 Regions
AWS Backint Agent is available in all commercial Regions, as well as in China (Beijing), China (Ningxia), and GovCloud.
2. PREREQUISITES
When SAP HANA system is successfully running on an Amazon EC2 instance, Need to verify the following prerequisites:
2.1 AWS Identity and Access Management
2.1.1 Role for AWS SSM
AWS Systems Manager need access to AWS resources to install AWS Backint Agent, for this managed policy AmazonSSMManagedInstanceCore needs to be attached to the IAM role.
This role is not required in case need to install manually using AWS Backint installer
2.1.2 Role for AWS EC2
To allow Amazon EC2 instance on which SAP is HANA installed to access target Amazon S3 bucket, an inline IAM policy needs to be created or updated with the attached permissions using below steps: –
Got IAM in AWS Console and click on Create Role
AWS IAM Console
Specify the AWS resource for which role needs to be created i.e. EC2 and Click on Next: Permission
AWS IAM Console
Click on Create Policy
AWS IAM Console
Click on Json
AWS IAM Console
Paste the below policy and replace the required fields and Click on Review Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetBucketPolicyStatus",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::<Bucket Name>/*",
"arn:aws:s3:::<Bucket Name>"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "<KMS Arn>"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObjectTagging",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<bucket name>/<folder name>/*"
}
]
}
AWS IAM Console
Make sure if policies are correct in next screen
AWS IAM Console
Specify the Name of the Policy and Description and click Create Policy
AWS IAM Console
Select newly created Policy to Role and Click Next: Tags
AWS IAM Console
Specify the tags (If any) then click on Next: Review
AWS IAM Console
AWS IAM Console
To attach this role to HANA instance, Goto EC2 → Instances and then select the HANA instance. Then click on Actions → Security → Modify IAM role
AWS EC2 Console
Select role S3BucketAccess and Click Save
AWS EC2 Console
2.2 AWS Systems Manager
To install the AWS Backint Agent with the Amazon EC2 Systems Manager Agent (SSM) document, Amazon EC2 Systems Manager Agent (SSM Agent) version 2.3.274.0 or later needs to be installed, and instance must be a managed instance that is configured for AWS Systems Manager. This is not required in case of manual installation using AWS Backint Installer from OS level.
Version of SSM can be checked by going to Systems Manager → Managed Instances
AWS Systems Manager
2.3 AWS S3 Bucket
AWS Backint Agent supports backing up SAP HANA database to an Amazon S3 bucket with the S3 Standard, S3 Standard-IA, and S3 One Zone-IA storage classes. Others S3 storage classes such as S3 Reduced Redundancy, S3 Intelligent-Tiering, Deep Archive, and Glacier are not supported by AWS Backint Agent. By default, the S3 Standard storage class is used to store your backups.
For Creating the S3 Bucket, Goto S3 and click on Create Bucket
AWS S3 Console
Name of the S3 bucket needs to be specified where SAP HANA backups will be stored.
AWS S3 Console
Make sure that the Amazon S3 bucket where backups are getting stored, doesn’t have public access enabled. If the S3 bucket has public access enabled, backups will fail.
AWS S3 Console
Specify the Bucket Versioning and Tags as per the requirement
AWS S3 Console
Backups must be encrypted, so it is good to specify the encryption settings as per the requirement
AWS S3 Console
Write-once-read-many (WORM) model can be used for storing log/data files with S3 Object Lock, specify the required option and then click on Create Bucket
Please note if S3 Object Lock is enabled, then SAP HANA Cockpit can’t delete SAP HANA backups stored in Amazon S3 until the retention period of the particular file expires.
AWS S3 Console
Bucket has been created:
AWS S3 Console
Please note Amazon S3 buckets created after May 2019 are compatible with AWS Backint Agent. Need to create new S3 Bucket if not available.
AWS Backint Agent also supports backing up to Amazon S3 with VPC endpoints.
This is end of Part – I, in next part of this blog post Backup and Recovery of SAP HANA Database Directly to AWS S3 Bucket using AWS Backint Agent – Part II you can find more information about Installation, Configuration and Verification of the AWS Backint Agent
Thanks Jaskirat for the useful information. Could you please share details if its possible to do HANA DB SYSTEM copy (QA system refresh) using AWS snapshots instead of using backup/recovery method.
Thanks
Varun