Skip to Content
Technical Articles
Author's profile photo Jaskirat Singh

Backup and Recovery of SAP HANA Database Directly to AWS S3 Bucket using AWS Backint Agent – Part I

This blog post contains all the SAP and AWS related technical Snapshots and settings which can be used for configuring HANA Database backup on SUSE Linux Enterprise Server 15 SP2. Operations described in the document are performed when SAP HANA Database is deployed on AWS. SAP has provided several notes which support SAP products on AWS:-

This blog post mostly concentrate on the information about installation and configurations of AWS Backint Agent and related changes that needs to be done on HANA databases for backuping up the database directly on Amazon S3 Bucket.

1. SAP HANA BACKUP ON AWS

AWS provides SAP-certified cloud infrastructure for running SAP HANA. AWS and SAP have worked together closely so that companies can fully realize all the benefits of the SAP HANA in-memory computing platform on AWS. SAP HANA can be deployed on either SUSE Linux Enterprise Server (SLES) or Red Hat Enterprise Linux (RHEL).

1.1 AWS Backint Agent for SAP HANA

AWS Backint Agent for SAP HANA (AWS Backint Agent) is an SAP-certified backup and restore application for SAP HANA workloads running on Amazon EC2 instances in the cloud. This Agent runs as a standalone application runs on SAP HANA Server that integrates with the existing workflows to back up SAP HANA databases to Amazon S3 Buckets and to restore it using SAP HANA Cockpit, SAP HANA Studio, and SQL commands. AWS Backint Agent supports full, incremental, and differential backup of SAP HANA databases. Additionally, backup of log files and catalogs can be done directly to Amazon S3. To restore SAP HANA database server, SAP HANA reads the catalog files stored in S3 bucket using the AWS Backint Agent and then initiates a request to restore the required files directly from S3.

SAP has provided support process for AWS Backint Agent 2920965 – Support Process for AWS Backint Agent

1.2 Mechanism of AWS Backint Agent

AWS Backint Agent can be deployed to SAP HANA instances from the AWS Systems Manager (SSM) console. From the AWS SSM console, an AWS SSM document is executed on the instances to install this agent. Parameterized configuration information can be provided to the SSM document. This agent can also be downloaded and installed manually. AWS Backint Agent increases scalability through parallel processing of backup and restore processes, providing maximum throughput and reducing backup Recovery Time Objective (RTO) during recovery.

1.3 Cost

AWS Backint Agent is a free service provided by AWS. One only need to pay for the underlying AWS services as per the usage, for example Amazon S3.

1.4 Support

With respect to support of AWS Backint Agent we have the following:

1.4.1 Operating System

AWS Backint Agent is supported on the following operating systems:

  • SUSE Linux Enterprise Server
  • SUSE Linux Enterprise Server for SAP
  • Red Hat Enterprise Linux for SAP

1.4.2 Databases

AWS Backint Agent supports the following databases:

  • SAP HANA 1.0 SP12 (single node and multi node)
  • SAP HANA 2.0 and later (single node and multi node)

1.4.3 Regions

AWS Backint Agent is available in all commercial Regions, as well as in China (Beijing), China (Ningxia), and GovCloud.

2. PREREQUISITES

When SAP HANA system is successfully running on an Amazon EC2 instance, Need to verify the following prerequisites:

2.1 AWS Identity and Access Management

2.1.1 Role for AWS SSM

AWS Systems Manager need access to AWS resources to install AWS Backint Agent, for this managed policy AmazonSSMManagedInstanceCore needs to be attached to the IAM role.
This role is not required in case need to install manually using AWS Backint installer

2.1.2 Role for AWS EC2

To allow Amazon EC2 instance on which SAP is HANA installed to access target Amazon S3 bucket, an inline IAM policy needs to be created or updated with the attached permissions using below steps: –
Got IAM in AWS Console and click on Create Role

Got%20IAM%20in%20AWS%20Console%20and%20click%20on%20Create%20Role

AWS IAM Console

Specify the AWS resource for which role needs to be created i.e. EC2 and Click on Next: Permission

AWS%20IAM%20Console

AWS IAM Console

Click on Create Policy

AWS%20IAM%20Console

AWS IAM Console

Click on Json

AWS%20IAM%20Console

AWS IAM Console

Paste the below policy and replace the required fields and Click on Review Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucket Name>/*",
                "arn:aws:s3:::<Bucket Name>"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<KMS Arn>"
        },
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "s3:PutObjectTagging",
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws:s3:::<bucket name>/<folder name>/*"
          }
    ]
}

AWS%20IAM%20Console

AWS IAM Console

Make sure if policies are correct in next screen

AWS%20IAM%20Console

AWS IAM Console

Specify the Name of the Policy and Description and click Create Policy

AWS IAM Console

Select newly created Policy to Role and Click Next: Tags

AWS IAM Console

Specify the tags (If any) then click on Next: Review

AWS IAM Console

Specify the name of the role and click Create Role

AWS IAM Console

To attach this role to HANA instance, Goto EC2 → Instances and then select the HANA instance. Then click on Actions → Security → Modify IAM role

AWS%20EC2%20Console

AWS EC2 Console

Select role S3BucketAccess and Click Save

AWS%20EC2%20Console

AWS EC2 Console

2.2 AWS Systems Manager

To install the AWS Backint Agent with the Amazon EC2 Systems Manager Agent (SSM) document,  Amazon EC2 Systems Manager Agent (SSM Agent) version 2.3.274.0 or later needs to be installed, and instance must be a managed instance that is configured for AWS Systems Manager. This is not required in case of manual installation using AWS Backint Installer from OS level.

Version of SSM can be checked by going to Systems Manager → Managed Instances

AWS%20Systems%20Manager

AWS Systems Manager

2.3 AWS S3 Bucket

AWS Backint Agent supports backing up SAP HANA database to an Amazon S3 bucket with the S3 Standard, S3 Standard-IA, and S3 One Zone-IA storage classes. Others S3 storage classes such as S3 Reduced Redundancy, S3 Intelligent-Tiering, Deep Archive, and Glacier are not supported by AWS Backint Agent. By default, the S3 Standard storage class is used to store your backups.

For Creating the S3 Bucket, Goto S3 and click on Create Bucket

AWS%20S3%20Console

AWS S3 Console

Name of the S3 bucket needs to be specified where SAP HANA backups will be stored.

AWS%20S3%20Console

AWS S3 Console

Make sure that the Amazon S3 bucket where backups are getting stored, doesn’t have public access enabled. If the S3 bucket has public access enabled, backups will fail.

AWS%20S3%20Console

AWS S3 Console

Specify the Bucket Versioning and Tags as per the requirement

AWS%20S3%20Console

AWS S3 Console

Backups must be encrypted, so it is good to specify the encryption settings as per the requirement

AWS%20S3%20Console

AWS S3 Console

Write-once-read-many (WORM) model can be used for storing log/data files with S3 Object Lock, specify the required option and then click on Create Bucket

Please note if S3 Object Lock is enabled, then SAP HANA Cockpit can’t delete SAP HANA backups stored in Amazon S3 until the retention period of the particular file expires.

AWS%20S3%20Console

AWS S3 Console

Bucket has been created:

AWS%20S3%20Console

AWS S3 Console

Please note Amazon S3 buckets created after May 2019 are compatible with AWS Backint Agent. Need to create new S3 Bucket if not available.

AWS Backint Agent also supports backing up to Amazon S3 with VPC endpoints.

 

This is end of Part – I, in next part of this blog post Backup and Recovery of SAP HANA Database Directly to AWS S3 Bucket using AWS Backint Agent – Part II you can find more information about Installation, Configuration and Verification of the AWS Backint Agent

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Varun Kumar Sharma
      Varun Kumar Sharma

      Thanks Jaskirat for the useful information. Could you please share details if its possible to do HANA DB SYSTEM copy (QA system refresh) using AWS snapshots instead of using backup/recovery method.

      Thanks

      Varun