Backup and Recovery of SAP HANA Database on Azure using Azure Backup Plugin for HANA – Part I
This article collects the SAP and Azure technical screenshots and settings that can be used to configure HANA database backup on SUSE Linux Enterprise Server 15 SP2. The operations described in the document are performed with the SAP HANA database deployed on Azure. SAP has provided several notes on support for SAP products on Azure:
- 2015553 – SAP on Microsoft Azure: Support prerequisites
- 1928533 – SAP Applications on Azure: Supported Products and Azure VM types
This article mostly concentrates on the installation and configuration of the Azure Backup Plugin for HANA and the related changes that need to be made on HANA databases so that they can be backed up.
1. SAP HANA BACKUP ON AZURE
SAP HANA databases are mission-critical workloads that require a low recovery point objective (RPO) and a fast recovery time objective (RTO). SAP HANA databases running on Azure VMs can be backed up using Azure Backup.
Azure Backup is Backint certified by SAP and provides native backup support by leveraging SAP HANA’s native APIs. This offering from Azure Backup aligns with Azure Backup’s model of zero-infrastructure backups, eliminating the need to deploy and manage backup infrastructure. SAP HANA databases running on Azure VMs can now be backed up and restored seamlessly (M series VMs are also supported now!) and leverage the enterprise management capabilities that Azure Backup provides.
SAP has also provided the notes below, which help in understanding this:
- 2756788 – Support Process Microsoft Azure Backup BackInt
- 1730932 – Using backup tools with Backint for HANA
1.2 Azure Backup Offerings
Using the Azure Backup solution to back up and restore SAP HANA databases has the following advantages:
- 15-minute Recovery Point Objective (RPO): Recovery of critical data of up to 15 minutes is possible.
- One-click, point-in-time restores: Restore of production data can be done on alternate HANA servers. Chaining of backups and catalogs to perform restores is all managed by Azure behind the scenes.
- Long-term retention: For rigorous compliance and audit needs. Backups can be retained for years, based on the retention duration, beyond which the recovery points will be pruned automatically by the built-in lifecycle management capability.
- Backup Management from Azure: Use Azure Backup’s management and monitoring capabilities for improved management experience. Azure CLI is also supported.
1.3 Backup Architecture
Below is an overview of the architecture for backing up SAP HANA to Azure through Backint:
- The backup process begins by creating a Recovery Services vault in Azure. This vault will be used to store the backups and recovery points created over time.
- The Azure VM running the SAP HANA server is registered with the vault, and the databases to be backed up are discovered. To enable the Azure Backup service to discover databases, some specific steps need to be performed; they are described later.
- Azure Backup Service installs the Azure Backup Plugin for HANA on the registered SAP HANA server.
- The Azure Backup Plugin is installed on the VM where the SAP HANA database is running and performs all backup and restore operations.
- To configure backup on the databases that are discovered, we also need to choose the required backup policy and enable backups.
- The Azure Backup Plugin for HANA maintains all the backup schedules and policy details. It triggers the scheduled backups and communicates with the HANA Backup Engine through the Backint APIs.
- The HANA Backup Engine returns a Backint stream with the data to be backed up.
- All the scheduled backups and on-demand backups (triggered from the Azure portal) that are either full or differential are initiated by the Azure Backup Plugin for HANA. However, log backups are managed and triggered by HANA Backup Engine itself.
- Azure Backup for SAP HANA, being a Backint certified solution, doesn’t depend on underlying disk or VM types. The backup is performed by streams generated by HANA.
1.3 VM Backup with SAP HANA Backup
In addition to the SAP HANA backup in Azure, which provides database-level backup and recovery with the help of the Azure Backup Plugin for HANA, the Azure VM backup solution can be used to back up the OS and non-database disks.
The VM backup can be taken once every day and it backs up all the disks (except Write Accelerator (WA) OS disks i.e. Log and ultra-disks i.e. Data). Since the database is being backed up using the Azure SAP HANA backup solution, a file-consistent backup can be taken of only the OS and non-database disks using the Selective disk backup and restore for Azure VMs feature.
You can choose between locally redundant storage (LRS), zone redundant storage (ZRS) (Preview) or geo-redundant storage (GRS) for the backups. Both LRS and GRS are Block Blob Storage. Charges for storage are separate from the cost of Azure Backup.
The support matrix for the Azure Backup Plugin for HANA is as follows:
1.5.1 HANA Topology
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA topology:
- Supported: SAP HANA running in Azure Linux VMs only
- Not Supported: HANA Large Instances (HLI)
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to regions:
- Supported: Central US, East US 2, East US, North Central US, South Central US, West US 2, West Central US, West US, Canada Central, Canada East, Brazil South, Australia Central, Australia Central 2, Australia East, Australia Southeast, Japan East, Japan West, Korea Central, Korea South, East Asia, Southeast Asia, Central India, South India, West India, China East, China North, China East2, China North 2, West Europe, North Europe, France Central, UK South, UK West, Germany North, Germany West Central, Switzerland North, Switzerland West, Central Switzerland North, Norway East, Norway West, South Africa North, South Africa West, UAE North, UAE Central and Azure Government regions
- Not Supported: France South, Germany Central, Germany Northeast, US Gov IOWA
1.5.3 Operating Systems
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to operating systems:
- SUSE Linux Enterprise Server 12 with SP2, SP3, SP4 and SP5
- SUSE Linux Enterprise Server 15 with SP0, SP1, SP2
- As of August 1st, 2020, SAP HANA backup for RHEL (7.4, 7.6, 7.7 & 8.1) is available.
1.5.4 HANA Versions
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA versions:
- SDC on HANA 1.x
- MDC on HANA 2.x SPS04, SPS05 Rev <= 53 (validated for encryption enabled scenarios as well)
1.5.5 HANA Deployments
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA deployments:
- Supported: SAP HANA on a single Azure VM – Scale up only
- Not Supported: Scale-out SAP HANA Systems
1.5.6 HANA Instances
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA instances:
- Supported: A single SAP HANA instance on a single Azure VM – scale up only
- Not Supported: Multiple SAP HANA instances on a single VM.
1.5.7 HANA Database Types
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA database types:
- Single Database Container (SDC) on 1.x
- Multi-Database Container (MDC) on 2.x
- Not Supported: MDC in HANA 1.x
1.5.8 HANA Database Sizes
SAP HANA backups via the Azure Backup Plugin for HANA are supported only for HANA databases of size <= 8 TB (this is the database size, not memory).
1.5.9 HANA Backup Types
Support for SAP HANA backups via the Azure Backup Plugin for HANA with respect to HANA backup types:
- Full Database Backup
- Differential Database Backup
- Incremental Database Backup
- Log Backup
- Not Supported:
After our SAP HANA system is successfully running on an Azure VM, we need to verify the following prerequisites:
2.1 Azure Recovery Service Vault
A Recovery Services vault is an entity that stores the backups and recovery points created over time. The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.
To create a Recovery Services vault:
In the Azure portal, go to Recovery Service Vaults and click on New.
- Name: The name is used to identify the Recovery Services vault and must be unique to the Azure subscription. Specify a name that has at least two, but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.
- Subscription: Choose the subscription to use. There are multiple choices only if your work or school account is associated with more than one Azure subscription.
- Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list box. To create a new resource group, select Create new and enter the name. For complete information about resource groups, see Azure Resource Manager overview.
- Location: Select the geographic region for the vault. The vault must be in the same region as the virtual machine running SAP HANA.
Specify Tags, if any, and click on Review + Create
Click on Create
Recovery Service Vault has been created successfully
2.2 Network Connectivity
For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage (if required), and Azure Active Directory (if required). This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Without proper connectivity to the required Azure services, operations like database discovery, configuring backup, performing backups, and restoring data may fail.
2.2.1 Private Endpoints
Private endpoints allow servers inside a virtual network to connect securely to the Recovery Services vault. The private endpoint uses an IP from the VNET address space for the vault. The network traffic between the resources inside the virtual network and the vault travels over your virtual network and a private link on the Microsoft backbone network. This eliminates exposure from the public internet.
To set up private endpoints, go to the created Recovery Service Vault.
Fill in the basic details for Private Endpoints. The region should be the same as the vault and the resource being backed up.
The next step is to select the PaaS resource for which the connection needs to be created. Select Microsoft.RecoveryServices/vaults as the resource type for the desired subscription. Once done, choose the name of the Recovery Services vault as the Resource and AzureBackup as the Target sub-resource.
In the next configuration step, specify the virtual network and subnet where the private endpoint needs to be created. This will be the VNet where the VM is present. To connect privately, the required DNS records need to be added. Based on the network setup, one of the following can be chosen:
- Integrate your private endpoint with a private DNS zone: Select Yes if you wish to integrate.
- Use your custom DNS server: Select No if you wish to use your own DNS server.
Specify Tags if required
Click on Review + Create to create Private Endpoints
2.2.2 NSG Tags
With Network Security Groups (NSGs), use the AzureBackup service tag to allow outbound access to Azure Backup. In addition to the AzureBackup tag, connectivity needs to be allowed for authentication.
To do so, go to Network Security Groups in the Azure portal, click on Outbound Security Rules, and then click on Add.
The settings below need to be chosen according to the network infrastructure.
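The outbound rules from 2.2.2 expressed with the Azure CLI, as an added example that is not part of the original article: it assumes the Storage and AzureActiveDirectory service tags for the storage and authentication traffic the article mentions, HTTPS (port 443) only, and placeholder resource group, NSG, rule names and priorities. By default it only prints the commands; APPLY=1 runs them.

```shell
#!/usr/bin/env bash
# Added example, not from the article. RG, NSG, rule names and priorities are
# placeholders (assumptions); adjust them to your own network infrastructure.
RG="${RG:-rg-hana-example}"
NSG="${NSG:-nsg-hana-example}"
APPLY="${APPLY:-0}"

# Print the command (dry run) unless APPLY=1, in which case execute it.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One outbound allow rule per service tag, TCP 443 only, so the HANA VM
# needs no general "Internet" egress rule for backup traffic.
allow_tag() {  # $1 = service tag, $2 = rule priority
  run az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name "Allow-$1-Out" --priority "$2" \
    --direction Outbound --access Allow --protocol Tcp \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-address-prefixes "$1" --destination-port-ranges 443
}

create_backup_egress_rules() {
  allow_tag AzureBackup 200           # backup service (tag named in the article)
  allow_tag AzureActiveDirectory 210  # authentication (assumed tag)
  allow_tag Storage 220               # backup data (assumed tag)
}

create_backup_egress_rules
```

Review the printed commands first, then rerun with APPLY=1 from a session that is logged in with the Azure CLI.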
2.2.3 Firewall Tags
If Azure Firewall is used, create an application rule by using the AzureBackup Azure Firewall FQDN tag. This allows all outbound access to Azure Backup.
2.2.4 Access to Service IP Ranges
To allow access by service IP ranges, allow access to the IPs corresponding to Azure Backup, Azure Storage, and Azure Active Directory.
2.2.5 Access to Service FQDNs
Allow access to the following FQDNs to reach the required services from the servers:
- Azure Backup – *.backup.windowsazure.com
- Azure Storage – *.blob.core.windows.net, *.queue.core.windows.net
2.2.6 HTTP proxy server to route traffic
While backing up an SAP HANA database running on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. Use the list of IPs and FQDNs mentioned above for allowing access to the required services. Authenticated proxy servers aren’t supported.
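A check of proxy or firewall logs against the FQDN list in 2.2.5, added here as an example (not from the original article): it flags required hosts that were denied, which breaks backup, and allowed hosts outside the list, including names that only resemble a listed domain. The log format and sample lines are constructed; the article gives no FQDN for Azure AD, so add your authentication endpoints to the pattern list.

```shell
#!/usr/bin/env bash
# Added example, not from the article: classify outbound hostnames against
# the wildcard FQDNs listed in section 2.2.5.

# Echo the service a hostname belongs to, or "other".
classify_host() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')  # DNS names are case-insensitive
  host="${host%.}"                           # drop a trailing root dot
  case "$host" in
    # The pattern is anchored at the end and requires the leading dot, so
    # "blob.core.windows.net.example.org" and "xbackup.windowsazure.com" fail.
    *.backup.windowsazure.com) echo "Azure Backup" ;;
    *.blob.core.windows.net|*.queue.core.windows.net) echo "Azure Storage" ;;
    *) echo "other" ;;
  esac
}

# Constructed sample log, one "<ACTION> <host>" pair per line.
SAMPLE_LOG='ALLOW pod01.backup.windowsazure.com
DENY examplestore.blob.core.windows.net
ALLOW examplestore.queue.core.windows.net
ALLOW blob.core.windows.net.example.org
ALLOW updates.example.org'

# Report denied hosts that backup needs, and allowed hosts outside the list.
audit_egress() {
  printf '%s\n' "$1" | while read -r action host; do
    svc=$(classify_host "$host")
    if [ "$svc" != "other" ] && [ "$action" = "DENY" ]; then
      echo "BLOCKED-REQUIRED $svc $host"
    elif [ "$svc" = "other" ] && [ "$action" = "ALLOW" ]; then
      echo "ALLOWED-UNLISTED $host"
    fi
  done
}

audit_egress "$SAMPLE_LOG"
```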
2.3 Pre-Registration Script
Run the SAP HANA backup configuration script (pre-registration script) in the virtual machine where HANA is installed, as the root user. This script gets the HANA system ready for backup.
If the HANA setup uses Private Endpoints, run the pre-registration script with the -sn or --skip-network-checks parameter.
Running the pre-registration script performs the following functions:
- Based on your Linux distribution, the script installs or updates any necessary packages required by the Azure Backup agent.
- It performs outbound network connectivity checks with Azure Backup servers and dependent services like Azure Active Directory and Azure Storage.
- It logs into your HANA system using the user key listed as part of the prerequisites. The user key is used to create a backup user (AZUREWLBACKUPHANAUSER) in the HANA system and the user key can be deleted after the pre-registration script runs successfully.
- AZUREWLBACKUPHANAUSER is assigned these required roles and permissions:
  - For MDC: DATABASE ADMIN and BACKUP ADMIN (from HANA 2.0 SPS05 onwards): to create new databases during restore.
  - For SDC: BACKUP ADMIN: to create new databases during restore.
  - CATALOG READ: to read the backup catalog.
  - SAP_INTERNAL_HANA_SUPPORT: to access a few private tables. Only required for SDC and MDC versions below HANA 2.0 SPS04 Rev 46. This is not required for HANA 2.0 SPS04 Rev 46 and above since we are getting the required information from public tables now with the fix from HANA.
- The script adds a key to hdbuserstore for AZUREWLBACKUPHANAUSER for the HANA backup plug-in to handle all operations (database queries, restore operations, configuring and running backup).
Latest script can be downloaded from here
Copy the script to the temporary location of the VM where HANA has been installed
The --help argument can be used to check the script’s help menu:
/bin/bash /tmp/msawb-plugin-config-com-sap-hana.sh --help
Now we need to create a backup user, which Azure Backup will use to trigger backup and restore of the HANA database. We can use the queries below to create the new user in HANA; alternatively, HANA studio or HANA cockpit can be used, and SAP has provided guides for this:
CREATE USER <user> PASSWORD <password> NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ, INIFILE ADMIN TO <user>;
Now we need to create a user store entry for the HANA databases, so that the Azure Backup Plugin for HANA can use it to access the HANA databases. SAP has provided guides for this:
hdbuserstore Set <keyname> <hostname>:<port>@SYSTEMDB <user> <password>
Now, we need to execute the pre-registration script with proper arguments as below
/bin/bash /tmp/msawb-plugin-config-com-sap-hana.sh -a -s <SID> -n <NR> -sk <SYSTEM_KEY_NAME> -bk <BACKUP_KEY_NAME>
Pre-registration script executed successfully.
This is the end of Part I. The next part of this article, Backup and Recovery of SAP HANA Database on Azure using Azure Backup Plugin for HANA – Part II, has more information about the configuration of the Azure Backup Plugin for HANA and backups using it.