Building a Hybrid SAP HANA Infrastructure on AWS: AD, DNS, VPC, & Direct Connect Setup

Introduction
Deploying SAP HANA on AWS requires a robust network architecture that seamlessly integrates with your existing On-Premise data center. To ensure secure authentication and name resolution, we will establish a hybrid environment where On-Premise Active Directory (AD) manages identity, but AWS handles the DNS resolution and SAP workload traffic.

This guide covers the creation of the AWS Organization structure, VPC design, DNS migration (Replacement), VPN/Direct Connect, and the SAP HANA POC deployment.


Phase 1: AWS Organizations & Account Structure - Detailed Configuration
Complete AWS Account Structure for SAP Deployment

Organization Hierarchy


CIDR Block Allocation Strategy

IP Address Schema

 Account          VPC Name      VPC CIDR      Availability Zones  Subnets            Purpose
 ───────────────────────────────────────────────────────────────────────────────────────────────────
 Network-Transit  10.0.0.0/16   10.0.0.0/16   az-a, az-b                             Transit Gateway, Direct Connect
 Network-DNS      10.1.0.0/16   10.1.0.0/16   az-a, az-b          2x /24             Route 53 Resolver
 Shared-Services  10.2.0.0/16   10.2.0.0/16   az-a, az-b          3x /24             AD Connectors, Patch Console
 Security-Log     10.3.0.0/16   10.3.0.0/16   az-a, az-b          2x /24             Centralized Logging
 SAP-Dev          10.10.0.0/16  10.10.0.0/16  az-a, az-b          App: /24, DB: /24  SAP Development
 SAP-QA           10.20.0.0/16  10.20.0.0/16  az-a, az-b          App: /24, DB: /24  SAP QA Testing
 SAP-Staging      10.30.0.0/16  10.30.0.0/16  az-a, az-b          App: /24, DB: /24  SAP UAT/Staging
 SAP-Prod         10.40.0.0/16  10.40.0.0/16  az-a, az-b, az-c    App: /24, DB: /24  SAP Production

Step-by-Step Account Creation

Step 1: Create AWS Master Account (Already Exists)
If you don't have an AWS account, create one first. This will be your Root/Master account.

This account handles:

  • Root organization management
  • Consolidated billing
  • Service Control Policies (SCPs)

Step 2: Create AWS Organization
Login to Master Account
Navigate to AWS Organizations
Click Create organization
Enable All features
Organization ID: o-xxxxxxxxxx
Feature Set: ALL

Step 3: Create Organizational Units (OUs)

 OU Name              Description                          Purpose
 ─────────────────────────────────────────────────────────────────────────
 Core-Infrastructure  AWS Core accounts                    Master, Billing
 Network              Network connectivity                 Transit, DNS
 Shared-Services      Common services across environments  AD, Patching
 Security             Security & Compliance                Logs, Audit
 SAP-Workload         SAP Lifecycle                        Dev, QA, Staging, Prod
 Sandboxes            Test environments                    Developer testing

Step 4: Create Member Accounts
Method A: Using AWS Console 

Go to AWS Organizations → Add account → Create account

Fill in details:
Email: aws-sap-dev@company.com
Account Name: AWS SAP Dev Account
IAM Account Alias: aws-sap-dev

Method B: Using AWS Control Tower (Recommended)
Control Tower -> Organization -> Register account

Method C: Using AWS Organizations CLI
# Create account (new accounts always land under the organization root; move the
# account into its OU afterwards)
aws organizations create-account \
  --email "aws-network-transit@company.com" \
  --account-name "Network-Transit Account"

# Move the new account (ID from the create-account status) into the Network OU.
# r-xxxx is a placeholder for your root ID (aws organizations list-roots).
aws organizations move-account \
  --account-id 111111111111 \
  --source-parent-id r-xxxx \
  --destination-parent-id ou-example-1234567

Detailed Services & Components per Account

1. Network-Transit Account

Purpose: Central hub for networking, Direct Connect, Transit Gateway

 Service                  Purpose                          Configuration
 ────────────────────────────────────────────────────────────────────────────
 Direct Connect           Physical connection to on-prem   1Gbps or 10Gbps port
 Direct Connect Gateway   Connect to multiple VPCs         Attached to TGW
 Transit Gateway          Route between VPCs               Central routing
 Customer Gateway         On-prem router connection        BGP Peering
 Virtual Private Gateway  VPN backup attachment            Site-to-Site VPN

CIDR Allocation:

VPC Name: network-transit-vpc
CIDR: 10.0.0.0/16

Subnets:
  - Name: dt-jump-public-a
    CIDR: 10.0.1.0/24
    AZ: us-east-1a
    
  - Name: dt-jump-public-b
    CIDR: 10.0.2.0/24
    AZ: us-east-1b
    
  - Name: dt-transit-attach-a
    CIDR: 10.0.10.0/24
    AZ: us-east-1a
    
  - Name: dt-transit-attach-b
    CIDR: 10.0.11.0/24
    AZ: us-east-1b

 
2. Network-DNS Account

Purpose: DNS Resolution Hub between On-Premise and AWS

 Service            Purpose                Configuration
 ──────────────────────────────────────────────────────────────────
 Route 53 Resolver  Hybrid DNS resolution  Inbound/Outbound endpoints
 Amazon VPC DNS     VPC DNS support        Enable DNS hostnames
 EC2 Route 53 DNS   DNS for instances      Private Hosted Zone

Architecture:

On-Premise DNS (192.168.10.10)
        ↓
Conditional Forwarder
        ↓
Route 53 Resolver Outbound Endpoint
        ↓
SAP VPC Instances
 

CIDR Allocation:

VPC Name: network-dns-vpc
CIDR: 10.1.0.0/16

Subnets:
  - Name: dns-resolver-a
    CIDR: 10.1.1.0/24
    AZ: us-east-1a
    
  - Name: dns-resolver-b
    CIDR: 10.1.2.0/24
    AZ: us-east-1b

3. Shared-Services Account (AD & Identity)

Purpose: Centralized Active Directory, Patch Management, bastion hosts

 Service                 Purpose                    Configuration
 ─────────────────────────────────────────────────────────────────
 AD Connector            On-Premise AD integration  Directory Service
 EC2 Instance (Bastion)  Jump server for access     SSH/RDP gateway
 AWS Systems Manager     Patch management           Patch Manager
 AWS Config              Configuration recording    Config rules
 Amazon SNS              Alert notifications        Topic subscription

AD Architecture:

On-Premise Data Center
        │
        │  Port 389/636 (LDAP/LDAPS)
        │  over Direct Connect
        ↓
AWS Shared-Services Account
        │
        ├── AD Connector (Proxy to On-Prem AD)
        │
        └── EC2 Bastion Host
              │
              ↓
        SAP Workload Accounts (via Transit Gateway)

CIDR Allocation:

VPC Name: shared-services-vpc
CIDR: 10.2.0.0/16

Subnets:
  - Name: ss-jump-bastion-a
    CIDR: 10.2.1.0/24
    AZ: us-east-1a
    Purpose: Jump Server / bastion host
  
  - Name: ss-jump-bastion-b
    CIDR: 10.2.2.0/24
    AZ: us-east-1b
    Purpose: HA Jump Server
  
  - Name: ss-internal-a
    CIDR: 10.2.10.0/24
    AZ: us-east-1a
    Purpose: Internal services
  
  - Name: ss-internal-b
    CIDR: 10.2.11.0/24
    AZ: us-east-1b
    Purpose: Internal services

4. Security-Log Account

Purpose: Centralized security logging and compliance

 Service       Purpose                  Configuration
 ──────────────────────────────────────────────────────────────
 CloudTrail    API Activity logging     Multi-region, organization
 GuardDuty     Threat detection         EKS, RDS, S3 protection
 Security Hub  Security aggregator      AWS Foundational Security
 Config        Resource configuration   Compliance rules
 S3            Centralized log storage  Encrypted bucket

CIDR Allocation:

VPC Name: security-log-vpc
CIDR: 10.3.0.0/16

Subnets:
  - Name: sec-monitoring-a
    CIDR: 10.3.1.0/24
    AZ: us-east-1a
    
  - Name: sec-monitoring-b
    CIDR: 10.3.2.0/24
    AZ: us-east-1b

5. SAP Workload Accounts (Dev, QA, Staging, Prod)

SAP-Dev Account

VPC Name: sap-dev-vpc
CIDR: 10.10.0.0/16

Subnets:
  - Name: sap-dev-app-a
    CIDR: 10.10.1.0/24
    AZ: us-east-1a
    Purpose: SAP App Server (ASCS, ERS, Dialog)
  
  - Name: sap-dev-app-b
    CIDR: 10.10.2.0/24
    AZ: us-east-1b
    Purpose: SAP App Server HA
  
  - Name: sap-dev-db-a
    CIDR: 10.10.10.0/24
    AZ: us-east-1a
    Purpose: SAP HANA Database Node 1
  
  - Name: sap-dev-db-b
    CIDR: 10.10.11.0/24
    AZ: us-east-1b
    Purpose: SAP HANA Database Node 2

Services:
  - EC2: t3.large (App), r5.xlarge (DB)
  - EFS: sap-dev-efs
  - RDS: SQL Server (optional)
  - S3: sap-dev-data-bucket

Scale: 
  - HANA: Single node (Demo)
  - SAP Apps: instances
 

SAP-QA Account

VPC Name: sap-qa-vpc
CIDR: 10.20.0.0/16

Subnets:
  - Name: sap-qa-app-a
    CIDR: 10.20.1.0/24
    AZ: us-east-1a
  
  - Name: sap-qa-app-b
    CIDR: 10.20.2.0/24
    AZ: us-east-1b
  
  - Name: sap-qa-db-a
    CIDR: 10.20.10.0/24
    AZ: us-east-1a
  
  - Name: sap-qa-db-b
    CIDR: 10.20.11.0/24
    AZ: us-east-1b

Services:
  - EC2: m5.large (App), r5.2xlarge (DB)
  - EFS: sap-qa-efs
  - RDS: SQL Server

Scale: 
  - HANA: 2-node scale-out (Basic)
  - SAP Apps: instances

SAP-Staging (Pre-Production) Account


VPC Name: sap-staging-vpc
CIDR: 10.30.0.0/16

Subnets:
  - Name: sap-staging-app-a
    CIDR: 10.30.1.0/24
    AZ: us-east-1a
  
  - Name: sap-staging-app-b
    CIDR: 10.30.2.0/24
    AZ: us-east-1b
  
  - Name: sap-staging-db-a
    CIDR: 10.30.10.0/24
    AZ: us-east-1a
  
  - Name: sap-staging-db-b
    CIDR: 10.30.11.0/24
    AZ: us-east-1b

Scale: 
  - HANA: 2-node scale-out
  - SAP Apps: instances
  - Simulates Production topology

SAP-Prod Account (Production)

VPC Name: sap-prod-vpc
CIDR: 10.40.0.0/16

Subnets:
  - Name: sap-prod-app-a
    CIDR: 10.40.1.0/24
    AZ: us-east-1a
  
  - Name: sap-prod-app-b
    CIDR: 10.40.2.0/24
    AZ: us-east-1b
  
  - Name: sap-prod-app-c
    CIDR: 10.40.3.0/24
    AZ: us-east-1c
  
  - Name: sap-prod-db-a
    CIDR: 10.40.10.0/24
    AZ: us-east-1a
  
  - Name: sap-prod-db-b
    CIDR: 10.40.11.0/24
    AZ: us-east-1b
  
  - Name: sap-prod-db-c
    CIDR: 10.40.12.0/24
    AZ: us-east-1c

Services:
  - EC2: r5b.4xlarge (DB), r5.2xlarge (App)
  - FSx for NetApp ONTAP: /hana/shared, /sapmnt
  - EFS: sap-prod-efs
  - RDS: Oracle or SQL Server
  - ELB: Application Load Balancer
  - Auto Scaling: Min 4, Max 20

Scale: 
  - HANA: 3-node scale-out (Production HA)
  - SAP Apps: 8+ instances with ALB
  - Multi-AZ High Availability
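An added consistency check (not part of the original guide) over the IP address schema and the subnet allocations above: it confirms that no two VPC CIDRs overlap, that none overlaps the on-premise range advertised over BGP, and that every subnet lies inside its VPC without colliding with a sibling. The CIDRs are the page's Phase 1 values and the VPC names are the ones used in the allocations; the on-premise range 192.168.0.0/16 is taken from the BGP example in Phase 2.

```python
import ipaddress

# Constructed from the IP address schema and the per-account subnet allocations above
# (Phase 1 values; Phase 3 re-cuts the SAP-Prod subnets differently). The on-premise
# range is the one advertised over BGP in Phase 2 (192.168.0.0/16).
ON_PREM_CIDRS = ["192.168.0.0/16"]
VPCS = {
    "network-transit-vpc": ("10.0.0.0/16",  ["10.0.1.0/24", "10.0.2.0/24", "10.0.10.0/24", "10.0.11.0/24"]),
    "network-dns-vpc":     ("10.1.0.0/16",  ["10.1.1.0/24", "10.1.2.0/24"]),
    "shared-services-vpc": ("10.2.0.0/16",  ["10.2.1.0/24", "10.2.2.0/24", "10.2.10.0/24", "10.2.11.0/24"]),
    "security-log-vpc":    ("10.3.0.0/16",  ["10.3.1.0/24", "10.3.2.0/24"]),
    "sap-dev-vpc":         ("10.10.0.0/16", ["10.10.1.0/24", "10.10.2.0/24", "10.10.10.0/24", "10.10.11.0/24"]),
    "sap-qa-vpc":          ("10.20.0.0/16", ["10.20.1.0/24", "10.20.2.0/24", "10.20.10.0/24", "10.20.11.0/24"]),
    "sap-staging-vpc":     ("10.30.0.0/16", ["10.30.1.0/24", "10.30.2.0/24", "10.30.10.0/24", "10.30.11.0/24"]),
    "sap-prod-vpc":        ("10.40.0.0/16", ["10.40.1.0/24", "10.40.2.0/24", "10.40.3.0/24",
                                             "10.40.10.0/24", "10.40.11.0/24", "10.40.12.0/24"]),
}


def validate_schema(vpcs, on_prem_cidrs):
    """Return a list of problems; an empty list means the allocation is routable through one TGW."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in vpcs.items()}
    names = list(nets)
    # 1. VPC CIDRs must not overlap each other: a Transit Gateway cannot route between overlapping VPCs
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VPC overlap: {a} {nets[a]} / {b} {nets[b]}")
    # 2. No VPC may overlap the ranges learned from on-premise over BGP
    for cidr in on_prem_cidrs:
        onprem = ipaddress.ip_network(cidr)
        for name, net in nets.items():
            if net.overlaps(onprem):
                problems.append(f"On-prem overlap: {name} {net} / {onprem}")
    # 3. Every subnet sits inside its VPC, and sibling subnets do not overlap
    for name, (_, subnets) in vpcs.items():
        subs = [ipaddress.ip_network(s) for s in subnets]
        for s in subs:
            if not s.subnet_of(nets[name]):
                problems.append(f"Subnet {s} is outside {name} {nets[name]}")
        for i, a in enumerate(subs):
            for b in subs[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"Subnet overlap in {name}: {a} / {b}")
    return problems


def usable_hosts(subnet_cidr):
    """AWS reserves the first four and the last address of every subnet (251 usable in a /24)."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    print(validate_schema(VPCS, ON_PREM_CIDRS) or "schema OK")
```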

Network Architecture Diagram

 
Phase 2: Network Connectivity Setup and Configuration with Direct Connect & VPN

 

BGP ROUTING EXAMPLE
═══════════════════
On-Prem ASN      : 65000
AWS TGW ASN      : 64512

Advertised Routes:
──────────────────

On-Prem  → AWS
192.168.0.0/16

AWS → On-Prem
10.10.0.0/16  (SAP DEV)
10.30.0.0/16  (SAP STAGING)
10.40.0.0/16  (SAP PROD)


HIGH AVAILABILITY DESIGN
════════════════════════
Primary Route
On-Prem ── Direct Connect ── DXGW ── TGW ── AWS

             ↓ Failover

Secondary Route
On-Prem ── VPN Tunnel 1/2 ── TGW ── AWS

Step 1: Create Direct Connect Location & Connection
Prerequisites
  • AWS Account: Network-Transit Account
  • On-Premise Router: Compatible device (Cisco, Juniper, etc.)
  • LOA-CFA: Generated from AWS after connection request

Method A: AWS Console
# Step 1.1: Navigate to Direct Connect Console

AWS Console → Direct Connect → Locations

 Setting     Value
 ─────────────────────────────────────────────────────
 Provider    Equinix / AWS Direct Connect Partner
 Location    us-east-1 (Ashburn) or us-west-2 (Oregon)
 Port Speed  1 Gbps or 10 Gbps
 Name        DX-Connection-OnPrem

Method B: AWS CLI

# Step 1.1: Create Direct Connect Gateway
# (--amazon-side-asn is the Amazon side of the DX gateway; it must differ from the
#  Transit Gateway ASN 64512 used in Step 2)
aws directconnect create-direct-connect-gateway \
  --direct-connect-gateway-name "DX-Gateway-OnPrem" \
  --amazon-side-asn 65001

# Output:
{
    "directConnectGateway": {
        "directConnectGatewayId": "dxgw-0123456789abcdef0",
        "directConnectGatewayName": "DX-Gateway-OnPrem",
        "amazonSideAsn": 65001,
        "ownerAccount": "111111111111",
        "directConnectGatewayState": "available"
    }
}

# Step 1.2: Request the Direct Connect connection (dedicated port). A hosted
# connection ordered through a partner instead appears in the account for acceptance.
aws directconnect create-connection \
  --location "EqDC2" \
  --bandwidth "1Gbps" \
  --connection-name "OnPrem-Direct-Connect" \
  --provider-name "partner-name"

# Output:
{
    "connection": {
        "connectionId": "dxcon-ffghty12345678",
        "connectionName": "OnPrem-Direct-Connect",
        "location": "EqDC2",
        "bandwidth": "1Gbps",
        "vlan": 101,
        "partnerName": "Partner Name",
        "connectionState": "pending"
    }
}

# Step 1.3: Create Virtual Interface (Private VIF) on the connection, attached to the
# DX gateway. asn is the on-premise BGP ASN (65000 in the BGP example above); the /30
# addresses are the BGP peering pair on VLAN 101.
aws directconnect create-private-virtual-interface \
  --connection-id dxcon-ffghty12345678 \
  --new-private-virtual-interface \
    'virtualInterfaceName=SAP-VIF-OnPrem,vlan=101,asn=65000,addressFamily=ipv4,amazonAddress=169.254.11.1/30,customerAddress=169.254.11.2/30,directConnectGatewayId=dxgw-0123456789abcdef0'

# Output:
{
    "virtualInterface": {
        "virtualInterfaceId": "dxvif-1234567890abcdef",
        "virtualInterfaceName": "SAP-VIF-OnPrem",
        "virtualInterfaceType": "private",
        "vlan": 101,
        "directConnectGatewayId": "dxgw-0123456789abcdef0",
        "amazonAddress": "169.254.11.1/30",
        "customerAddress": "169.254.11.2/30",
        "addressFamily": "ipv4",
        "asn": 65000,
        "virtualInterfaceState": "pending"
    }
}

Step 2: Create Transit Gateway
Method A: AWS Console

# Step 2.1: Navigate to VPC Console → Transit Gateway

 Setting                         Value
 ──────────────────────────────────────────────────────────────────
 Name                            TGW-SAP-Network
 Amazon ASN                      64512
 Description                     Central Transit Gateway for SAP Workload
 Enable Auto Accept Attachments  Yes
 Enable DNS Support              Yes
 Enable ECMP                     No

Method B: AWS CLI (Network-Transit Account)
# Step 2.1: Create Transit Gateway
# (the ASN and every feature switch go inside --options; the default route table
#  IDs are assigned by AWS and appear in the output)
aws ec2 create-transit-gateway \
  --description "Central TGW for SAP Workload" \
  --options "AmazonSideAsn=64512,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable,DnsSupport=enable,VpnEcmpSupport=disable" \
  --tag-specifications 'ResourceType=transit-gateway,Tags=[{Key=Name,Value=TGW-SAP-Network}]'

# Output:
{
    "TransitGateway": {
        "TransitGatewayId": "tgw-0123456789abcdef0",
        "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0",
        "State": "available",
        "OwnerAccountId": "111111111111",
        "Description": "Central TGW for SAP Workload",
        "CreationTime": "2024-01-15T10:00:00.000Z",
        "Options": {
            "AmazonSideAsn": 64512,
            "AutoAcceptSharedAttachments": "enable",
            "DefaultRouteTableAssociation": "enable",
            "AssociationDefaultRouteTableId": "tgw-rtb-0123456789abcdef0",
            "DefaultRouteTablePropagation": "enable",
            "PropagationDefaultRouteTableId": "tgw-rtb-0123456789abcdef0",
            "VpnEcmpSupport": "disable",
            "DnsSupport": "enable"
        }
    }
}

Step 3: Create Transit Gateway Route Tables
# Step 3.1: Create Route Table

aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --tag-specifications 'ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=TGW-RouteTable-Main}]'

# Output:
{
    "TransitGatewayRouteTable": {
        "TransitGatewayRouteTableId": "tgw-rtb-0123456789abcdef0",
        "TransitGatewayId": "tgw-0123456789abcdef0",
        "Associations": [],
        "Attachments": [],
        "Routes": [],
        "State": "available"
    }
}

# Step 3.2: Associate an attachment with the route table
# Each TGW attachment is associated with exactly one route table. The attachment IDs
# come from Step 4 (VPC attachments), the DX gateway association and the VPN (Step 6).

aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --transit-gateway-attachment-id tgw-attach-1234567890abcdef

# Step 3.3: Enable route propagation from an attachment into the route table
# (BGP prefixes learned over Direct Connect then appear without static routes)
aws ec2 enable-transit-gateway-route-table-propagation \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --transit-gateway-attachment-id tgw-attach-DXGW-ATTACHMENT-ID   # placeholder: ID of the DX gateway attachment

Step 4: Attach VPCs to Transit Gateway
4.1 Attach Network-Transit VPC
# Step 4.1.1: Create Attachment to Network-Transit VPC

aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --vpc-id vpc-0123456789abcdef0 \
  --subnet-ids subnet-0a1b2c3d subnet-0e1f2g3h \
  --options "DnsSupport=enable,Ipv6Support=disable" \
  --tag-specifications 'ResourceType=transit-gateway-vpc-attachment,Tags=[{Key=Name,Value=TGW-Attach-Network-Transit}]'

# Output:
{
    "TransitGatewayVpcAttachment": {
        "TransitGatewayAttachmentId": "tgw-attach-1234567890abcdef",
        "TransitGatewayId": "tgw-0123456789abcdef0",
        "VpcId": "vpc-0123456789abcdef0",
        "SubnetIds": ["subnet-0a1b2c3d", "subnet-0e1f2g3h"],
        "State": "pending"
    }
}

4.2 Attach Other VPCs (Repeat for each account)
# Step 4.2.1: Attach Shared-Services VPC

aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --vpc-id vpc-0abcdef1234567890 \
  --subnet-ids subnet-09i8h7g6 subnet-05f4e3d2 \
  --tag-specifications 'ResourceType=transit-gateway-vpc-attachment,Tags=[{Key=Name,Value=TGW-Attach-Shared-Services}]'

# Step 4.2.2: Attach SAP-Dev VPC
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --vpc-id vpc-0fedcba9876543210 \
  --subnet-ids subnet-0q1w2e3r4 subnet-0t7y6u5i4 \
  --tag-specifications 'ResourceType=transit-gateway-vpc-attachment,Tags=[{Key=Name,Value=TGW-Attach-SAP-Dev}]'

# Repeat for: SAP-QA, SAP-Staging, SAP-Prod, Network-DNS, Security-Log

Step 5: Configure Transit Gateway Routes
# Step 5.1: Add Route for On-Premise (via Direct Connect)
# With propagation enabled in Step 3.3 the on-prem prefixes learned over BGP appear
# automatically; a static route is only needed when propagation is off.

aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --destination-cidr-block 192.168.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-DXGW-ATTACHMENT-ID   # placeholder: ID of the DX gateway attachment

# Step 5.2: Add Route for SAP VPCs (attachment IDs from Step 4)
aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --destination-cidr-block 10.10.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-sap-dev

aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --destination-cidr-block 10.20.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-sap-qa

aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --destination-cidr-block 10.30.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-sap-staging

aws ec2 create-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0123456789abcdef0 \
  --destination-cidr-block 10.40.0.0/16 \
  --transit-gateway-attachment-id tgw-attach-sap-prod

Step 6: Create VPN (Backup Connection)
6.1 Create Customer Gateway
# Step 6.1.1: Create Customer Gateway (On-Premise Router)
# --bgp-asn is the on-premise ASN (65000 in the BGP example), the same ASN the Direct
# Connect private VIF peers with; the TGW prefers the DX path and falls back to the VPN.

aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 203.0.113.1 \
  --bgp-asn 65000 \
  --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=OnPrem-CGW}]'

# Output:
{
    "CustomerGateway": {
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "IpAddress": "203.0.113.1",
        "Type": "ipsec.1",
        "BgpAsn": "65000",
        "State": "available"
    }
}

6.2 Virtual Private Gateway (only for a VPN that terminates on a single VPC)
# A Virtual Private Gateway attaches to one VPC and cannot be attached to a Transit
# Gateway. The backup VPN in this design terminates on the TGW (see HIGH AVAILABILITY
# DESIGN above), so the VGW below is not used by the following steps; create it only
# when a VPC needs its own VPN.

aws ec2 create-vpn-gateway \
  --type ipsec.1 \
  --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=VGW-SAP-Backup}]'

# Output:
{
    "VpnGateway": {
        "VpnGatewayId": "vgw-0123456789abcdef0",
        "Type": "ipsec.1",
        "State": "available",
        "AvailabilityZone": "us-east-1a"
    }
}

6.3 Attach the VPN to the Transit Gateway
# There is no separate attach command: creating the VPN connection against the TGW
# in Step 6.4 creates the TGW VPN attachment (visible in
# describe-transit-gateway-attachments with ResourceType "vpn").

6.4 Create Site-to-Site VPN Connection
# Step 6.4.1: Create VPN Connection terminating on the Transit Gateway
# (StaticRoutesOnly=false: BGP runs over both tunnels with the on-prem ASN from 6.1)

aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-0123456789abcdef0 \
  --transit-gateway-id tgw-0123456789abcdef0 \
  --options "StaticRoutesOnly=false,TunnelInsideIpVersion=ipv4" \
  --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=VPN-SAP-Backup}]'

# Output:
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "TransitGatewayId": "tgw-0123456789abcdef0",
        "State": "pending",
        "CustomerGatewayConfiguration": "...",
        "Options": {
            "StaticRoutesOnly": false,
            "TunnelInsideIpVersion": "ipv4"
        },
        "Routes": []
    }
}

# Step 6.4.2: Get VPN Tunnel Details
aws ec2 describe-vpn-connections \
  --vpn-connection-id vpn-0123456789abcdef0

# Output shows:
# - Tunnel 1: Outside IP (203.0.113.XX) -> AWS IP (34.XX.XX.XX)
# - Tunnel 2: Outside IP (203.0.113.XX) -> AWS IP (35.XX.XX.XX)
# - Pre-shared key (PSK)
# - IKE Version

Step 7: Configure VPC Route Tables
7.1 Network-Transit VPC Route Table
# Step 7.1.1: Create Route Table

aws ec2 create-route-table \
  --vpc-id vpc-0123456789abcdef0 \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=RT-Network-Transit-Main}]'

# Step 7.1.2: Add Routes

aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 192.168.0.0/16 \
  --transit-gateway-id tgw-0123456789abcdef0

aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 10.10.0.0/16 \
  --transit-gateway-id tgw-0123456789abcdef0

aws ec2 create-route \
  --route-table-id rtb-0123456789abcdef0 \
  --destination-cidr-block 10.40.0.0/16 \
  --transit-gateway-id tgw-0123456789abcdef0

7.2 SAP-Prod VPC Route Table
# Step 7.2.1: Create Route Table for Database Subnet

aws ec2 create-route-table \
  --vpc-id vpc-0fedcba9876543210 \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=RT-SAP-Prod-DB}]'

# Step 7.2.2: Add Routes (via TGW)
# The VPC's own 10.40.0.0/16 "local" route is more specific than 10.0.0.0/8, so
# intra-VPC traffic stays local while the other 10.x VPCs are reached through the TGW.
aws ec2 create-route \
  --route-table-id rtb-sap-prod-db \
  --destination-cidr-block 192.168.0.0/16 \
  --transit-gateway-id tgw-0123456789abcdef0

aws ec2 create-route \
  --route-table-id rtb-sap-prod-db \
  --destination-cidr-block 10.0.0.0/8 \
  --transit-gateway-id tgw-0123456789abcdef0

Phase 3: VPC Architecture for SAP HANA - Complete Configuration

ROUTE TABLE SUMMARY
═══════════════════
Public Subnets:
  0.0.0.0/0  ──► Internet Gateway (IGW)

Application Subnets:
  0.0.0.0/0  ──► NAT Gateway (Same AZ)
  192.168.0.0/16 ──► Transit Gateway

Database Subnets:
  192.168.0.0/16 ──► Transit Gateway
  No Direct Internet Access
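An added route lookup (not the page's own tooling) that evaluates the SAP-Prod route tables from this summary together with the Transit Gateway static routes of Phase 2 Step 5 by longest-prefix match, so the three tiers can be checked against the summary before anything is deployed. The NAT gateway and DX gateway attachment targets are placeholders, since the page gives no IDs for them.

```python
import ipaddress

# Constructed from this page: the Transit Gateway static routes of Phase 2 Step 5 and
# the SAP-Prod route tables implied by Phase 2 Step 7 and the summary above. Targets are
# the names/placeholders the page uses; "NAT-GW-AZ1" stands for the NAT gateway of the
# same AZ and "tgw-attach-DXGW-ATTACHMENT-ID" for the DX gateway attachment.
TGW = "tgw-0123456789abcdef0"
TGW_ROUTE_TABLE = [
    ("192.168.0.0/16", "tgw-attach-DXGW-ATTACHMENT-ID"),   # on-premise via Direct Connect
    ("10.10.0.0/16", "tgw-attach-sap-dev"),
    ("10.20.0.0/16", "tgw-attach-sap-qa"),
    ("10.30.0.0/16", "tgw-attach-sap-staging"),
    ("10.40.0.0/16", "tgw-attach-sap-prod"),
]
VPC_ROUTE_TABLES = {
    "RT-SAP-Prod-Public": [("10.40.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d4e5f6g7h8")],
    "RT-SAP-Prod-App":    [("10.40.0.0/16", "local"), ("0.0.0.0/0", "NAT-GW-AZ1"),
                           ("192.168.0.0/16", TGW)],
    "RT-SAP-Prod-DB":     [("10.40.0.0/16", "local"), ("192.168.0.0/16", TGW), ("10.0.0.0/8", TGW)],
}


def lookup(routes, dst):
    """Longest-prefix match over one route table, as VPC and TGW route tables evaluate it."""
    ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def forwarding_path(rt_name, dst):
    """Hops for a packet leaving a subnet that uses rt_name: the VPC decision, then the TGW's if handed over."""
    hops = [lookup(VPC_ROUTE_TABLES[rt_name], dst)]
    if hops[0] == TGW:
        # None here means the TGW has no route for dst: with propagation enabled (Step 3.3)
        # the attachment would have added one; with static routes only, the packet is dropped
        hops.append(lookup(TGW_ROUTE_TABLE, dst))
    return hops


def policy_violations(tables):
    """The route table summary as a check: DB tables carry no default route, other tiers must."""
    bad = []
    for name, routes in tables.items():
        has_default = any(cidr == "0.0.0.0/0" for cidr, _ in routes)
        if name.endswith("-DB") and has_default:
            bad.append(f"{name}: database subnet has a default route (internet path)")
        if not name.endswith("-DB") and not has_default:
            bad.append(f"{name}: no default route")
    return bad


if __name__ == "__main__":
    for rt in VPC_ROUTE_TABLES:
        for dst in ("10.40.10.5", "192.168.10.10", "10.10.1.5", "10.2.1.5", "8.8.8.8"):
            print(f"{rt:20} {dst:15} -> {forwarding_path(rt, dst)}")
    print("violations:", policy_violations(VPC_ROUTE_TABLES))
```

Running it shows that a DB host reaching the Shared-Services VPC (10.2.1.5) is handed to the TGW but finds no static route there, because Step 5 only adds routes for on-premise and the SAP VPCs.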

Step 1: Create VPC for SAP Production
# Account: SAP-Prod Account (111111111112)
# Region: us-east-1


# Step 1.1: Create VPC
aws ec2 create-vpc \
  --cidr-block 10.40.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=SAP-Prod-VPC},{Key=Environment,Value=Production},{Key=Project,Value=SAP}]'

# Output:
{
    "Vpc": {
        "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
        "CidrBlock": "10.40.0.0/16",
        "DhcpOptionsId": "dopt-0123456789abcdef",
        "State": "pending",
        "VpcOwnerId": "111111111112",
        "IsDefault": false,
        "Tags": [
            {"Key": "Name", "Value": "SAP-Prod-VPC"}
        ]
    }
}

# Step 1.2: Enable DNS Hostnames and DNS Support
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --enable-dns-hostnames "Value=true"

aws ec2 modify-vpc-attribute \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --enable-dns-support "Value=true"

# Step 1.3: ClassicLink (legacy only). EC2-Classic and ClassicLink were retired in 2022,
# so leave this commented out.
# aws ec2 modify-vpc-attribute --vpc-id vpc-0a1b2c3d4e5f6g7h8 --enable-classic-link-dns-support "Value=false"

Step 2: Create Subnets
2.1 Availability Zone A Subnets
# Step 2.1.1: Public Subnet - AZ A (us-east-1a)

aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-Public-AZ1},{Key=Tier,Value=Public}]'

# Output:
{
    "Subnet": {
        "SubnetId": "subnet-0a1b2c3d4e5f6g7h8",
        "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
        "CidrBlock": "10.40.1.0/24",
        "AvailabilityZone": "us-east-1a",
        "AvailableIpAddressCount": 251,
        "MapPublicIpOnLaunch": false,
        "Tags": [{"Key": "Name", "Value": "SAP-Prod-Public-AZ1"}]
    }
}

# Step 2.1.2: App Tier Subnet - AZ A
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.10.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-App-AZ1},{Key=Tier,Value=App}]'

# Step 2.1.3: Database Tier Subnet - AZ A
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.20.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-DB-AZ1},{Key=Tier,Value=Database}]'

2.2 Availability Zone B Subnets
# Step 2.2.1: Public Subnet - AZ B (us-east-1b)
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.2.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-Public-AZ2},{Key=Tier,Value=Public}]'

# Step 2.2.2: App Tier Subnet - AZ B
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.11.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-App-AZ2},{Key=Tier,Value=App}]'

# Step 2.2.3: Database Tier Subnet - AZ B
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.21.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-DB-AZ2},{Key=Tier,Value=Database}]'

2.3 Availability Zone C Subnets (Optional for Production)
# Step 2.3.1: Public Subnet - AZ C (us-east-1c)
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.3.0/24 \
  --availability-zone us-east-1c \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-Public-AZ3},{Key=Tier,Value=Public}]'

# Step 2.3.2: App Tier Subnet - AZ C
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.12.0/24 \
  --availability-zone us-east-1c \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-App-AZ3},{Key=Tier,Value=App}]'

# Step 2.3.3: Database Tier Subnet - AZ C
aws ec2 create-subnet \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --cidr-block 10.40.22.0/24 \
  --availability-zone us-east-1c \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=SAP-Prod-DB-AZ3},{Key=Tier,Value=Database}]'

Step 3: Create Internet Gateway & NAT Gateways
3.1 Internet Gateway
# Step 3.1.1: Create Internet Gateway

aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=IGW-SAP-Prod}]'

# Output:
{
    "InternetGateway": {
        "InternetGatewayId": "igw-0a1b2c3d4e5f6g7h8",
        "Attachments": [],
        "Tags": [{"Key": "Name", "Value": "IGW-SAP-Prod"}]
    }
}

# Step 3.1.2: Attach IGW to VPC
aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-0a1b2c3d4e5f6g7h8 \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8

3.2 Elastic IP Addresses
# Step 3.2.1: Allocate EIP for NAT Gateway AZ A
aws ec2 allocate-address \
  --domain vpc \
  --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=EIP-NAT-AZ1}]'

# Step 3.2.2: Allocate EIP for NAT Gateway AZ B
aws ec2 allocate-address \
  --domain vpc \
  --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=EIP-NAT-AZ2}]'

# Step 3.2.3: Allocate EIP for NAT Gateway AZ C (Optional)
aws ec2 allocate-address \
  --domain vpc \
  --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=EIP-NAT-AZ3}]'

3.3 NAT Gateways
# Step 3.3.1: Create NAT Gateway - AZ A
aws ec2 create-nat-gateway \
  --subnet-id subnet-0a1b2c3d4e5f6g7h8 \
  --allocation-id eipalloc-0a1b2c3d4e5f6g7h8 \
  --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-GW-AZ1}]'

# Step 3.3.2: Create NAT Gateway - AZ B
aws ec2 create-nat-gateway \
  --subnet-id subnet-0b2c3d4e5f6g7h80 \
  --allocation-id eipalloc-0b2c3d4e5f6g7h80 \
  --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-GW-AZ2}]'

# Step 3.3.3: Create NAT Gateway - AZ C
aws ec2 create-nat-gateway \
  --subnet-id subnet-0c3d4e5f6g7h801 \
  --allocation-id eipalloc-0c3d4e5f6g7h801 \
  --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-GW-AZ3}]'

Step 4: Create VPC Route Tables
4.1 Public Route Table
# Step 4.1.1: Create Public Route Table

aws ec2 create-route-table \
  --vpc-id vpc-0a1b2c3d4e5f6g7h8 \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=RT-SAP-Prod-Public}]'

# Note Route Table ID: rtb-0a1b2c3d4e5f6g7h8
# Step 4.1.2: Add Route to Internet Gateway (0.0.0.0/0)

aws ec2 create-route \
  --route-table-id rtb-0a1b2c3d4e5f6g7h8 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-0a1b2c3d4e5f6g7h8

Phase 4: Active Directory & DNS Configuration
This is the core "On-Premise to Cloud" integration. We will replace the default VPC DNS resolver with a hybrid DNS architecture using Amazon Route 53.
Step 5: DNS Architecture (The "Replacement" Strategy)
We will use Route 53 as the authoritative DNS for the AWS VPC, forwarding queries to On-Premise AD.

Create a Route 53 Resolver Outbound Endpoint in the VPC.
Create Conditional Forwarding Rules:

Rule: Forward queries for domain corp.company.com to the On-Premise DNS Servers (IP: 192.168.10.10).
Rule: Forward internal SAP zone sap.local to On-Premise DNS as well.

In On-Premise DNS Server, create Conditional Forwarders pointing to the Route 53 Inbound Endpoints (You will create these in the next step).

Step 6: AD Connector Setup

We want users logging into SAP HANA to authenticate against the On-Premise AD, not a cloud-only directory.

In the Workload-SAP Account, go to AWS Directory Service.
Select Directory Type: AD Connector.
Enter the On-Premise DNS IP (e.g., 192.168.10.10).
Provide Service Account Credentials (A read-only user in On-Premise AD).
Enable DNS: AD Connector usually handles DNS resolution for instances joined to the directory.

Phase 4 covers Active Directory & DNS configuration with a complete step-by-step setup:

  • DNS Architecture with Route 53 Resolver
  • Conditional Forwarding Rules
  • AD Connector Setup
  • VPC DNS configuration
  • On-Premise DNS configuration
  • Security groups and network configurations

Phase 4: Active Directory & DNS Configuration - Complete Setup


DNS QUERY FLOW
══════════════
 SAP EC2/HANA
      │
      ▼
 AmazonProvidedDNS (VPC Resolver)
      │
      ▼
 Route 53 Outbound Resolver
      │
      ▼
 On-Prem DNS Server
      │
      ▼
 Active Directory Integrated DNS
      │
      ▼
 Response Returned to SAP Host


AD AUTHENTICATION FLOW
══════════════════════
 SAP Server / EC2
      │
      ▼
 AWS AD Connector
      │
 LDAP / LDAPS / Kerberos
      │
      ▼
 On-Prem Active Directory
      │
      ▼
 User Authentication Successful


ROUTE 53 RESOLVER RULES
═══════════════════════
 Domain Name                 Forward To
 ──────────────────────────────────────────────────────────────────────
 corp.company.com            192.168.10.10
 sap.local                   192.168.10.10
 ad.company.com              192.168.10.10

CONDITIONAL FORWARDERS (ON-PREM)
════════════════════════════════
 Domain Name                 Forward To
 ──────────────────────────────────────────────────────────────────────
 aws.corp.company.com        Route53 Inbound Endpoint
 sap.aws.local               Route53 Inbound Endpoint

Step 1: Prepare On-Premise Infrastructure
1.1 Create DNS Service Account in On-Premise AD
# Run on On-Premise Domain Controller (as Administrator)


# Step 1.1.1: Create a read-only service account for AWS AD Connector
# (prompt for the password instead of embedding it in the script)
$Password = Read-Host -AsSecureString "Password for aws_ad_conn_svc"
New-ADUser `
    -Name "AWS-AD-Connector-Service" `
    -SamAccountName "aws_ad_conn_svc" `
    -UserPrincipalName "aws_ad_conn_svc@corp.company.com" `
    -Path "OU=ServiceAccounts,OU=Administrators,DC=corp,DC=company,DC=com" `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $false

# Step 1.1.2: Grant read access to AD Connector (or full domain read if needed)
# By default, AD Connector only needs read access

# Step 1.1.3: Verify DNS Service is running
Get-Service -Name DNS

# Step 1.1.4: Create DNS Conditional Forwarder on On-Premise DNS for AWS zones
# Forward only zones that Route 53 hosts (the sap.local private hosted zone). A zone
# forwarded in both directions (on-prem -> Route 53 inbound endpoint and a Route 53
# resolver rule -> on-prem) loops between the two resolvers.
Add-DnsServerConditionalForwarderZone `
    -Name "sap.local" `
    -MasterServers @("10.1.1.10", "10.1.2.10") `
    -ReplicationScope "Domain"

# Or via DNS Manager:
# Right-click Conditional Forwarders → New Conditional Forwarder
# Zone name: sap.local
# IP addresses: 10.1.1.10, 10.1.2.10 (Route 53 Inbound Endpoint IPs)
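An added check, not part of the original guide, that models the ROUTE 53 RESOLVER RULES and CONDITIONAL FORWARDERS tables above together with the private hosted zones of Step 2.1 and the sap.local forwarder configured in Step 1.1.4, and reports zones that bounce between the two resolvers or end unanswered. The tie-breaking flags encode each resolver's precedence between a hosted zone and a forwarding rule and are assumptions of the model, as is the simplified suffix matching.

```python
import copy

# Constructed from the ROUTE 53 RESOLVER RULES and CONDITIONAL FORWARDERS tables above,
# the private hosted zones of Step 2.1, and the sap.local forwarder added in Step 1.1.4.
# "aws" stands for Route 53 Resolver, "onprem" for the AD-integrated DNS (192.168.10.10).
CONFIG = {
    "aws": {
        "hosted": {"sap.local", "internal.company.com"},
        "forward": {"corp.company.com": "onprem", "sap.local": "onprem", "ad.company.com": "onprem"},
        # Route 53: a Resolver rule takes precedence over a private hosted zone of the same name
        "forward_wins_tie": True,
    },
    "onprem": {
        "hosted": {"corp.company.com", "ad.company.com"},
        "forward": {"aws.corp.company.com": "aws", "sap.aws.local": "aws", "sap.local": "aws"},
        # Windows DNS answers from a zone it hosts before consulting a conditional forwarder
        "forward_wins_tie": False,
    },
}


def longest_suffix(name, zones):
    """Most specific zone in `zones` that is a suffix of `name` on a label boundary, or None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone
    return None


def decide(side, name, config):
    """What `side` does with `name`: ('forward', target), ('answer', zone) or ('unresolved', None)."""
    cfg = config[side]
    hosted = longest_suffix(name, cfg["hosted"])
    fwd = longest_suffix(name, cfg["forward"])
    # both are suffixes of name, so the longer string is the more specific zone
    if fwd and (hosted is None or len(fwd) > len(hosted) or (fwd == hosted and cfg["forward_wins_tie"])):
        return "forward", cfg["forward"][fwd]
    if hosted:
        return "answer", hosted
    return "unresolved", None


def trace(name, config, start="aws", max_hops=8):
    """Follow one query across the resolvers. Returns (outcome, path); outcome is 'answered', 'unresolved' or 'loop'."""
    side, visited, path = start, {start}, []
    for _ in range(max_hops):
        action, detail = decide(side, name, config)
        path.append((side, action, detail))
        if action == "answer":
            return "answered", path
        if action == "unresolved":
            return "unresolved", path
        if detail in visited:        # forwarded back to a resolver already on the path
            return "loop", path
        visited.add(detail)
        side = detail
    return "loop", path


def forwarding_problems(config):
    """Trace a host in every forwarded zone from every side; report zones that loop or end unresolved."""
    problems = {}
    for side, cfg in config.items():
        for zone in cfg["forward"]:
            outcome, _ = trace("host." + zone, config, start=side)
            if outcome != "answered":
                problems[(side, zone)] = outcome
    return problems


def without_forwarder(config, side, zone):
    """Copy of config with one forwarding entry removed, to test a proposed fix."""
    fixed = copy.deepcopy(config)
    fixed[side]["forward"].pop(zone, None)
    return fixed


if __name__ == "__main__":
    for (side, zone), outcome in sorted(forwarding_problems(CONFIG).items()):
        print(f"{side:7} {zone:25} {outcome}")
    # dropping the Route 53 rule for sap.local lets the private hosted zone answer from both sides
    print(trace("hana01.sap.local", without_forwarder(CONFIG, "aws", "sap.local")))
```

With the tables as written, sap.local is forwarded in both directions and loops; the check also flags aws.corp.company.com and sap.aws.local, which the on-premise forwarders send to AWS although Step 2.1 creates no private hosted zone for either.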

Step 2: Configure DNS in Network-DNS Account (Route 53)
2.1 Create Route 53 Private Hosted Zone


# Account: Network-DNS Account
# Region: us-east-1


# Step 2.1.1: Create Private Hosted Zone for SAP domain
aws route53 create-hosted-zone \
  --name "sap.local" \
  --caller-reference "sap-local-$(date +%s)" \
  --vpc "VPCId=vpc-0networkdns123456,VPCCRegion=us-east-1" \
  --hosted-zone-config "Comment=SAP Local DNS,PrivateZone=true" \
  --tag-specifications 'ResourceType=hosted-zone,Tags=[{Key=Name,Value=SAP-Local-HZ}]'

# Output:
{
    "HostedZone": {
        "Id": "/hostedzone/Z1234567890ABCDEF",
        "Name": "sap.local.",
        "Config": {
            "Comment": "SAP Local DNS",
            "PrivateZone": true
        },
        "ResourceRecordSetCount": 2,
        "VpcId": "vpc-0networkdns123456",
        "VpcRegion": "us-east-1"
    }
}

# Step 2.1.2: Create Private Hosted Zone for AWS-specific internal domain
aws route53 create-hosted-zone \
  --name "internal.company.com" \
  --caller-reference "internal-$(date +%s)" \
  --vpc "VPCRegion=us-east-1,VPCId=vpc-0networkdns123456" \
  --hosted-zone-config "Comment=Internal DNS,PrivateZone=true"

# Step 2.1.3: Create records for Route 53 Resolver endpoints
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABCDEF \
  --change-batch '{
    "Changes": [{
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "resolver.sap.local.",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [
          {"Value": "10.1.1.10"},
          {"Value": "10.1.2.10"}
        ]
      }
    }]
  }'

2.2 Create Route 53 Resolver Endpoints


# Step 2.2.1: Create Security Group for Route 53 Resolver
aws ec2 create-security-group \
  --group-name "SG-Route53-Resolver" \
  --description "Security group for Route 53 Resolver endpoints" \
  --vpc-id vpc-0networkdns123456 \
  --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=SG-Route53-Resolver}]'

# Step 2.2.2: Add Inbound Rules (Allow DNS from SAP VPCs and from the On-Premise DNS servers)
# DNS needs both UDP 53 and TCP 53 (TCP carries responses larger than 512 bytes and retries).
# The same group is attached to both endpoints; the inbound endpoint is queried by the
# On-Premise DNS servers (192.168.0.0/16) via the conditional forwarder from Step 1.1.4.
# authorize-security-group-ingress only accepts ResourceType=security-group-rule for tags,
# so the rules are left untagged here.
for CIDR in 10.10.0.0/16 10.20.0.0/16 10.30.0.0/16 10.40.0.0/16 192.168.0.0/16; do
  for PROTO in udp tcp; do
    aws ec2 authorize-security-group-ingress \
      --group-id sg-0123456789abcdef \
      --protocol "$PROTO" \
      --port 53 \
      --cidr "$CIDR"
  done
done


# Step 2.2.3: Create Inbound Endpoint (For On-Premise to query AWS)
# Resolver endpoints belong to the route53resolver service and require at least two IP addresses
# in different subnets; these two are the addresses the On-Premise conditional forwarder points at.
aws route53resolver create-resolver-endpoint \
  --name "Inbound-Resolver-Endpoint" \
  --creator-request-id "inbound-endpoint-$(date +%s)" \
  --security-group-ids sg-0123456789abcdef \
  --direction INBOUND \
  --ip-addresses SubnetId=subnet-dns-a,Ip=10.1.1.10 SubnetId=subnet-dns-b,Ip=10.1.2.10 \
  --tags Key=Name,Value=Inbound-Resolver

# Output:
{
    "ResolverEndpoint": {
        "Id": "rvi-0123456789abcdef",
        "Name": "Inbound-Resolver-Endpoint",
        "SecurityGroupIds": ["sg-0123456789abcdef"],
        "Direction": "INBOUND",
        "IpAddressCount": 2,
        "State": "creating",
        "ResolverEndpointType": "INBOUND"
    }
}


# Step 2.2.4: Create Outbound Endpoint (For AWS to query On-Premise)
aws route53resolver create-resolver-endpoint \
  --name "Outbound-Resolver-Endpoint" \
  --creator-request-id "outbound-endpoint-$(date +%s)" \
  --security-group-ids sg-0123456789abcdef \
  --direction OUTBOUND \
  --ip-addresses SubnetId=subnet-dns-a,Ip=10.1.1.20 SubnetId=subnet-dns-b,Ip=10.1.2.20 \
  --tags Key=Name,Value=Outbound-Resolver

# Output:
{
    "ResolverEndpoint": {
        "Id": "rvo-0123456789abcdef",
        "Name": "Outbound-Resolver-Endpoint",
        "SecurityGroupIds": ["sg-0123456789abcdef"],
        "Direction": "OUTBOUND",
        "IpAddressCount": 2,
        "State": "creating",
        "ResolverEndpointType": "OUTBOUND"
    }
}

Step 3: Create DNS Conditional Forwarding Rules
3.1 Create Forwarding Rules for On-Premise Domains


# Step 3.1.1: Create Forwarding Rule for corp.company.com
# Port is an integer; the rule is sent out through the outbound endpoint created in Step 2.2.4
aws route53resolver create-resolver-rule \
  --name "Forward-To-OnPrem-AD" \
  --creator-request-id "rule-onprem-$(date +%s)" \
  --rule-type FORWARD \
  --domain-name "corp.company.com" \
  --target-ips Ip=192.168.10.10,Port=53 Ip=192.168.10.11,Port=53 \
  --resolver-endpoint-id rvo-0123456789abcdef \
  --tags Key=Name,Value=Forward-OnPrem

# Output:
{
    "ResolverRule": {
        "Id": "rulet-0123456789abcdef",
        "Name": "Forward-To-OnPrem-AD",
        "RuleType": "FORWARD",
        "DomainName": "corp.company.com",
        "TargetIps": [
            {"Ip": "192.168.10.10", "Port": 53},
            {"Ip": "192.168.10.11", "Port": 53}
        ],
        "ResolverEndpointId": "rvo-0123456789abcdef",
        "Status": "pending"
    }
}

# Step 3.1.2: sap.local needs no forwarding rule
# sap.local is authoritative in the Route 53 private hosted zone (Step 2.1.1), and the On-Premise
# DNS already forwards sap.local to the inbound endpoint (Step 1.1.4). A FORWARD rule for sap.local
# pointing at On-Premise would take precedence over the private hosted zone and bounce every query
# between the two forwarders, so do not create one.

# Step 3.1.3: Create Forwarding Rule for additional On-Premise zones
# Only for zones that are authoritative On-Premise. A FORWARD rule overrides a private hosted zone
# of the same name, so a zone hosted in Route 53 (as internal.company.com is in Step 2.1.2) must not
# be listed here. ONPREM-ZONE.company.com is a placeholder for a real On-Premise zone.
aws route53resolver create-resolver-rule \
  --name "Forward-OnPrem-Internal" \
  --creator-request-id "rule-internal-$(date +%s)" \
  --rule-type FORWARD \
  --domain-name "ONPREM-ZONE.company.com" \
  --target-ips Ip=192.168.10.10,Port=53 \
  --resolver-endpoint-id rvo-0123456789abcdef

3.2 Associate Forwarding Rules with VPCs
# Step 3.2.1: Associate rules with SAP VPCs
# The rule lives in the Network-DNS account. Share it with the SAP accounts through AWS RAM
# (resource type route53resolver:ResolverRule) first, then run each association from the
# account that owns the VPC.

aws route53 associate-resolver-rule \
  --resolver-rule-id rulet-0123456789abcdef \
  --vpc-id vpc-0sapdev123456789

aws route53 associate-resolver-rule \
  --resolver-rule-id rulet-0123456789abcdef \
  --vpc-id vpc-0sapqa123456789

aws route53 associate-resolver-rule \
  --resolver-rule-id rulet-0123456789abcdef \
  --vpc-id vpc-0sapstaging123456

aws route53 associate-resolver-rule \
  --resolver-rule-id rulet-0123456789abcdef \
  --vpc-id vpc-0sapprod123456789

# Step 3.2.2: Make the sap.local private hosted zone resolvable from the SAP VPCs
# A private hosted zone only answers for VPCs associated with it; so far sap.local is associated
# with the Network-DNS VPC alone. The SAP VPCs are in other accounts, so the Network-DNS account
# authorizes each association and each SAP account then performs it.
# Run in the Network-DNS account:
for VPC in vpc-0sapdev123456789 vpc-0sapqa123456789 vpc-0sapstaging123456 vpc-0sapprod123456789; do
  aws route53 create-vpc-association-authorization \
    --hosted-zone-id Z1234567890ABCDEF \
    --vpc "VPCRegion=us-east-1,VPCId=$VPC"
done

# Run in each SAP account with that account's credentials, for its own VPC (SAP-Prod shown):
aws route53 associate-vpc-with-hosted-zone \
  --hosted-zone-id Z1234567890ABCDEF \
  --vpc "VPCRegion=us-east-1,VPCId=vpc-0sapprod123456789"
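The precedence and loop hazards behind Step 3.1 can be checked on paper before any rule is created. The script below is an added example, not part of the original guide: it models the page's private hosted zones, forwarding rules and On-Premise conditional forwarder as plain Python dictionaries (an assumed representation, not an AWS API) and reports which rules would shadow a private hosted zone or loop back through the inbound endpoint.

```python
"""Added consistency check for a hybrid Route 53 Resolver design; not part of the original guide.

Models the page's DNS topology as plain data and reports two mistakes:
  shadowed-zone: a Resolver FORWARD rule whose domain equals, or is a parent of, a
                 private hosted zone (rules take precedence, so the zone is bypassed)
  loop:          AWS forwards a domain to On-Premise while On-Premise conditionally
                 forwards the same domain back to the Route 53 inbound endpoint
"""


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def _covers(rule_domain: str, name: str) -> bool:
    """True when rule_domain matches name itself or one of its ancestors."""
    r, n = _norm(rule_domain), _norm(name)
    return n == r or n.endswith("." + r)


def check_dns_topology(private_zones, forward_rules, onprem_forwarders, inbound_ips):
    """Return a sorted list of (kind, rule_domain, conflicting_domain) findings.

    private_zones:     names of Route 53 private hosted zones
    forward_rules:     {domain: [On-Premise target IPs]} Resolver FORWARD rules
    onprem_forwarders: {domain: [target IPs]} On-Premise conditional forwarders
    inbound_ips:       IP addresses of the Route 53 inbound endpoint
    """
    inbound = set(inbound_ips)
    findings = []
    for rule_domain in forward_rules:
        for zone in private_zones:
            if _covers(rule_domain, zone):
                findings.append(("shadowed-zone", _norm(rule_domain), _norm(zone)))
        for fwd_domain, targets in onprem_forwarders.items():
            overlaps = _covers(rule_domain, fwd_domain) or _covers(fwd_domain, rule_domain)
            if overlaps and inbound & set(targets):
                findings.append(("loop", _norm(rule_domain), _norm(fwd_domain)))
    return sorted(findings)


# Constructed from this page: zones from Step 2.1, rules from Step 3.1 as originally written,
# the On-Premise conditional forwarder from Step 1.1.4 and the inbound endpoint IPs from Step 2.2.3
PAGE_PRIVATE_ZONES = ["sap.local", "internal.company.com"]
PAGE_FORWARD_RULES = {
    "corp.company.com": ["192.168.10.10", "192.168.10.11"],
    "sap.local": ["192.168.10.10", "192.168.10.11"],
    "internal.company.com": ["192.168.10.10"],
}
PAGE_ONPREM_FORWARDERS = {"sap.local": ["10.1.1.10", "10.1.2.10"]}
PAGE_INBOUND_IPS = ["10.1.1.10", "10.1.2.10"]

if __name__ == "__main__":
    for kind, rule, other in check_dns_topology(
        PAGE_PRIVATE_ZONES, PAGE_FORWARD_RULES, PAGE_ONPREM_FORWARDERS, PAGE_INBOUND_IPS
    ):
        print(f"{kind:14} rule={rule:22} conflicts with {other}")
```

With the rules as originally written the check reports the sap.local loop and two shadowed zones; with only the corp.company.com rule it reports nothing.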

Step 4: Configure AD Connector
4.1 Create IAM Role for AD Connector

# Account: Shared-Services Account
# Step 4.1.1: Create IAM role for Directory Service

aws iam create-role \
  --role-name "AWSDirectoryServiceRole" \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
        "Service": "ds.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }]
  }'

# Step 4.1.2: Attach managed policy

aws iam attach-role-policy \
  --role-name "AWSDirectoryServiceRole" \
  --policy-arn "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess"

4.2 Create AD Connector
# Step 4.2.1: Create AD Connector (Size: Small for POC, Large for Production)
# The CLI operation is connect-directory. The two subnets must be in different AZs of the
# Shared-Services VPC and must reach the On-Premise domain controllers over Direct Connect/VPN;
# the VPC and subnet IDs below are placeholders because the page does not list them.
# The service-account password is prompted for so it never appears on the command line.
read -r -s -p "Password for aws_ad_conn_svc: " AD_CONN_PASSWORD; echo

aws ds connect-directory \
  --name "corp.company.com" \
  --short-name "CORP" \
  --password "$AD_CONN_PASSWORD" \
  --description "AD Connector to On-Premise corp.company.com" \
  --size Small \
  --connect-settings "VpcId=<SHARED-SERVICES-VPC-ID>,SubnetIds=<SHARED-SUBNET-A>,<SHARED-SUBNET-B>,CustomerDnsIps=192.168.10.10,192.168.10.11,CustomerUserName=aws_ad_conn_svc" \
  --region us-east-1

Phase 5: Deploying the SAP HANA POC
Now we build the actual workload.
Step 7: Launch SAP HANA Instance
EC2 Console: Click Launch Instance.
Choose AMI: Select a SAP Certified OS (e.g., SUSE Linux Enterprise Server for SAP or Red Hat Enterprise Linux).
Instance Type: Select a Memory Optimized instance (e.g., r5.4xlarge or r5b.4xlarge for Bare Metal).
Network Settings:
Select the SAP-VPC.
Select the Private Subnet (Database Tier: 10.0.20.10).
 

Storage:
Root Volume: 100GB gp3.
Data Volume: 1TB (Provisioned IOPS) for /hana/shared, /sap, and /usr/sap. 
Note: For production, you would use Amazon FSx for NetApp ONTAP or EFS.

Security Groups:
Allow Inbound: 3XX15/16 (SAP GUI/Ports) from App Subnet.
Allow Inbound: SSH (22) from Jump Host.


Step 8: Post-Deployment
Join Domain: Log in to the instance and join it to corp.company.com with realm join or adcli (SSSD) on SLES or RHEL; directory lookups reach the On-Premise domain controllers through the Forward-To-OnPrem-AD rule.
Verify DNS: Run nslookup resolver.sap.local (answered by the Route 53 private hosted zone) and nslookup corp.company.com (forwarded to the On-Premise servers through the outbound endpoint) to confirm both resolution paths.
Install SAP HANA: Proceed with the standard SAP binary installation using the <sid>adm user.

Phase 5 of the SAP HANA deployment guide covers:

  • Creating the VPC and subnet details
  • Launching SAP HANA EC2 instances
  • Storage configuration
  • Security groups
  • Network configuration
  • Domain join
  • DNS verification
  • SAP HANA installation

Phase 5: Deploying the SAP HANA POC - Complete Step-by-Step Configuration

 

Backup Architecture
═══════════════════

SAP HANA
    │
    ▼
/hana/backup
    │
    ▼
AWS Backup
    │
    ▼
Amazon S3
    │
    ▼
S3 Glacier Deep Archive


High Availability Flow
══════════════════════

Primary Failure
      │
      ▼
Pacemaker Detects Failure
      │
      ▼
Automatic Failover
      │
      ▼
Promote Secondary Node
      │
      ▼
Move Virtual IP
      │
      ▼
SAP Application Reconnect
      │
      ▼
Service Restored (RTO < 5 Minutes)
 

Step 1: Create IAM Roles for SAP HANA EC2
# Account: SAP-Prod Account
# Step 1.1: Create IAM Role for SAP HANA Instance
aws iam create-role \
  --role-name "SAP-HANA-Role" \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }]
  }'

# Output:
{
    "Role": {
        "RoleName": "SAP-HANA-Role",
        "RoleId": "AROA1234567890ABCDEF",
        "Arn": "arn:aws:iam::111111111112:role/SAP-HANA-Role",
        "CreateDate": "2024-01-15T10:00:00.000Z"
    }
}

# Step 1.2: Attach IAM Policies
aws iam attach-role-policy \
  --role-name "SAP-HANA-Role" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

aws iam attach-role-policy \
  --role-name "SAP-HANA-Role" \
  --policy-arn "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"

# attach-role-policy takes a single --policy-arn, so each policy is attached separately.
# AmazonS3FullAccess and AmazonFSxFullAccess are broad managed policies; for production replace
# them with an inline policy scoped to the backup bucket and the specific FSx file system.
aws iam attach-role-policy \
  --role-name "SAP-HANA-Role" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"

aws iam attach-role-policy \
  --role-name "SAP-HANA-Role" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonFSxFullAccess"

# Step 1.3: Create Instance Profile
aws iam create-instance-profile \
  --instance-profile-name "SAP-HANA-Profile"

aws iam add-role-to-instance-profile \
  --instance-profile-name "SAP-HANA-Profile" \
  --role-name "SAP-HANA-Role"

Step 2: Create Security Groups
2.1 SAP HANA Security Group
# Step 2.1.1: Create Security Group for SAP HANA Database

aws ec2 create-security-group \
  --group-name "SG-SAP-HANA-DB" \
  --description "Security group for SAP HANA Database nodes" \
  --vpc-id vpc-0sapprod123456789 \
  --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=SG-SAP-HANA-DB}]'

# Output:

{
    "GroupId": "sg-0a1b2c3d4e5f6g7h8"
}

# Step 2.1.2: Add Inbound Rules for SAP HANA
# SAP HANA SQL Port (Internal)

aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f6g7h8 \
  --protocol tcp \
  --port 30013 \
  --cidr 10.40.10.0/24

# SAP HANA Index Server
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f6g7h8 \
  --protocol tcp \
  --port 30015 \
  --cidr 10.40.10.0/24

# SAP HANA Name Server
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f6g7h8 \
  --protocol tcp \
  --port 30010 \
  --cidr 10.40.10.0/24

# SAP HANA Studio (for on-prem management)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f6g7h8 \
  --protocol tcp \
  --port 30030 \
  --cidr 192.168.0.0/16

# SSH from Jump Server
aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f6g7h8 \
  --protocol tcp \
  --port 22 \
  --cidr 10.2.1.0/24

2.2 SAP App Tier Security Group
# Step 2.2.1: Create Security Group for SAP App Servers

aws ec2 create-security-group \
  --group-name "SG-SAP-App" \
  --description "Security group for SAP Application servers" \
  --vpc-id vpc-0sapprod123456789 \
  --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=SG-SAP-App}]'

# Step 2.2.2: Add Inbound Rules
# SAP Message Server (HTTP)

aws ec2 authorize-security-group-ingress \
  --group-id sg-0b2c3d4e5f6g7h80 \
  --protocol tcp \
  --port 8000 \
  --cidr 10.40.0.0/16

# SAP Message Server (HTTPS)

aws ec2 authorize-security-group-ingress \
  --group-id sg-0b2c3d4e5f6g7h80 \
  --protocol tcp \
  --port 443 \
  --cidr 10.40.0.0/16

# SAP ICF Services (HTTP 8000) for On-Premise users
# A source of 0.0.0.0/0 would expose the app tier to the whole internet as soon as an Elastic IP
# is attached (Step 5.1); restrict it to the On-Premise user network instead
aws ec2 authorize-security-group-ingress \
  --group-id sg-0b2c3d4e5f6g7h80 \
  --protocol tcp \
  --port 8000 \
  --cidr 192.168.0.0/16

# SSH from Jump Server
aws ec2 authorize-security-group-ingress \
  --group-id sg-0b2c3d4e5f6g7h80 \
  --protocol tcp \
  --port 22 \
  --cidr 10.2.1.0/24
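A rule like the original world-open port 8000 entry is easy to miss in a long list of CLI calls. The Python check below is an added example, not part of the original guide: it reads the JSON that aws ec2 describe-security-groups returns and flags every ingress source that is world-open or outside the internal ranges of this page's address plan. The sample output is constructed here to mirror Step 2, with 203.0.113.0/24 and ::/0 as constructed offending sources.

```python
"""Added audit of security-group ingress rules; not part of the original guide.

Reads the parsed JSON of `aws ec2 describe-security-groups` and flags any ingress
rule whose source CIDR is the whole internet (0.0.0.0/0 or ::/0) or lies outside
the address ranges this design treats as internal.
"""
import ipaddress
import json

# The page's address plan: AWS VPCs inside 10.0.0.0/8 and the On-Premise network 192.168.0.0/16
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]


def audit_security_groups(describe_output, trusted=TRUSTED_NETWORKS):
    """Return a list of finding dicts, one per offending (rule, source CIDR) pair."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    severity = "world-open"
                elif any(net.version == t.version and net.subnet_of(t) for t in trusted):
                    continue  # inside an internal range: nothing to report
                else:
                    severity = "untrusted-source"
                findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                                 "Protocol": proto, "Ports": ports, "Source": cidr, "Severity": severity})
    return findings


# Constructed sample in the shape describe-security-groups returns, mirroring Step 2 of this phase
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d4e5f6g7h8", "GroupName": "SG-SAP-HANA-DB", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015, "IpRanges": [{"CidrIp": "10.40.10.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 30030, "ToPort": 30030, "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.2.1.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0b2c3d4e5f6g7h80", "GroupName": "SG-SAP-App", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
     "IpRanges": [{"CidrIp": "10.40.0.0/16"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['Severity']:16} {f['GroupName']:15} {f['Protocol']}/{f['Ports']} from {f['Source']}")
```

Against live data, pipe aws ec2 describe-security-groups --output json into json.load and pass the result to audit_security_groups.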

Step 3: Launch SAP HANA EC2 Instances
3.1 Launch Node 1 (AZ-A)

# Step 3.1.1: Launch EC2 Instance for SAP HANA Node 1
aws ec2 run-instances \
  --image-id ami-0c1234567890abcdef \
  --instance-type r5b.4xlarge \
  --iam-instance-profile Name="SAP-HANA-Profile" \
  --key-name "SAP-Prod-Key-Pair" \
  --subnet-id subnet-0a1b2c3d4e5f6g7h8 \
  --private-ip-address 10.40.20.10 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=SAP-HANA-Node1},{Key=SAP SID,Value=HDB},{Key=Environment,Value=Production}]' \
  --block-device-mappings '[
    {
      "DeviceName": "/dev/sda1",
      "Ebs": {
        "VolumeSize": 100,
        "VolumeType": "gp3",
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdb",
      "Ebs": {
        "VolumeSize": 2048,
        "VolumeType": "io2",
        "Iops": 10000,
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdc",
      "Ebs": {
        "VolumeSize": 512,
        "VolumeType": "io2",
        "Iops": 3000,
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdd",
      "Ebs": {
        "VolumeSize": 512,
        "VolumeType": "gp3",
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    }
  ]' \
  --security-group-ids sg-0a1b2c3d4e5f6g7h8 \
  --disable-api-termination

# Output:
{
    "Instances": [{
        "InstanceId": "i-0a1b2c3d4e5f6g7h8",
        "InstanceType": "r5b.4xlarge",
        "PrivateIpAddress": "10.40.20.10",
        "SubnetId": "subnet-0a1b2c3d4e5f6g7h8",
        "State": {"Name": "pending"}
    }]
}

3.2 Launch Node 2 (AZ-B)
# Step 3.2.1: Launch EC2 Instance for SAP HANA Node 2
aws ec2 run-instances \
  --image-id ami-0c1234567890abcdef \
  --instance-type r5b.4xlarge \
  --iam-instance-profile Name="SAP-HANA-Profile" \
  --key-name "SAP-Prod-Key-Pair" \
  --subnet-id subnet-0b2c3d4e5f6g7h80 \
  --private-ip-address 10.40.21.10 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=SAP-HANA-Node2},{Key=SAP SID,Value=HDB},{Key=Environment,Value=Production}]' \
  --block-device-mappings '[
    {
      "DeviceName": "/dev/sda1",
      "Ebs": {
        "VolumeSize": 100,
        "VolumeType": "gp3",
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdb",
      "Ebs": {
        "VolumeSize": 2048,
        "VolumeType": "io2",
        "Iops": 10000,
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdc",
      "Ebs": {
        "VolumeSize": 512,
        "VolumeType": "io2",
        "Iops": 3000,
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    },
    {
      "DeviceName": "/dev/sdd",
      "Ebs": {
        "VolumeSize": 512,
        "VolumeType": "gp3",
        "DeleteOnTermination": true,
        "Encrypted": true
      }
    }
  ]' \
  --security-group-ids sg-0a1b2c3d4e5f6g7h8 \
  --disable-api-termination

Step 4: Configure Storage (EBS & Mount Points)
4.1 Prepare EBS Volumes (Post-Launch)

# SSH to SAP HANA Node 1 (run as root)
# Step 4.1.1: Check available disks. On Nitro instances the EBS mappings /dev/sdb, /dev/sdc and
# /dev/sdd show up as NVMe devices and their numbering is not guaranteed, so confirm by size before
# touching a device: 2048G io2 = data, 512G io2 = log, 512G gp3 = shared
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
# Step 4.1.2: Create LVM physical volumes
pvcreate /dev/nvme1n1 /dev/nvme2n1 /dev/nvme3n1
# Step 4.1.3: Create volume groups (one per HANA volume class)
vgcreate vg_hana_data /dev/nvme1n1
vgcreate vg_hana_log /dev/nvme2n1
vgcreate vg_hana_shared /dev/nvme3n1
# Step 4.1.4: Create logical volumes
lvcreate -l 100%VG -n lv_hana_data vg_hana_data
lvcreate -l 100%VG -n lv_hana_log vg_hana_log
lvcreate -l 100%VG -n lv_hana_shared vg_hana_shared
# Step 4.1.5: Create filesystems
mkfs.xfs /dev/vg_hana_data/lv_hana_data
mkfs.xfs /dev/vg_hana_log/lv_hana_log
mkfs.xfs /dev/vg_hana_shared/lv_hana_shared
# Step 4.1.6: Create mount points (/sapmnt and /usr/sap stay on the root volume)
mkdir -p /hana/data /hana/log /hana/shared /sapmnt /usr/sap
# Step 4.1.7: Add to /etc/fstab
cat >> /etc/fstab <<'EOF'
/dev/mapper/vg_hana_data-lv_hana_data     /hana/data   xfs defaults,noatime,nodiratime 0 0
/dev/mapper/vg_hana_log-lv_hana_log       /hana/log    xfs defaults,noatime,nodiratime 0 0
/dev/mapper/vg_hana_shared-lv_hana_shared /hana/shared xfs defaults,noatime,nodiratime 0 0
EOF
# Step 4.1.8: Mount everything from /etc/fstab and verify
mount -a
df -h /hana/data /hana/log /hana/shared

Step 5: Configure Network (Elastic IPs & DNS)
5.1 Associate Elastic IP (Optional for Management)
# An EIP gives the database node a public address, so every inbound rule on its security group
# then faces the internet. Management access through the Jump Host in Shared-Services (10.2.1.0/24)
# or SSM Session Manager (the instance role already carries AmazonSSMManagedInstanceCore) avoids
# that; skip this step unless a public address is genuinely required.
# Step 5.1.1: Allocate Elastic IP
aws ec2 allocate-address \
  --domain vpc \
  --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=EIP-SAP-HANA-Node1}]'
# Step 5.1.2: Associate EIP with Instance
aws ec2 associate-address \
  --allocation-id eipalloc-0a1b2c3d4e5f6g7h8 \
  --instance-id i-0a1b2c3d4e5f6g7h8
# Repeat for Node 2
5.2 Update /etc/hosts
# Step 5.2.1: Update /etc/hosts on both nodes

============================================= 
Full Architecture Diagram - SAP HANA on AWS:

=============================================