AWS Landscape 18: Backup

AWS Backup provides centralized, automated protection for your multi-account SAP environment, covering EC2 instances, EBS volumes, Active Directory DCs, and SAP HANA databases. SAP Backint integration ensures transactionally consistent HANA backups to encrypted S3, while AWS Backup handles infrastructure with VSS-aware AD snapshots and intelligent lifecycle management.

Key Benefits
Centralized: Single console across all accounts and OUs.
SAP-Native: Backint for HANA + VSS for Windows AD.
Compliance: KMS encryption, audit trails, retention policies.
Cost-Optimized: Auto-tiering to Glacier/Deep Archive.

Objective
Automated backups ensuring:
Application-consistent snapshots (VSS, Backint).
Cross-account centralized management.
DR-tested recovery (quarterly validation).
Environment-specific retention (Prod: 7yr, Dev: 30d).

Backup Scope & Strategy
Resource          Method            Frequency             Retention  Storage
SAP App Servers   AWS Backup (EBS)  Daily                 35 days    S3 → Glacier
SAP HANA          Backint → S3      Daily Full + 2hr Inc  35 days    S3 → Deep Archive
AD DCs            AWS Backup (VSS)  Daily                 90 days    S3 → Glacier
Shared Services   AWS Backup (EBS)  Weekly                90 days    S3 Standard

Technical Implementation Steps

Step 1: AWS Backup Centralized Setup
Backup Vault (Security OU → Logging Account):
Vault: SAP-Backup-Central
Encryption: KMS (alias/sap-backup-kms)
Access: Cross-account via RAM

Backup Plan:
Plan: SAP-Prod-Backup-Plan
Rules:
├── Daily-EC2: 02:00 UTC, Keep 35d, Cold after 7d
├── Weekly-AD: Sunday 03:00 UTC, Keep 90d
└── Monthly-DR: 1st of month, Keep 1yr

CLI:
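# Lifecycle accepts DeleteAfterDays / MoveToColdStorageAfterDays; plan and vault names match the definitions above.
# MoveToColdStorageAfterDays is left out: AWS Backup requires DeleteAfterDays to be at least 90 days greater than it.
aws backup create-backup-plan \
  --backup-plan 'BackupPlanName=SAP-Prod-Backup-Plan,Rules=[{RuleName=Daily-EC2,TargetBackupVaultName=SAP-Backup-Central,ScheduleExpression="cron(0 2 ? * * *)",StartWindowMinutes=60,Lifecycle={DeleteAfterDays=35}}]'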

Step 2: EBS Fast Snapshot Restore (FSR) for Critical Volumes
Enable FSR for SAP HANA data volumes:
Vol: /hana/data → FSR enabled (ap-southeast-1)
Vol: /hana/log → FSR enabled

Step 3: Active Directory VSS Backup
Windows EC2 (AD DCs) → Install AWS Backup VSS Provider:
# Download from S3
Invoke-WebRequest -Uri "https://s3.amazonaws.com/awsbackup-vss/latest/AWSBackupVSSInstaller.exe" -OutFile "VSSInstaller.exe"
.\VSSInstaller.exe /quiet

AWS Backup Selection:
Resources: tag:Environment=Production AND tag:Tier=AD-DC
IAM Role: AWSBackupDefaultServiceRole

Step 4: SAP HANA Backint Configuration
HANA Studio → Configuration → backup:
basepath_datavolumes = /hana/data/SID
basepath_logvolumes = /hana/log/SID
[backint]
program = /hnadb/exe/linuxx86_64/backint
parameterfile = /hnadb/exe/linuxx86_64/backint.sap

backint.sap (parameter file):
SAPBACKUP HOST = localhost
SAPBACKUP GATEWAY = /usr/sap/SID/SYS/exe/hdb
SAPBACKUP S3_BUCKET = s3://sap-hana-backups-prod
SAPBACKUP KMS_KEY = arn:aws:kms:.../alias/sap-backint-kms
SAPBACKUP LIFECYCLE = Glacier after 30d

HANA Backup Schedule (hdbsql):
-- Daily full + log backup
BACKUP DATA USING BACKINT ('...');

-- Incremental every 2 hours
BACKUP DATA INCREMENTAL USING BACKINT ('...');

Step 5: Cross-Account Backup Vault Access
RAM Sharing (Management Account):
Principal: Prod OU accounts
Resource: SAP-Backup-Central vault

Step 6: Lifecycle & Compliance Policies
S3 Bucket: sap-backups-central
├── 0-30d: S3 Standard (frequent access)
├── 30-365d: S3 Glacier Instant Retrieval
├── 1-7yr: S3 Glacier Flexible Retrieval
└── 7yr+: S3 Glacier Deep Archive

Step 7: Monitoring & Audit
CloudWatch Events (Backup failures):
Event Pattern: source=aws.backup, detail-type="Backup Job State Change", detail.state=FAILED
Target: SNS → Backup Team + Lambda (retry logic)

Backup Compliance Dashboard:
Metric               Target     Alert
Backup Success Rate  >99%       <98% → Critical
Recovery Tests       Quarterly  Missed → Major
HANA RPO             <2hr       >4hr → Critical
Vault Encryption     KMS-256    Non-compliant → Block
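
The dashboard thresholds above, applied to a list of backup job records, as an added example that is not part of the original post. The record layout (resource, state, time), the resource names, the BELOW_TARGET status for values between target and alert, and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Thresholds from the dashboard table on this page.
RATE_TARGET, RATE_CRITICAL = 99.0, 98.0  # percent
RPO_TARGET, RPO_CRITICAL = timedelta(hours=2), timedelta(hours=4)

def success_rate(jobs):
    """Percent of jobs in state COMPLETED; None when there are no jobs."""
    if not jobs:
        return None
    return 100.0 * sum(j["state"] == "COMPLETED" for j in jobs) / len(jobs)

def worst_rpo_gap(jobs, resource, now):
    """Longest stretch without a completed backup of `resource`, up to `now`."""
    done = sorted(j["time"] for j in jobs
                  if j["resource"] == resource and j["state"] == "COMPLETED")
    if not done:
        return None                # no recovery point exists at all
    points = done + [now]          # the gap that is still open counts too
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def evaluate(jobs, hana_resource, now):
    """Map both metrics to OK / BELOW_TARGET / CRITICAL; missing data is CRITICAL."""
    rate, gap = success_rate(jobs), worst_rpo_gap(jobs, hana_resource, now)
    if rate is None or rate < RATE_CRITICAL:
        rate_status = "CRITICAL"
    else:
        rate_status = "OK" if rate > RATE_TARGET else "BELOW_TARGET"
    if gap is None or gap > RPO_CRITICAL:
        rpo_status = "CRITICAL"
    else:  # target is strictly under 2 hours, as in the table
        rpo_status = "OK" if gap < RPO_TARGET else "BELOW_TARGET"
    return {"success_rate": rate_status, "hana_rpo": rpo_status}

# Constructed sample (hypothetical records): two failed HANA incrementals
# in a row leave a 6-hour stretch with no recovery point.
T0 = datetime(2026, 3, 7, tzinfo=timezone.utc)
def job(resource, state, hours):
    return {"resource": resource, "state": state, "time": T0 + timedelta(hours=hours)}
SAMPLE = [
    job("hana-prod", "COMPLETED", 0), job("hana-prod", "COMPLETED", 2),
    job("hana-prod", "FAILED", 4), job("hana-prod", "FAILED", 6),
    job("hana-prod", "COMPLETED", 8),
    job("sap-app-01", "COMPLETED", 2), job("ad-dc-01", "COMPLETED", 3),
]
NOW = T0 + timedelta(hours=9)

if __name__ == "__main__":
    print(evaluate(SAMPLE, "hana-prod", NOW))
```

Measuring the gap up to the current time means a backup stream that has silently stopped is flagged even when every recorded job succeeded.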

Step 8: Quarterly Restore Testing
DR Playbook:
1. Restore HANA Backint → New EC2 (r6i.8xlarge)
2. Verify SAP app connectivity (30015, 30017)
3. Test AD recovery → Domain join test instance
4. Measure RTO (<4hr), RPO (<2hr)
5. Document in Confluence → Compliance audit

Backup Architecture

SAP HANA Recovery Validation:
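# List backup catalog entries to pick the BACKUP_ID to recover from
hdbsql -i 00 -u SYSTEM "SELECT BACKUP_ID, ENTRY_TYPE_NAME, SYS_START_TIME, STATE_NAME FROM M_BACKUP_CATALOG"
# Point-in-time recovery
RECOVER DATABASE UNTIL TIMESTAMP '2026-03-07 14:00:00' USING BACKUP_ID 12345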

Cost Optimization:
Monthly Cost: ~$150 (100TB, mixed lifecycle)
- S3 Standard: 10TB × $0.023/GB = $230
- Glacier: 80TB × $0.004/GB = $320  
- FSR (10 vols): $100/mo
Savings: Multi-account vault sharing (-30%)

Best Practices
Tagging: Environment=Prod, Tier=SAP-HANA, Backup=Daily
KMS: Customer-managed keys per environment
Testing: Quarterly DR drills with actual restores
Automation: EventBridge → Lambda for failed backup retry
Audit: CloudTrail + Config rules for backup compliance
