Running SAP systems on a cloud platform offers significant benefits — rapid scalability, minimal incremental hardware cost, and the reduction of internal resource needs. The case for running SAP systems on a cloud platform is compelling for non-productive systems. However, there are inherent risks in allowing your data to reside with a hosted service provider and accessing it over the Internet. You can address these risks via due diligence and robust security and administration practices.
Key Concept
Amazon Web Services provides a comprehensive solution for cloud computing, including the Elastic Compute Cloud (EC2) platform. This platform allows users to select an operating system and hosted database solution, if desired. The choices for the operating system include 32-bit and 64-bit platforms such as Microsoft Windows and various flavors of UNIX (e.g., Solaris, Red Hat Linux, or SUSE Linux). The hosted database solution allows you to use standard tools and utilities to manage an MS SQL Server installation, for example, with a Windows Server installation. Users can install database server software of their choice as well (with their own licensing).
Cloud computing allows companies to launch hardware and application capacity at will, at low incremental expense, and virtually zero capital cost. The major benefit of using such a platform is the ability to scale infrastructure rapidly at a low cost. Most companies run their systems on dedicated hardware that’s deployed within their data centers. They incur significant cost running and maintaining such systems. In addition, planning, budgeting, and procurement are required to scale up existing infrastructure capacity.
With a cloud computing model, there is little lead time and zero capital cost for adding more capacity. The ongoing cost involved is usually similar to or less than the cost of maintaining similar capacity in a private data center. The cost of ownership is also reduced because of a reduction in data-center capacity needs, power and cooling requirements, and more. Moreover, your systems can be hosted locally to various regions of the world, improving network response times for globally dispersed users.
There are certain risks associated with running your enterprise applications on a cloud platform. Your company’s data is stored outside your private network. You are dependent on the security architecture of your service provider. Even if the data’s storage is sufficiently secure, it is accessed over public networks, which raises further concerns around the security of data transmission. These concerns and others are addressed later in this article.
Amazon’s Elastic Compute Cloud (EC2) and Simple Storage Service (S3) offer a reliable and cost-effective platform for hosting applications such as SAP ERP Central Component (SAP ECC) and SAP NetWeaver. The ease of access, support, and international availability of the platform make it a suitable cloud-based solution for most organizations. The Amazon EC2/S3 platforms are fitting for small or mid-size businesses that are cost conscious as well as for larger businesses that need to scale their SAP environment rapidly (e.g., for a new product launch or seasonal spikes in business volume).
SAP Systems Architecture on a Cloud Platform
The architecture of an SAP instance running on a cloud computing platform is similar to that of a privately installed system. The SAP installation and database installation are performed on SAN-attached S3 storage. The S3 platform provides a hosted data-storage solution, which allows backup and replication of data. It also allows systems to be cloned and duplicated into multiple instances.
The application runs on a dedicated host (in this case, an EC2 instance). There is locally mounted paging space available for the OS to use. You can install and connect additional application servers as needed.
SAP’s Product Availability Matrix (PAM) provides guidelines on which OS, database, and platform combinations you can use to run an SAP instance. Consult the PAM to determine whether you can use an available Amazon platform to install and run your SAP systems. SAP supports running its applications on three Amazon platforms: Microsoft Windows, Red Hat Linux, and Solaris. There are certain tips and tricks to installing and running an SAP system on EC2/S3, which are given later in this article.
Install an SAP System on Amazon’s EC2 Platform
To install an SAP system on Amazon’s cloud platform, you have to first create an Amazon Web Services (AWS) account. Then you can log in to the AWS Management Console, create a private key, and launch an Amazon Machine Image (AMI). This AMI is an OS image of your choice (selected after reviewing SAP’s PAM) and is the basis for the installation of your SAP system. To launch your system, go to AMIs and click Launch (Figure 1).

Figure 1
AWS Management Console: launch an AMI
Select the AMI that you would like to use as a generic template from which to launch your system. I used the 64-bit Windows Server image as the base AMI, which I selected to keep with the existing architecture of the company’s SAP environment (Figure 2).

Figure 2
AWS Management Console: sizing and security selection
Once the instance starts up, right-click its name and select Retrieve default admin password. Paste in your private key and click the Decrypt Password button (Figure 3).

Figure 3
AWS Management Console: retrieve the default Windows password
Now log on to the machine. Execute the Ec2ConfigServiceSettings.exe script (the script name for UNIX may be different) and uncheck the two settings shown in Figure 4. These settings prevent the hostname from changing when the AMI is launched again.

Figure 4
Amazon Utility: prevent hostname changes
Now change the hostname of this server to a name of your liking. You can do this in Windows by right-clicking My Computer and selecting Properties (Figure 5).

Figure 5
My Computer Properties: Change the hostname
Go back to your AWS Management Console to allocate storage space to your machine. Click Volumes under ELASTIC BLOCK STORE and then click the Create Volume button. Create separate volumes for your SAP system and database installation, database data files, and database log files. You may also want to allocate a dedicated drive for storing the SAP installation media and another drive for storing database backups. Size these volumes according to the expected system installation and database size. It’s better to set larger sizes than you need; Amazon only charges for the actual space consumed.
Next, attach the volumes by clicking the Attach Volume button. The status for each drive turns to in-use once it is attached (Figure 6).

Figure 6
AWS Management Console: attach storage volumes
Now go back to your host and discover and format the mounted drives. For a Windows instance, you may have to reboot the server to allow the drives to be discovered.
Your Amazon machine is now ready to begin system installation. Download and install a Java Runtime Environment (JRE) to this host. If you are installing a generic IDES system, for example, go ahead and download the SAP installation software (including SAPinst) to the host as well. You may want to download the software directly from SAP Service Marketplace via the SAP Download Manager. You can download any required Support Packages and patches as well.
Alternatively, if you are going to create a copy of an existing internal system, you need to upload the database backup that you will use to create this system. You also need to upload the SAPinst tools to perform the installation and restore. Furthermore, you need to upload your database installation media. You can upload all these files via FTP if an FTP server is installed and configured on the host first. Alternatively, you can download and install freeware tools such as the S3 Firefox Organizer add-on that’s available for the Firefox Web browser. This add-on allows you to upload and download files to and from your allocated S3 storage. It also enables you to create a folder to store your OS/Host backups, also known as bundles, which I discuss in the next section.
Next, go through the process to install your SAP system. The installation steps are identical to those for a regular private system. After you complete the installation, patching, and any other related activity, run a full system backup. Store the backup on the predefined S3 drive.
Bundle Your SAP Instance
You are now ready to bundle your SAP system. After you create and register the bundle, you can use it to create additional systems. Your bundle becomes the starting point for all subsequent installations — for adding application servers as well as installing additional SAP instances in your landscape.
To create the bundle, first stop the SAP system and database via the standard SAP tools (e.g., SAP Management Console [SAP MMC] for Windows). Then go to the list of Instances on your AWS Management Console (Figure 7).

Figure 7
AWS Management Console: list of instances
Select the system and follow menu path Instance Actions > Bundle Windows Instance. This step creates a copy of the OS drive so the system can recreate the SAP installation (Figure 8).

Figure 8
AWS Management Console: bundle an instance
Monitor this bundling activity by refreshing the Bundle Tasks link in EC2 until the status shows complete (Figure 9).

Figure 9
AWS Management Console: monitor the bundling status
Next, register the bundle to save it. To do so, first create a bucket in S3 using the S3 Firefox Organizer (Figure 10).

Figure 10
S3 Firefox Organizer: create a bucket
Then select the Bundle and click the Register as an AMI button — this option is activated once bundling is completed. When prompted, specify the bucket name and the AMI name to store the bundle in (Figure 11).

Figure 11
AWS Management Console: register the bundled AMI
You can now stop this system and server. First, stop the running SAP system and the database. Then proceed to shut the server down. The server’s status will change in the EC2 console (Figure 12). Shortly after it’s shut down, the server disappears from your EC2 console. The storage volumes then show as available on the Volumes view.

Figure 12
AWS Management Console: storage volumes become available
Recreate Your SAP Instance
To launch a stopped or saved SAP system, log into the AWS Management Console and go to the AMI view. Select the appropriate stored AMI and click the Launch button. In the pop-up window, select the appropriate instance type to designate capacity. Ensure that this instance is launched in the same time zone as the S3 storage that will be attached to it.
Once the server has completed starting up, switch to the Volumes view. Select each storage volume that needs to be attached to the host. Attach each volume individually by selecting it as shown and clicking the Attach button (Figure 13).

Figure 13
AWS Management Console: attach the storage volumes
After you have attached all the volumes, log into the server (using the standard SAP Admin/sidadm account created at installation) and reboot the server. The reboot activates the default paging space that’s assigned and allows the attached disks to be discovered. When the server completes its reboot, log into it and start the SAP system.
Connectivity and Security of Systems
To connect to an application running on EC2, you have to open the appropriate ports in the AWS EC2 security console. For example, to connect to a server via remote desktop, you have to open port 23 on the security console (Figure 14). Similarly, to allow connectivity to an SAP message server for instance 33, you have to open port 3633 through the security console.

Figure 14
AWS Security Console: Specify the ports to allow traffic
Security Tips
Security is a major concern with any enterprise application. When the same application runs outside your own data center, the concern is amplified. Here are 10 tips for securing your systems:
- Tip 1. Encryption of credentials: Use Secure Socket Layer (SSL) for the transmission of logon credentials for Web-based applications.
- Tip 2. Minimize open ports: Only open those ports in your AWS EC2 security console that are absolutely necessary. Use irregular instance numbers for your SAP systems as much as possible (i.e., do not use instance number 00 or 99).
- Tip 3. Randomize the SAP standard ports: Consider changing the port numbers for the SAP dispatcher, message server, and gateway to random numbers instead of the standard 32XX, 36XX, and 39XX port numbers. Doing so makes it harder to predict and hack these sensitive ports.
- Tip 4. Protect your AMIs: Keep all registered AMIs private. Use nondescript names for each. Disable the default Amazon Admin accounts for each AMI. This reduces the vulnerability of your AMI.
- Tip 5. Protect your internal network: If you allow your Amazon systems to communicate with systems running inside your company’s private network, set very strict port/IP address rules on your firewalls. Specify source and target IP addresses along with port numbers in the rules.
- Tip 6. Secure your DNS: Use DNS names for servers from within your domain. If that is not possible, use a similar domain. This increases security by giving the appearance that these systems are hosted within your private network.
- Tip 7. Minimize general exposure: Keep the details of your landscape private. If you share any details or provide system access to customers, minimize the information provided.
- Tip 8. Protect production data: At the start, you may want to run only non-production systems on EC2. You should scramble productive data before uploading or refreshing it to your EC2-based systems.
- Tip 9. Protect the data on EC2: Run regular backups to your S3 storage. This allows you to recover rapidly in case of a disaster or corruption.
- Tip 10. Secure data transfer: Amazon allows you to ship data on DVD, which is uploaded to S3 directly. This avoids transmission (and security issues) across the Internet. Alternatively, if you choose to upload data via FTP, use secure FTP services only. Make sure you open the secure FTP port on the Amazon security console only for the duration of the FTP transfer.
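Tips 2, 3, and 5 can be checked mechanically against the ingress rules of a security group. The following Python audit is an added example, not part of the original article: it flags port ranges, rules open to any source address, and standard SAP ports (32XX, 36XX, 39XX) that use the predictable instance numbers 00 or 99. It assumes TCP/UDP rules with explicit ports, shaped like the IpPermissions entries that EC2 returns when describing a security group; the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Standard SAP port prefixes named in Tip 3 (32XX, 36XX, 39XX; XX = instance number).
SAP_PREFIXES = (32, 36, 39)
# Instance numbers Tip 2 advises against.
PREDICTABLE_INSTANCES = (0, 99)

def sap_ports_in(lo, hi):
    """Return (prefix, instance) for each standard SAP port inside lo..hi."""
    hits = []
    for prefix in SAP_PREFIXES:
        first, last = max(lo, prefix * 100), min(hi, prefix * 100 + 99)
        hits.extend((prefix, port % 100) for port in range(first, last + 1))
    return hits

def audit_rule(rule):
    """Return a list of findings for one IpPermissions-style ingress rule."""
    lo, hi = rule["FromPort"], rule["ToPort"]
    findings = []
    if hi > lo:
        findings.append(f"range {lo}-{hi} opens {hi - lo + 1} ports")
    for ip_range in rule.get("IpRanges", []):
        if ipaddress.ip_network(ip_range["CidrIp"], strict=False).prefixlen == 0:
            findings.append("reachable from any source address")
    for prefix, inst in sap_ports_in(lo, hi):
        if inst in PREDICTABLE_INSTANCES:
            findings.append(f"standard SAP port {prefix}{inst:02d} (instance {inst:02d})")
    return findings

def audit_group(rules):
    """Map 'protocol/lo-hi' to findings, keeping only rules that have any."""
    report = {}
    for rule in rules:
        found = audit_rule(rule)
        if found:
            report[f"{rule['IpProtocol']}/{rule['FromPort']}-{rule['ToPort']}"] = found
    return report

# Constructed sample rules using documentation address ranges, not a real account.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3633, "ToPort": 3633, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3600, "ToPort": 3600, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]

if __name__ == "__main__":
    for key, found in audit_group(SAMPLE_RULES).items():
        print(key, found)
```

The first sample rule (one port, one source host, instance 33) produces no findings; the other two are reported.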
Tips for Running SAP Systems on Amazon’s Cloud Platform
Here are a few tips and tricks for running SAP systems on Amazon’s cloud platform. These tips are derived from practical experience running an SAP ECC 6.0 instance for extended periods on EC2/S3.
Tip 1. When installing or starting a new SAP instance, always provision the smallest server size needed to minimize ongoing cost. Scale up the hardware if you see performance issues. Keep in mind that it doesn’t take very long to add hardware capacity in a cloud environment.
Tip 2. Amazon offers a hosted Microsoft SQL Server for the database platform. However, consider installing and maintaining the database platform yourself. Doing it yourself may be more cost effective, depending on your organization’s licensing agreements with Microsoft.
Tip 3. Set up shutdown and startup scripts to bring your SAP systems down over weekends and other periods of inactivity, if appropriate. This reduces the cost incurred for the hosted services and reduces your security exposures.
Tip 4. For better stability, use the Firefox browser to connect to the AWS Management Console. In addition, several add-ons are available for Firefox, which make it easier to manage S3 and other services.
Tip 5. Familiarize yourself with the EC2 and S3 APIs. There may be significant value for your landscape in developing custom scripts or services for use with the Amazon tool set.
Tip 6. Set the alternate hostname parameter (gw/alternative_hostnames) in the instance profiles of all SAP instances installed on EC2. This parameter helps you avoid issues with connectivity for the TP and R3trans tools because of potential mismatches between the physical and virtual host names. Alternatively, you can launch the SAP installation with the SAPinst command-line parameter SAPINST_USE_HOSTNAME to specify a virtual hostname.
Saad Y Hassan
Saad Y. Hassan is an experienced SAP consulting manager and an entrepreneur. His area of expertise is the architecture, implementation, and management of SAP application components.
If you have any comments about this article or SAP Professional Journal, or want to submit an idea for an article, contact the SAP Professional Journal editor.
You may contact the author at saad.hassan@hassanassociates.com.