AWS for SAP

SAP HANA database redirected restore with AWS Backint Agent

This blog aims to reduce operational overhead by performing a redirected restore of an SAP HANA database from an Amazon Simple Storage Service (S3) bucket. We will walk you through the process of restoring a production SAP HANA database from an Amazon S3 bucket to a target SAP HANA database running on a different Amazon Elastic Compute Cloud (EC2) instance in the same or a different AWS account. Since you can back up your SAP HANA database directly to an S3 bucket using AWS Backint Agent for SAP HANA, you can use the redirected restore to refresh your non-production SAP HANA databases.

Overview:

There are several methods available to back up your SAP HANA database on AWS. One of the common methods is a two-step approach where you back up the SAP HANA database to a staging disk and then copy it over to an S3 bucket.

Figure: SAP HANA Database Backups using local EBS Volumes

This backup process requires you to first copy the backup of the HANA database to a staging disk (an Amazon Elastic Block Store (EBS) volume) attached to the SAP HANA server and then initiate the restore process.

With AWS Backint Agent, you can back up your SAP HANA database and logs directly to an Amazon S3 bucket and initiate the restore process from the S3 bucket. This eliminates the need for a backup staging disk and significantly reduces the time it takes to perform a database backup and recovery.

This blog talks about using AWS Backint Agent for SAP HANA to perform a redirected SAP HANA database restore between two different accounts (the process for redirected restore between the same accounts/same region/cross region is very similar). It is assumed that you are using AWS Backint Agent to back up your SAP HANA database to an S3 bucket.

Current SAP HANA database backup Policy:

Figure: SAP HANA Database backup

The blog assumes that you are currently using the following backup process:

1. You are using the AWS Backint Agent interface to back up the SAP HANA database directly to the S3 bucket
2. You are using AWS Backint Agent to back up the SAP HANA logs directly to the S3 bucket
3. The S3 bucket is encrypted using a Customer Managed Key (CMK)

Objective:

The objective is to restore the SAP HANA database on the target instance using the source database backup that resides in the S3 bucket by using SAP HANA redirected restore. The source and target account for the SAP HANA database can be owned by the same or different account ID. The account owner plays an important role while granting access to the S3 bucket using the bucket policy.

Figure: Redirected Restore

Advantages of redirected restore:

1. Periodic validation of production database backups (an important question from auditors)
2. Reduced time to perform a system copy of SAP HANA based SAP systems while achieving the same point in time recovery for dependent systems like ECC and BW
3. Reduced backup footprint (no staging area!)
4. Regular SAP HANA consistency checks on the restored database, which is a copy of production

Source and target account Pre-requisite:

1. From the source account, grant the target account access to the source CMK (KMS > Customer Managed Key > YourKey > Other AWS Accounts).

2. Log in to the target account and create a new policy to decrypt the backup stored in the source S3 bucket. Policy: comaws_cross_cmk_access_policy (sample name)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfCMKInAccountSourceaccount",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:012345678901:key/<cmk key>"
        }
    ]
}

3. On the target account, create a new EC2 role or use an existing one:
Role: arn:aws:iam::987654321098:role/comaws_ec2_instance_role_name
Note: The name of the role can be of your choice.
Attach the following policies to this role:

4. In the target account, attach the IAM role to your Amazon EC2 instance where your target SAP HANA database is running.

5. Create a source bucket policy granting access to the target account EC2 instance role that you created above.

Source S3 bucket: Attach the following policy to the source bucket (Amazon S3 > Your Source Bucket > Permissions > Bucket Policy)

{
    "Version": "2012-10-17",
    "Id": "Policy1606090894637",
    "Statement": [
        {
            "Sid": "Stmt1606090751178",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                     "arn:aws:iam::987654321098:role/comaws_ec2_instance_role"
                ]
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::SourceBucketName"
        },
        {
            "Sid": "Stmt1606090890057",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                     "arn:aws:iam::987654321098:role/comaws_ec2_instance_role"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::SourceBucketName/*"
        }
    ]
}

You are ready to restore the SAP HANA database backup from an S3 bucket owned by 012345678901 to an account 987654321098 using the SAP HANA database redirected restore method. The following instructions can be used to perform the database restores in the following circumstances:

  • Systems running under same AWS account/same region.
  • Systems running under different accounts/same region using VPC Endpoint for S3.
  • Systems running under different account/different region using a NAT Gateway.

**Data transfer costs may apply.

Performing SAP HANA database redirected restore:

1. Log in to the target SAP HANA database server and change the current directory to /hana/shared/aws-backint-agent.

cd /hana/shared/aws-backint-agent

2. Create a backup of the existing aws-backint-agent-config.yaml file.

cp aws-backint-agent-config.yaml aws-backint-agent-config.yaml.backup

3. Edit aws-backint-agent-config.yaml and replace its contents with those of the source system's aws-backint-agent-config.yaml. Sample aws-backint-agent-config.yaml:

S3BucketAwsRegion: "us-east-1"
S3BucketName: "SourceBucketName"
S3BucketFolder: "backup/database/hana"
S3BucketOwnerAccountID: "012345678901"
LogFile: "/hana/shared/aws-backint-agent/aws-backint-agent.log"
S3SseKmsArn: "arn:aws:kms:us-east-1:012345678901:key/CMK"
S3SseEnabled: "true"

This step is required to allow AWS Backint Agent to read the backups stored in the source S3 bucket.

4. On the target system, check access to the source S3 bucket by using the AWS command line interface:

aws s3 ls s3://SourceBucketName/backup/database/hana/PH5/usr/sap/PH5/SYS/global/hdb/backint/DB_SUP/2020_11_22_05_00_00_full_databackup
Sample Output:
PRE 2020_11_22-05_00_00_full_databackup_0_1/
PRE 2020_11_22-05_00_00_full_databackup_2_1/
PRE 2020_11_22-05_00_00_full_databackup_2_10/
PRE 2020_11_22-05_00_00_full_databackup_2_12/
PRE 2020_11_22-05_00_00_full_databackup_2_2/
PRE 2020_11_22-05_00_00_full_databackup_2_3/
PRE 2020_11_22-05_00_00_full_databackup_2_4/
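
A static pre-flight check to complement the `aws s3 ls` test above, as an added example (not code from the original post or from AWS): it cross-checks the source bucket policy, the target KMS policy and the agent config for stray whitespace in ARNs, missing read permissions, and permissions beyond a read-only restore. The function names, the inline sample documents (constructed from the page's placeholders) and the assumption that a restore-only role needs only kms:Decrypt, with kms:DescribeKey tolerated, are this example's own.

```python
import re

# Constructed inputs reusing the page's placeholder names; one ARN has a deliberate stray space.
ROLE = "arn:aws:iam::987654321098:role/comaws_ec2_instance_role"
CONFIG = {"S3BucketName": "SourceBucketName", "S3BucketOwnerAccountID": "012345678901",
          "S3SseKmsArn": "arn:aws:kms:us-east-1:012345678901:key/CMK"}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Resource": "arn:aws:s3:::SourceBucketName",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"]},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3::: SourceBucketName/*"}]}
KMS_POLICY = {"Statement": [{"Effect": "Allow", "Resource": CONFIG["S3SseKmsArn"], "Action": [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]}]}
READ_ONLY_KMS = {"kms:Decrypt", "kms:DescribeKey"}  # assumption: enough for a restore-only role

def as_list(value):
    return value if isinstance(value, list) else [value]

def preflight(bucket_policy, kms_policy, config, role_arn):
    """Return findings; an empty list means policies and agent config agree."""
    findings, granted = [], {}  # granted: resource ARN -> S3 actions allowed to role_arn
    bucket_arn = "arn:aws:s3:::" + config["S3BucketName"]
    for st in bucket_policy["Statement"]:
        principal = st.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if st["Effect"] != "Allow" or not {role_arn, "*"} & set(aws):
            continue
        for res in as_list(st["Resource"]):
            if re.search(r"\s", res):
                findings.append(f"whitespace in ARN: {res!r}")
            granted.setdefault(res, set()).update(as_list(st["Action"]))
    for action, arn in (("s3:ListBucket", bucket_arn), ("s3:GetObject", bucket_arn + "/*")):
        if action not in granted.get(arn, set()):
            findings.append(f"role lacks {action} on {arn}")
    writes = sorted({a for acts in granted.values() for a in acts
                     if a.startswith(("s3:Put", "s3:Delete")) or a in ("s3:*", "*")})
    if writes:
        findings.append(f"role can modify source backups: {writes}")
    key_arn = config["S3SseKmsArn"]
    kms_actions = {a for st in kms_policy["Statement"]
                   if st["Effect"] == "Allow" and key_arn in as_list(st["Resource"])
                   for a in as_list(st["Action"])}
    if "kms:Decrypt" not in kms_actions:
        findings.append("no kms:Decrypt on " + key_arn)
    if kms_actions - READ_ONLY_KMS:
        findings.append(f"KMS actions beyond read-only restore: {sorted(kms_actions - READ_ONLY_KMS)}")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(BUCKET_POLICY, KMS_POLICY, CONFIG, ROLE)))
```

With the sample input, the stray space makes the object statement miss `arn:aws:s3:::SourceBucketName/*`, so the check reports both the whitespace and the missing s3:GetObject grant.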

Now we can start the database restore operations on the target system.

Restoring a Scale-up SAP HANA database using redirected restore:

Log in to the target database using hdbsql and create a tenant database:

hdbsql -n localhost -i 05 -u system -d systemdb
CREATE DATABASE SUD SYSTEM USER PASSWORD Manager1;

-- To recover using a particular source backup:

RECOVER DATA FOR SUD USING SOURCE 'SUP@PH2' USING BACKINT ('/usr/sap/PH2/SYS/global/hdb/backint/DB_SUP/2020_11_21_04_00_00_full') CLEAR LOG; 
0 rows affected (overall time 2443.266878 sec; server time 2443.263834 sec) 
*Source tenant DB Name=SUP, Source SAP HANA system name=PH2

-- To perform a point in time recovery:

RECOVER DATABASE FOR SUD UNTIL TIMESTAMP '2020-11-29 20:00:00' CLEAR LOG USING SOURCE 'SUP@PH2' USING CATALOG BACKINT USING LOG PATH ('/usr/sap/PH2/SYS/global/hdb/backint/DB_SUP/') USING DATA PATH ('/usr/sap/PH2/SYS/global/hdb/backint/DB_SUP/');

0 rows affected (overall time 402.686351 sec; server time 402.683220 sec) 
**Time shown above is in UTC

Monitoring the progress of the restore operation:

1. You can monitor the restore progress by running a tail command on the backup.log file under the target DB_SID directory on the target server.

tail -f /usr/sap/DH2/HDB10/sapdh2dbsm/trace/DB_SUD/backup.log

2. You can also check the aws-backint-agent.log file on the target VM.

tail -f /hana/shared/aws-backint-agent/aws-backint-agent.log

Points to remember:

1. Since we only allowed the GetObject operation on the source S3 bucket, the target system cannot write its own backups there. For the duration of the restore, either disable backups of the target database(s), change the log backup destination to a local disk, or increase the log backup interval.

2. The redirected restore can be used with the S3 VPC endpoints in the same region.

3. Once the recovery completes, remember to switch the aws-backint-agent-config.yaml file of your target system back to its original contents. This is required to ensure that your target system's backups are sent to the correct S3 bucket.

Conclusion:

We hope that using AWS Backint Agent to perform SAP HANA redirected restore helps you to reduce SAP HANA database refresh times with minimal changes required to the current infrastructure. You can use the same process to perform point in time recovery of multiple SAP systems like ECC and BW. This will help you maintain intact delta pointers between your ECC and BW systems post-refresh.

For more information, please refer to AWS Backint Agent for SAP HANA. To watch an SAP on AWS expert back up an SAP HANA database on AWS with AWS Backint Agent, please refer to this demo.