AWS for SAP
Tagging recommendations for SAP on AWS
Customers running SAP on AWS often ask us if we’ve seen reusable trends in tagging strategies for SAP workloads. Tags are simple labels consisting of a customer-defined key and an optional value. Tags enable customers to assign metadata to cloud resources, making it easier to manage, search, and filter existing resources.
In this post, we outline the benefits of tagging and provide recommendations for customers and partners deploying SAP workloads on AWS. Recommended tags are based on practices we’ve seen across a number of our engagements. Customers can directly use all of these tags or modify them to fit their own needs.
Tagging benefits
- Customers use tags for operation and deployment automation activities, such as snapshots of storage volumes, OS patching, and AWS Systems Manager Automation. SAP customers can also use tags for automating the start/stop of SAP servers, running cron jobs, and monitoring/alerting capabilities.
- Partners use AWS tags for solution deployment. High availability cluster, backup, and monitoring solutions often rely on AWS resource tags for their operations.
- AWS billing reports support the use of tags. Customers can create cost allocation tags that help identify pricing of AWS resources based on individual accounts, resources, business units, and SAP environments.
- AWS Identity and Access Management (IAM) policies support tag-based conditions, enabling customers to constrain permissions based on specific tags and their values. IAM user or role permissions can include conditions to limit access to development, test, or production environments or Amazon Virtual Private Cloud (Amazon VPC) networks based on their tags.
- Tags can be assigned to identify resources that require heightened security risk management practices, for example, Amazon Elastic Compute Cloud (Amazon EC2) instances hosting applications that process sensitive or confidential data. This can enable automated compliance checks to ensure that proper access controls are in place or that patch compliance is up-to-date.
Tagging considerations
- Tags can be applied anytime: Tags can be created and applied after a resource is created. However, no information is captured between the time the resource was created and when the tag was applied.
- Tags are not retroactive: Cost allocation reports are only available from the point in time they were activated. If cost allocation is activated in October, no information from September is displayed.
- Tags are static snapshots in time: Changes made to tags after a report is executed are not reflected in previous reports.
- Tags must be denoted for cost allocation: After creating a new tag, it must be activated as a cost allocation tag. If it is not, it is not visible in Detailed Billing Reports (DBR) or AWS Cost Explorer.
Tagging strategies
- Define naming convention: Tags are case-sensitive, so define standards for your AWS resources. For example, tag key names should use upper CamelCase (or PascalCase) for manual creation. CamelCase combines words/abbreviations by beginning each word with a capital letter, such as MiscMetadata and SupportEndpoints.
- Standardize delimiters: Do not use delimiters as part of tag values. This works well with case-sensitive tags.
- Use concatenated/compound tagging: Combine multiple values for a tag key (Owner = JohnDoe | johndoe@company.com | 8005551234). PascalCase should be used to standardize compound tags.
Tagging suggestions
Note: Use a “<customer name>:” prefix to clearly differentiate company-defined tags from tags defined by AWS or required by third-party tools a customer may use.
| Tag Name | Purpose | Values | Cost Allocation Tag? |
| --- | --- | --- | --- |
| <customer name>:name | Identifies the resource name. Can be the hostname of the SAP server. | String. Example: aws2sql01 | Yes |
| <customer name>:sap-product | Identifies the SAP product running on the SAP resource. | String. Examples: ecc, bw, po, solman, content-server | Yes |
| <customer name>:sid | Identifies the SAP system SID. | String | No |
| <customer name>:landscape-type | Identifies the SAP landscape type (support or project). | String. Examples: n, n+1, n+2 | No |
| <customer name>:ha-node | Identifies the HA cluster node. | String. Examples: primary, secondary, disaster recovery (DR) | No |
| <customer name>:backup | Identifies the backup policy for the server. | String. Examples: daily-full, daily-incremental, weekly-full | No |
| <customer name>:environment-type | Identifies whether the resource is part of a production or non-production type of environment. | String. Examples: lab, development, staging, production | No |
| <customer name>:created-by | For tracking the AWS account ID, IAM user name, or IAM role that created the resource. | String. Examples: account-id, user name, role session name | Yes |
| <customer name>:application | Identifies the resource application name. | String. Example: sap | Yes |
| <customer name>:app-tier | The tier key is used to designate the functional tier of the associated AWS resource. This key provides another way to deconstruct AWS spending to understand how each infrastructure subcomponent contributes to overall cost. Also used for determining backup and disaster-recovery requirements. It is also useful for threat modeling when using tools such as AWS Tiros. | String. Examples: Web, app, data, network, other | No |
| <customer name>:cost-center | Identifies the cost center of the department that is billed for the resource. | Numeric cost center code | Yes |
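The automated compliance checks and the case-sensitivity point made earlier can be combined into a tag validator; the following is an added example, not code from the original post, run over a constructed inventory. The `abc:` prefix follows this page's example company name; the mandatory key set, the use of the table's example values as an allow-list, and the rule that production resources need a backup tag are assumptions.

```python
import re

PREFIX = "abc:"  # "abc" is the example company name this page uses
REQUIRED = ("name", "sid", "environment-type", "application")  # assumed mandatory set
# Example values from the tag table, treated here as a closed allow-list (assumption).
ALLOWED = {
    "environment-type": {"lab", "development", "staging", "production"},
    "sap-product": {"ecc", "bw", "po", "solman", "content-server"},
    "backup": {"daily-full", "daily-incremental", "weekly-full"},
    "application": {"sap"},
}
SID_RE = re.compile(r"[A-Z][A-Z0-9]{2}")  # SAP SIDs: three characters, uppercase, letter first

def check_tags(tags):
    """Return sorted findings for one resource's tags (dict of key -> value)."""
    findings = []
    by_folded_key = {k.lower(): k for k in tags}
    for short in REQUIRED:
        key = PREFIX + short
        if key not in tags:  # tag keys are case-sensitive, so report near misses
            seen = by_folded_key.get(key)
            findings.append(f"{seen}: wrong case, expected {key}" if seen else f"{key}: missing")
    for short, allowed in ALLOWED.items():
        value = tags.get(PREFIX + short)
        if value is not None and value not in allowed:
            why = ("differs only in case from an allowed value"
                   if value.lower() in allowed else "is not an allowed value")
            findings.append(f"{PREFIX}{short}: {value!r} {why}")
    sid = tags.get(PREFIX + "sid")
    if sid is not None and not SID_RE.fullmatch(sid):
        findings.append(f"{PREFIX}sid: {sid!r} is not a valid SAP SID")
    # Assumed policy rule for this sketch: production resources must carry a backup tag.
    if tags.get(PREFIX + "environment-type") == "production" and PREFIX + "backup" not in tags:
        findings.append(f"{PREFIX}backup: missing on production resource")
    return sorted(findings)

# Constructed inventory (resource id -> tags); not real resources.
INVENTORY = {
    "i-constructed-01": {"abc:name": "aws2sql01", "abc:sid": "PRD", "abc:environment-type": "production", "abc:application": "sap", "abc:backup": "daily-full"},
    "i-constructed-02": {"abc:name": "aws2app02", "abc:sid": "prd", "abc:Environment-Type": "Production", "abc:application": "sap"},
    "i-constructed-03": {"abc:name": "aws2hdb03", "abc:sid": "HDB", "abc:environment-type": "Production", "abc:application": "sap"},
    "i-constructed-04": {"abc:name": "aws2app04", "abc:sid": "PRD", "abc:environment-type": "production", "abc:application": "sap"},
}

def audit(inventory):
    return {rid: f for rid, t in inventory.items() if (f := check_tags(t))}  # non-compliant only

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A value such as `Production` also fails to match a case-sensitive IAM `StringEquals` condition written for `production`, so case drift affects access control as well as reports.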
Additional tagging options
Customers can also consider tags for poweroff-time, poweron-time, business-stream, resource-owner-email, and support-team-email with their AWS resources.
The screenshot below shows examples of some tags that have been set up. In this example, abc is the company name.
Figure 1: SAP Server Tagging Example
Conclusion
Tagging strategies differ from customer to customer depending on their needs. Our SAP Professional Services practice has found it useful to provide a prescriptive starting point for customers to build from. The most important aspects of tagging are defining what works for your organization and remaining precise and accurate. Please also review tag restrictions while preparing the tagging strategy for your SAP workloads.
Let us know if you have any comments or questions—we value your feedback.