SAP NetWeaver on Windows Deployment Guide

This deployment guide shows you how to deploy and connect to a VM running SAP NetWeaver on Microsoft Windows Server-based systems on Google Cloud Platform (GCP). To learn how to deploy a Linux-based implementation, see the Linux Deployment Guide.

These instructions give you the details for setting up a 2-tier system, with all the SAP components and the database running on a single VM. During deployment, you also install Google's monitoring agent and can validate that it is sending metrics to SAP. This guide also includes considerations for migrating an existing system and for setting up a 3-tier scale-out system.

For more details on planning your implementation, see the Planning Guide. For an overview of IT ops for your system, see the Operations Guide.

VM deployment options

You have two main options for deploying VMs for SAP NetWeaver on GCP:

  • Create a VM manually in the Google Cloud Platform Console or by using the gcloud command- line tool, and walk through the steps of creating a network, configuring your VM and disks, and setting up firewall rules.
  • Use Cloud Deployment Manager and a template created by Google to automate the deployment process.

For either option, you must first have a Google account to create a GCP project. Any Cloud Platform resources that you use, such as a network or a VM, must belong to a project.

Creating a project

To create a project:

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your project.

    Learn how to enable billing

Deploying a VM manually

The following instructions show you how to deploy a VM for an example 2-tier SAP system running Microsoft Windows and Microsoft SQL Server, SAP ASE, or IBM Db2 for Linux, UNIX, and Windows (IBM Db2). All the SAP NetWeaver components and the central database run on one VM.

For general considerations for a 3-tier system, see Deploying a 3-tier scale-out system.

Before you begin, ensure that you have consulted the Planning Guide and, if you are going to use Microsoft SQL Server, that you have decided how you want to install the SQL Server database from the following options:

  • Use a GCP image that includes the database.
  • Install it using installation media.

Installing and configuring the gcloud command-line tool (optional)

The instructions in this guide use Cloud Shell.

We recommend that you install the gcloud command-line tool, which is a part of Google Cloud SDK. Cloud SDK includes features like statement autocompletion, in-place updating, and human-readable and machine-parsable output formats. The gcloud command-line tool allows you to run the commands in this guide from your local machine, instead of in Cloud Shell, if you prefer.

  1. Optionally, install the gcloud command-line tool.

  2. Make sure you are using the correct configuration for your VMs, which you set when you run gcloud init. Configurations are collections of key-value pairs that influence the behavior of the gcloud commands.

    To check your current gcloud configuration, run:

    gcloud config list

    To switch between configurations, run:

    gcloud config configurations activate [CONFIGURATION_NAME]


    • [CONFIGURATION_NAME] is the name of the configuration
  3. If you need to set the default region for the gcloud tool, run:

    gcloud config set compute/region [REGION]


  4. If you need to set the default zone for the gcloud tool, run:

    gcloud config set compute/zone [ZONE]


Creating a network

When you create a project, a default network is created for your project. However, for security purposes, you should create a new network and specify firewall rules to control who has access.

  1. Go to Cloud Shell.


  2. To create a new network in the custom subnetworks mode, run:

    gcloud compute networks create [YOUR_NETWORK_NAME] --subnet-mode custom


    • [YOUR_NETWORK_NAME] is the name of the new network. The network name can contain only lowercase characters, digits, and the dash character (-).

    Make sure to specify the custom flag instead of using an automatic subnetwork. An automatic subnetwork always has the same assigned IP address range, which can cause issues if you have multiple subnetworks and want to use VPN.

  3. Create a subnetwork, and specify the region and IP range:

    gcloud compute networks subnets create [YOUR_SUBNETWORK_NAME]
    --network [YOUR_NETWORK_NAME] --region [YOUR_REGION] --range [YOUR_RANGE]


    • [YOUR_SUBNETWORK_NAME] is the new subnetwork.
    • [YOUR_NETWORK_NAME] is the name of the network you created in the previous step.
    • [REGION] is the region where you want the subnetwork. Use a region that is supported for SAP NetWeaver.
    • [YOUR_RANGE] is the IP address range, specified in CIDR format, such as If you plan to add more than one subnetwork, assign non-overlapping CIDR IP ranges for each subnetwork in the network. Note that each subnetwork and its internal IP ranges are mapped to a single region.
  4. Optionally, repeat the previous step and add additional subnetworks.

  5. Optionally, create a NAT gateway. If you intend to create a VM without a public IP address, you must create a NAT gateway so that your VM can access the Internet to download Google's monitoring agent. If you intend to assign an external public IP address to your VM, you can skip this step.

    1. To create a VM to act as the NAT gateway in the subnet you just created, run the following command:

      gcloud compute instances create [YOUR_VM_NAME] --can-ip-forward
      --zone [YOUR_ZONE]  --image-family [YOUR_IMAGE_FAMILY]
      --image-project [YOUR_IMAGE_PROJECT]
      --machine-type=[YOUR_MACHINE_TYPE] --subnet [YOUR_SUBNETWORK_NAME]
      --metadata startup-script="sysctl -w net.ipv4.ip_forward=1; iptables
      -t nat -A POSTROUTING -o eth0 -j MASQUERADE" --tags [YOUR_VM_TAG]


      • [YOUR_VM_NAME] is the name of the VM you are creating that want to use for the NAT gateway.
      • [YOUR_ZONE] is the zone where you want the VM.
      • [YOUR_IMAGE_FAMILY] and [YOUR_IMAGE_PROJECT] specify the image you want to use for the NAT gateway VM. Because you are using Windows, you don't have to select a premium image for your gateway.
      • [YOUR_MACHINE_TYPE] is any supported machine type. If you expect high network traffic, choose a machine type with that has at least 8 virtual CPUs.
      • [YOUR_SUBNETWORK_NAME] is the name of the subnetwork where you want the VM.
      • [YOUR_VM_TAG] is the tag that is applied to the VM you are creating. If you use this VM as a bastion host, this tag is used to apply the firewall rule only to this VM.
    2. To create a route that is tagged so that traffic passes through the NAT VM instead of the default Internet gateway, run the following command:

      gcloud compute routes create [YOUR_ROUTE_NAME]
      --network [YOUR_NETWORK_NAME] --destination-range
      --next-hop-instance [YOUR_VM_NAME] --next-hop-instance-zone
      [YOUR_ZONE] --tags [YOUR_TAG_NAME] --priority 800


      • [YOUR_ROUTE_NAME] is the name of the route you are creating.
      • [YOUR_NETWORK_NAME] is the network you created.
      • [YOUR_VM_NAME] is the VM you are using for your NAT gateway.
      • [YOUR_ZONE] is the zone where the VM is located.
      • [YOUR_TAG_NAME] is the tag on the route that directs traffic through the NAT VM.
    3. If you also want to use the NAT Gateway VM as a bastion host, run the following command to allow inbound SSH access to this instance from the Internet:

      gcloud compute firewall-rules create allow-ssh --network [YOUR_NETWORK_NAME] --allow tcp:22 --source-ranges --target-tags "[YOUR_VM_TAG]"


      • [YOUR_NETWORK_NAME] is the network you created.
      • [YOUR_VM_TAG] is the tag you specified when you created the NAT gateway VM. This tag is used so this firewall rule applies only to the VM that hosts the NAT gateway, and not to all VMs in the network.

Creating and setting up a VM

When you create a VM, you can specify several options, including the operating system, region, machine type, and persistent disks. You must also specify a start-up script to install Google's monitoring agent on the VM.

To create a VM:

  1. Go to the Images page in Compute Engine:

    Go to the Images page

  2. To use a public image, choose an image from one of the following image families:

    • For Windows Server, select an image that begins with windows-. Select this option if your database software is SQL Server software that is provided by SAP or Microsoft, or SAP ASE, IBM Db2.
    • For the SQL Server image provided by Google, select an image that begins with sql-nnnn, where nnnn is a release version such as 2014, for example: sql-2012-enterprise-windows-2012-r2. Select this option if you want to use SQL Server as your database and want to pay-as-you-go for the SQL Server license. Search for sql and ensure that the Family begins with sql-ent.
  3. Click the Create instance button.

  4. Enter a name for the VM.

    Limit your name to 13 characters, as this is the maximum supported by SAP. For more information, see SAP Note 611361: Hostnames of SAP servers.

  5. Select the zone for your VM based on the location of your internal resources and users, and the CPU platform you want to use.

    For more details on the zones supported for SAP NetWeaver, see the following guides and SAP Notes:

  6. Change the machine type to one of the supported high-memory machine types that begins with n1-highmem.

    To compare the supported machine types and their persistent-disk limitations, see the Planning Guide.

  7. Optionally, in the Boot disk section, click Change to configure your boot disk. You can customize the size of the boot disk. Ensure that the boot disk is at least 50 GB.

    You can change the boot disk from a standard persistent disk to an SSD persistent disk, if you prefer. Be sure to deselect the Delete boot disk when instance is deleted checkbox for the VM instance in the GCP Console.

  8. Under Access Scope, for the Compute Engine default service account, select Set access for each API.

    To ensure that the monitoring agent functions correctly, enable the following APIs for the service account:

    API Access
    Cloud Source Repositories Read Write
    Compute Engine Read
    Service Control Enabled
    Service Management Read Only
    Stackdriver Logging API Full
    Stackdriver Monitoring API Full
    Stackdriver Trace Write Only
    Storage Full

  9. Expand the Management, disks, networking, SSH keys section.

  10. If you are using a NAT gateway, in the Networking tab, under Network tags, add the tag that you specified as [YOUR_TAG_NAME] when you set up the route directing traffic through the gateway.

  11. Specify the start-up script to install the monitoring agent, which sends data to the SAP monitoring system to streamline system metrics for support.

    You must have the monitoring agent installed and running to get support from SAP. For an overview of how the monitoring agent functions, see the Operations Guide.

    In the Management tab, under Automation > Metadata, specify the following Key and Value to define the startup script URL. When you specify this metadata, Windows will run this script as administrator:

    • Key: sysprep-specialize-script-url
    • Value:

    The monitoring agent runs as a Windows service, named GCP Metrics Provider.

  12. In the Management tab, under Availability policy, ensure that you leave the following default settings:

    • To ensure availability of your SAP systems, keep the Preemptibility setting Off (recommended).
    • To ensure that your VM can restart if there's a maintenance or failure event, keep the Automatic restart setting On (recommended) .
    • To ensure that your VM is migrated to other hardware during infrastructure maintenance, keep the On host maintenance setting on Migrate VM instance (recommended).
  13. In the Disks tab, under Additional disks, click Add item to add persistent disks for storage.

    1. Under the Name, select Create disk.

    2. In the Create a disk window, under Disk Type select the following:

      • For SAP NetWeaver binaries, add a standard persistent disk (HDD) or an SSD disk.
      • For the swap disk, add an SSD disk.
      • For SQL Server, add an SSD disk for the database logs.
      • For SQL Server, add an SSD disk for the database data.
    3. Under Source type, select None (blank disk).

    4. Specify the size of your disk.

    5. Click Create to create the disk.

    6. Repeat steps a-e to create all the disks you need for your system.

  14. In the Networking tab, choose the network that you created.

  15. Click Create to create and start the instance.

Adding firewall rules

By default, incoming traffic from outside your GCP network is blocked. To allow incoming traffic, set up a firewall rule for your VM. Firewall rules regulate only incoming traffic to a VM. When a connection is established with a VM, traffic is permitted in both directions over that connection.

Create firewall rules to allow access for:

  • The default ports used by SAP NetWeaver, as documented in TCP/IP of All SAP Products.
  • Connections from your computer or your corporate network environment to your Compute Engine VM instance. Use an IP address such as the one displayed at, or talk to your company's network administrator.
  • SSH from the browser. Allow access in the new GCP network you created through port 22.

To create a firewall rule:

  1. In the GCP Console, go to the Firewall Rules page.


  2. At the top of the page, click Create firewall rule.

  3. You can create a firewall rule to allow access to specified ports, or to allow access between VMs on the same subnetwork.

    • In the Network field, select the network where your VM is located.
    • In the Targets field, select All instances in the network.
    • In the Source filter field, select the range of IPs that you want to allow access on this port.
    • In the Allowed protocols and ports section, specify tcp:[PORT_NUMBER];.
  4. Click Create to create your firewall rule.

To learn more about how to add additional firewall rules to your instance, see the Networking documentation.

Connecting to your VM

To connect to a Windows-based VM, you must first generate a password for the VM. You can then connect to the VM using RDP or PowerShell.

Generating passwords

After you create a Windows VM, you must generate a password for the VM before you can connect to it:

  1. Go to the VM instances page.


  2. Click the Windows instance where you want to generate a new password.

  3. On the instance details page, click the Set Windows Password button. A password is generated for you.

Using RDP

You can use RDP to connect to a Windows instance and start a Remote Desktop session. Alternatively, you can connect to Windows instances using the PowerShell terminal.

Connect to the remote desktop on Windows instances using one of the following methods:

  • If you use the Chrome browser, you can connect through the Chrome RDP for Google Compute Engine extension from Fusion Labs. This extension allows you to connect through the GCP Console.
  • Download the RDP file and manually connect through the Windows Remote Desktop Connection client or a third-party client.


  1. Go to the VM instances page in the in the GCP Console.


  2. Click the RDP button next to the instance that you want to connect to. A new browser window opens with the Chrome RDP for Google Compute Engine extension.

  3. Enter your username and password. If this is your first time connecting to this instance, or if you have forgotten your password, create or reset your Windows password.

  4. Click OK to connect.

RDP Client

  1. Install an RDP client. If you don't have a preference, install the Chrome RDP for Google Compute Engine extension.

  2. Get your Windows VM's external IP address. Go to the VM instances page in the GCP Console or run gcloud compute instances list to see a list of your instances with their external IP values.

  3. In your RDP client, provide your VM's external IP address as the IP address to connect to. For example, in the Chrome RDP extension, you would enter the IP address in the following format:

    Screenshot of the instance creation window with the required options set

  4. Enter your sign-in information and leave the Domain field blank. If this is your first time connecting to this VM, or if you have forgotten your password, create or reset your Windows password.

    Screenshot of the instance creation window with the required options set

Using PowerShell
  1. If you have not created a username and password on the Windows VM yet, create your Windows password.

  2. Add a firewall rule or edit your existing firewall rule to open port 5986 on the GCP network where your Windows Server VM is located.

  3. On your local workstation, open the PowerShell terminal.

  4. Optionally, you can initialize a variable to hold your user credentials so you do not need to enter them each time you connect to the instance. If you skip this step, you receive a prompt for your username and password later.

    PS C:> $credentials = Get-Credential
  5. Use the Enter-PSSession command to start a remote PowerShell session and include the flags to use SSL and skip credentials checks.

    PS C:> Enter-PSSession -ComputerName [IP_ADDRESS] -UseSSL -SessionOption
    (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential $credentials

Formatting and mounting disk drives

After you have connected to your Windows VM, format your disks so that you can begin using them. You also configure the Windows pagefile in the following steps:

  1. From the Start menu, search for and open the Server Manager.

  2. Select File > Storage Services and then select Disks.

    Server Manager

  3. In the Disks dialog box, right-click the first disk, and then select New Volume.

  4. Proceed with the defaults and enter a disk label.

  5. When you get to the file-system-settings step, change the Allocation unit size to a value from the following list:

    • Database disks: 32 KB
    • Pagefile: 8 KB
    • Other disks: default of 4 KB.
  6. Enter a volume label that describes the disk with a meaningful name.

    New Volume Wizard

  7. Repeat the same steps for the additional disks.

Preparing the operating system

After you have created your VM, configure the operating system:

Setting up the database

You now need to set up your database. If you didn't use the GCP image that contains SQL Server, now is the time to install a database.

  1. Use RDP or Windows PowerShell remoting to connect to your Windows-based VM.
  2. Download or copy your installation media from SAP or Microsoft to your VM.
  3. Run the installer.

Configuring the GCP Microsoft SQL Server image

If you are using a Google-provided SQL Server Enterprise image, the default SQL Server collation (SQL_Latin1_General_CP1_CI_AS) is active in the already running DBMS. For SAP, you must configure SQL Server to use the SAP collation (SQL_Latin1_General_CP850_BIN2) so that it is compatible with SAP systems. For more information during server configuration, see the SAP installation guide.

Therefore, you must change the collation after the VM is deployed, as follows:

  1. Connect to your Windows instance by using either RDP or remote PowerShell.
  2. Sign in to Windows as administrator and stop the MSSQLSERVER service.
  3. Navigate to the directory that contains the binaries for your SQL Server instance, for example, C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn.
  4. From an elevated command prompt run:

    sqlservr -m -T4022 -T3659 -s"[SQL_SERVER_INSTANCE_NAME]" -q"SQL_Latin1_General_CP850_BIN2"


    • The parameter -m starts the SQL Server instance in single-user mode.
    • The trace flag 4022 forces SQL Server to skip any stored startup procedures.
    • The trace flag 3659 allows all errors to be logged to the SQL Server logs.
    • The parameter -s specifies the name of the SQL Server instance to start. Replace [SQL_SERVER_INSTANCE_NAME] with your SQL Server instance name.
    • The parameter -q rebuilds all databases and objects to the specified SAP collation, without reinstalling the instance or rebuilding system databases.
  5. Restart the SQL Server Service MSSQLSERVER after the collation is changed.

  6. Confirm your change in the most recent SQL Server ERRORLOG or the server's collation properties.

Installing the Stackdriver logging agent

The Stackdriver Logging agent provides you with a solution for GCP system-activity logging. This is an optional but recommended component. See the SAP NetWeaver on GCP Operations Guide for more information about GCP logging.

To install the Stackdriver logging agent, see these instructions.

Deploying a VM automatically with Deployment Manager

As an alternative to manually creating your VM, you can use Deployment Manager and a template provided by Google to streamline your setup.

The template completes the following tasks:

  • Creates a VM using a Windows Server 2012 R2 image (100 GB with a standard PD). Note that the template also supports certain Linux versions.

  • Adds a persistent disk for SAP binaries (100 GB).

  • Adds a persistent SSD for configuring swap (100 GB).
  • Enables the correct APIs for Google's monitoring agent.
  • Installs and starts Google's monitoring agent.

To learn more about Deployment Manager, see Deployment Manager Fundamentals.

Using the Deployment Manager template

To deploy a VM using the provided Deployment Manager template:

  1. Go to Cloud Shell.


  2. Click the Activate Google Cloud Shell button at the top of the console window.

    Activate Google Cloud Shell

  3. A Cloud Shell session opens inside a new frame at the bottom of the GCP Console and displays a command-line prompt. It can take a few seconds for Cloud Shell session to be initialized.

    Cloud Shell session

    Your Cloud Shell session is ready to use.

  4. Run the following commands to use the template:

    curl -s
    >; chmod +x; ./
  5. At the prompts, specify the following for your deployment:

    • Deployment name. The deployment name will be the name of the VM and the OS host name. The name should be unique. If you reuse a name, Deployment Manager fails. Limit your name to 13 characters, as this is the maximum supported by SAP NetWeaver. For more information, see SAP Note 611361: Hostnames of SAP servers.
    • Machine Type. Enter a supported high-memory machine type. The default is n1-highmem-2.
    • Zone. The zone to deploy your VM. The default is us-central1-c.
    • Operating system. Choose Windows Server 2012 R2 (win).
  6. Optionally, if you need a swap file larger than the default 4 GB size, add more disks as needed.

  7. The monitoring agent runs as a Windows service, named GCP Metrics Provider.

  8. Confirm your VM deployment on the Deployment Manager page.


  9. Click on the deployment to see more details. For example:

    Deployment details

Installing SAP NetWeaver

For instructions on installing SAP NetWeaver, see the SAP help portal and the SAP NetWeaver Master Guide.

After you install SAP NetWeaver, update the SAP kernel to the minimum supported patch level. For details on the supported SAP kernel patch levels, see the SAP Note 2456953 - Windows on Google Cloud Platform (IaaS): Adaptation of your SAP License.

Ensure that the following support package requirements for SAP NetWeaver are met: SAP Note 1409604 - Virtualization on Windows: Enhanced Monitoring.

Installing the SAP Host Agent

The SAP Host Agent has been enhanced for running on GCP. Ensure that you run at least the minimum SAP Host Agent version required for the GCP environment.

For details, refer to the following SAP Notes:

Migrating an existing system

For migrations, SAP recommends following their best practices for copying components from your source system to a newly created target system. Use homogeneous system copy when the source and target systems use the same OS and database system. Use heterogeneous system copy when the source and target systems use different OS or database systems. The basic steps are:

  1. Create your GCP VMs, network, and other infrastructure, as described in Deploying manually.
  2. Shut down the SAP NetWeaver system.
  3. Use SWPM to export the source system.
  4. Copy the data from the system and database export to your Cloud Storage bucket. Depending on the size of the exported objects and the bandwidth you have available to connect to GCP, you might want to choose from different methods of sending the objects to Cloud Storage.

Use SWPM to create a new, target system and to import the artifacts that you exported from the source system. You can mount the Cloud Storage bucket as a file system for use by the target system.

Validating your installation of the monitoring agent

After you have deployed a VM and installed SAP NetWeaver, validate that Google's monitoring agent is functioning properly with SAP's enhanced monitoring.

Verifying that Google's monitoring agent is running

You can check whether the monitoring agent is running by polling for a health check from the server. Follow these steps:

  1. Use RDP to connect to the VM instance you want to monitor.

  2. In a browser, visit http://localhost:18181/health.

If the monitoring agent is functioning properly, the value for status should be UP. For example:


If the monitoring agent isn't running, see the Operations Guide section about restarting Google's monitoring agent.

Verifying that SAP NetWeaver is receiving metrics

To check whether the connection between Google's monitoring agent and SAP NetWeaver works as intended, enter transaction ST06 in your SAP NetWeaver ABAP system. In the overview pane, check the availability and content of the following fields for the correct end-to-end setup of the SAP and Google monitoring infrastructure:

  • Cloud Provider: Google Cloud Platform
  • Enhanced Monitoring Access: TRUE
  • Enhanced Monitoring Details: ACTIVE

Deploying a 3-tier scale-out system

The steps to deploy each VM in a 3-tier system are very similar to the steps for deploying the example system. In a 3-tier scale-out system, you deploy several VMs:

  • A primary VM that runs the SAP NetWeaver application server (AS) and ABAP central services. This VM also hosts a shared file-system that contains the shared profile and must be accessible from each VM that runs SAP NetWeaver in the system.
  • Some number of additional VMs that run the AS, for scaling purposes.
  • A VM that is dedicated to the central database.
  • Everything needs to run in the same zone.

The high-level steps are as follows:

  1. Create the VM that hosts the database and then install the database. Recall that you might have decided to use a Compute Engine image that includes a SQL Server installation.

  2. Create the primary instance.

    • Run SWPM on the first VM that you want to run SAP NetWeaver.
    • Install central services.
    • Install the AS.
    • Point to the existing database.
  3. Create additional instances.

    • Run SWPM on each additional VM that you want to run SAP NetWeaver.
    • Install the AS.
    • Point to the existing database.
    • Point to the network share that contains the profiles and is managed by the primary instance.


This section contains information about how to correct common issues.

Troubleshooting connecting to your VM

If you are having issues connecting to your VM through SSH, ensure that you have created a firewall rule to open port 22 on the GCP network you are using.

For other possible issues, see Known issues for SSH from the browser.

Troubleshooting Google's monitoring agent

To troubleshoot the monitoring agent, see the Operations Guide.

Was this page helpful? Let us know how we did:

Send feedback about...