This guide provides information that you can use to plan for the installation of an IBM Db2 Advanced Enterprise Server Edition (AESE) for Linux, UNIX, and Windows (IBM Db2) system that supports SAP applications on the Google Cloud Platform (GCP).
To deploy IBM Db2 with SAP products on GCP, see the IBM Db2 Deployment Guide.
For links to more information from SAP about IBM Db2, see SAP on IBM Db2 for Linux, UNIX, and Windows.
For more information about the products that SAP certifies to run on GCP, including IBM Db2, see SAP Note 2456432: SAP Applications on Google Cloud Platform: Supported Products and Google VM types.
GCP consists of many cloud-based services and products. When running SAP products on GCP, you mainly use the IaaS-based services offered through Compute Engine and Cloud Storage, as well as some platform-wide features, such as the GCP Console and the gcloud command-line tool.
See the GCP platform overview for important concepts and terminology. This guide duplicates some information from the overview for convenience and context.
For an overview of considerations that enterprise-scale organizations should take into account when running on GCP, see best practices for enterprise organizations.
Interacting with GCP
GCP offers three main ways to interact with the platform, and your resources, in the cloud:
- The Google Cloud Platform Console, which is a web-based user interface.
- The gcloud command-line tool, which provides a superset of the functionality that the GCP Console offers.
- Client libraries, which provide APIs for accessing services and managing resources. Client libraries are useful when building your own tools.
SAP deployments typically utilize some or all of the following GCP services:

| Service | Description |
|---|---|
| VPC Networking | Connects your VM instances to each other and to the Internet. Each instance is a member of either a legacy network with a single global IP range, or a recommended subnet network, where the instance is a member of a single subnetwork that is part of a larger network. A network cannot span GCP projects, but a GCP project can have multiple networks. |
| Compute Engine | Creates and manages VMs with your choice of operating system and software stack. |
| Persistent disks | Durable block storage for your VMs, available as either standard hard disk drives (HDD) or solid-state drives (SSD). |
| Google Cloud Platform Console | Browser-based tool for managing Compute Engine resources. You can use a template to describe all of the Compute Engine resources and instances you need, so that you don't have to individually create and configure the resources or work out their dependencies. |
| Cloud Storage | Stores your SAP database backups with replication, for added durability and reliability. |
| Stackdriver Monitoring | Provides visibility into the deployment, performance, uptime, and health of Compute Engine, the network, and persistent disks. Stackdriver collects metrics, events, and metadata from GCP and uses these to generate insights through dashboards, charts, and alerts. You can monitor the compute metrics at no cost through Stackdriver Monitoring. |
| Cloud IAM | Provides unified control over permissions for GCP resources. Control who can perform control-plane operations on your VMs, including creating, modifying, and deleting VMs and persistent disks, and creating and modifying networks. |
Pricing and quotas
GCP resources are subject to quotas. If you plan to use high-CPU or high-memory machines, you might need to request additional quota. For more information, see Compute Engine resource quotas.
An IBM Db2 installation with a single-partition database on GCP comprises the following components:
- One Compute Engine VM running your IBM Db2 database.
- The root persistent disk plus six additional attached persistent disks:
  - The database ID volume.
  - The instance volume (/db2/db2<dbsid>), which contains the home directory of the Db2 instance user, the IBM Db2 instance data, and the IBM Db2 software.
  - The log volume (/db2/<DBSID>/log_dir), which contains at least the online database log files.
  - The dump/diagnostic volume (/db2/<DBSID>/db2dump), which contains Db2 diagnostic log files, Db2 dump files, and further information for service engineers.
  - The data volume (/db2/<DBSID>/sapdata/sapdata<n>), which is the storage location for tablespaces with container type database managed space (DMS) FILE or tablespaces that use Db2 automatic storage.
  - The temporary tablespace volume (/db2/<DBSID>/saptmp<n> or /db2/<DBSID>/saptmp/saptmp<n>), which is the storage location for temporary tablespaces.
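The layout above is worth verifying on a freshly built VM: a volume whose directory exists but was never mounted silently lands on the root disk, and a log volume that shares a device with the data volume loses the point of keeping them apart. The following script is an added example written for this guide, not code from Google, SAP, or IBM. It reads mounts in /proc/mounts format and, for the DBSID SD1 (an assumed value), reports which of the volumes whose paths are listed above are not their own mount point and which pairs of volumes share a block device. The device names and both mount tables are constructed samples.

```python
"""Verify that each Db2-for-SAP volume listed above is its own mount on its own disk.

Added example for this guide; not code from Google, SAP or IBM. The DBSID
"SD1", the device names and both mount tables are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts format: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # /proc/mounts writes a space inside a path as the octal escape \040
        mounts.append(Mount(parts[0], parts[1].replace("\\040", " "), parts[2]))
    return mounts


def role_patterns(dbsid: str) -> dict[str, re.Pattern]:
    """Expected mount point for each volume role, using the paths listed above."""
    sid, low = re.escape(dbsid.upper()), re.escape(dbsid.lower())
    return {
        "root": re.compile(r"^/$"),
        "instance": re.compile(rf"^/db2/db2{low}$"),
        "log": re.compile(rf"^/db2/{sid}/log_dir$"),
        "dump": re.compile(rf"^/db2/{sid}/db2dump$"),
        "data": re.compile(rf"^/db2/{sid}/sapdata/sapdata\d+$"),
        "temp": re.compile(rf"^/db2/{sid}/(saptmp\d+|saptmp/saptmp\d+)$"),
    }


def check_layout(mounts: list[Mount], dbsid: str) -> dict:
    """Return roles with no mount of their own, and role pairs that share a device.

    A directory that exists but is not a mount point is reported as missing:
    its data lives on whatever holds the parent, usually the root disk.
    Several sapdata<n> mounts on one device are the same role and are not
    flagged. LVM logical volumes are compared by name only; resolve them to
    physical disks first if you use LVM.
    """
    devices = {role: {m.device for m in mounts if pat.match(m.mountpoint)}
               for role, pat in role_patterns(dbsid).items()}
    missing = sorted(role for role, devs in devices.items() if not devs)
    shared = []
    roles = sorted(devices)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            for dev in sorted(devices[a] & devices[b]):
                shared.append((a, b, dev))
    return {"missing": missing, "shared_device": shared}


# Constructed sample: the layout described above, one disk per volume.
GOOD_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb /db2/db2sd1 xfs rw,noatime 0 0
/dev/sdc /db2/SD1/log_dir xfs rw,noatime 0 0
/dev/sdd /db2/SD1/db2dump xfs rw,noatime 0 0
/dev/sde /db2/SD1/sapdata/sapdata1 xfs rw,noatime 0 0
/dev/sde /db2/SD1/sapdata/sapdata2 xfs rw,noatime 0 0
/dev/sdf /db2/SD1/saptmp1 xfs rw,noatime 0 0
"""

# Constructed sample with two mistakes: log_dir shares the data disk, and
# saptmp was never mounted, so temporary tablespaces land on the root disk.
BAD_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb /db2/db2sd1 xfs rw,noatime 0 0
/dev/sde /db2/SD1/log_dir xfs rw,noatime 0 0
/dev/sdd /db2/SD1/db2dump xfs rw,noatime 0 0
/dev/sde /db2/SD1/sapdata/sapdata1 xfs rw,noatime 0 0
"""


if __name__ == "__main__":
    for label, table in (("good", GOOD_MOUNTS), ("bad", BAD_MOUNTS)):
        print(label, check_layout(parse_mounts(table), "SD1"))
```

On a real host, feed the script the contents of /proc/mounts instead of the samples. The database ID volume is not checked because its path is not given above; add a pattern for it once you know the mount point your installation guide prescribes.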
Depending on the requirements of your installation, you might also need the following:
- A NAT gateway. A NAT gateway allows you to provide Internet connectivity for your VMs while denying direct Internet connectivity to those VMs. You could also configure this VM as a bastion host that allows you to establish SSH connections to the other VMs on your private subnet. See NAT gateways and bastion hosts for more information.
- A backup volume for storing warm backups.
- A storage volume for storing log archives.
Different use cases might require additional devices or databases. For more information, see:
- SAP Note 1707361 - Inst. Systems Based on NW 7.1 and Higher: UNIX Db2 for LUW.
- The appropriate installation guide for your SAP system with IBM Db2.
In many ways, running IBM Db2 with SAP on GCP is similar to running it in your own data center. You still need to think about computing resources, storage, and networking considerations.
For more information, see the appropriate installation guide for your SAP system with IBM Db2.
IBM Db2 is certified to run on all Compute Engine machine types, including custom types. In most cases, use a machine type with two or more virtual CPUs.
For information about different GCP machine types and their use cases, see Machine Types in the Compute Engine documentation.
The number of vCPUs required varies depending on the application load on IBM Db2 LUW. You should allocate a minimum of two vCPUs to your IBM Db2 installation. To achieve best use of existing resources by your IBM Db2 system, follow the guidance in the SAP on IBM Db2 for Linux, UNIX, and Windows documentation and adjust your computing resources as needed.
Your IBM Db2 VM should have at least 4 GB of RAM per vCPU. Of this amount, approximately 80% of your RAM should be allocated to IBM Db2, with the rest allocated to the OS on which IBM Db2 is running.
The optimal amount of memory for your use case depends on the complexity of the queries you're running, the size of your data, the amount of parallelism you're using, and the level of performance you're expecting. For further guidance about optimizing your memory configuration, see the SAP on IBM Db2 for Linux, UNIX, and Windows documentation.
By default, each Compute Engine VM has a small root persistent disk that contains the operating system. In addition, you should create, attach, format, and mount additional disks for your database, your logs, and your stored procedures.
You can use standard HDD persistent disks or SSD persistent disks as storage for your IBM Db2 VMs. The performance of your persistent disks depends on the disk size and the number of vCPUs in the host machine. For a detailed overview of persistent disk performance benchmarks, see Optimizing Persistent Disk and Local SSD Performance.
Your disk size and performance requirements will depend on your application. Size each device according to your needs. For guidance on disk sizing, see:
- Required File Systems for IBM Db2 for Linux, UNIX, and Windows
- SAP Note 1707361 - Inst. Systems Based on NW 7.1 and Higher: UNIX Db2 for LUW
For a high-level description of persistent disks, see Persistent disks below.
Supported IBM Db2 versions
SAP certified SAP NetWeaver with the following editions of IBM Db2 on GCP:
- Db2 Advanced Enterprise Server Edition (AESE) version 11.1 for Linux, UNIX, and Windows
- Db2 Advanced Enterprise Server Edition (AESE) version 10.5 for Linux, UNIX, and Windows
You must use the SAP-certified IBM Db2 software fix pack (FP) levels. The use of other IBM Db2 software levels is not allowed.
For more information, see SAP Note 101809 - DB6: Supported Db2 Versions and Fix Pack Levels.
Supported IBM Db2 features
SAP supports most IBM Db2 features on GCP. However, the following features are not currently supported:
- High Availability and Disaster Recovery for Db2
- Multi-partition Db2 databases
- IBM Db2 pureScale feature
Supported operating systems
SAP has certified GCP to run IBM Db2 on the following SUSE Linux Enterprise Server (SLES), Red Hat Enterprise Linux (RHEL), and Windows Server operating system images:
- SLES 12 SP2 and above
- RHEL 7.4
- Windows Server 2012 R2 and above
For more information about Compute Engine images, see Images.
Regions and zones
When you deploy a VM, you must choose a region and zone. A region is a specific geographical location where you can run your resources, and corresponds to a data center location. Each region has one or more zones.
Global resources, such as preconfigured disk images and disk snapshots, can be accessed across regions and zones. Regional resources, such as static external IP addresses, can be accessed only by resources that are in the same region. Zonal resources, such as VMs and disks, can be accessed only by resources that are located in the same zone.
When choosing regions and zones for your VMs, keep the following in mind:
- The location of your users and your internal resources, such as your data center or corporate network. To decrease latency, select a location that is in close proximity to your users and resources.
- The location of your other SAP resources. Your SAP application and your database must be in the same zone.
Persistent disks
Persistent disks are durable storage devices that function similarly to the physical disks in a desktop or a server. Google manages the hardware behind these devices to ensure data redundancy and to optimize performance. Persistent disks are available as either standard hard disk drives (HDD) or solid-state drives (SSD). Standard HDD persistent disks are efficient and economical for handling sequential read-write operations, but are not optimized to handle high rates of random input-output operations per second (IOPS).
Persistent disks are located independently from your VMs, so you can detach or move persistent disks to keep your data, even after you delete your VMs. Persistent disk performance scales automatically with disk size, so you can resize your existing persistent disks or add more persistent disks to a VM to meet your performance and storage space requirements.
Local SSD (non-persistent)
GCP also offers local SSD disk drives. Although local SSDs can offer some advantages over persistent disks, don't use them as part of an IBM Db2 system. VM instances with local SSDs attached cannot be stopped and then restarted.
NAT gateways and bastion hosts
If your security policy requires truly internal VMs (VMs without external IP addresses), such VMs can be reached only by other VMs on the network or through a managed VPN gateway; they cannot reach the Internet on their own, and you cannot connect to them directly by using SSH. To give them Internet egress, set up a NAT proxy on your network and a corresponding route. To reach them over SSH, set up a bastion instance that has an external IP address and tunnel through it. Bastion hosts and NAT gateways are VMs you provision in your network to act as trusted relays for inbound connections and for network egress, respectively. For more transparent connectivity without setting up such relays, you can use a managed VPN gateway resource.
Using bastion hosts for inbound connections
Bastion hosts provide an external-facing point of entry into a network containing private-network VMs. This host can provide a single point of fortification or audit and can be started and stopped to enable or disable inbound SSH communication from the Internet.
You can reach VMs that do not have an external IP address over SSH by first connecting to a bastion host. A complete hardening of a bastion host is outside the scope of this article, but you can take some initial steps, including:
- Limit the CIDR range of source IPs that can communicate with the bastion.
- Configure firewall rules to allow SSH traffic to private VMs only from the bastion host.
By default, SSH on Compute Engine VMs uses public-key authentication. When using a bastion host, you log into the bastion host first and then into your target private VM. Because of this two-step login, use SSH agent forwarding to reach the target VM instead of storing the target VM's private key on the bastion host. You must do this even if you use the same key pair for both the bastion and the target VMs, because the bastion holds only the public half of the key pair. Note that agent forwarding exposes your agent socket to anyone with root on the bastion for the duration of the session; with OpenSSH 7.3 or later, a ProxyJump connection (ssh -J bastion target) reaches the target through the bastion without forwarding the agent at all.
Using NAT gateways for traffic egress
When a VM does not have an assigned external IP address, it cannot make direct connections to external services, including other GCP services. To allow these VMs to reach services on the Internet, you can set up and configure a NAT gateway. The NAT gateway is a VM that can route traffic on behalf of any other VM on the network. You should have one NAT gateway per network. Be aware that a single-VM NAT gateway should not be considered highly available, and cannot support high traffic throughput for multiple VMs. See the IBM Db2 Deployment Guide for SAP NetWeaver for instructions on how to set up a VM to act as a NAT gateway.
After your system is up and running, you can create custom images. You should create these images when you modify the state of your root persistent disk and want to be able to easily restore the new state. You should have a plan for how to manage the custom images you create. For more information, see Image Management Best Practices.
Networking and security
Consider the information in the following sections when planning networking and security.
Minimum privilege model
One of your first lines of defense is to restrict who can reach your network and your VMs by using firewalls. By default, all traffic to VMs, even from other VMs, is blocked by the firewall unless you create rules to allow access. The exception is the default network that is created automatically with each project and has default firewall rules.
By creating firewall rules, you can restrict all traffic on a given set of ports to specific source IP addresses. You should follow the minimum privilege model to restrict access to the specific IP addresses, protocols, and ports that need access. For example, you should always set up a bastion host and allow SSH into your SAP NetWeaver system only from that host.
Understanding how access management works in GCP is key to planning your implementation. You need to make decisions about:
- How to organize your resources in GCP.
- Which team members can access and work with resources.
- Exactly which permissions each team member can have.
- Which services and applications need to use which service accounts, and what level of permissions to grant in each case.
Start by understanding the Cloud Platform Resource Hierarchy. It's important that you understand what the various resource containers are, how they relate to each other, and where the access boundaries are created.
Cloud Identity and Access Management (IAM) provides unified control over permissions for GCP resources. You can manage access control by defining who has what access to resources. For example, you can control who can perform control-plane operations on your SAP instances, such as creating and modifying VMs, persistent disks, and networking.
For more details about IAM, see the Overview of IAM.
For an overview of Cloud IAM in Compute Engine, see Access Control Options.
IAM roles are key to granting permissions to users. For a reference about roles and which permissions they provide, see Identity and Access Management Roles.
GCP's service accounts provide a way for you to give permissions to applications and services. It's important to understand how service accounts work in Compute Engine. For details, see Service Accounts.
Custom networks and firewall rules
You can use a network to define a gateway IP and the network range for the VMs attached to that network. All Compute Engine networks use the IPv4 protocol. Every GCP project is provided with a default network with preset configurations and firewall rules, but you should add a custom subnetwork and firewall rules based on a minimum privilege model. By default, a newly created network has no firewall rules and hence no inbound network access; only the implied rule that denies all ingress applies until you add rules.
Depending on your requirements, you might want to add additional subnetworks to isolate parts of your network. For more information, see Subnetworks.
The firewall rules apply to the entire network and all the VMs in the network. You can add a firewall rule that allows traffic between VMs in the same network and across subnetworks. You can also configure firewalls to apply to specific target VMs by using the tagging mechanism.
Some SAP products, such as SAP NetWeaver, require access to certain ports. Be sure to add firewall rules to allow access to the ports outlined by SAP.
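The rules recommended above (SSH to the bastion only from a known range, SSH to the database VMs only from the bastion, application traffic only on the ports SAP lists) are easy to state and easy to get subtly wrong, for example by leaving a rule's target tags empty so that it applies to every VM in the network. The following script is an added example written for this guide; it is not Google's code and does not call the GCP API. It models how VPC ingress firewall rules are evaluated (implied deny-all ingress, lowest priority number wins, deny beats allow at equal priority, sources matched by CIDR range or by network tag, targets matched by tag) and exercises that rule set against a handful of connections. The tag names bastion, db2 and sap-app, the corporate range 203.0.113.0/24, the private addresses, and the Db2 port 5912 are assumptions.

```python
"""Model GCP VPC ingress firewall evaluation for the bastion / Db2 rule set above.

Added example for this guide; not Google's code and not the GCP API. Tag
names, the corporate range 203.0.113.0/24 and the Db2 port 5912 are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocol: str                        # "tcp", "udp", "icmp" or "all"
    ports: tuple[int, ...] = ()          # empty = every port of that protocol
    source_ranges: tuple[str, ...] = ()  # CIDRs; no ranges and no tags means 0.0.0.0/0
    source_tags: tuple[str, ...] = ()    # network tags of sending VMs in this VPC
    target_tags: tuple[str, ...] = ()    # empty = the rule applies to every VM
    priority: int = 1000                 # 0 is evaluated first, 65535 last


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_tags: frozenset            # tags of the sending VM; empty for Internet sources
    dst_tags: frozenset
    protocol: str
    port: int | None


# Assumed rule set for the topology described above.
RULES = (
    Rule("bastion-ssh", "allow", "tcp", (22,),
         source_ranges=("203.0.113.0/24",), target_tags=("bastion",)),
    # A higher-priority (lower number) deny carves a retired subnet out of that range
    Rule("deny-ssh-legacy-range", "deny", "tcp", (22,),
         source_ranges=("203.0.113.128/25",), target_tags=("bastion",), priority=900),
    Rule("db2-ssh-from-bastion", "allow", "tcp", (22,),
         source_tags=("bastion",), target_tags=("db2",)),
    Rule("db2-from-app", "allow", "tcp", (5912,),
         source_tags=("sap-app",), target_tags=("db2",)),
)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's target, protocol, port and source all match the packet."""
    if rule.target_tags and not set(rule.target_tags) & pkt.dst_tags:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    ranges = rule.source_ranges
    if not ranges and not rule.source_tags:
        ranges = ("0.0.0.0/0",)  # GCP's default when a rule names no source at all
    src = ip_address(pkt.src_ip)
    from_range = any(src in ip_network(r) for r in ranges)
    from_tag = bool(set(rule.source_tags) & pkt.src_tags)
    return from_range or from_tag


def evaluate_ingress(rules, pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name) the way the VPC firewall would decide."""
    matching = [r for r in rules if matches(r, pkt)]
    if not matching:
        return "deny", "implied-deny-ingress"   # nothing allowed it: blocked by default
    # lowest priority number wins; at a tie, deny takes precedence over allow
    best = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


def decide(src_ip, src_tags, dst_tags, protocol, port=None, rules=RULES):
    pkt = Packet(src_ip, frozenset(src_tags), frozenset(dst_tags), protocol, port)
    return evaluate_ingress(rules, pkt)


if __name__ == "__main__":
    cases = [
        ("Internet host to Db2 VM, SSH", "198.51.100.7", (), ("db2",), "tcp", 22),
        ("corporate range to bastion, SSH", "203.0.113.10", (), ("bastion",), "tcp", 22),
        ("retired subnet to bastion, SSH", "203.0.113.200", (), ("bastion",), "tcp", 22),
        ("corporate range straight to Db2 VM, SSH", "203.0.113.10", (), ("db2",), "tcp", 22),
        ("bastion to Db2 VM, SSH", "10.0.0.5", ("bastion",), ("db2",), "tcp", 22),
        ("app server to Db2 VM, SSH", "10.0.0.20", ("sap-app",), ("db2",), "tcp", 22),
        ("app server to Db2 VM, Db2 port", "10.0.0.20", ("sap-app",), ("db2",), "tcp", 5912),
    ]
    for label, *args in cases:
        print(f"{label:42s} -> {decide(*args)}")
```

Each Rule maps onto one `gcloud compute firewall-rules create` call with `--direction=INGRESS`, `--action`, `--rules`, `--source-ranges` or `--source-tags`, `--target-tags`, and `--priority`. Two caveats the model makes visible: a tag-based source is only as strong as the IAM controls on who may set instance tags, so where you can, express the bastion-to-database rule with `--source-service-accounts` instead; and the model covers ingress only, because the implied egress rule allows all outbound traffic unless you add egress deny rules.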
Routes are global resources attached to a single network. User-created routes apply to all VMs in a network. This means you can add a route that forwards traffic from VM to VM within the same network and across subnetworks without requiring external IP addresses.
For external access to Internet resources, launch a VM with no external IP address and configure another virtual machine as a NAT gateway. This configuration requires you to add your NAT gateway as a route for your SAP instance. For more information, see NAT gateways and bastion hosts.
You can securely connect your existing network to GCP through a VPN connection using IPsec by using Cloud VPN. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet. You can dynamically control which VMs can send traffic down the VPN using instance tags on routes. Cloud VPN tunnels are billed at a static monthly rate plus standard egress charges. Note that connecting two networks in the same project still incurs standard egress charges. For more information, see the VPN Overview and Choosing a VPN Routing Option.
Securing a Cloud Storage bucket
If you use Cloud Storage to host your backups for your data and log, make sure you use TLS (HTTPS) while sending data to Cloud Storage from your VMs to protect data in transit. Cloud Storage automatically encrypts data at rest. You can specify your own encryption keys if you have your own key-management system.
For security best practices, see Cloud Storage Security.
Related security documents
Refer to the following additional security resources for your SAP environment on GCP:
- Securely Connecting to VM Instances
- Security Center
- Compliance in the Google Cloud
- Google Cloud security whitepaper
- Google Infrastructure security design
Backup and recovery
You must have a plan for how to restore your system to operating condition if the worst happens.
For information about the backup and recovery of IBM Db2 systems that support SAP, see the SAP documentation for IBM Db2 for Linux, UNIX, and Windows. For general guidance about how to plan for disaster recovery using GCP, see the GCP disaster recovery planning documentation.
Licensing
This section provides information about licensing requirements.
IBM Db2 licenses
When running IBM Db2 on GCP, you must bring your own license (BYOL). You can obtain Db2 licenses from SAP or from IBM. For more information about licensing and support, see the following SAP Notes:
- SAP Note 1168456 - DB6: Support Process and End of Support Dates for IBM DB2 LUW
- SAP Note 1260217 - DB6: Software Components Contained in DB2 License from SAP
- SAP Note 816773 - DB6: Installing an SAP OEM license
For more information about SAP licensing, contact SAP.
Operating system licenses
In Compute Engine, there are two ways to license SLES, RHEL, and Windows Server:
- Pay-as-you-go licensing: your Compute Engine VM hourly cost includes licensing, and Google manages the licensing logistics. Your hourly costs are higher, but you have complete flexibility to increase and decrease your costs as needed. This is the licensing model used for GCP public images that include SLES, RHEL, and Windows Server.
- Bring your own license (BYOL): your Compute Engine VM costs are lower because the licensing isn't included. You must migrate an existing license or purchase your own license, which means paying up front, and you have less flexibility.
Support
Cloud Platform customers with Gold or Platinum Support can request assistance with IBM Db2 provisioning and configuration questions on Compute Engine. You can find additional information about support options at the GCP Support page. Customers can also contact SAP support for SAP-related issues. SAP does the initial evaluation of the support ticket and transfers the ticket to the Google queue if SAP considers it an infrastructure issue. For information about SAP support for Db2, see SAP Note 1168456 - DB6: Support Process and End of Support Dates for IBM DB2 LUW.
To deploy IBM Db2 to GCP, see the IBM Db2 Deployment Guide.