SAP HANA deployment guide

This deployment guide shows you how to deploy a SAP HANA system on Google Cloud Platform (GCP) by using Cloud Deployment Manager and a configuration file template to define your installation. The guide helps you configure Compute Engine virtual machines (VMs) and persistent disks, as well as the Linux operating system, to achieve the best performance for your SAP HANA system. The Deployment Manager template incorporates best practices from both Compute Engine and SAP.

Use this guide to deploy either a single-host scale-up or a multi-host scale-out SAP HANA system that does not include standby hosts.

If you need to include SAP HANA automatic host failover, use the SAP HANA Scale-Out System with Host Auto-Failover Deployment Guide instead.

If you need to deploy a Linux high-availability cluster for a single-host SAP HANA system, use the SAP HANA High Availability Cluster on SLES Deployment Guide.

Prerequisite tasks

If you don't already have them set up, you need to create a GCP account and project. You also need to set up Virtual Private Cloud networking, as well as a method for controlling access to your VMs. Finally, you need to load the SAP HANA installation media into a Cloud Storage bucket.

Setting up your Google account

A Google account is required to work with GCP.

  1. Sign up for a Google account if you don't already have one.
  2. Log in to the Google Cloud Platform Console, and create a new project.
  3. Enable your billing account.
  4. Configure SSH keys so that you are able to use them to SSH into your Compute Engine instances. Use the gcloud command-line tool to create a new SSH key, or, if you already have an existing SSH key, use the tool to format your existing SSH keys.
  5. Use the gcloud command-line tool or GCP Console to add the SSH keys to your project metadata. This allows you to access any Compute Engine instance created within this project, except for instances that explicitly disable project-wide SSH keys.

Creating a network

For security purposes, create a new network. You can control who has access by adding firewall rules or by using another access control method.

If your project has a default VPC network, don't use it. Instead, create your own VPC network so that the only firewall rules in effect are those that you create explicitly.

During deployment, VM instances typically require access to the internet to download Google's monitoring agent. If you are using one of the SAP-certified Linux images that are available from GCP, the VM instance also requires access to the internet in order to register the license and to access OS vendor repositories. A configuration with a NAT gateway and with VM network tags supports this access, even if the target VMs do not have external IPs.

To set up networking:

  1. Go to Cloud Shell.

    Go to Cloud Shell

  2. To create a new network in the custom subnetworks mode, run:

    gcloud compute networks create [YOUR_NETWORK_NAME] --subnet-mode custom

    where [YOUR_NETWORK_NAME] is the name of the new network. The network name can contain only lowercase characters, digits, and the dash character (-).

    Specify --subnet-mode custom to avoid using the default auto mode, which automatically creates a subnet in each Compute Engine region. For more information, see Subnet creation mode.

  3. Create a subnetwork, and specify the region and IP range:

    gcloud compute networks subnets create [YOUR_SUBNETWORK_NAME] \
            --network [YOUR_NETWORK_NAME] --region [YOUR_REGION] --range [YOUR_RANGE]

    where:

    • [YOUR_SUBNETWORK_NAME] is the new subnetwork.
    • [YOUR_NETWORK_NAME] is the name of the network you created in the previous step.
    • [REGION] is the region where you want the subnetwork.
    • [YOUR_RANGE] is the IP address range, specified in CIDR format, such as 10.1.0.0/24. If you plan to add more than one subnetwork, assign non-overlapping CIDR IP ranges for each subnetwork in the network. Note that each subnetwork and its internal IP ranges are mapped to a single region.
  4. Optionally, repeat the previous step and add additional subnetworks.

Setting up a NAT gateway

If you intend to create one or more VMs that will not have public IP addresses, you must create a NAT gateway so that your VMs can access the Internet to download Google's monitoring agent.

If you intend to assign an external public IP address to your VM, you can skip this step.

To create a NAT gateway:

  1. Create a VM to act as the NAT gateway in the subnet you just created:

    gcloud compute instances create [YOUR_VM_NAME] --can-ip-forward \
            --zone [YOUR_ZONE]  --image-family [YOUR_IMAGE_FAMILY] \
            --image-project [YOUR_IMAGE_PROJECT] \
            --machine-type=[YOUR_MACHINE_TYPE] --subnet [YOUR_SUBNETWORK_NAME] \
            --metadata startup-script="sysctl -w net.ipv4.ip_forward=1; iptables \
            -t nat -A POSTROUTING -o eth0 -j MASQUERADE" --tags [YOUR_VM_TAG]

    where:

    • [YOUR_VM_NAME] is the name of the VM you are creating that want to use for the NAT gateway.
    • [YOUR_ZONE] is the zone where you want the VM.
    • [YOUR_IMAGE_FAMILY] and [YOUR_IMAGE_PROJECT] specify the image you want to use for the NAT gateway.
    • [YOUR_MACHINE_TYPE] is any supported machine type. If you expect high network traffic, choose a machine type with that has at least eight virtual CPUs.
    • [YOUR_SUBNETWORK_NAME] is the name of the subnetwork where you want the VM.
    • [YOUR_VM_TAG] is a tag that is applied to the VM you are creating. If you use this VM as a bastion host, this tag is used to apply the related firewall rule only to this VM.
  2. Create a route that is tagged so that traffic passes through the NAT VM instead of the default Internet gateway:

    gcloud compute routes create [YOUR_ROUTE_NAME] \
            --network [YOUR_NETWORK_NAME] --destination-range 0.0.0.0/0 \
            --next-hop-instance [YOUR_VM_NAME] --next-hop-instance-zone \
            [YOUR_ZONE] --tags [YOUR_TAG_NAME] --priority 800

    where:

    • [YOUR_ROUTE_NAME] is the name of the route you are creating.
    • [YOUR_NETWORK_NAME] is the network you created.
    • [YOUR_VM_NAME] is the VM you are using for your NAT gateway.
    • [YOUR_ZONE] is the zone where the VM is located.
    • [YOUR_TAG_NAME] is the tag on the route that directs traffic through the NAT VM.
  3. If you also want to use the NAT gateway VM as a bastion host, run the following command. This command creates a firewall rule that allows inbound SSH access to this instance from the Internet:

    gcloud compute firewall-rules create allow-ssh --network [YOUR_NETWORK_NAME] --allow tcp:22 --source-ranges 0.0.0.0/0 --target-tags "[YOUR_VM_TAG]"

    where:

    • [YOUR_NETWORK_NAME] is the network you created.
    • [YOUR_VM_TAG] is the tag you specified when you created the NAT gateway VM. This tag is used so this firewall rule applies only to the VM that hosts the NAT gateway, and not to all VMs in the network.

Adding firewall rules

By default, an implied firewall rule blocks incoming connections from outside your Virtual Private Cloud (VPC) network. To allow incoming connections, set up a firewall rule for your VM. After an incoming connection is established with a VM, traffic is permitted in both directions over that connection.

You can create a firewall rule to allow external access to specified ports, or to restrict access between VMs on the same network. If the default VPC network type is used, some additional default rules also apply, such as the default-allow-internal rule, which allows connectivity between VMs on the same network on all ports.

Depending on the IT policy that is applicable to your environment, you might need to isolate or otherwise restrict connectivity to your database host, which you can do by creating firewall rules.

Depending on your scenario, you can create firewall rules to allow access for:

  • The default SAP ports that are listed in TCP/IP of All SAP Products.
  • Connections from your computer or your corporate network environment to your Compute Engine VM instance. If you are unsure of what IP address to use, talk to your company's network administrator.
  • Communication between VMs when, for example, your database server and application server are running on different VMs. To enable communication between VMs, you must create a firewall rule to allow traffic that originates from the subnetwork.
  • SSH connections to your VM instance, including SSH from the browser.
  • Connection to your VM by using a third-party tool in Linux. Create a rule to allow access for the tool through your firewall.

To create a firewall rule:

  1. In the GCP Console, go to the Firewall rules page.

    OPEN FIREWALL RULES

  2. At the top of the page, click Create firewall rule.

    • In the Network field, select the network where your VM is located.
    • In the Targets field, specify the resources on GCP that this rule applies to. For example, specify All instances in the network. Or to to limit the rule to specific instances on GCP, enter tags in Specified target tags.
    • In the Source filter field, select one of the following:
      • IP ranges to allow incoming traffic from specific IP addresses. Specify the range of IP addresses in the Source IP ranges field.
      • Subnets to allow incoming traffic from a particular subnetwork. Specify the subnetwork name in the following Subnets field. You can use this option to allow access between the VMs in a 3-tier or scaleout configuration.
    • In the Protocols and ports section, select Specified protocols and ports and enter tcp:[PORT_NUMBER].
  3. Click Create to create your firewall rule.

Creating a Cloud Storage bucket for the SAP HANA installation files

The installation files that contain the SAP HANA binaries must be stored in a Cloud Storage bucket before you can use Deployment Manager to install SAP HANA. Deployment Manager expects the files in the file formats provided by SAP. Depending on your version of SAP HANA, the file format might be a .zip file or .exe and .rar files.

To download the SAP HANA installation files, create a bucket, and upload the files to the bucket:

  1. From SAP Software Downloads, download all parts of the Linux x86_64 distribution of SAP HANA Platform Edition 1.0 or 2.0, as well as any applicable revision upgrades to your local drive.

    If your SAP Support Portal account does not allow access to the software and you believe that you should be entitled to the software, contact the SAP Global Support Customer Interaction Center.

  2. Use the GCP Console to create a Cloud Storage bucket for storing the SAP HANA installation files. Note that the bucket name must be unique across GCP.

    • During bucket creation, choose Standard for your storage class.
  3. Configure bucket permissions. By default, as owner of the bucket, you have read-write access to the bucket. If you want, you can allow other members in your group or individual users to access your bucket, as shown here:

    Bucket Permissions

  4. In the GCP Console, in the Cloud Storage bucket page, choose Upload Files to upload the SAP HANA software and any upgrade revision files to your bucket from your local media:

    Upload Files

  5. Note the name of the bucket that you uploaded the binaries to. You need to use it later when you install SAP HANA.

Creating a VM with SAP HANA installed

The following instructions use the Deployment Manager to install SAP HANA on one or more VM instances with all of the persistent disks that SAP HANA requires. You define the values for the installation in a Deployment Manager configuration file template.

Deployment Manager treats your SAP HANA system and all of the VMs, disks, and other resources that are created for the SAP HANA system as a single entity called a deployment. You can view all of the deployments for your GCP project on the Deployment Manager Deployments page.

The following instructions use Cloud Shell, but are generally applicable to the Cloud SDK.

  1. Confirm that your current quotas for resources such as persistent disks and CPUs are sufficient for the SAP HANA system you are about to install. If your quotas are insufficient, deployment fails. For the SAP HANA quota requirements, see Pricing and quota considerations for SAP HANA.

    Go to the quotas page

  2. Open the Cloud Shell or, if you installed the Cloud SDK on your local workstation, open a terminal.

    Go to the Cloud Shell

  3. Download the template.yaml configuration file template to your working directory by entering the following command in the Cloud Shell or Cloud SDK:

    wget https://storage.googleapis.com/sapdeploy/dm-templates/sap_hana/template.yaml
    
  4. Optionally, rename the template.yaml file to identify the configuration it defines.

  5. Open the template.yaml file in Cloud Shell code editor or, if you are using the Cloud SDK, the text editor of your choice.

    To open the Cloud Shell code editor, click the pencil icon in the upper right corner of the Cloud Shell terminal window.

  6. In the template.yaml file, update the following property values by replacing the brackets and their contents with the values for your installation.

    Some of the property values that you specify for the SAP HANA system, such as [SID] or [PASSWORD], are subject to rules that are defined by SAP. For more information, see the Parameter Reference in the SAP HANA Server Installation and Update Guide.

    If you want to create a VM instance without installing SAP HANA, delete all of the lines that begin with sap_hana_.

    Property Data type Description
    instanceName String The name of the VM instance for the SAP HANA master host. The name must be specified in lowercase letters, numbers, or hyphens. The VM instances for any worker hosts use the same name with a "w" and the host number appended to the name.
    instanceType String The type of Compute Engine virtual machine that you want to run SAP HANA on.
    zone String The zone in which you are deploying your SAP HANA system to run. It must be in the region that you selected for your subnet.
    subnetwork String The name of the subnetwork you created in a previous step. If you are deploying to a shared VPC, specify this value as [SHAREDVPC_PROJECT]/[SUBNETWORK]. For example, myproject/network1.
    linuxImage String The name of the Linux operating-system image or image family that you are using with SAP HANA. To specify an image family, add the prefix family/ to the family name. For example, family/rhel-7-4-sap or family/sles-12-sp2-sap. To specify a specific image, specify only the image name. For the list of available image families, see the Images page in the Cloud console.
    linuxImageProject String The GCP project that contains the image you are going to use. This project might be your own project or a GCP image project, such as rhel-sap-cloud or suse-sap-cloud. For a list of GCP image projects, see the Images page in the Compute Engine documentation.
    sap_hana_deployment_bucket String The name of the GCP storage bucket in your project that contains the SAP HANA installation and revision files that you uploaded in a previous step. Any upgrade revision files in the bucket are applied to SAP HANA during the deployment process.
    sap_hana_sid String The SAP HANA system ID. The ID must consist of three alphanumeric characters and begin with a letter. All letters must be uppercase.
    sap_hana_instance_number Integer The instance number, 0 to 99, of the SAP HANA system. The default is 0.
    sap_hana_sidadm_password String The password for the operating system administrator. Passwords must be at least eight characters and include at least one uppercase letter, one lowercase letter, and one number.
    sap_hana_system_password String The password for the database superuser. Passwords must be at least 8 characters and include at least one uppercase letter, one lowercase letter, and one number.
    sap_hana_scaleout_nodes Integer The number of additional SAP HANA worker hosts that you need. The worker hosts are in addition to the primary SAP HANA instance. For example, if you specify 3, four SAP HANA instances are deployed in a scale-out cluster.
    networkTag String Optional. A network tag that represents your VM instance for firewall or routing purposes. If you specify publicIP: No and do not specify a network tag, be sure to provide another means of access to the internet.
    publicIP Boolean Optional. Determines whether a public IP address is added to your VM instance. The default is Yes.

    The following example shows a completed configuration file, which directs the Deployment Manager to deploy an n1-highmem-96 virtual machine with a scale-out HANA system that includes a master SAP HANA instance with three worker hosts. SAP HANA is running on a SLES 12 SP2 operating system.

    imports:
    ‐ path: https://storage.googleapis.com/sapdeploy/dm-templates/sap_hana/sap_hana.py
    
    resources:
    ‐ name: sap_hana
      type: https://storage.googleapis.com/sapdeploy/dm-templates/sap_hana/sap_hana.py
      properties:
        instanceName: example-vm
        instanceType: n1-highmem-96
        zone: us-central1-f
        subnetwork: default
        linuxImage: family/sles-12-sp2-sap
        linuxImageProject: suse-sap-cloud
        sap_hana_deployment_bucket: mybucketname
        sap_hana_sid: ABC
        sap_hana_instance_number: 00
        sap_hana_sidadm_password: Google123
        sap_hana_system_password: Google123
        sap_hana_scaleout_nodes: 3
    
  7. Create the instances:

    gcloud deployment-manager deployments create [DEPLOYMENT-NAME] --config [TEMPLATE-NAME].yaml
    

    The above command invokes the Deployment Manager, which deploys the VMs, downloads the SAP HANA software from your storage bucket, and installs SAP HANA, all according to the specifications in your template.yaml file. The process takes approximately 10 to 15 minutes to complete. To check the progress of your deployment, follow the steps in the next section.

Verifying deployment

  1. Open Stackdriver Logging to check for errors and monitor the progress of the installation.

    Go to Stackdriver Logging

  2. On the Resources tab, select Global as your logging resource.

    • If "INSTANCE DEPLOYMENT COMPLETE" is displayed for all VMs, Deployment Manager processing is complete and you can proceed to the next step.
    • If you see a quota error:

      1. On the IAM & admin Quotas page, increase any of your quotas that do not meet the SAP HANA requirements that are listed in the SAP HANA Planning Guide.
      2. On the Deployment Manager Deployments page, delete the deployment to clean up the VMs and persistent disks from the failed installation.
      3. Rerun the Deployment Manager.

    Stackdriver logging display.

  3. After the SAP HANA system deploys without errors, connect to your VM by using SSH. From the Compute Engine VM instances page, you can click the SSH button for your VM instance, or you can use your preferred SSH method.

    SSH button on Compute Engine VM instances page.

  4. Change to the root user.

    sudo su -
  5. At the command prompt, enter df -h. Ensure that you see output similar to the following, such as the /hana/data directory.

    Data volumes created by the script.

  6. Change to the SAP admin user. Replace [SID] with the [SID] value that you specified in the configuration file template.

    su - [SID]adm
    
  7. Ensure that SAP HANA services, such as hdbnameserver, hdbindexserver, and others, are running on the instance by entering the following command:

    HDB info
    

If any of the validation steps show that the installation failed, resolve any errors, delete the deployment from the Deployments page, and then recreate the instances, as described in the last step of the previous section.

Completing the NAT gateway installation

If you created a NAT gateway, complete the following steps.

  1. Add tags to all instances, including the worker hosts:

    export INSTANCE_NAME="[YOUR_VM_NAME]"
    export NETWORK_NAME="[YOUR_NETWORK_NAME]"
    export ZONE="[YOUR_ZONE]"
    export TAG="[YOUR_TAG_TEXT]"
    gcloud compute instances add-tags "$INSTANCE_NAME" --tags="$TAG" --zone=$ZONE
    gcloud compute instances add-tags "$INSTANCE_NAME"w1 --tags="$TAG" --zone=$ZONE
    gcloud compute instances add-tags "$INSTANCE_NAME"w2 --tags="$TAG" --zone=$ZONE
    gcloud compute instances add-tags "$INSTANCE_NAME"w3 --tags="$TAG" --zone=$ZONE
  2. Delete external IPs:

    gcloud compute instances delete-access-config "$INSTANCE_NAME" --access-config-name "external-nat" --zone=$ZONE
    gcloud compute instances delete-access-config "$INSTANCE_NAME"w1 --access-config-name "external-nat" --zone=$ZONE
    gcloud compute instances delete-access-config "$INSTANCE_NAME"w2 --access-config-name "external-nat" --zone=$ZONE
    gcloud compute instances delete-access-config "$INSTANCE_NAME"w3 --access-config-name "external-nat" --zone=$ZONE

Installing SAP HANA Studio on a Compute Engine Windows VM

You can connect from a SAP HANA instance outside of GCP or from an instance on GCP. To do so, you might need to enable network access to the target VMs from within SAP HANA Studio.

To install SAP HANA Studio on a Windows VM on GCP, use the following procedure.

  1. Use the Cloud Shell to invoke the following commands.

    OPEN THE CLOUD SHELL

    export NETWORK_NAME="[YOUR_NETWORK_NAME]"
    export REGION="[YOUR_REGION]"
    export ZONE="[YOUR_ZONE]"
    export SUBNET="[YOUR_SUBNETWORK_NAME]"
    gcloud compute instances create "saphanastudio" --zone $ZONE --machine-type "n1-standard-2" \
      --subnet $SUBNET --metadata "tag1=hanastudio" --image-family "windows-2016" \
      --image-project "windows-cloud" --boot-disk-size "100" --boot-disk-type "pd-standard" \
      --boot-disk-device-name "saphanastudio"
    gcloud compute firewall-rules create ${NETWORK_NAME}-allow-rdp --network $NETWORK_NAME --allow tcp:3389 --source-ranges 0.0.0.0/0 --target-tags "hanastudio"

    The above commands create a Windows server in the subnetwork you created earlier, with a firewall rule to allow access to the instance through Remote Desktop Protocol (RDP). Although not shown in this guide, you can whitelist your customer IP address range in the firewall rules.

  2. Install SAP HANA Studio on this server.

    1. Upload the SAP HANA Studio installation files and the SAPCAR extraction tool to a Cloud Storage bucket in your GCP project.
    2. Connect to the new Windows VM by using RDP or your preferred method.
    3. In Windows, with administrator permissions, open the Google Cloud SDK Shell or other command-line interface.
    4. Copy the SAP HANA Studio installation files and the SAPCAR extraction tool from the storage bucket to the VM by entering the gsutil cp command in the command interface. For example:

      gsutil cp gs://[SOURCE_BUCKET]/IMC_STUDIO2_232_0-80000323.SAR C:\[TARGET_DIRECTORY] &
      gsutil cp gs://[SOURCE_BUCKET]/SAPCAR_1014-80000938.EXE C:\[TARGET_DIRECTORY]
      
    5. Change the directory to your target directory.

      cd C:\[TARGET_DIRECTORY]
      
    6. Run the SAPCAR program to extract the SAP HANA Studio installation file.

      SAPCAR_1014-80000938.EXE -xvf IMC_STUDIO2_232_0-80000323.SAR
      
    7. Run the extracted hdbinst program to install SAP HANA Studio.

Setting up Google's monitoring agent for SAP HANA

Optionally, you can set up Google's monitoring agent for SAP HANA, which collects metrics from SAP HANA and sends them to Stackdriver Monitoring. Stackdriver Monitoring allows you to create dashboards for your metrics, set up custom alerts based on metric thresholds, and more. For more information on setting up and configuring Google's monitoring agent for SAP HANA, see the SAP HANA Monitoring Agent User Guide.

Connecting to SAP HANA

Note that because these instructions don't use an external IP for SAP HANA, you can only connect to the SAP HANA instances through the bastion instance using SSH or through the Windows server through SAP HANA Studio.

  • To connect to SAP HANA through the bastion instance, connect to the bastion host, and then to the SAP HANA instance(s) by using an SSH client of your choice.

  • To connect to the SAP HANA database through SAP HANA Studio, use a remote desktop client to connect to the Windows Server instance. After connection, manually install SAP HANA Studio and access your SAP HANA database.

Performing post-deployment tasks

Before using your SAP HANA instance, we recommend that you perform the following post-deployment steps. For more information, see SAP HANA Installation and Update Guide.

  1. Install your permanent SAP HANA license. If you do not, SAP HANA might go into database lockdown after the temporary license expires.

    For more information from SAP about managing your SAP HANA licenses, see License Keys for the SAP HANA Database.

  2. Update the SAP HANA software with the latest patches.

  3. Install any additional components such as Application Function Libraries (AFL) or Smart Data Access (SDA).

  4. Configure and backup your new SAP HANA database. For more information, see the SAP HANA operations guide.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...