Perform Cross-Region, Cross-Account Backup and Restore of SAP HANA database using AWS Backup for SAP

AWS Backup is a fully managed backup service centralizing and automating the backup of data across AWS services. Tçhis centralized, AWS Cloud native solution provides global backup capabilities that can help you achieve your disaster recovery and compliance requirements.

AWS Backup offers a simple, cost-effective, and application-consistent backup and restore solution for SAP HANA databases running on Amazon EC2. The previous launch of AWS Backup for SAP HANA database included support for SAP HANA High Availability databases on Amazon EC2. We continue to innovate on behalf of our customers, and are excited to announce that AWS Backup for SAP HANA databases now support Cross-Region and Cross-Account backup, enabling AWS customers to copy SAP HANA database backups to different regions and accounts. With this new feature you can restore copied backup or create Cross-Region and Cross-Account copies as needed, ensuring disaster recovery and business continuity requirements are met. Snapshot copies provide you with an additional layer of protection should the source account experience disruption from accidental or malicious deletion, disaster, or ransomware.

Getting Started
In this blog we will demonstrate how to perform a Cross-Region and Cross-Account backup copy for SAP HANA databases using AWS Backup by triggering an on-demand backup.

Complete all the prerequisites and the AWS Backup configuration process following all the steps listed here. Opt-in to protect SAP HANA resources before going to the next step. Once the aforementioned steps are complete, take an on-demand backup of your SAP HANA database in source Region following the below steps.

1. Go to AWS Backup console.

2. Click on Dashboard and select Create on-demand backup.

3. Select SAP HANA on Amazon EC2 as Resource type and select your SAP HANA database ID.

Leave the Backup window, Cold storage and Total retention period to default values or adjust them as per your requirements.

For Backup vault, pick either the Default one or use a dedicated one if you have one already.

For IAM role, specify the IAM role that AWS Backup will assume when creating and managing backups on your behalf and then click on Create on-demand backup at the bottom of the page.

4. A screen with the job status opens up automatically.

The job goes through the statuses Pending and Running before it comes to Completed status. Wait, until the job status becomes Completed.

Repeat steps #2-4 to take the backup of TenantDB.

Cross-Region Copy

5. Choose Backup vaults and select the vault that contains the recovery point you want to copy.

6. Under Recovery points, select a recovery point to copy.

7. Using the Actions drop-down button, choose Copy.

8. Under Copy Configuration choose the destination AWS Region for the copy and for the Destination Backup vault choose the destination backup vault for the copy.

( For this demonstration we are using Sydney as the destination AWS Region)

Leave Cold storage and Total retention period to default values or adjust them as per your requirements.

For IAM role, specify the IAM role that AWS Backup will assume when creating and managing backups on your behalf and then click on Create on-demand backup at the bottom of the page.

9. Click on Copy at the bottom

10. A screen with the job status opens up automatically, wait until the status comes to Completed.

Repeat steps #6-9 to copy the recovery point of TenantDB to the destination Region.

You can also use a scheduled backup plan to copy backups across AWS Regions as explained in the AWS documentation Scheduling Cross-Region backup.

11. Go to AWS Backup console in the destination Region.

12. Choose Backup vaults and select the vault that contains the recovery point you copied from the source Region.

13. Make sure the recovery points that you copied from the source Region are present here.

HANA database restore
In the steps below we are going to perform an existing HANA database restore in the destination Region using the recovery points we copied from the source Region..

14. Select the recovery point ID of SystemDB, go to Actions drop-down and choose Restore.

15. On the next screen, under Target database restore location select the SystemDB of the SAP HANA database that you want to be overwritten with the copy from the source Region.

You will also see warnings as shown below, since you are performing a system copy it asks you attach a resource policy to allow-list the source database to be restored into the target database.

16. Click on Copy and execute the command in the target SAP HANA database using AWS CLI.

17. Under Advanced restore settings, select Don’t restore the catalog and click on Restore backup.

.

18. In the next screen, type in overwrite in the box

19.A screen with the job status opens up automatically, wait until the status comes to Completed.

Repeat the steps#14-18 to perform the restore of TenantDB.
Note: The command to attach a resource policy to allow-list the source database to be restored into the target database varies for the TenantDB restore.

Cross-Account Backup and Restore

In this section, you will learn how to perform a Cross-Account backup and restore of SAP HANA database using AWS Backup. The source account is the account where your AWS resources and primary backups reside. The destination account is the account where you would like to keep a copy of your backup.

Steps to Enable Cross-Account Copy of SAP HANA Backup

Follow the steps below to enable the Cross-Account copy of SAP HANA backups, for the detailed documentation refer to Setting up Cross-Account backup

1. Management Account in AWS Organizations

The management account is the primary account in your organization, as defined by AWS Organizations, that you use to manage Cross-Account backup across your AWS accounts.

a. Go to AWS Organizations, and create a management account in AWS organizations.

b. Add your source and destination accounts as part of the AWS Organizations. In this scenario, the source account will be the management account.

c. Make sure that the source and destination accounts are joined.

2. Enable Cross-Account Backup in the AWS Backup Console

Follow the steps below to use Cross-Account backup, you must enable the Cross-Account backup feature in the source account.

a. Log in using your AWS Organizations management account credentials. Cross-Account backup can only be enabled or disabled using these credentials.

b. In the source account, go to AWS Backup console.

c. Under My account, choose Settings.

d. Under Cross-Account management, for Cross-Account backup, choose Enable. Ensure the Cross-Account backup Status shows as On.

3. Enable Destination Vault Access Policy

a. In the Destination account, go to AWS Backup console.

b. In Backup vaults, choose your destination vault.

c. In the Access policy section, choose Add Permissions and then choose Allow access to a Backup vault from organization. Any Cross-Account action other than backup:CopyIntoBackupVault will be rejected.

d. In the next screen “Add permissions: Allow access to a Backup vault from organization”, choose Save
policy.

Steps to perform for Cross-Account copy of the backup and restore
In this example we already have successful on-demand backup of both HANA SystemDB and TenantDB in the source account. You can also use scheduled backup plan to copy backups across AWS accounts as in the AWS documentation Scheduling Cross-Account backup. Follow the steps below to perform a Cross-Account copy of the on-demand HANA database backup from the source account to destination account:

1. In the source account, go to AWS Backup console.

2. In Backup vaults, choose your source backup vault. Select the Recovery Point ID for the SAP HANA database SystemDB backup. Under Actions Click Copy.

3. In the next Screen, under Copy Configuration, specify the Region of the destination account.

4. Toggle the Copy to another account’s vault option and provide the destination account vault ARN.

Also under Allow Backup vault access, click Allow to provide access to the secondary account to copy backups to your Backup vault.

5. In the new pop-up screen under Allow Backup vault access, click Allow to provide the required permissions to the access policy to copy the backup data to your backup vault.

6. You will notice the message “Backup recovery has been enabled in your corresponding backup vault”.

7. Under IAM role, Choose an IAM Role. Specify the IAM role that AWS Backup will assume when creating and managing backups on your behalf.

8. Review the Backup details. Click Copy.

9. A screen with the job status opens up automatically, you will notice the SystemDB Copy Job is In-progress and the Status changing to Running. Wait until the status comes to Completed.

Repeat the steps#4-12 above to perform the copy for TenantDB. You will notice both the copy jobs completed successfully as below.

10. Switch to the destination account, go to AWS Backup console.

11. In Backup vaults, choose your destination vault. You will notice the backup recovery point ID copied from the source account to the destination account.

12. Before you continue with the restore steps, ensure the HANA database on the destination account is stopped with the HDB stop command. Check status of SAP processes with sapcontrol command and note the hdbdaemon status is ‘GRAY’ and ‘Stopped’.

Note: You can also start/stop HANA database systems using the newly released Start/Stop feature of AWS Systems Manager for SAP.

13. In the destination account AWS Backup console, Choose the Recovery Point ID of the copied HANA database SystemDB backup. Under Actions, Choose Restore.

14. In the next screen Restore SAP HANA backup under Target database restore location drop-down choose the target HANA SystemDB as the Target restore location.

15. You will also need to add the required resource policy to allow-list the source database to be restored into the target database. Click on Copy to copy the CLI command to attach the required policies.

16. From the AWS CLI of secondary account, run the copied command as below to attach the required policy and you will notice the output as below.

17. Switch back to the Restore SAP HANA backup console, review the Restore permissions.

18. Under Advanced restore settings, select Don’t restore the catalog and click on Restore backup.

19. Under the Restore backup and overwrite database, type overwrite. Choose Restore backup.

20. You will notice the restore job is in progress as below.

21. Once the SystemDB restore job status shows as Completed. Repeat the steps#14-21 to perform the restore for the TenantDB. Ensure the TenantDB restore job status shows as Completed.

Note: The command to attach a resource policy to allow-list the source database to be restored into the target database varies for the TenantDB restore.

22. Go to EC2 console, login to the HANA database on the destination account using AWS Session manager. Login as <sid>adm user and check status of SAP processes with sapcontrol command. Verify that the HANA SystemDB and TenantDB database is restored successfully and all the process are showing GREEN status as below.

Conclusion

In this blog you have learnt how to perform Cross-Region and Cross-Account database backup and restore using AWS Backup service. Using the Cross-Region and Cross-Account backup feature for SAP HANA database with AWS Backup you can securely copy your backups to one or more regions or Cross-Accounts in your organization for operational or security reasons.

The cross-Region amount billed in a month is the amount of data transferred between two Regions, whether within a single AWS account or across two AWS accounts. You only incur data transfer charges when transferring data out of an AWS Region and there are no charges for transfers within the same AWS Region. The data transfer charges are billed to the AWS account transferring out the data. The backup storage charges are billed to the AWS account receiving the data. The rates for data transfer from backup vaults are the same.

To get started with the AWS Backup service, we recommend that you review the documentation and blog below.

• SAP HANA databases on Amazon EC2 instances backup
• Automate and Simplify SAP HANA Backups with AWS Backup
• Simplify SAP Backups with AWS Services

To learn why thousands of customers trust AWS to migrate, modernize, and innovate with their SAP workloads, visit the SAP on AWS page