

# SAP NetWeaver on AWS Deployment and Operations Guide for Windows
<a name="sap-netweaver-windows-guide"></a>

 *SAP specialists, Amazon Web Services* 

 *Last updated: November 2022* 

This guide provides guidance on how to set up AWS resources and the Microsoft Windows Server operating system to deploy SAP NetWeaver on Amazon EC2 instances.

This guide is intended for SAP architects, SAP engineers, IT architects, and IT administrators who want to deploy SAP NetWeaver on AWS.

## About this Guide
<a name="net-win-about-this-guide"></a>

This guide is part of a content series that provides detailed information about hosting, configuring, and using SAP technologies in the AWS Cloud. For the other guides in the series, ranging from overviews to advanced topics, see the [SAP on AWS Technical Documentation home page](https://aws.amazon.com/sap/docs/).

This guide is for users who are responsible for planning, architecting, and deploying SAP NetWeaver on AWS. You should have a good understanding of AWS services, general networking concepts, Windows Server operating systems, and SAP NetWeaver administration. This document guides you through the steps required to successfully launch and configure the resources required for SAP NetWeaver on Windows.

Instructions in this document are based on the recommendations provided by SAP and Microsoft for SAP NetWeaver on Windows as described in the following OSS notes:


**SAP NetWeaver on Windows OSS Notes**  

| SAP OSS Note | Description | 
| --- | --- | 
|  1656099  |  SAP Applications on AWS: Supported DB/OS and Amazon EC2 products  | 
|  1409608  |  Virtualization on Windows  | 
|  1732161  |  SAP Systems on Windows Server 2012 (R2)  | 
|  2384179  |  SAP Systems on Windows Server 2016  | 
|  2751450  |  SAP Systems on Windows Server 2019  | 
|  1564275  |  Install SAP Systems Using Virtual Host Names on Windows  | 
|  3143497  |  SAP Systems on Windows Server 2022  | 

In addition, this document also follows best practices from AWS, Microsoft, and SAP for SAP NetWeaver deployments on Windows. See the recommended reading section for more details.

This document doesn’t provide guidance on how to set up network and security constructs, such as Amazon Virtual Private Cloud (Amazon VPC), subnets, route tables, ACLs, NAT Gateway, AWS Identity and Access Management (IAM) roles, and AWS Security Groups. Instead, it focuses on how to configure and maintain the compute, storage, and operating system constructs for SAP NetWeaver deployment and operation on Windows on AWS.

SAP NetWeaver is also available to deploy on Linux. If you’re considering using Linux, see the [SAP NetWeaver Quick Start](https://aws.amazon.com/quickstart/architecture/sap-netweaver-abap/) for Linux.

# Prerequisites
<a name="net-win-prerequisites"></a>

## Specialized Knowledge
<a name="net-win-specialized-knowledge"></a>

Before you follow the configuration instructions in this guide, we recommend that you become familiar with the following AWS services. (If you are new to AWS, start with the [Getting Started Resource Center](https://aws.amazon.com/getting-started/).)
+  [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) 
+  [Amazon Virtual Private Cloud (Amazon VPC)](https://aws.amazon.com/vpc/) 
+  [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) 
+  [Amazon Elastic Block Store (Amazon EBS)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) 
+  [Amazon FSx](https://aws.amazon.com/fsx/) 
+  [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) 
+  [AWS Systems Manager](https://aws.amazon.com/systems-manager/) 
+  [AWS CloudFormation](https://aws.amazon.com/cloudformation/) 
+  [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) 
+  [AWS Control Tower](https://aws.amazon.com/controltower/) 

# Recommended Reading
<a name="net-win-recommended-reading"></a>

We also recommend reading these overview and best practice guides:
+  [SAP on AWS Overview and Planning](https://docs.aws.amazon.com/sap/latest/general/sap-on-aws-overview.html) 
+  [Getting Started with Architecting SAP on the AWS Cloud](https://aws.amazon.com/blogs/awsforsap/getting-started-with-architecting-sap-on-the-aws-cloud/) 
+  [Best Practices for Windows on Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-best-practices.html) 

# Technical Requirements
<a name="net-win-technical-requirements"></a>

1. Ensure that any [service limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) are high enough and the current usage low enough to be able to launch the resources that you need. If necessary, request a service limit increase for the AWS resource that you’re planning to use. In particular:

   1. Ensure that your [EC2 service limits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) are sufficient to launch the instances that you need for your SAP NetWeaver system.

   1. Ensure that your [VPC service limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_vpc) are sufficient to launch a new VPC (if necessary) or individual network resources within your VPC, such as Elastic IP addresses.

1. Gather the following information about your existing AWS resources. You will need this information to create your Amazon EC2 and Amazon EBS resources using the AWS Command Line Interface (AWS CLI) commands:  
**AWS Resource Information Required**    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/net-win-technical-requirements.html)

   1. Ensure that you have a key pair that you can use to launch your Amazon EC2 instances. To import or create a new key pair, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html).

   1. Ensure that you know the network details, such as VPC-ID and Subnet-ID, of the VPC where you plan to launch your Amazon EC2 instances to host your SAP NetWeaver application.

   1. Ensure that you have the required ports open on the security group attached to your Amazon EC2 instance hosting your database, to allow communication between your database and your SAP NetWeaver application. If needed, create new security groups that allow network traffic over both the database ports and the SAP NetWeaver application ports. For a list of SAP ports, see [TCP/IP Ports of All SAP Products](https://help.sap.com/viewer/ports).

1. If you plan to use the AWS Command Line Interface (AWS CLI) to launch your instances, ensure that you have installed and configured the AWS CLI with the appropriate credentials. See [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) for more details.

1. If you plan to use the AWS Management Console to launch your instances, ensure that your IAM user has permission to launch and configure Amazon EC2, Amazon EBS, etc. See the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) for more details.

1. Ensure that you have the required SAP software available either via an S3 bucket or on a file share accessible from Windows, such as Amazon FSx. For the fastest installation experience, we recommend copying the required software to an EBS volume attached to the relevant EC2 instance before running the install. This is best set up as a separate volume (mapped to a new drive in Windows) that, after completion of the installation, can then be detached and either deleted or re-attached to other EC2 instances for further installations. We recommend using the AWS CLI for this. Be sure to assign the appropriate IAM role permissions to the EC2 instance to allow S3 access.

1. If the installation type is distributed or high availability (HA), it will need to be a domain-based installation and a domain controller is required. If desired, you can use AWS Directory Service for this purpose. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in AWS. For details, see [AWS Directory Service](https://aws.amazon.com/directoryservice/) and [Create Your AWS Managed Microsoft AD directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_create_directory.html).

   When doing a domain-based installation, `sapinst.exe` should be run by a user with domain administration privileges (but not the `<SID>adm` user) or a domain administrator must complete the appropriate preparatory steps. For more details, consult the SAP NetWeaver installation guide for your version of SAP NetWeaver.

1. To create an Amazon FSx file system, you need the following prerequisites:

   1. An AWS account with the permissions necessary to create an Amazon FSx file system and an Amazon EC2 instance. For more information, see [Setting Up](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/setting-up.html).

   1. An Amazon EC2 instance running Microsoft Windows Server in the VPC based on the Amazon VPC service that you want to associate with your Amazon FSx file system. For information on creating an EC2 Windows instance, see [Getting Started with Amazon EC2 Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html).

   1. Amazon FSx works with Microsoft Active Directory to perform user authentication. You join your Amazon FSx file system to an AWS Directory Service for Microsoft Active Directory. For more information, see [Create Your File System](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html#getting-started-step1).

   1. This guide assumes that you haven’t changed the rules on the default security group for your VPC. If you have changed them, you need to ensure that you add the necessary rules to allow network traffic from your Amazon EC2 instance to your Amazon FSx file system. For more details, see [Security](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/security.html).

   1. Install and configure the AWS Command Line Interface (AWS CLI).

For additional details on these prerequisites, see [Prerequisites for Getting Started](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/walkthrough01-prereqs.html).

# Planning the Deployment
<a name="net-win-planning-the-deployment"></a>

Plan your SAP system landscape according to the SAP Master Guide for your version of SAP NetWeaver and your combination of operating system and database.

**Topics**
+ [Select the Region](net-win-select-region.md)
+ [Architecture Options](net-win-architecture-options.md)
+ [Security and Compliance](net-win-security-and-compliance.md)
+ [Sizing](net-win-sizing.md)
+ [Operating System](net-win-operating-system.md)
+ [Compute](net-win-compute-1.md)
+ [Storage](net-win-storage-1.md)
+ [Network](net-win-network-1.md)

# Select the Region
<a name="net-win-select-region"></a>

In choosing the Region for deployment, you’ll need to consider some key factors. For more details, see our [Overview and Planning](https://docs.aws.amazon.com/sap/latest/general/sap-on-aws-overview.html) guide.
+ Service availability
  + Not all AWS services or features are available in all Regions. Verify that all services and features that you want to use in your deployment are available in the Region you choose. You can check [availability on our website](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). If certain services or features are not available in your desired Region, there are alternatives that we mention in the guide.
  + For SAP workloads discussed in this guide, this is particularly true for:
    + EC2 instance types
    + Amazon FSx for Windows File Server
    +  AWS Backup
+ Proximity and connectivity options
+ Data residency
  + You retain complete control and ownership over your data in the Region in which it is physically located, making it easy to meet regional compliance and data residency requirements.

# Architecture Options
<a name="net-win-architecture-options"></a>

**Topics**
+ [Standard System Deployment](net-win-standard-system-deployment.md)
+ [Distributed System Deployment](net-win-distributed-system-deployment.md)
+ [High Availability System Deployment](net-win-high-availability-system-deployment.md)

# Standard System Deployment
<a name="net-win-standard-system-deployment"></a>

Standard system or single host installation: all main instances of SAP NetWeaver (ASCS/SCS, database, and PAS) run on one Amazon EC2 instance. This option is best suited for non-production workloads.

![\[Standard/Single Host SAP Deployment\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/sap-netweaver-windows-std-deployment.png)


# Distributed System Deployment
<a name="net-win-distributed-system-deployment"></a>

Distributed system: every instance of SAP NetWeaver (ASCS/SCS, database, PAS, and optionally AAS) can run on a separate Amazon EC2 instance. This option is suited for both production and non-production workloads.

![\[Distributed SAP Deployment\]](http://docs.aws.amazon.com/sap/latest/sap-netweaver/images/sap-netweaver-windows-dist-deployment.png)


# High Availability System Deployment
<a name="net-win-high-availability-system-deployment"></a>

High availability (HA) system: used for business-critical applications. With this option, all the services that are single points of failure are deployed across multiple Availability Zones for fault tolerance.

For SAP NetWeaver, the key single points of failure are:
+ the central services (ASCS/SCS)
+ the global and transport filesystems

To protect against hardware failure of Amazon EC2 within an Availability Zone, you can enable EC2 instance recovery. See [Recover Your Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-recover.html) for more details on this feature. You can use scripts to start the SAP NetWeaver application automatically after instance recovery. You can further configure SAP application work processes to reconnect to your database after recovery. Consult the documentation for further restrictions. This option is not application aware and does not protect the application against Availability Zone failure, which makes it a good option for non-production systems. It also can be used for production systems but you might want to consider a Multi-AZ solution for this situation as well.

For HA solutions, it’s important to be aware of two concepts within a VPC: shared storage and the Overlay IP address.

## Shared Storage
<a name="net-win-shared-storage"></a>

EBS volumes are specific to a single Availability Zone and can only be attached to a single EC2 instance at a time. However, in distributed or HA deployments, shared storage is required for the global and transport filesystems. On AWS, this storage can be provided by building an NFS server or by using Amazon FSx. Amazon FSx provides shared file storage with full support for the SMB protocol, Windows NTFS, Active Directory integration, and Distributed File System (DFS).

If using such a solution in the context of a high availability installation, the shared storage solution you choose could introduce a single point of failure without appropriate protection. This can be protected against by:
+ Clustering the NFS server providing the shared filesystem
+ Clustering the host that is sharing the filesystems
+ Using Amazon FSx. For workloads that require Multi-AZ redundancy to tolerate temporary AZ unavailability, you can [create multiple file systems in separate AZs](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/multi-az-deployments.html). Amazon FSx supports Microsoft’s Distributed File System (DFS) Replication and Namespaces. DFS Replication allows you to automatically replicate data between two file systems, and DFS Namespaces allows you to configure automatic failover.

## High availability
<a name="net-win-ha-solutions"></a>

You can use a high availability (HA) clustering solution for autonomous failover of the central services across Availability Zones. There are multiple SAP-certified options for this clustering software on Windows [listed on the SAP website](https://wiki.scn.sap.com/wiki/display/SI/Certified+HA-Interface+Partners), and it’s also possible to build and automate your own solution. HA solutions that have been tested and are known to work on AWS include:
+ Veritas InfoScale:
  +  [Veritas InfoScale for SAP on AWS](https://www.veritas.com/content/support/en_US/doc/infoscale_hadr_sap_netweaver_aws) 
  +  [Veritas InfoScale for Windows compatibility list](https://www.veritas.com/content/support/en_US/doc/infoscale_scl_741_win) 
+ SIOS:
  +  [SIOS DataKeeper](https://us.sios.com/solutions/sap-high-availability/) with Windows Server Failover Cluster (WSFC)
  +  [SIOS DataKeeper Cluster Edition on AWS Quick Start](https://aws.amazon.com/quickstart/architecture/sios-datakeeper/) 
  + SAP on AWS Blog: [Implementing HA and DR for Microsoft SQL Server](https://aws.amazon.com/blogs/architecture/field-notes-implementing-ha-and-dr-for-microsoft-sql-server-using-always-on-failover-cluster-instance-and-sios-datakeeper/) 
+ NEC ExpressCluster
+ Windows Server Failover Cluster (WSFC) with native Windows and AWS services
  + SAP on AWS Blog: [How to setup SAP NetWeaver on Windows MSCS for SAP ASCS/ERS on AWS](https://aws.amazon.com/blogs/awsforsap/how-to-setup-sap-netweaver-on-windows-mscs-for-sap-ascs-ers-on-aws-using-amazon-fsx/) 

**Support and certification**  
SAP clustering software is supported by the cluster software vendors themselves, not by SAP. SAP only certifies the solution. Any custom-built solution is **not** certified and will need to be supported by the solution builder.

In this guide, we focus on the distributed installation type on Windows in AWS. More details on how to deploy and operate SIOS, Veritas, and WSFC clusters are available on their respective websites linked above. For effective use of WSFC, Windows Server 2016, or later, is required.

The key features to be aware of with the WSFC solution are:
+ ASCS and a separate ERS instance set up within Windows Cluster Manager
+  [Scale-Out File Server](https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview) is a feature that is designed to provide scale-out file shares that are continuously available for file-based server application storage
+ Storage Spaces Direct uses standard servers with local-attached drives to create highly available, highly scalable software-defined storage. **This requires a minimum of Windows Server 2016 and NVMe storage (so Nitro-generation EC2 instances are required).** 
+ Amazon FSx for Windows File Server

Also read the High Availability with Microsoft Failover Clustering section of the SAP NetWeaver installation guide.

# Security and Compliance
<a name="net-win-security-and-compliance"></a>

These additional AWS security resources can help you achieve the level of security that you require for your SAP NetWeaver environment on AWS:
+  [AWS Cloud Security Center](https://aws.amazon.com/security/) 
+  [CIS AWS Foundations Benchmark](https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html) 
+  [Introduction to AWS Security](https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/welcome.html) 
+  [AWS Well-Architected Framework Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) 
+  [Network and Security topic](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-network-and-security.html) from the *Amazon EC2 User Guide for Windows Instances* 

## OS Hardening
<a name="net-win-os-hardening"></a>

You may want to lock down the OS configuration further, for example, to avoid providing a NetWeaver administrator with root credentials when logging into an instance.

We provide guidance on how to best secure your Windows EC2 instances:
+ Read our [best practices guide for securing Windows on EC2](https://aws.amazon.com/answers/security/aws-securing-windows-instances/).
+ Read our general [best practices guide for securing EC2 instances](https://aws.amazon.com/answers/security/aws-securing-ec2-instances/).
+ Use [Amazon Inspector](https://aws.amazon.com/inspector/faqs/), an automated security assessment service that helps you test the network accessibility of your EC2 instances and the security state of your applications running on the instances.

You can also refer to the following SAP note:
+  [1837765](https://me.sap.com/notes/1837765): Security policies for `<SID>adm` and `SapService<SID>` on Windows

## Encryption
<a name="net-win-encryption"></a>

Cloud security at AWS is the highest priority. A core aspect of securing your workloads is encrypting your data, both at rest and in transit.

When you create an [encrypted EBS volume](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) and attach it to a supported instance type, the following types of data are encrypted:
+ Data at rest inside the volume
+ All data moving between the volume and the instance
+ All snapshots created from the volume
+ All volumes created from those snapshots

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data at rest, and data in transit between an instance and its attached EBS storage. You can expect the same IOPS performance on encrypted volumes as on unencrypted volumes, with a minimal effect on latency. Encryption and decryption are handled transparently and require no additional action from you or your applications.

Similarly, all Amazon FSx file systems are encrypted at rest with keys that are managed using AWS Key Management Service (AWS KMS). Data is automatically encrypted before being written to the file system, and automatically decrypted as it is read. These processes are handled transparently by Amazon FSx, so that you don’t have to modify your applications.

For Amazon S3, you can protect data in transit by using SSL/TLS or client-side encryption, and protect data at rest by using either server-side or client-side encryption.

You can find more information about encryption from the specific service documentation:
+  [Encrypting Amazon FSx Data at Rest and Data in Transit](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/encryption.html) 
+  [Protecting Amazon S3 Data Using Encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html) 
+  [Amazon EBS Encryption](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) 

## Security Groups / NACLs
<a name="net-win-security-groups-nacls"></a>

A [security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level.

Customers often separate the SAP system into multiple subnets, with the database in a subnet separate from the application servers, and other components, such as a Web Dispatcher, in another subnet, possibly with external access.

If workloads are scaled horizontally, or high availability is necessary, you might consider including multiple, functionally similar, EC2 instances in the same security group. In this case, you’ll need to add a rule to your security groups.

If Microsoft Windows Server is used, some configuration changes may be necessary in the security groups, route tables, and network access control lists (ACLs). You can refer to the operating system product documentation or other sources, such as the [Security Group Rules Reference](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-group-rules-reference.html) in the Amazon EC2 documentation, for more information.

A [network access control list (ACL)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (they’re stateless firewalls at the subnet level). You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

For further information on network considerations for SAP workloads, see our SAP on AWS network documentation.

## API Call Logging
<a name="net-win-api-call-logging"></a>

 AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The information recorded includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services, such as AWS CloudFormation. The AWS API call history provided by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
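As an added illustration of that kind of security analysis (example code, not part of the original guide or an AWS tool), the script below scans CloudTrail records for two changes relevant to this guide: security group ingress opened to any address, and EBS volumes created without encryption. The records are constructed, and the layout assumed for `requestParameters` and `responseElements` should be confirmed against your own trail.

```python
# Added example: triage CloudTrail records for changes that weaken the controls
# described in this guide. The nested field layout used below is an assumption;
# confirm it against records from your own trail.
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed records; ARNs, IDs and IP addresses are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2022-11-01T09:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventTime": "2022-11-01T09:20:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3200, "toPort": 3299,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventTime": "2022-11-01T10:02:00Z", "eventName": "CreateVolume",
     "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-basis"},
     "requestParameters": {"size": "100", "volumeType": "gp2", "encrypted": False},
     "responseElements": {"volumeId": "vol-0example1", "encrypted": False}},
    {"eventTime": "2022-11-01T10:05:00Z", "eventName": "CreateVolume",
     "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-basis"},
     "requestParameters": {"size": "100", "volumeType": "gp2", "encrypted": True},
     "responseElements": {"volumeId": "vol-0example2", "encrypted": True}},
    # A denied call: it changed nothing, so it must not be reported as a change.
    {"eventTime": "2022-11-01T11:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": None},
]


def items(container, key):
    """Return container[key]["items"], tolerating missing or null values."""
    return ((container or {}).get(key) or {}).get("items") or []


def world_open_rules(record):
    """Describe each requested ingress rule whose source is any address."""
    hits = []
    for perm in items(record.get("requestParameters"), "ipPermissions"):
        cidrs = [r.get("cidrIp") for r in items(perm, "ipRanges")]
        cidrs += [r.get("cidrIpv6") for r in items(perm, "ipv6Ranges")]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                hits.append("{} {}-{} from {}".format(
                    perm.get("ipProtocol"), perm.get("fromPort"),
                    perm.get("toPort"), cidr))
    return hits


def triage(records):
    """Return one finding per risky change, with the caller details CloudTrail records."""
    findings = []
    for rec in records:
        if rec.get("errorCode"):
            continue  # failed or denied call: no configuration change happened
        reasons = []
        if rec.get("eventName") == "AuthorizeSecurityGroupIngress":
            reasons = ["ingress opened: " + hit for hit in world_open_rules(rec)]
        elif rec.get("eventName") == "CreateVolume":
            if (rec.get("responseElements") or {}).get("encrypted") is False:
                reasons = ["EBS volume created without encryption"]
        for reason in reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "caller": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "event": rec.get("eventName"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

CloudTrail log files wrap their events in a top-level `Records` list, so pass that list to `triage` when reading a delivered log file.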

## Notifications on Access
<a name="net-win-notifications-on-access"></a>

You can use Amazon Simple Notification Service (Amazon SNS) or third-party applications to send notifications about SSH logins to your email address or mobile phone number.

# Sizing
<a name="net-win-sizing"></a>

One of the first points to consider is whether this deployment is a completely new project (greenfield) or a migration. Sizing then applies across three key areas: compute, storage, and network.

## Compute
<a name="net-win-compute"></a>

Understanding the compute requirement helps you select the best matching EC2 instance type from the available list of SAP-certified instances.

If this is a greenfield deployment, use the SAP Quick Sizer tool to calculate the SAP Application Performance Standard (SAPS) compute requirement and use that value to select the EC2 instance that is the closest match with the best cost. Also check that the EC2 instance you select provides sufficient EBS and overall network throughput to satisfy your application requirements.

For migrations, you can use a number of data sources to help choose the best instance size:
+ Source system utilization and workload patterns (EarlyWatch alert reports, etc.)
+ Source system specification: CPU, memory, storage size, throughput, IOPS, network
+ Source system SAPS rating

**Selecting EC2 Instance Type**  
It’s important to consider storage and network performance as well as compute, to ensure the selection of the best EC2 instance type.

After the workload is running on AWS, you can use a process called [right sizing](https://docs.aws.amazon.com/aws-technical-content/latest/cost-optimization-right-sizing/identifying-opportunities-to-right-size.html) to refine the size that you actually need. Right sizing is best thought of as an [on-going process](https://docs.aws.amazon.com/aws-technical-content/latest/cost-optimization-right-sizing/right-sizing-ongoing-process.html).

## Storage
<a name="net-win-storage"></a>

Deploying SAP NetWeaver on Windows on AWS requires a minimum amount of storage and storage layout as per the SAP NetWeaver documentation for Windows. See the SAP documentation for further details on minimum and recommended storage sizes and storage layout. The EBS volumes should be created to match these requirements.

Verify that the amount of storage is adequate to provide sufficient I/O performance, as the performance of a General Purpose SSD (gp2) volume is related to the overall volume size. To achieve higher throughput and IOPS performance, the striping of volumes is often considered but this is usually not necessary for the NetWeaver application layer.

## Network
<a name="net-win-network"></a>

Network performance is often not explicitly stated as a requirement in SAP sizing, but you can check the network performance of each [EC2 instance type](https://aws.amazon.com/ec2/instance-types/) to ensure that you are delivering the required performance.

# Operating System
<a name="net-win-operating-system"></a>

If you plan on using Windows other than via Amazon EC2 for Windows Server, then ensure that you have the appropriate licenses and tenancy type selected. For more details, refer to your licensing terms and conditions, and see our [Windows on AWS](https://aws.amazon.com/windows/) webpage.

A base AMI is required to launch an Amazon EC2 instance. For SAP NetWeaver workloads on Windows, you need to run Windows Server 2012 R2, or later, because older versions are no longer supported by SAP. If you are using bring your own license (BYOL) instead of license-included for Windows Server, you will need to create your own AMI. See [Microsoft Licensing on AWS](https://aws.amazon.com/windows/resources/licensing/).

Ensure that you have access to the appropriate Windows Server AMIs before proceeding.

As with any operating system, we recommend that you keep the OS up-to-date with the latest patches. You can also refer to the following SAP Notes:
+  [2325651](https://me.sap.com/notes/2325651): Required Windows Patches for SAP Operations

# Compute
<a name="net-win-compute-1"></a>

 AWS has certified multiple instance families of various sizes for running SAP NetWeaver workloads. For a complete list of the certified EC2 instance types, see [Amazon EC2 Instance Types for SAP](https://aws.amazon.com/sap/instance-types/).

Select the appropriate EC2 instance type based on your CPU, memory, and SAPS requirements. AWS recommends that, when possible, you use the latest generation of your selected instance family that is SAP certified.

# Storage
<a name="net-win-storage-1"></a>

Refer to the sizing section for resources on SAP’s standard recommendations. If no storage performance requirements are available, AWS recommends General Purpose SSD (gp2) as the default EBS volume type for SAP workloads.

In practice, application servers will have a minimum of two volumes, mapped to the `C:` and `D:` drives. The `C:` drive is the boot volume containing the OS, and the `D:` drive is used to host the SAP software. We recommend using an additional, temporary volume for SAP software downloads (typically mapped as the `E:` drive).

If the installation type is distributed or HA, fileshares for the global filesystem and transport directories will need to be used across all relevant EC2 instances. In this guide, we use the standard Windows file sharing features to share these directories from the EC2 instance hosting the central services. The `sapinst.exe` installer creates these shares automatically if it is run as a user with appropriate permissions.

Customers can also use NFS-based solutions, such as [Amazon FSx](https://aws.amazon.com/fsx/), third-party solutions available from the [AWS Marketplace](https://aws.amazon.com/marketplace), or custom-built solutions. Choosing the correct NFS solution is beyond the scope of this guide. If you use such a solution as part of a high availability deployment, consider that the NFS solution could itself be a single point of failure without appropriate protection.

# Network
<a name="net-win-network-1"></a>

Ensure that you have your network constructs set up to deploy resources related to SAP NetWeaver. If you haven’t already set up network components, such as Amazon VPC, subnets, and route tables, you can use the [AWS Quick Start for Modular and Scalable VPC Architecture](https://aws.amazon.com/quickstart/architecture/vpc/) to easily deploy scalable VPC architecture in minutes. See the deployment guide for more details, then set up your EC2 instances for the NetWeaver application server within this VPC.

You also will need to set up a secured network connection between the corporate data center and the VPC, along with the appropriate route table configuration, if this has not already been configured.

# Deployment Steps
<a name="net-win-deployment-steps"></a>

**Topics**
+ [Step 1: Prepare your AWS Account](net-win-step-1-prepare-your-aws-account.md)
+ [Step 2: Prepare Each EC2 Instance for SAP Installation](net-win-step-2-prepare-each-ec2-instance-for-sap-installation.md)
+ [Step 3: Create Amazon FSx Volumes](net-win-step-3-create-amazon-fsx-volumes.md)
+ [Step 4: Prepare and Run the SAP Installation Prerequisites Check](net-win-step-4-prepare-and-run-the-sap-installation-prerequisites-check.md)
+ [Step 5: Install SAP NetWeaver on Amazon EC2](net-win-step-5-install-sap-netweaver-on-amazon-ec2.md)

# Step 1: Prepare your AWS Account
<a name="net-win-step-1-prepare-your-aws-account"></a>

In this example, we step through setting up a sample environment for the installation, which includes a public subnet for RDP and SSH access via the internet. In this scenario, we are using the [AWS Quick Start for Modular and Scalable VPC Architecture](https://aws.amazon.com/quickstart/architecture/vpc/) in a Single-AZ deployment to create the VPC, subnets, security groups, and IAM roles. This setup is just an example and you should follow your own network layout and ensure that you comply with your security standards. This could include:
+ Using an AWS Quick Start that suits your requirements, such as a Multi-AZ deployment of the AWS Quick Start for SAP HANA
+ Using a landing zone solution, like [AWS Control Tower](https://aws.amazon.com/controltower/) 
+ Working with your cloud team (for example, a Cloud Center of Excellence or CCoE) to ensure adherence to existing standards

  1. Check the Region where you want to deploy your AWS resources:

     1. You’ll have picked the Region you want to deploy in during your planning phase.

     1. Display the AWS CLI configuration data:

        ```
         $ aws configure list
        ```

        In the command output, make sure that the default Region that’s listed is the same as the target Region where you want to deploy your AWS resources and install SAP NetWeaver.

  1. If this is a distributed or HA installation type:

     1. Create a new security group specifically for the EC2 instances running the NetWeaver application servers that allows traffic over the required ports for remote access from the public subnet, for example, RDP.

     1. Edit that security group to allow traffic over ports required for SAP NetWeaver based on your specific use-case. Specify the source as being the security group itself and ensure that this security group is attached to all EC2 instances that will run application servers.

     1. For distributed or HA installations, ensure that the security group attached to each application and central services server allows communication between them over the required ports. You can create a rule that references a security group as its own source, and allow traffic on the required ports for that rule.

  1. Create a JSON file for the Amazon EBS storage volumes (the volume sizes used are indicative only and should be customized based on your sizing requirements):

     ```
     [
         {
             "DeviceName": "xvdb",
             "Ebs": {
                 "VolumeSize": 50,
                 "VolumeType": "gp2",
                 "DeleteOnTermination": true
             }
         },
         {
             "DeviceName": "xvdc",
             "Ebs": {
                 "VolumeSize": 50,
                 "VolumeType": "gp2",
                 "DeleteOnTermination": true
             }
         }
     ]
     ```

  1.  AWS Windows AMIs provide additional software that prepares an instance when it first boots up. This is either the EC2Config service (Windows AMIs prior to Windows Server 2016) or EC2Launch (Windows Server 2016, or later). After the devices have been mapped to drives, they are initialized and mounted. The root drive is initialized and mounted as `C:\`. By default, when an EBS volume is attached to a Windows instance, it can show up as any drive letter on the instance. You can change the settings to set the drive letters of the volumes per your specifications. For more information, see the [device naming section for storage on Windows](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/device_naming.html).

  1. Install your selected database product. If this is a distributed or high availability deployment, install your selected database product in a separate EC2 instance dedicated to that purpose. Otherwise, install your database in the existing EC2 instance. For more details, see the [AWS Documentation](https://docs.aws.amazon.com/index.html) for your database.

  1. Launch EC2 instances for the SAP installation in your target Region by using the information you gathered in the preparation phase. You will also be creating the storage volumes required for the SAP installation and attaching them to the Amazon EC2 instance for the SAP installation.

     Ensure that you enable detailed monitoring on each instance as this is required for SAP support. (The sample commands provided below enable this.)

     Make sure that you choose one of the [Amazon EC2 Instance Types for SAP](https://aws.amazon.com/sap/instance-types/). Sample AWS CLI syntax is given below.

     ```
     $ aws ec2 run-instances \
     --image-id <AMI-ID> \
     --monitoring Enabled=true \
     --count <number-of-EC2-instances> \
     --instance-type <instance-type> \
     --key-name=<name-of-key-pair> \
     --security-group-ids <security-group-ID> \
     --subnet-id <subnet-ID> \
     --block-device-mappings https://<bucket>.s3.amazonaws.com/<file>.json
     ```

     **Example**

     This example enables detailed monitoring (data is available in 1-minute periods for an additional cost) which is a support prerequisite for SAP workloads on Amazon EC2.

     ```
     $ aws ec2 run-instances \
     --image-id ami-012345678901234ab \
     --monitoring Enabled=true \
     --count 1 \
     --instance-type m5.2xlarge \
     --key-name=my_key \
     --security-group-ids sg-01234567890abcdef \
     --subnet-id subnet-0123456789abcdefg \
     --block-device-mappings https://example.s3.amazonaws.com/file.json
     ```
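The security group rules described in step 2 of the list above can be checked once the group exists. The following is an added example, not part of the original guide: it audits constructed sample data in the shape returned by `aws ec2 describe-security-groups`, and the group IDs, the public subnet CIDR, and the SAP port ranges are assumptions to replace with your own values.

```python
import ipaddress

# Constructed sample data in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs, CIDRs and port ranges are placeholders, not values from the guide.
WEAK_GROUP = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
HARDENED_GROUP = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.128.0/20"}]},
        {"IpProtocol": "tcp", "FromPort": 3200, "ToPort": 3299,
         "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbbb"}]},
        {"IpProtocol": "tcp", "FromPort": 3600, "ToPort": 3699,
         "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbbb"}]},
    ],
}
PUBLIC_SUBNET = "10.0.128.0/20"            # assumed CIDR of the jumpbox subnet
SAP_PORTS = [(3200, 3299), (3600, 3699)]   # assumed ranges; use your own port list


def _port_span(perm):
    """Return (low, high) for a rule; protocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def _overlaps(span, low, high):
    return span[0] <= high and low <= span[1]


def _covers(span, low, high):
    return span[0] <= low and high <= span[1]


def audit_app_server_group(group, remote_access_cidr, sap_port_ranges, rdp_port=3389):
    """Return findings for one application-server security group.

    Only TCP and all-traffic ingress rules are evaluated. A SAP port range
    counts as covered only when a single self-referencing rule spans it.
    """
    findings = []
    allowed_net = ipaddress.ip_network(remote_access_cidr, strict=False)
    self_spans = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        span = _port_span(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            inside = net.version == allowed_net.version and net.subnet_of(allowed_net)
            if _overlaps(span, rdp_port, rdp_port) and not inside:
                findings.append(f"RDP reachable from {cidr}, outside {remote_access_cidr}")
            for low, high in sap_port_ranges:
                if _overlaps(span, low, high):
                    findings.append(
                        f"SAP ports {low}-{high} open to CIDR {cidr}; "
                        "source should be the group itself")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == group["GroupId"]:
                self_spans.append(span)
    for low, high in sap_port_ranges:
        if not any(_covers(s, low, high) for s in self_spans):
            findings.append(f"no self-referencing rule covers SAP ports {low}-{high}")
    return findings


if __name__ == "__main__":
    for name, group in (("weak", WEAK_GROUP), ("hardened", HARDENED_GROUP)):
        print(name, audit_app_server_group(group, PUBLIC_SUBNET, SAP_PORTS))
```

To run it against a real group, pass one element of the `SecurityGroups` array from the `describe-security-groups` JSON output as `group`.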

# Step 2: Prepare Each EC2 Instance for SAP Installation
<a name="net-win-step-2-prepare-each-ec2-instance-for-sap-installation"></a>

1. Log into the newly created RDP host in the public subnet. We will call this **jumpbox** for easy reference. Do this by either using [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) (for command line tasks), or by doing the following:

   1.  Go to the AWS Management Console, select the EC2 instance **jumpbox**, and choose **Connect**. Download the RDP file from the pop-up that appears.

   1.  Click **Get Password** and provide your private key to decrypt the password. This is the password for the local administrator on **jumpbox**.

   1. Open the RDP file in your preferred RDP program, and connect to **jumpbox**. Log in with user Administrator and the password that you just retrieved in [step 1b](#net-win-substep-getpw).

   1. After you are logged in, go back to the AWS Management Console and repeat [step 1a](#net-win-substep-connect) and [step 1b](#net-win-substep-getpw), but specify the EC2 instance where you will install NetWeaver. We’ll call this **nw-ascs** for reference. Copy the downloaded RDP file to **jumpbox**.

   1. While logged into **jumpbox**, open the RDP file for **nw-ascs** in your preferred RDP program.

1. Log in as a user with administrator privileges but not an existing `<SID>adm` user (as per SAP’s requirements).

1. Install the AWS CLI tools or use the [AWS Tools for PowerShell](https://aws.amazon.com/powershell/) provided with the Windows AMI.

1. Install the Java Runtime Environment (JRE) version that is compatible with your SAP installation software.

1. Install the AWS Data Provider, following the instructions for Windows in the [Installation and Operations Guide](https://s3.amazonaws.com/aws-data-provider/aws-data-provider-ig.pdf).

1.  [Install and configure AWS Systems Manager Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) (SSM Agent).

# Step 3: Create Amazon FSx Volumes
<a name="net-win-step-3-create-amazon-fsx-volumes"></a>

1. The global fileshare and transport directories need to be available across all your SAP system’s EC2 instances. In this guide, we assume that you are using Amazon FSx for this purpose.

1. Be sure that you’ve satisfied the prerequisites in the Technical Requirements section of this document. You will need to have already deployed your EC2 instances in each of the Availability Zones where you will create Amazon FSx filesystems.

1. Follow the step-by-step instructions in the [Getting Started with Amazon FSx](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html) documentation.

1. For high availability deployments that require Multi-AZ redundancy to tolerate temporary AZ unavailability, follow the instructions to [create multiple file systems in separate AZs](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/multi-az-deployments.html).

# Step 4: Prepare and Run the SAP Installation Prerequisites Check
<a name="net-win-step-4-prepare-and-run-the-sap-installation-prerequisites-check"></a>

1. Download the SAP installation media for SWPM (the latest appropriate version for your desired NetWeaver installation), your desired NetWeaver software version for Windows, the latest compatible SAP kernel, and any other required files (such as: the host agent, IGS, database client tools, SAP GUI, the SAPCAR archiving tool, and the SAP download manager) to an attached EBS volume as described in the prerequisites (usually from Amazon S3 using the AWS CLI tools).

1. Run the SAP prerequisite checker via SWPM on the desired host servers to ensure that you have met SAP’s technical prerequisites. When you first run SWPM, you may have to enter the sign-in credentials of the Windows user that you’re currently logged in as.

1. Launch SWPM by running the `sapinst.exe` executable. Specify `SAPINST_USE_HOSTNAME=<FQDN>` when launching to override the default DNS name if necessary, for example, with `<hostname>.local`.

1. Complete the recommended prerequisite steps as identified by the SAP prerequisite checker as per your specific requirements. Some common prerequisites for Windows Server operating systems are:

   1. Ensure that the hostname is an alphanumeric string of no more than 13 characters (hyphens can also be included). This can be done at the command line using Windows PowerShell by executing the following command:

      ```
      Rename-Computer <new-hostname>
      ```

   1. Optionally add the server to your Active Directory domain (this can be done with [AWS Systems Manager](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-dx-domain/)).

   1. Pagefile size will have a minimum recommended value based on services selected.

   1. The Continuous Availability feature on Windows Server 2012 R2 can result in long wait times. See [SAP note 1823833](https://me.sap.com/notes/1823833) for a fix.

# Step 5: Install SAP NetWeaver on Amazon EC2
<a name="net-win-step-5-install-sap-netweaver-on-amazon-ec2"></a>

You are now ready to install SAP NetWeaver on this EC2 instance using the downloaded software. Proceed with the instructions in the SAP installation guide for your version of SAP NetWeaver.

You will need to do this for a minimum of:
+ the ASCS instance
+ the DB instance (on the installed database server)
+ the PAS instance

and optionally for:
+ other AAS instances
+ ERS instance on the second ASCS node (in different AZ)

# Operations
<a name="net-win-operations"></a>

**Topics**
+ [Tagging AWS Resources](net-win-tagging-aws-resources.md)
+ [Monitoring](net-win-monitoring.md)
+ [Backup and Restore](net-win-backup-and-restore.md)
+ [Storage](net-win-storage-2.md)
+ [Operating System Maintenance](net-win-operating-system-maintenance.md)
+ [High Availability](net-win-high-availability.md)
+ [Disaster Recovery](net-win-disaster-recovery-1.md)
+ [Compute](net-win-compute-2.md)
+ [Cost Optimization](net-win-cost-optimization.md)
+ [Automation](net-win-automation.md)
+ [Support](net-win-support.md)

# Tagging AWS Resources
<a name="net-win-tagging-aws-resources"></a>

A tag is a label that you assign to an AWS resource. Each tag consists of a *key* and an optional *value*, both of which you define. Adding tags to your AWS resources not only makes managing your SAP environment much easier but also lets you quickly search for resources. Many Amazon EC2 API calls can be used with a special tag filter. Refer to [AWS Tagging Strategies](https://aws.amazon.com/answers/account-management/aws-tagging-strategies/) and use it as a starting point to define the tags you need for your resources. Some examples of how you can use tags for operational needs are:
+ You can tag your EBS volumes to identify their environment (for example, Environment = DEV, QAS, PRD, and so on) and use these tags to create backup policies for EBS volumes.
+ You can use tags similar to those in the example above with EC2 instances and use them for patching your operating systems or running scripts to stop or start applications or EC2 instances.

# Monitoring
<a name="net-win-monitoring"></a>

 AWS provides multiple native services to monitor and manage your SAP environment. Services like [CloudWatch](https://aws.amazon.com/cloudwatch/) and [CloudTrail](https://aws.amazon.com/cloudtrail/) can be used to monitor your underlying infrastructure and APIs, respectively. CloudWatch provides ready-to-use KPIs for CPU and disk utilization, and also allows you to create custom metrics if you have specific KPIs that you would like to monitor. CloudTrail allows you to log the API calls made to your AWS infrastructure components.

# Backup and Restore
<a name="net-win-backup-and-restore"></a>

## Snapshots and AMIs
<a name="net-win-snapshots-and-amis"></a>

A common approach for backing up your SAP NetWeaver application servers is using snapshots and AMIs.

All your data is stored on Amazon EBS volumes attached to the SAP NetWeaver application servers. You can back up the data on these volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups of Amazon EBS volumes, which means that only the blocks on the device that have changed after your most recent snapshot are saved. For more details on this, see [Creating an Amazon EBS Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html).

An Amazon Machine Image (AMI) provides the information required to launch an instance along with a block device mapping of all EBS volumes attached to it.

Amazon EC2 powers down the instance before creating the AMI to ensure that everything on the instance is stopped and in a consistent state during the creation process. If you’re confident that your instance is in a consistent state appropriate for AMI creation, you can check the No Reboot option.

To take application-consistent snapshots of all EBS volumes attached to your instance using Windows Volume Shadow Copy Service (VSS), see [Creating a VSS Application-Consistent Snapshot](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/application-consistent-snapshots-creating-commands.html). This allows you to create a copy of the image without rebooting the instance.

You can use [AWS Backup](https://aws.amazon.com/backup/) to centrally configure backup policies and monitor backup activity for these snapshots.

After you have completed the SAP installation and post installation steps, you should create an image of the instance. AWS provides a very simple and quick way to copy an SAP system. You can use the AWS Management Console or the AWS CLI to create a new AMI of an existing SAP system. The new AMI contains a complete copy of the operating system and its configuration, software configurations, and all EBS volumes that are attached to the instance. From the new AMI, you can launch exact copies of the original system. For details on how to create an AMI of an existing EC2 instance, see [Creating a Custom Windows AMI](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html).

Example:

```
$ aws ec2 create-image --instance-id i-1234567890abcdef0 \
    --name "My server" --description "An AMI for my server"
```

**Note**  
When you build an instance using an AMI, make sure that you update the hostname and the `C:\Windows\System32\Drivers\etc\hosts` file with the new metadata. These details usually get copied from the source.

## File Backup to Amazon S3
<a name="net-win-file-backup-to-amazon-s3"></a>

You can perform traditional file-based backups from your EBS volumes to Amazon S3. One way to do this is to use the AWS CLI and trigger it through AWS Systems Manager Run Command, so that you can manage these backups centrally.

## Third-party Options
<a name="net-win-third-party-options"></a>

There are many third-party backup products for AWS services, including many solutions that have been certified by SAP. For more information, see [AWS SAP Partner Solutions](https://aws.amazon.com/sap/partner-solutions/).

## Amazon FSx Backup
<a name="net-win-amazon-fsx-backup"></a>

With Amazon FSx, backups are file-system-consistent, highly durable, and incremental. To ensure file system consistency, Amazon FSx uses the Volume Shadow Copy Service (VSS) in Microsoft Windows. To ensure high durability, Amazon FSx stores backups in Amazon S3. Amazon FSx backups are incremental, which means that only the changes made after your most recent backup are saved.

Amazon FSx automatically takes backups of your file systems once a day. These daily backups are taken during the daily backup window that you established when you created the file system.

If you want to set up a custom backup schedule, you can [deploy our reference solution](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/custom-backup-schedule.html).

# Storage
<a name="net-win-storage-2"></a>

The storage services we use across this guide are:
+ Amazon EBS
  + Provides persistent storage for SAP application and database. The EBS volumes can be resized and even the EBS volume type can be changed without disrupting the applications. For more information, see [Requesting Modifications to Your EBS Volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/requesting-ebs-volume-modifications.html). You will need to [extend the filesystem](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/recognize-expanded-volume-windows.html) to match the extended volume size using the Windows operating system tools.
+ Amazon FSx for Windows File Server
  + Does not need you to explicitly provision storage at all – you simply pay for what you use.
  + Does need regular maintenance, but you can define your own maintenance window as per [Amazon FSx Maintenance Windows](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/maintenance-windows.html).
  + The Amazon FSx Service Level Agreement provides for a service credit if your monthly uptime percentage is below our service commitment in any billing cycle.
+ Amazon S3
  + Does not need you to explicitly provision storage at all – you simply pay for what you use.
  + You can use [Object Lifecycle Management](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html) to set rules that define when objects are transitioned or archived to colder storage, such as S3 Standard-IA, S3 Glacier, or S3 Glacier Deep Archive, and when they expire. These actions happen automatically after being set.

# Operating System Maintenance
<a name="net-win-operating-system-maintenance"></a>

In general, operating system maintenance across large numbers of EC2 instances can be managed by:
+ Tools specific to each operating system, such as Microsoft System Center
+ Third-party products, such as those available in AWS Marketplace
+ Using AWS Systems Manager

## Patching
<a name="net-win-patching"></a>

You can follow SAP recommended patching processes to update your landscape on AWS. For operating system patching, with [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html) you can roll out OS patches as per your corporate policies. There are multiple key features like:
+ Scheduling based on tags
+ Auto-approving patches with lists of approved and rejected patches
+ Defining patch baselines

 AWS Systems Manager Patch Manager integrates with IAM, AWS CloudTrail, and Amazon CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage. For details about the process, see [How Patch Manager Operations Work](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works.html). If AWS Systems Manager Patch Manager does not satisfy your requirements, there are third-party products available as well. Some of these products are available in the [AWS Marketplace](https://aws.amazon.com/marketplace).

## Maintenance Window
<a name="net-win-maintenance-window"></a>

 [AWS Systems Manager Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-maintenance.html) lets you define a schedule for when to perform potentially disruptive actions on your instances, such as patching an operating system, updating drivers, installing software, or applying patches.

## Administrator Access
<a name="net-win-administrator-access"></a>

You can access the backend SAP systems for administration purposes using:
+  [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) 
+ Remote Desktop Protocol (RDP)
+ Secure Shell (SSH)

# High Availability
<a name="net-win-high-availability"></a>

After your HA cluster is deployed and configured successfully on AWS, the operation of the HA software still follows the third-party software interface. This can be best understood by following the operational guides from the respective vendors.

It’s also important to have a test environment available (often called a staging or pre-production environment) that has an identical cluster configuration to your production environment. This environment can be used to test any configuration changes to the cluster before deploying the changes to production.

Two key AWS features that support the cluster software are:
+ Amazon FSx for shared storage: See the storage section for maintenance considerations for Amazon FSx. For Multi-AZ deployments, DFS replication is required across multiple filesystems, so ensure that you monitor the replication.
+ Overlay IP for IP failover
  + Ensure that IAM authorizations are in place to minimize update access to the route table so that only the cluster agent can edit it.
  + Ensure that the route table configuration is coupled with your change management process so that any wider environment updates that might affect this feature are captured and can therefore be tested.
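
One way to check the IAM point above is to review each policy document for route-write actions that reach beyond the cluster's route table. The following is an added example, not part of the original guide: the policies, account ID, and route table ARN are constructed placeholders, and `Condition` blocks are not evaluated.

```python
import fnmatch

# EC2 actions that change routes, lower-cased because IAM action names are case-insensitive.
ROUTE_WRITE_ACTIONS = ("ec2:createroute", "ec2:deleteroute", "ec2:replaceroute")

# Constructed placeholders: the route table that holds the overlay IP route.
CLUSTER_RTB = "arn:aws:ec2:eu-west-1:111122223333:route-table/rtb-0123456789abcdef0"

BROAD_POLICY = {   # weak: the cluster role may rewrite any route table
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ClusterNetworking", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:ReplaceRoute"], "Resource": "*"},
    ],
}
SCOPED_POLICY = {  # corrected: route writes limited to the cluster's table
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": "ec2:DescribeRouteTables", "Resource": "*"},
        {"Sid": "MoveOverlayIp", "Effect": "Allow",
         "Action": "ec2:ReplaceRoute", "Resource": CLUSTER_RTB},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _granted_route_writes(stmt):
    """Route-write actions an Allow statement grants, honouring wildcards and NotAction."""
    key = "NotAction" if "NotAction" in stmt else "Action"
    patterns = [p.lower() for p in _as_list(stmt.get(key, []))]
    matched = {a for a in ROUTE_WRITE_ACTIONS
               if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
    return set(ROUTE_WRITE_ACTIONS) - matched if key == "NotAction" else matched


def _reaches_other_tables(resource, allowed):
    """True when a Resource entry can match a route table other than the allowed ones."""
    if resource in allowed:
        return False
    probes = [arn.rsplit("/", 1)[0] + "/rtb-not-the-cluster-table" for arn in allowed]
    probes.append("arn:aws:ec2:us-east-1:000000000000:route-table/rtb-probe")
    return "route-table/" in resource or any(
        fnmatch.fnmatchcase(probe, resource) for probe in probes)


def route_write_findings(policy, cluster_route_table_arns):
    """List statements that allow route changes outside the cluster's route tables."""
    allowed = set(cluster_route_table_arns)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _granted_route_writes(stmt)
        if not actions:
            continue
        # NotResource grants everything except the listed ARNs, so treat it as "*".
        resources = ["*"] if "NotResource" in stmt else _as_list(stmt.get("Resource", "*"))
        label = stmt.get("Sid", f"statement #{index}")
        for resource in resources:
            if _reaches_other_tables(resource, allowed):
                findings.append(
                    f"{label}: {', '.join(sorted(actions))} allowed on {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, route_write_findings(policy, [CLUSTER_RTB]))
```

The check covers one policy document at a time, so run it over every policy attached to roles and users in the account, not only the cluster agent's role.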

# Disaster Recovery
<a name="net-win-disaster-recovery-1"></a>

## Network Fileshare Copy Out-of-Region
<a name="net-win-network-fileshare-copy-out-of-region"></a>

To ensure that you have an independent backup of your data in the secondary Region, you should back up your shared filesystem, as this won’t be included in any AMIs or individual EBS snapshots.

To back up your Amazon FSx filesystem, you can rely on the included backup feature. However, this backs up to Amazon S3 in-region. To support out-of-region disaster recovery (DR), you will need to perform a file-level backup of your Amazon FSx filesystem in your secondary Region. You can do this by accessing the filesystem via cross-region VPC peering and then running a file-level copy from an Amazon EC2 instance running in the secondary Region to Amazon S3. This action can be automated and scheduled using AWS Systems Manager Run Command in combination with Amazon CloudWatch Events.

## Fail-back Plan
<a name="net-win-fail-back-plan"></a>

When your primary Region returns to normal operations, you may consider failing back to it. In the event of a disaster that triggered a recovery to another Region, you copy the AMIs and shared filesystems from the secondary Region back to the primary. In other words, you’ll reverse what was the regular process before the disaster. It’s important to update your change management or change control processes to reflect this.

## AMI Copy
<a name="net-win-ami-copy"></a>

When your primary AWS Region is affected by an availability event, AMIs allow you to quickly recover your SAP NetWeaver application servers in your DR Region. For recovery across Regions, ensure that the latest AMIs are copied to the disaster recovery Region using the [AMI copy](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html) feature. New AMIs should be created when there are filesystem level changes to the SAP NetWeaver application servers. This can be caused by:
+ SAP kernel changes
+ Database client software updates
+ Operating system patches

To ensure that you reliably create a new AMI when these events happen, add the AMI creation as a step in your change management process. If you use a mechanism like this, it's important that you integrate the out-of-region AMI copy with this process.

If having the lowest possible recovery time objective (RTO) is a priority, consider keeping at least one application server running in the secondary Region to minimize the recovery time.

## AWS Elastic Disaster Recovery
<a name="net-win-drs"></a>

 AWS Elastic Disaster Recovery (Elastic Disaster Recovery) minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery.

You can increase IT resilience when you use AWS Elastic Disaster Recovery to replicate on-premises or cloud-based applications running on supported operating systems. Use the AWS Management Console to configure replication and launch settings, monitor data replication, and launch instances for drills or recovery.

For more information, see the following resources.
+  [What is Elastic Disaster Recovery?](https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.html) 
+  [Disaster recovery for SAP workloads on AWS using AWS Elastic Disaster Recovery](https://docs.aws.amazon.com/sap/latest/general/dr-sap.html) 

# Compute
<a name="net-win-compute-2"></a>

EBS volumes are exposed as NVMe block devices on [Nitro-based instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances). When changing EC2 instance types from a previous generation to a Nitro generation, and if using a Windows Server 2008 R2, or later, Windows AMI, the AWS NVMe driver is already included as described in the [Amazon EBS and NVMe documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/nvme-ebs-volumes.html). If you are not using the latest Windows AMIs provided by Amazon, see [Installing or Upgrading AWS NVMe Drivers](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/aws-nvme-drivers.html#install-nvme-drivers).

Besides operating system maintenance, there is also maintenance that you can consider for the EC2 instances themselves. This maintenance can be driven by AWS Systems Manager Automation documents. Some examples are:
+ Use the AWS-StopEC2InstanceWithApproval document to request that one or more IAM users approve the instance stop action. After the approval is received, automation stops the instance.
+ Use the AWS-StopEC2Instance document to automatically stop instances based on a schedule by using Amazon CloudWatch Events or a Maintenance Window task. For example, you can configure an automation workflow to stop instances every Friday evening, and then restart them every Monday morning.
+ Use the AWS-UpdateCloudFormationStackWithApproval document to update resources that were deployed using an AWS CloudFormation template. The update applies a new template. You can configure the automation to request approval by one or more IAM users before the update begins.

We also provide an AWS Solution called [AWS Instance Scheduler](https://aws.amazon.com/solutions/instance-scheduler/) that enables you to easily configure custom start and stop schedules for your Amazon EC2 and Amazon Relational Database Service (Amazon RDS) instances.

# Cost Optimization
<a name="net-win-cost-optimization"></a>

We recommend that you make cost optimization an ongoing process. This is an extensive topic with many AWS services that help with budgeting, cost control, and proactive cost optimization recommendations.

For more details, see the [SAP on AWS Pricing and Optimization](https://docs.aws.amazon.com/sap/latest/general/sap-on-aws-pricing-guide.html) guide.

# Automation
<a name="net-win-automation"></a>

## Automation using Infrastructure as Code with AWS CloudFormation
<a name="net-win-automation-using-infrastructure-as-code-with-aws-cloudformation"></a>

We recommend following the infrastructure as code principle in automating and maintaining your workloads on AWS. [AWS CloudFormation](https://aws.amazon.com/cloudformation/) provides a common language to describe and provision all the infrastructure resources in your cloud environment in a repeatable and automated manner.

## Automation using Documents
<a name="net-win-automation-using-documents"></a>

 [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html) simplifies common maintenance and deployment tasks associated with Amazon EC2 instances and other AWS resources. Automation enables you to do the following:
+ Build Automation workflows to configure and manage instances and AWS resources.
+ Create custom workflows or use pre-defined workflows maintained by AWS.
+ Receive notifications about Automation tasks and workflows by using Amazon CloudWatch Events.
+ Monitor Automation progress and execution details by using the Amazon EC2 or the AWS Systems Manager console.

There are many AWS-provided documents specific to Windows already available.

# Support
<a name="net-win-support"></a>

To get help from SAP, SAP requires, at the minimum, a business support agreement with AWS. [AWS Business Support](https://aws.amazon.com/premiumsupport/business-support/) provides resources and technical support for customers running SAP workloads on AWS. If you have any AWS-related technical issues, you can open a case with either SAP or AWS, and it will be routed to the appropriate teams. AWS also offers [AWS Enterprise Support](https://aws.amazon.com/premiumsupport/enterprise-support/) for customers running mission critical production workloads on AWS.

# Additional Reading
<a name="net-win-additional-reading"></a>

## SAP on AWS Technical Documentation
<a name="net-win-sap-on-aws-technical-documentation"></a>
+  [SAP on AWS Technical Documentation](https://aws.amazon.com/sap/docs/) 
+  [SAP on AWS Whitepapers](https://aws.amazon.com/sap/whitepapers/) 
+  [SAP NetWeaver on AWS Quick Start](https://aws.amazon.com/quickstart/architecture/sap-netweaver-abap/) 

  This is for SAP NetWeaver deployments on Linux, but is a useful point of comparison if you are looking to automate a Windows-based deployment, or implement a standard Multi-AZ network layout.
+  [AWS for SAP Blog](https://aws.amazon.com/blogs/awsforsap/) 
+  [Making Application Failover Seamless by Failing Over Your Private Virtual IP Across Availability Zones](https://aws.amazon.com/blogs/apn/making-application-failover-seamless-by-failing-over-your-private-virtual-ip-across-availability-zones/) 

## SAP Documentation
<a name="net-win-sap-documentation"></a>
+  [SAPS Ratings of AWS Instance types supported for SAP Note 1656099](https://me.sap.com/notes/1656099) 
+  [1588667 - SAP on AWS: Overview of related SAP Notes and Web-Links](https://me.sap.com/notes/1588667) 
+  [1656250 - SAP on AWS: Support prerequisites](https://me.sap.com/notes/1656250) 
+  [2539944 - Windows Server / Microsoft SQL Server on AMI](https://me.sap.com/notes/2539944) 
+  [1409604 - Virtualization on Windows: Enhanced monitoring](https://me.sap.com/notes/1409604) 
+  [2198693 - Key Monitoring Metrics for SAP on Amazon Web Services](https://me.sap.com/notes/2198693) 

# Document Revisions
<a name="net-win-document-revisions"></a>


| Date | Change | 
| --- | --- | 
|  November 2022  |  Added SAP Note 3143497 to SAP NetWeaver on Windows OSS Notes list  | 
|  July 2019  |  Initial publication  | 