SAP Router, install as a Windows service on AWS

This is a quick entry. I’ve been helping a friend review a connectivity problem in their SAP installation on the AWS cloud: after every reboot the connectivity was lost.

These are the actions we took to solve it.

1. First, automate the saprouter execution when the EC2 instance is started or stopped. To do this, open a CMD terminal and execute this command:

sc create SAPRouter binPath= "C:\saprouter\saprouter.exe service -r -R C:\saprouter\saprouttab" start= auto obj= "NT AUTHORITY\LocalService"

As you can see, a new service called «SAPRouter» is added as a local service (it runs under the low-privilege NT AUTHORITY\LocalService account rather than LocalSystem) and it is managed by Windows. Note that sc.exe requires a space after each «option=» token; without it the command is rejected.

2. Modify the Windows firewall: go to Control Panel > System and Security > Windows Firewall > Advanced Settings, select Inbound Rules > Actions > New Rule, and add a new Port rule to allow TCP traffic on the specific ports 3299 and 3200. Then select Allow the connection under Action, select the profiles to apply it to, finally set the name «SAP Router» and click Finish.

3. Review the network configuration in AWS. The next image shows the architecture: there is a VPC with two subnets (one public and one private); the user connects from the Internet to the Bastion Host, and the Bastion Host redirects the traffic to the SAP server using the SAP Router:

To keep it simple, this is the checklist to complete the configuration:

  1. Verify the main route table on the VPC; it must have an entry to route traffic to the Internet (Internet Gateway) and an entry for the local traffic
  2. Open the Network ACL and ensure TCP ports 3200 and 3299 are allowed in both the Inbound and Outbound rules
  3. Verify the route table on each subnet: the Public Subnet has a Route Table A to route traffic to the Internet, and the Private Subnet has a Route Table B to route the Appserver traffic to the NAT Gateway
  4. For the Bastion host, add the Inbound and Outbound rules to its Security Group to receive the connections from the Internet to the SAP Router over the public IP (using an Elastic IP)
  5. For the Appserver, add the Inbound and Outbound rules to its Security Group to receive the connections from the Bastion host only, using either the Bastion's private IP or its Security Group as the source

4. An extra tip: to validate the connectivity from the Bastion host to the Appserver, a simple test can be executed in AWS. Go to VPC > Network Analysis > Reachability Analyzer > Create and analyze path, select the Bastion instance as the source type and the Appserver with port 3299 as the target; when the analysis finishes, the path is shown with all the network components in AWS.
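Steps 1 and 2 above as a single repeatable script, added here as an example and not part of the original post or of SAP's own tooling. It assumes saprouter.exe and saprouttab live in C:\saprouter as in the post, and that it is run from an elevated PowerShell prompt; the verification at the end is the check to rerun after a reboot.

```powershell
# Added example: install SAP Router as a least-privilege Windows service, add a port-scoped
# firewall rule and verify the result. Assumes C:\saprouter holds saprouter.exe and saprouttab.
$ErrorActionPreference = 'Stop'
$dir = 'C:\saprouter'
$bin = "`"$dir\saprouter.exe`" service -r -R `"$dir\saprouttab`""

# 1. Service account is NT AUTHORITY\LocalService (no password: New-Service needs an empty SecureString).
$localService = New-Object System.Management.Automation.PSCredential(
    'NT AUTHORITY\LocalService', (New-Object System.Security.SecureString))
if (-not (Get-Service -Name SAPRouter -ErrorAction SilentlyContinue)) {
    New-Service -Name SAPRouter -DisplayName 'SAP Router' -BinaryPathName $bin `
        -StartupType Automatic -Credential $localService | Out-Null
}
# sc create alone grants no file rights: LocalService must at least read the binary and the route table.
# (Assumption: if saprouter writes its trace/log files into this folder, write access is also needed.)
icacls $dir /grant 'NT AUTHORITY\LocalService:(OI)(CI)RX' | Out-Null
# Restart the router on crash so a reboot is not the only recovery path.
sc.exe failure SAPRouter reset= 86400 actions= restart/60000/restart/60000// | Out-Null

# 2. Firewall: only TCP 3299 (SAP Router) and 3200 (dispatcher) inbound, same as the manual rule.
if (-not (Get-NetFirewallRule -DisplayName 'SAP Router' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SAP Router' -Direction Inbound -Protocol TCP `
        -LocalPort 3299,3200 -Action Allow -Profile Domain,Private,Public | Out-Null
}

# 3. Verify: service started automatically, runs as LocalService, and 3299 is listening.
Start-Service -Name SAPRouter
$svc    = Get-Service -Name SAPRouter
$cfg    = Get-CimInstance Win32_Service -Filter "Name='SAPRouter'"
$listen = Get-NetTCPConnection -LocalPort 3299 -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    Status    = $svc.Status      # expected: Running
    StartMode = $cfg.StartMode   # expected: Auto
    RunsAs    = $cfg.StartName   # expected: NT AUTHORITY\LocalService
    Listening = [bool]$listen    # expected: True
}
```

If Status is Running but Listening is False, the service process started but the router itself did not, which usually points at the route table path or file permissions rather than the network.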

This is a simplified view of the network configuration for this entry, but I consider it enough for now.

See you next time, bye =)
