This document lists the best practices that Workload Manager supports for evaluating SAP workloads running on Google Cloud. To learn about Workload Manager, see Product overview.
Best practices for SAP workloads
The following table shows the Workload Manager best practices for evaluating SAP workloads that run on Google Cloud.
Note that to enable Workload Manager for evaluating your SAP workloads, you must set up Google Cloud's Agent for SAP on the host VMs.
Category | Best practice name and description | Severity |
---|---|---|
SAP General |
Set up Google Cloud's Agent for SAP on VMs that run SAP applications
Google Cloud's Agent for SAP is required for SAP support on any VM that runs an SAP system. For more information, see Google Cloud's Agent for SAP planning guide. |
Medium |
SAP HANA |
SAP HANA: Use a certified OS
To receive support from SAP and Google Cloud for SAP HANA on a Compute Engine VM, you must use an Operating System version that is certified by SAP and Google Cloud for use with SAP HANA. For more information, see OS support for SAP HANA on Google Cloud. |
Critical |
SAP HANA |
SAP HANA: Use a certified custom VM types
To receive support from SAP and Google Cloud for SAP HANA on a Compute Engine custom VM, you must use a custom VM type that is certified by SAP and Google Cloud for use with SAP HANA. For more information, see Certified custom machine types for SAP HANA. |
Critical |
SAP HANA |
SAP HANA: Map the SAP HANA data and log volumes to the same type of SSD-based persistent disk
For performance reasons, the SAP HANA |
Critical |
SAP HANA |
SAP HANA: Use a certified VM type
To receive support from SAP and Google Cloud for SAP HANA on a Compute Engine VM, you must use a VM type that is certified by SAP and Google Cloud for use with SAP HANA. For more information, see Certified Compute Engine VMs for SAP HANA. |
Critical |
SAP NetWeaver |
SAP NetWeaver: Use a certified OS
To receive support from SAP and Google Cloud for SAP NetWeaver on a Compute Engine VM, you must use an operating system version that is certified by SAP and Google Cloud for use with SAP NetWeaver. For more information, see OS support for SAP NetWeaver on Google Cloud. |
Critical |
SAP HANA |
SAP HANA: SAP Minimum allowable sizes for SSD-based persistent disk options
For block storage, SAP HANA requires a minimum throughput of 400 MB per second. If you are using SSD or balanced persistent disks, use the minimum size for that persistent disk type to provide the necessary throughput. If you are using extreme persistent disks, provision a minimum of 20,000 IOPS. For more information, see Persistent disk storage in the SAP HANA planning guide. |
Critical |
SAP High Availability |
Corosync: Use the recommended value for the join parameter
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud, the Corosync |
High |
SAP High Availability |
Corosync: Use the recommended value for the max_messages parameter
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud, to avoid message flooding between cluster nodes during token processing, set the Corosync |
High |
SAP High Availability |
Corosync: Use the recommended value for the token_retransmits_before_loss_const parameter
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud, set the Corosync parameter |
Critical |
SAP High Availability |
Corosync: Use the recommended value for the token parameter for high-availability
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud, set the value of the Corosync |
Critical |
SAP High Availability |
Corosync: transport protocol is set correctly
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud, set the value of the Corosync transport protocol as appropriate for your Operating System. For Red Hat systems of version 8 and later, the parameter should be set to
|
Critical |
SAP High Availability |
Corosync: Use the recommended value for the consensus parameter for high availability
In a Linux Pacemaker high-availability cluster for SAP on Google Cloud,
the default value of the |
Medium |
SAP High Availability |
Pacemaker: Set pcmk_delay_max on the fencing device cluster resource
To avoid fence race conditions in Linux Pacemaker high-availability clusters for SAP, the |
Critical |
SAP High Availability |
Pacemaker: Use the recommended value for the timeout parameter
The definition of the SAP HANA resource in a Linux Pacemaker HA cluster contains a
timeout value for the
|
Critical |
SAP High Availability |
Pacemaker: High-availability cluster 'migration-threshold' set to recommended value for SAP HANA
To migrate the SAP HANA resource to a new cluster node in the event of a failure in a Linux Pacemaker high-availability cluster, the SAP HANA resource definition must specify the
|
High |
SAP High Availability |
Pacemaker: Update the resource location preference constraints
A Linux Pacemaker HA cluster contains a location preference constraint that has been set on one or more resources. For Linux Pacemaker HA clusters for SAP on Google Cloud, we recommend removing the location preference to avoid situations where the clustering software attempts to set resources with a specific node affinity, such as when a resource is manually moved between nodes in the cluster. For more information, see the guide for your OS:
|
Critical |
SAP High Availability |
Pacemaker: Deactivate maintenance mode
To allow a Linux Pacemaker high-availability cluster configuration to monitor and manage its application resources, the cluster nodes that host those resources must not be in the maintenance mode. For more information, see the guide for your OS:
|
Critical |
SAP High Availability |
Pacemaker: Use the recommended value for the topology monitor setting
A Linux Pacemaker HA cluster contains a SAP HANA topology resource that includes a monitor operation, which has an interval value and a timeout value. For Linux Pacemaker HA clusters for SAP on Google Cloud, we recommend a value between 10 and 60 seconds for the interval, and a value of 600 seconds for the timeout.
|
Critical |
SAP General |
Enable automatic restart for SAP workloads
To ensure that the VM restarts automatically in the event of a failure, enable the Compute Engine automatic restart policy for any VM that is running an SAP workload. For more information, see Set VM host maintenance policy. |
Critical |
SAP HANA |
SAP HANA: Enable SAP HANA Fast Restart
Compute Engine includes functionality based on Intel's Memory RAS that can significantly reduce the impact of all memory errors that would otherwise cause VM crashes. When combined with SAP HANA's fast restart capability (available since HANA 2.0 SP04), SAP HANA systems are able to recover from such failure events. This configuration is recommended on all Memory Optimized virtual machine families. For more information, see SAP HANA Fast Restart option. |
Critical |
SAP General |
Set VM maintenance policy to MIGRATE for SAP workloads
To prevent any platform maintenance events from stopping or restarting a VM that is running SAP workloads, the |
Critical |
SAP High Availability |
High Availability: Set the system replication hook for SAP HANA
In a SAP HANA high-availability configuration the system replication hook provided by the Operating System vendor has not been implemented. This may lead to incorrect reporting of the replication state of SAP HANA System Replication to Linux Pacemaker clusters. For more information, see the guide for your OS:
|
Critical |
SAP High Availability |
High Availability: Ensure multi-zonal setup for SAP HANA
To ensure resiliency of an SAP HANA high-availability configuration, the primary and secondary nodes must exist in different zones in the same region. For more information, see the SAP HANA planning guide. |
Medium |
SAP NetWeaver |
SAP NetWeaver: Use a certified custom VM type
To receive support from SAP and Google Cloud for SAP NetWeaver on a Compute Engine custom VM, you must use a custom VM type that is certified by SAP and Google Cloud for use with SAP NetWeaver. For more information, see Certified machines in the SAP NetWeaver planning guide. |
Critical |
SAP NetWeaver |
SAP NetWeaver: Use a certified VM type
To receive support from SAP and Google Cloud for SAP NetWeaver on a Compute Engine VM, you must use a VM type that is certified by SAP and Google Cloud for use with SAP NetWeaver. For more information, see Machine types in the SAP NetWeaver planning guide. |
Critical |
SAP Security |
SAP HANA Security: Enable encryption for data and log backups
Encryption protects backups from unauthorized access by encrypting the backup data before it is transferred to the backup location. This means that even if an unauthorized user gains access to the backup data, they cannot read it without the decryption key. This is applicable for both file-based backups and backups created using third-party backup tools. We recommend that you enable backup encryption in the SAP HANA system. For more information, see system backup encryption statement in the SAP HANA reference guide. |
Medium |
SAP Security |
SAP HANA Security: Users with DEVELOPMENT privileges in production environment
At least one user or role has the |
Medium |
SAP Security |
SAP HANA Security: Unchanged initial password
The |
Medium |
SAP Security |
SAP HANA Security: Users with SAP_INTERNAL_HANA_SUPPORT privileges in production environment
At least one user has the SAP_INTERNAL_HANA_SUPPORT role in SAP HANA security checklists
and recommendations.
|
Medium |
SAP Security |
SAP HANA Security: Prevention of password reuse
Password reuse is a common security vulnerability. The |
Medium |
SAP Security |
SAP HANA Security: Encryption status of the log volume
Encryption protects SAP HANA logs from unauthorized access. One way to do this is to encrypt the logs at the operating system level. SAP HANA also supports encryption in the persistence layer, which can provide additional security. Recommendation is to encrypt log volumes. For more information, see recommendations for data encryption in SAP HANA security checklists and recommendations. |
Medium |
SAP Security |
SAP HANA Security: Maximum invalid connection attempts
The |
Medium |
SAP Security |
SAP HANA Security: Maximum password lifetime
The |
Medium |
SAP Security |
SAP HANA Security: Maximum unused initial password lifetime
The initial password is only meant to serve a temporary purpose. The |
Medium |
SAP Security |
SAP HANA Security: Maximum unused productive password lifetime
The |
Medium |
SAP Security |
SAP HANA Security: Minimal Password Length
The |
Medium |
SAP Security |
SAP HANA Security: Minimum Password Lifetime
The |
Medium |
SAP Security |
SAP HANA Security: Password Expire Warning Time
Checks the number of days before a password is due to expire that the user receives notification. For more information, see password policy configuration options in the SAP HANA One security guide. |
Medium |
SAP Security |
SAP HANA Security: Password Layout
The |
Medium |
SAP Security |
SAP HANA Security: Password lock time
The |
Medium |
SAP Security |
SAP HANA Security: Encryption status of the persistent data volume
We recommend that you protect SAP HANA data from unauthorized access. One way to do this is to encrypt the data at the operating system level. SAP HANA also supports encryption in the persistence layer, which can provide additional security. We recommend that you encrypt data volumes. For more information, see recommendations for data encryption in SAP HANA security checklists and recommendations. |
Medium |
SAP Security |
SAP HANA Security: HANA versions affected by CVE-2019-0357
CVE-2019-0357 is a vulnerability that allows database users with administrator privileges to run operating system commands as root on particular SAP HANA versions. For more information, see SAP security note for CVE-2019-0357. |
Medium |
SAP Security |
SAP HANA Security: Users with debug privileges in production environment
At least one user has the |
Medium |
SAP Security |
SAP HANA Security: Restricted senders in system replication configuration
System replication is configured with |
Medium |
SAP HANA Insights |
SAP HANA Insights: Enable data and log compression
Data and log compression can be used for the initial full data shipping, the subsequential delta data shipping, as well as for the continuous log shipping. Data and log compression can be configured to reduce the amount of traffic between systems, especially over long distances (for example, when using the ASYNC replication mode). For more information, see Data and Log Compression in the SAP HANA System Replication guide. |
Medium |
SAP HANA Insights |
SAP HANA Insights: Set logshipping_async_buffer_size on the primary site
If system replication is disconnected during a full data shipment, then replication has to start from scratch. In order to reduce the risk of buffer full situations, the |
Medium |
SAP HANA Insights |
SAP HANA Insights: Use the recommended value for the datashipping_parallel_channels parameter
The SAP HANA parameter |
Medium |
SAP HANA Insights |
SAP HANA Insights: Use the recommended value for the logshipping_max_retention_size parameter
In context of logreplay operations modes the |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check the status of the HANA license
A permanent license key is required to operate on a HANA system. If a permanent license key expires, a (second) temporary license key is automatically generated and will be valid for 28 days. For more information, see License Keys for SAP HANA Database in the SAP Knowledge Base. |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check the status of logmode
If |
Medium |
SAP HANA Insights |
SAP HANA Insights: Regular backup catalog housekeeping is needed to improve backup performance
The backup catalog can grow quite large over time, especially if it is not regularly cleaned up. This can lead to performance problems and can make it difficult to find the backups that are needed. For more information, see SAP HANA multiple issue caused by large Log Backups due to large Backup Catalog size in the SAP Knowledge Base. |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check for appropriate configuration of the automatic_reorg_threshold parameter
The |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check for appropriate configuration of the log_disk_usage_reclaim_threshold parameter
If the log partition file system disk usage ('usedDiskSpace' in percent of 'totalDiskSpace') is above the specified threshold, the logger will automatically trigger an internal 'log release' (0 = disabled). As default, the logger will keep all free log segments cached for reuse, segments will only be removed if a reclaim is triggered explicitly via 'ALTER SYSTEM RECLAIM LOG' or if a 'DiskFull'/'LogFull' event is hit on logger level. This threshold parameter can be used to trigger the reclaim internally before a 'DiskFull'/'LogFull' situation occurs. For more information, see log_disk_usage_reclaim_threshold in the SAP HANA Configuration Parameter Reference . |
Medium |
SAP HANA Insights |
SAP HANA Insights: Verify the time of the last table consistency check
Regular consistency checks are required to detect hidden corruptions as early as possible. For more information, see SAP HANA Consistency Checks and Corruptions in the SAP Knowledge Base. |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check for appropriate configuration of garbage collection parameters
In databases with more than 235 GB allocation limit, the |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check for appropriate configuration of the max_cpuload_for_parallel_merge parameter
By default, multiple auto merges (up to |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check for appropriate configuration of the parallel_merge_threads parameter
If |
Medium |
SAP HANA Insights |
SAP HANA Insights: Verify default and worker stack size parameters
The thread stack parameter |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check to see that all hosts in a scale-out environment have a consistent OS version and Kernel version
In a scale-out SAP HANA environment, maintaining consistency in OS and kernel across all nodes within the system is crucial for optimal performance and stability. For more information, see SAP HANA: Supported Operating Systems in the SAP Knowledge Base. |
Medium |
SAP HANA Insights |
SAP HANA Insights: Check to see that all hosts in a scale-out environment have a consistent timezone
In a scale-out SAP HANA environment, maintaining consistency in timezones is crucial to maintain system stability. For more information, see Check HANA DB for DST switch in the SAP Knowledge Base. |
Medium |
SAP HANA Insights |
SAP HANA Performance: Check for appropriate configuration of the tables_preloaded_in_parallel parameter in X4 VMs
The |
Medium |
SAP HANA Insights |
SAP HANA Performance: Enable the load_table_numa_aware parameter
To improve the performance of NUMA-based SAP HANA systems, enable the |
Medium |
SAP General |
SAP General: Configure OS settings for X4 instances
To ensure that X4 instances are optimized to support SAP workloads, you must run the command-line utility provided by Google Cloud's Agent for SAP to verify that the OS configuration matches best practice recommendations. For more information, see Post-deployment tasks in the SAP HANA planning guide. |
Medium |
SAP HANA |
SAP HANA: Check for backups of the SAP HANA database
Creating backups regularly and implementing a proper backup strategy helps you recover your SAP HANA database in situations such as data corruption or data loss due to an unplanned outage or failure in your infrastructure. Google Cloud recommends following a backup strategy that includes creating at least one full system backup of your SAP HANA database weekly, and creating at least one delta backup or snapshot-based backup of the SAP HANA data volume daily. Daily full system backups can also be used as a substitute for delta or snapshot based backups. More frequent backups might be necessary to meet specific RPO requirements. For more information, see Backup and recovery in the SAP HANA operations guide, or Backup and recovery for SAP HANA on bare metal instances. |
Critical |
SAP HANA |
SAP HANA: Use the recommended configuration settings for Hyperdisk
To enable the best performance of the Hyperdisk volumes used with SAP HANA, you must set values recommended by Google Cloud for the following SAP HANA properties: |
Critical |