Prerequisites for deploying an SAP S/4HANA application

This document describes the prerequisites for deploying an SAP S/4HANA application on Google Cloud using Workload Manager.

You must first meet the prerequisites for using the Guided Deployment Automation tool before deploying an SAP S/4HANA application.

Prerequisite Description
Google Cloud network resources Create or select a VPC network and subnetwork for your SAP deployment. You must also configure outbound internet access for your machines to download the required packages. For more information, see Network.
OS Login and SSH keys You must temporarily disable OS Login in your project metadata until the deployment is complete. For more information, see OS login and SSH keys.
Secrets for SAP workload To securely provide the passwords for your workload, you must use a secret created using Secret Manager. For more information, see Secrets for SAP workload.
IAM roles and permissions Users who deploy a SAP workload using the Guided Deployment Automation tool must have or be granted the required roles and permissions to configure the deployment. For more information, see IAM roles and permissions.
Service accounts Attach a service account to the deployment and make sure that the service account has all the roles required for deploying your workload. For more information, see Service accounts.
Quotas Make sure that you have sufficient resource quota in your project to deploy the SAP application. For more information, see Quotas.
Secrets for SAP workload To securely provide the passwords for your workload, you must use a secret created using Secret Manager. For more information, see Secrets for SAP workload.
SAP installation media Create a Cloud Storage bucket in the project in which you deploy the SAP application and upload all the SAP files required for deployment. For more information, see Prepare SAP installation files for deployment.

Network

This section describes the Google Cloud networking resources that you need to configure before deploying the SAP application.

VPC network and subnetwork

If your project has a default VPC network, don't use it for creating a deployment. Instead, we recommend that you create your own VPC network so that the only firewall rules in effect are those that you create explicitly for the network. Create a VPC network and subnet or contact your Google Cloud organization's networking team.

Configure external internet access

During the deployment process, the VMs in your project need outbound internet access to download packages and to register for licensing.

Google recommends that you create a Cloud NAT gateway to provide external internet access for your VMs without creating external IP addresses. You can create a Cloud NAT in each subnet and region in which your VMs are located. If you create a Cloud NAT gateway, we recommended that you allocate at least 256 Minimum ports per VM instance.

If you don't want to use a Cloud NAT gateway, during the deployment process you can specify external IP addresses to provide the required internet access for your VMs.

Firewall rules

During the deployment process, Workload Manager automatically creates the necessary firewall rules for the deployment.

Note that the existing deny rules in your project might take a higher priority and deny the necessary access.
Depending on your existing firewall rules in the project, create firewall rules to allow access for:

  • The default ports used by SAP, as documented in TCP/IP Ports of All SAP Products
  • Connections from your computer or your corporate network environment to your Compute Engine VM instances. If you are unsure of what IP address to use, contact your organization's network administrator.
  • Outgoing connectivity to Google Cloud services, using Google Private Access as appropriate.
  • Communication between machines in the same subnetwork:
    • SSH access between VMs in the same subnet to configure deployed systems and for access by a system administrator.
    • Access to HANA application ports for communication between the application servers and the HANA database.
    • Access to SAP message servers, replication enqueue, gateway services between SAP application servers and central services instances.

For more information, see Create VPC firewall rules.

OS Login and SSH keys

If OS login is enabled in your project metadata, you need to disable OS login temporarily until your deployment is complete. The deployment process configures SSH keys in the instance metadata. When OS Login is enabled, metadata-based SSH key configurations are disabled, and the deployment fails. After the deployment is complete, you can enable OS Login.

To disable OS Login, set the enable-oslogin metadata value to false. See how to set project-wide metadata.

Service accounts

Workload Manager uses the service account attached to your deployment to call other APIs and services for creating resources required for the deployment.

You can either attach an existing service account or create a service account when you configure the deployment. Depending on your application and configuration, Workload Manager prompts you to grant any of the missing roles to your service account.

For more information about the roles required for deploying SAP S/4HANA, see Security Considerations.

IAM roles and permissions for deploying SAP S/4HANA

The Workload Manager Deployment Admin role contains all the permissions required for configuring and deploying SAP S/4HANA on Google Cloud.

For more information about the required IAM roles and permissions to deploy a workload using the Guided Deployment Automation tool, see IAM roles and permissions.

For more information about IAM permissions for running SAP on Google Cloud, see Identity and Access Management for SAP Programs on Google Cloud.

Quotas

Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. SAP workloads often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.

To avoid quota issues, do the following:

  1. View available resource quota for your project.
  2. If needed, request a higher quota limit or contact your project administrator.

Secrets for SAP workload

The Guided Deployment Automation tool uses Secret Manager to store passwords needed during the deployment and installation process, such as the passwords for administrator and SYSTEM user accounts. Plain text passwords are prohibited in accordance with our Terraform best practices.

Before using the Guided Deployment Automation tool, you must create at least one Secret. If you want to use different secrets for the database and application layers, create separate secrets for each layer.

To ensure that the secrets meet the password requirements from SAP, follow the SAP guidance for creating passwords.

You must create secrets in the project in which you deploy the SAP workload.

What's next