Safeguard your SAP environments with Workload Manager’s evaluation service
As businesses embrace the cloud for their SAP workloads, compliance with best practices is critical. This blog post dives into Google Cloud’s Workload Manager and shows how it can help safeguard your SAP systems by providing automated, rule-based analysis to proactively identify potential misconfigurations and deviations from best practices.
The role of best practices in maintaining SAP system integrity
Configuring and maintaining large-scale deployments in the cloud can be challenging, especially when infrastructure, operating system, and application settings are all involved. Complex configurations, evolving best practices, and the potential for human error that comes with manual effort can negatively impact your SAP systems and ultimately your business.
Historically, detecting and addressing misconfigurations has happened only in response to a situation, and has often involved time-consuming manual checks. Workload Manager provides an evaluation service for SAP that can dramatically improve how you manage your SAP systems on Google Cloud, allowing you to:
- Reduce preventable mistakes: Many issues and outages could have been avoided or mitigated by following best practices. Run scans to proactively identify potential issues before they might escalate into major problems.
- Safeguard go-lives: Ensure new deployments are validated and configured according to best practices to help increase go-live success rates and resolve issues that may be difficult to change later.
- Detect drift: Run scans on a recurring basis to identify any inconsistencies or misconfigurations over time.
- Reduce operational overhead: Automate the validation process to help save time otherwise spent performing tedious manual checks.
Workload Manager evaluation service: an overview
Workload Manager’s evaluation service is an intelligent rule-based validation service that can automatically assess your SAP systems against an extensive set of best practices from Google Cloud, SAP, and operating system vendors.
The SAP rule catalog is frequently updated as best practices evolve and new learnings are added. The included rules go beyond simple configuration checks, delving into critical aspects of your SAP environment in the following categories:
- SAP General: Rules that apply to all types of SAP workloads, such as VM configuration settings and requirements for support
- SAP High Availability: Checks that help optimize reliability and availability by analyzing cluster configurations, failover mechanisms, and system architectures
- SAP NetWeaver & HANA: Logic that automatically identifies the role of each resource and then validates it against role-specific requirements like certified machine sizes, disk types, and more
- SAP HANA Insights: Intelligent insights and optimizations for compression, maintenance activities, performance checks, memory allocations, and more
- SAP HANA Security Best Practices: Rules that help evaluate the security posture of HANA, including access control, encryption settings, known vulnerabilities, and more
After running a scan, an evaluation report provides a summary of the results, allowing you to drill deeper into each rule to identify which individual resources passed and failed. Each rule includes a description of the issue, its severity, and a recommendation including links to the relevant documentation to help with remediation. You can also choose to be alerted through notification channels such as email or Pub/Sub based on triggers such as when a new issue is identified.
Getting started with the Workload Manager evaluation service
Set up Google Cloud’s agent for SAP on each VM in scope
Google Cloud’s agent for SAP is a consolidated agent that provides a variety of functionality related to running SAP workloads on Google Cloud. The agent must be installed and running on all VMs that run SAP workloads on Google Cloud (SAP Note 2456406 – SAP on Google Cloud Platform: Support Prerequisites).
In addition, the agent contains optional functionality, including collecting information for Workload Manager to analyze. Refer to the following checklist to verify the agent is installed and configured correctly: Set up Google Cloud’s Agent for SAP.
The evaluation report also includes an automatic check to verify that each in-scope VM has the agent installed and configured correctly. If you are unsure if you have already completed the above, run an evaluation as described below and check the results for the rule called “Check that Google Cloud’s Agent for SAP is set up correctly on all instances in the evaluation scope.”
Prerequisites and initial enablement
Before beginning, ensure that you have completed the prerequisites to start using the evaluation service within Workload Manager:
- Enable the Workload Manager API
- IAM Roles: Define the appropriate IAM roles to manage access to the evaluation service
Please note that Workload Manager uses a Service Agent, which may need additional IAM permissions based on the projects and configurations selected during the subsequent evaluation creation. It may be helpful for an administrator to create the first evaluation and grant any missing permissions as they are prompted for them; this step is only required one time per project.
Create an evaluation in Workload Manager
Navigate to Workload Manager > Evaluation in the console, which is nested under Compute in the left navigation pane, or can be found in the search bar at the top. Click the New Evaluation button at the top to begin.
On the Evaluation details tab, provide a name and description for the evaluation and select “SAP” from the Workload type dropdown menu.
On the Evaluation Scope tab, you can select which project(s) you wish to evaluate and use filters to refine the scope further.
On the Evaluation rules tab, you can select which rules you wish to include in the evaluation. Only rules that are relevant for each resource in scope will be evaluated, so you may select them all if you are unsure which to choose. For example, resources that are identified as SAP HANA would not be evaluated against rules in the SAP NetWeaver category. Similarly, rules related to High Availability (HA) would not be evaluated for a non-HA system.
On the Scheduling tab, you can determine how frequently you wish to run this specific evaluation, or choose “Does not repeat” if you wish to run the evaluation on an ad-hoc basis. Even if you pick a recurring frequency, you can still run additional evaluations as needed; these will not interfere with the scheduled scans.
On the Notifications tab, you can choose to receive alerts based on various triggers, such as when a new issue is found. Alerts are delivered through Notification Channels like Email or Slack.
Finally, on the Review tab, you can revisit any selections made and click ‘Create’ to finish. The first evaluation you create in a project may take a few extra minutes to create. You will receive a notification once it has finished, which will take you back to the evaluation dashboard.
Run an evaluation and view your results
After creating a new evaluation, you can run it by selecting it from the evaluation dashboard and clicking ‘Run’, or by waiting for your next scheduled run if you set a recurring frequency.
Upon completion, Workload Manager generates a thorough report highlighting areas of compliance and deviations from best practices. You can then drill down into specific rules for detailed recommendations on the remediation, as well as identification of which resources passed and failed each check.
Best practices validation: Beyond the basics
For organizations running SAP on Google Cloud, Workload Manager and its new evaluation service offer a powerful way to identify misconfigurations and deviations from best practices. For troubleshooting tips and answers to common questions, refer to the official documentation or reach out to Google Cloud customer support.