Tutorial: Back up SAP HANA databases in an Azure VM

This tutorial shows you how to back up SAP HANA databases running on Azure VMs to an Azure Backup Recovery Services vault. In this article you'll learn how to:

  • Create and configure a vault
  • Discover databases
  • Configure backups

Here are all the scenarios that we currently support.

Onboard to the public preview

Onboard to the public preview as follows:

  • In the portal, register your subscription ID to the Recovery Services service provider by following this article.

  • For PowerShell, run this cmdlet. It should complete as "Registered".

    Register-AzProviderFeature -FeatureName "HanaBackup" -ProviderNamespace Microsoft.RecoveryServices


Make sure you do the following before configuring backups:

  1. On the VM running the SAP HANA database, install and enable ODBC driver packages from the official SLES package/media using zypper, as follows:

    sudo zypper update
    sudo zypper install unixODBC

    If you are not updating the repositories, make sure the version of unixODBC is at least 2.3.4. To check the version of unixODBC, run odbcinst -j as root.

  2. Allow connectivity from the VM to the internet, so that it can reach Azure, as described in the procedure below.

  3. Run the pre-registration script as the root user on the virtual machine where HANA is installed. This script sets the right permissions.

Set up network connectivity

For all operations, the SAP HANA VM requires connectivity to Azure public IP addresses. VM operations (database discovery, configure backups, schedule backups, restore recovery points, and so on) fail without connectivity to Azure public IP addresses.

Establish connectivity by using one of the following options:

Allow the Azure datacenter IP ranges

This option allows the IP ranges in the downloaded file. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If your safe recipients list only includes region-specific IPs, you'll also need to update the safe recipients list with the Azure Active Directory (Azure AD) service tag to enable authentication.

Allow access using NSG tags

If you use NSGs to restrict connectivity, use the AzureBackup service tag to allow outbound access to Azure Backup. In addition, allow connectivity for authentication and data transfer by using rules for Azure AD and Azure Storage. This can be done from the Azure portal or via PowerShell.

To create a rule using the portal:

  1. In All Services, go to Network security groups and select the network security group.
  2. Select Outbound security rules under Settings.
  3. Select Add. Enter all the required details for creating a new rule as described in security rule settings. Ensure the option Destination is set to Service Tag and Destination service tag is set to AzureBackup.
  4. Click Add to save the newly created outbound security rule.

To create a rule using PowerShell:

  1. Add Azure account credentials and update the national clouds

  2. Select the NSG subscription
    Select-AzureRmSubscription "<Subscription Id>"

  3. Select the NSG
    $nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"

  4. Add allow outbound rule for Azure Backup service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"

  5. Add allow outbound rule for Storage service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Storage service"

  6. Add allow outbound rule for AzureActiveDirectory service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"

  7. Save the NSG
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

Allow access by using Azure Firewall tags

If you're using Azure Firewall, create an application rule by using the AzureBackup FQDN tag. This allows outbound access to Azure Backup.

Deploy an HTTP proxy server to route traffic

When you back up an SAP HANA database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extension is the only component that's configured for access to the public internet.

Connectivity options include the following advantages and disadvantages:

  • Allow IP ranges
    • Advantages: No additional costs.
    • Disadvantages: Complex to manage because the IP address ranges change over time. Provides access to the whole of Azure, not just Azure Storage.
  • Use NSG service tags
    • Advantages: Easier to manage as range changes are automatically merged. No additional costs.
    • Disadvantages: Can be used with NSGs only. Provides access to the entire service.
  • Use Azure Firewall FQDN tags
    • Advantages: Easier to manage as the required FQDNs are automatically managed.
    • Disadvantages: Can be used with Azure Firewall only.
  • Use an HTTP proxy
    • Advantages: Granular control in the proxy over the storage URLs is allowed. Single point of internet access to VMs. Not subject to Azure IP address changes.
    • Disadvantages: Additional costs to run a VM with the proxy software.

Setting up permissions

The pre-registration script performs the following actions:

  1. Creates AZUREWLBACKUPHANAUSER in the HANA system and adds these required roles and permissions:
    • DATABASE ADMIN: to create new DBs during restore.
    • CATALOG READ: to read the backup catalog.
    • SAP_INTERNAL_HANA_SUPPORT: to access a few private tables.
  2. Adds a key to Hdbuserstore for the HANA plug-in to handle all operations (database queries, restore operations, configuring and running backup).

To confirm the key creation, run the HDBSQL command on the HANA machine with SIDADM credentials:

    hdbuserstore list

The command output should display the {SID}{DBNAME} key, with the user shown as AZUREWLBACKUPHANAUSER.


Make sure you have a unique set of SSFS files under /usr/sap/{SID}/home/.hdb/. There should be only one folder in this path.
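
The prerequisite checks above (unixODBC at least 2.3.4, a single folder under /usr/sap/{SID}/home/.hdb/, and an hdbuserstore key owned by AZUREWLBACKUPHANAUSER) can be scripted as a pre-flight check. The following is an added example, not part of the original tutorial or of the Azure pre-registration script. It assumes that the first line of odbcinst -j output reads "unixODBC <version>", that hdbuserstore list prints "KEY <name>" followed by a "USER: <name>" line, and that the SID administrator account is named <sid>adm; the script name preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the prerequisites in this tutorial.
# The output layouts parsed here are assumptions stated in the lead-in.

MIN_ODBC="2.3.4"

# Extract the version from `odbcinst -j` output (first line: "unixODBC 2.3.6").
odbc_version() {
    printf '%s\n' "$1" | awk '$1 == "unixODBC" { print $2; exit }'
}

# Return 0 if dotted version $1 >= $2, comparing three numeric fields.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Count the sub-folders under the SSFS path; the tutorial expects exactly one.
ssfs_folder_count() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Return 0 if `hdbuserstore list` output has a key whose USER is the backup user.
has_backup_key() {
    printf '%s\n' "$1" | awk '
        $1 == "KEY" && NF == 2 { key = $2 }
        /^[ \t]*USER[ \t]*:/ && $NF == "AZUREWLBACKUPHANAUSER" && key != "" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Live run as root only when a SID is given, e.g.: sh preflight.sh HXE
if [ -n "${1:-}" ]; then
    sidadm="$(printf '%s' "$1" | tr 'A-Z' 'a-z')adm"
    ver=$(odbc_version "$(odbcinst -j)")
    version_ge "$ver" "$MIN_ODBC" || echo "FAIL: unixODBC $ver is older than $MIN_ODBC"
    n=$(ssfs_folder_count "/usr/sap/$1/home/.hdb")
    [ "$n" -eq 1 ] || echo "FAIL: $n folders under /usr/sap/$1/home/.hdb, expected 1"
    has_backup_key "$(su - "$sidadm" -c 'hdbuserstore list')" || echo "FAIL: no hdbuserstore key for AZUREWLBACKUPHANAUSER"
fi
```

The script prints nothing when all three checks pass, so any FAIL line points at the prerequisite to fix before starting discovery.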

Create a Recovery Services vault

A Recovery Services vault is an entity that stores the backups and recovery points created over time. The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.

To create a Recovery Services vault:

  1. Sign in to your subscription in the Azure portal.

  2. On the left menu, select All services.

  3. In the All services dialog box, enter Recovery Services. The list of resources filters according to your input. In the list of resources, select Recovery Services vaults.

  4. On the Recovery Services vaults dashboard, select Add.

    The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location:

    • Name: The name is used to identify the Recovery Services vault and must be unique to the Azure subscription. Specify a name that has at least two, but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens. For this tutorial, we've used the name SAPHanaVault.
    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription. Here, we have used the SAP HANA solution lab subscription.
    • Resource group: Use an existing resource group or create a new one. Here, we have used SAPHANADemo.
      To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list box. To create a new resource group, select Create new and enter the name. For complete information about resource groups, see Azure Resource Manager overview.
    • Location: Select the geographic region for the vault. The vault must be in the same region as the virtual machine running SAP HANA. We have used East US 2.

  5. Select Review + Create.

The Recovery Services vault is now created.

Discover the databases

  1. In the vault, in Getting Started, click Backup. In Where is your workload running?, select SAP HANA in Azure VM.

  2. Click Start Discovery. This initiates discovery of unprotected Linux VMs in the vault region. You will see the Azure VM that you want to protect.

  3. In Select Virtual Machines, click the link to download the script that provides permissions for the Azure Backup service to access the SAP HANA VMs for database discovery.

  4. Run the script on the VM hosting SAP HANA database(s) that you want to back up.

  5. After running the script on the VM, in Select Virtual Machines, select the VM. Then click Discover DBs.

  6. Azure Backup discovers all SAP HANA databases on the VM. During discovery, Azure Backup registers the VM with the vault, and installs an extension on the VM. No agent is installed on the database.


Configure backup

Now that the databases we want to back up are discovered, let's enable backup.

  1. Click Configure Backup.

  2. In Select items to back up, select one or more databases that you want to protect, and then click OK.

  3. In Backup Policy > Choose backup policy, create a new backup policy for the database(s), in accordance with the instructions in the next section.

  4. After creating the policy, on the Backup menu, click Enable backup.

  5. Track the backup configuration progress in the Notifications area of the portal.

Creating a backup policy

A backup policy defines when backups are taken, and how long they're retained.

  • A policy is created at the vault level.
  • Multiple vaults can use the same backup policy, but you must apply the backup policy to each vault.

Specify the policy settings as follows:

  1. In Policy name, enter a name for the new policy. In this case, enter SAPHANA.

  2. In Full Backup policy, select a Backup Frequency. You can choose Daily or Weekly. For this tutorial, we chose the Daily backup.

  3. In Retention Range, configure retention settings for the full backup.

    • By default, all options are selected. Clear any retention range limits you don't want to use and set those that you do.
    • The minimum retention period for any type of backup (full/differential/log) is seven days.
    • Recovery points are tagged for retention based on their retention range. For example, if you select a daily full backup, only one full backup is triggered each day.
    • The backup for a specific day is tagged and retained based on the weekly retention range and setting.
    • The monthly and yearly retention ranges behave in a similar way.

  4. In the Full Backup policy menu, click OK to accept the settings.

  5. Then select Differential Backup to add a differential policy.

  6. In Differential Backup policy, select Enable to open the frequency and retention controls. We have enabled a differential backup every Sunday at 2:00 AM, which is retained for 30 days.

    Incremental backups aren't currently supported.

  7. Click OK to save the policy and return to the main Backup policy menu.

  8. Select Log Backup to add a transactional log backup policy:

    • Log Backup is by default set to Enable. This cannot be disabled as SAP HANA manages all log backups.
    • We have set 2 hours as the Backup schedule and 15 days of retention period.

    Log backups only begin to flow after one successful full backup is completed.

  9. Click OK to save the policy and return to the main Backup policy menu.

  10. After you finish defining the backup policy, click OK.

You have now successfully configured backup(s) for your SAP HANA database(s).
