备份 Azure VM 中的 SAP HANA 数据库Back up SAP HANA databases in Azure VMs

SAP HANA 数据库是关键工作负荷,要求较低的恢复点目标 (RPO) 和长期保留。SAP HANA databases are critical workloads that require a low recovery-point objective (RPO) and long-term retention. 可以使用 Azure 备份来备份在 Azure 虚拟机 (VM) 上运行的 SAP HANA 数据库。You can back up SAP HANA databases running on Azure virtual machines (VMs) by using Azure Backup.

本文展示了如何将在 Azure VM 上运行的 SAP HANA 数据库备份到 Azure 备份恢复服务保管库。This article shows how to back up SAP HANA databases that are running on Azure VMs to an Azure Backup Recovery Services vault.

本文将指导如何进行以下操作:In this article, you'll learn how to:

  • 创建并配置保管库Create and configure a vault
  • 发现数据库Discover databases
  • 配置备份Configure backups
  • 运行按需备份作业Run an on-demand backup job


自 2020 年 8 月 1 日起,适用于 RHEL 的 SAP HANA 备份(7.4、7.6、7.7 和 8.1)已正式发布。As of August 1st, 2020, SAP HANA backup for RHEL (7.4, 7.6, 7.7 & 8.1) is generally available.


针对 Azure VM 中 SQL 服务器的软删除以及针对 Azure VM 工作负荷中 SAP HANA 的软删除现已推出预览版。Soft delete for SQL server in Azure VM and soft delete for SAP HANA in Azure VM workloads is now available in preview.


若要为备份注册数据库,请参阅先决条件预注册脚本的功能部分。Refer to the prerequisites and the What the pre-registration script does sections to set up the database for backup.

建立网络连接Establish network connectivity

对于所有操作,在 Azure VM 上运行的 SAP HANA 数据库需要连接到 Azure 备份服务、Azure 存储和 Azure Active Directory。For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage, and Azure Active Directory. 这可以通过使用专用终结点,或允许访问所需的公共 IP 地址或 FQDN 来实现。This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. 如果不允许正确连接到所需的 Azure 服务,则可能会导致诸如数据库发现、配置备份、执行备份和还原数据等操作失败。Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data.

下表列出了可用于建立连接的各种备选方案:The following table lists the various alternatives you can use for establishing connectivity:

选项Option 优点Advantages 缺点Disadvantages
专用终结点Private endpoints 允许通过虚拟网络中的专用 IP 进行备份Allow backups over private IPs inside the virtual network

提供网络和保管库端的精细控制Provide granular control on the network and vault side
产生标准专用终结点成本Incurs standard private endpoint costs
NSG 服务标记NSG service tags 由于范围更改会自动合并,因此管理变得更容易Easier to manage as range changes are automatically merged

无额外成本No additional costs
只可用于 NSGCan be used with NSGs only

提供对整个服务的访问Provides access to the entire service
Azure 防火墙 FQDN 标记Azure Firewall FQDN tags 自动管理必需的 FQDN,因此更易于管理Easier to manage since the required FQDNs are automatically managed 只可用于 Azure 防火墙Can be used with Azure Firewall only
允许访问服务 FQDN/IPAllow access to service FQDNs/IPs 无额外成本No additional costs

适用于所有网络安全设备和防火墙Works with all network security appliances and firewalls
可能需要访问一组广泛的 IP 或 FQDNA broad set of IPs or FQDNs may be required to be accessed
使用 HTTP 代理Use an HTTP proxy 对 VM 进行单点 Internet 访问Single point of internet access to VMs 通过代理软件运行 VM 带来的额外成本Additional costs to run a VM with the proxy software

关于使用这些选项的更多细节如下:More details around using these options are shared below:

专用终结点Private endpoints

使用专用终结点,可以从虚拟网络内的服务器安全地连接到恢复服务保管库。Private endpoints allow you to connect securely from servers inside a virtual network to your Recovery Services vault. 专用终结点为保管库使用 VNET 地址空间中的 IP。The private endpoint uses an IP from the VNET address space for your vault. 虚拟网络中的资源与保管库之间的网络流量将通过虚拟网络和 Microsoft 主干网络上的专用链接传输。The network traffic between your resources inside the virtual network and the vault travels over your virtual network and a private link on the Microsoft backbone network. 这样就不会从公共 Internet 泄露信息。This eliminates exposure from the public internet. 此处详细了解 Azure 备份的专用终结点。Read more on private endpoints for Azure Backup here.

NSG 标记NSG tags

如果使用网络安全组 (NSG),请使用 AzureBackup 服务标记以允许对 Azure 备份进行出站访问。If you use Network Security Groups (NSG), use the AzureBackup service tag to allow outbound access to Azure Backup. 除了 Azure 备份标记外,还需要通过为 Azure AD (AzureActiveDirectory) 和 Azure 存储(存储)创建类似的 NSG 规则,以便在连接后进行身份验证和数据传输。In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar NSG rules for Azure AD (AzureActiveDirectory) and Azure Storage(Storage). 以下步骤介绍了为 Azure 备份标记创建规则的过程:The following steps describe the process to create a rule for the Azure Backup tag:

  1. 在“所有服务”中,转到“网络安全组”并选择网络安全组。 In All Services, go to Network security groups and select the network security group.

  2. 在“设置”下选择“出站安全规则”。 Select Outbound security rules under Settings.

  3. 选择“添加” 。Select Add. 根据安全规则设置中所述,输入创建新规则所需的所有详细信息。Enter all the required details for creating a new rule as described in security rule settings. 请确保将选项“目标”设置为“服务标记”,将“目标服务标记”设置为“AzureBackup”。Ensure the option Destination is set to Service Tag and Destination service tag is set to AzureBackup.

  4. 选择“添加”,保存新创建的出站安全规则。Select Add to save the newly created outbound security rule.

同样,可以为 Azure 存储和 Azure AD 创建 NSG 出站安全规则。You can similarly create NSG outbound security rules for Azure Storage and Azure AD. 有关服务标记的详细信息,请参阅此文For more information on service tags, see this article.

Azure 防火墙标记Azure Firewall tags

如果使用 Azure 防火墙,请使用 AzureBackup Azure 防火墙 FQDN 标记创建应用程序规则。If you're using Azure Firewall, create an application rule by using the AzureBackup Azure Firewall FQDN tag. 这允许对 Azure 备份进行所有出站访问。This allows all outbound access to Azure Backup.

允许访问服务 IP 范围Allow access to service IP ranges

如果选择允许访问服务 IP,请参阅此处的 JSON 文件中的 IP 范围。If you choose to allow access service IPs, refer to the IP ranges in the JSON file available here. 你需要允许访问与 Azure 备份、Azure 存储和 Azure Active Directory 对应的 IP。You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Azure Active Directory.

允许访问服务 FQDNAllow access to service FQDNs

还可以使用以下 FQDN 以允许从服务器访问所需的服务:You can also use the following FQDNs to allow access to the required services from your servers:

服务Service 要访问的域名Domain names to be accessed
Azure 备份Azure Backup *.backup.azure.cn
Azure 存储Azure Storage *.blob.core.chinacloudapi.cn

Azure ADAzure AD 根据这篇文章,允许访问第 56 和 59 节下的 FQDNAllow access to FQDNs under sections 56 and 59 according to this article

使用 HTTP 代理服务器路由流量Use an HTTP proxy server to route traffic

备份在 Azure VM 上运行的 SAP HANA 数据库时,该 VM 上的备份扩展将使用 HTTPS API 将管理命令发送到 Azure 备份,并将数据发送到 Azure 存储。When you back up an SAP HANA database running on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. 备份扩展还使用 Azure AD 进行身份验证。The backup extension also uses Azure AD for authentication. 通过 HTTP 代理路由这三个服务的备份扩展流量。Route the backup extension traffic for these three services through the HTTP proxy. 使用上面提到的 IP 和 FQDN 列表,以允许访问所需的服务。Use the list of IPs and FQDNs mentioned above for allowing access to the required services. 不支持已经过身份验证的代理服务器。Authenticated proxy servers aren't supported.

创建恢复服务保管库Create a Recovery Services vault

恢复服务保管库是用于存储在不同时间创建的备份和恢复点的实体。A Recovery Services vault is an entity that stores the backups and recovery points created over time. 恢复服务保管库还包含与受保护虚拟机关联的备份策略。The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.

若要创建恢复服务保管库,请执行以下操作:To create a Recovery Services vault:

  1. Azure 门户中登录到自己的订阅。Sign in to your subscription in the Azure portal.

  2. 在左侧菜单中,选择“所有服务”。On the left menu, select All services.


  3. 在“所有服务”对话框中,输入“恢复服务”。In the All services dialog box, enter Recovery Services. 资源列表根据输入进行筛选。The list of resources filters according to your input. 在资源列表中,选择“恢复服务保管库”。In the list of resources, select Recovery Services vaults.


    此时会显示订阅中的恢复服务保管库列表。The list of Recovery Services vaults in the subscription appears.

  4. 在“恢复服务保管库”仪表板上,选择“添加”。On the Recovery Services vaults dashboard, select Add.


    此时会打开“恢复服务保管库”对话框。The Recovery Services vault dialog box opens. 提供“名称”、“订阅”、“资源组”和“位置”的值。Provide values for the Name, Subscription, Resource group, and Location.


    • 名称:输入一个友好名称以标识此保管库。Name: Enter a friendly name to identify the vault. 名称对于 Azure 订阅必须是唯一的。The name must be unique to the Azure subscription. 指定的名称应至少包含 2 个字符,最多不超过 50 个字符。Specify a name that has at least two, but not more than 50 characters. 名称必须以字母开头且只能包含字母、数字和连字符。The name must start with a letter and consist only of letters, numbers, and hyphens.

    • 订阅:选择要使用的订阅。Subscription: Choose the subscription to use. 如果你仅是一个订阅的成员,则会看到该名称。If you're a member of only one subscription, you'll see that name. 如果不确定要使用哪个订阅,请使用默认的(建议的)订阅。If you're not sure which subscription to use, use the default (suggested) subscription. 仅当工作或学校帐户与多个 Azure 订阅关联时,才会显示多个选项。There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • 资源组:使用现有资源组或创建新组。Resource group: Use an existing resource group or create a new one. 要查看订阅中可用的资源组列表,请选择“使用现有资源”,然后从下拉列表框中选择一个资源。To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list box. 若要创建新资源组,请选择“新建”,然后输入名称。To create a new resource group, select Create new and enter the name. 有关资源组的完整信息,请参阅 Azure 资源管理器概述For complete information about resource groups, see Azure Resource Manager overview.

    • 位置:选择保管库的地理区域。Location: Select the geographic region for the vault. 要创建保管库以保护虚拟机,保管库必须与虚拟机位于同一区域中。To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.


      如果不确定 VM 的位置,请关闭对话框。If you're not sure of the location of your VM, close the dialog box. 转到门户中的虚拟机列表。Go to the list of virtual machines in the portal. 如果虚拟机位于多个区域,请在每个区域中创建一个恢复服务保管库。If you have virtual machines in several regions, create a Recovery Services vault in each region. 先在第一个位置创建保管库,然后再为其他位置创建保管库。Create the vault in the first location, before you create the vault for another location. 无需指定存储帐户即可存储备份数据。There's no need to specify storage accounts to store the backup data. 恢复服务保管库和 Azure 备份服务会自动处理这种情况。The Recovery Services vault and the Azure Backup service handle that automatically.

  5. 准备好创建恢复服务保管库后,选择“创建”。When you're ready to create the Recovery Services vault, select Create.


    创建恢复服务保管库可能需要一段时间。It can take a while to create the Recovery Services vault. 可在门户右上角“通知”区域监视状态通知。Monitor the status notifications in the Notifications area at the upper-right corner of the portal. 创建保管库后,它会显示在“恢复服务保管库”的列表中。After your vault is created, it's visible in the list of Recovery Services vaults. 如果未看到创建的保管库,请选择“刷新”。If you don't see your vault, select Refresh.


发现数据库Discover the databases

  1. 在保管库的“开始使用”中,选择“备份” 。In the vault, in Getting Started, select Backup. 在“工作负荷在哪里运行?”中,选择“Azure VM 中的 SAP HANA” 。In Where is your workload running?, select SAP HANA in Azure VM.

  2. 选择“开始发现”。Select Start Discovery. 这会开始在保管库区域中发现未受保护的 Linux VM。This initiates discovery of unprotected Linux VMs in the vault region.

    • 在发现后,未受保护的 VM 将显示在门户中,按名称和资源组列出。After discovery, unprotected VMs appear in the portal, listed by name and resource group.
    • 如果某个 VM 未按预期列出,请检查它是否已在保管库中备份。If a VM isn't listed as expected, check whether it's already backed up in a vault.
    • 可能有多个 VM 同名,但属于不同的资源组。Multiple VMs can have the same name but they belong to different resource groups.
  3. 在“选择虚拟机”中,选择脚本下载链接。此脚本可为 Azure 备份服务提供访问 SAP HANA VM 的权限,以进行数据库发现。In Select Virtual Machines, select the link to download the script that provides permissions for the Azure Backup service to access the SAP HANA VMs for database discovery.

  4. 在托管要备份的 SAP HANA 数据库的每个 VM 上运行此脚本。Run the script on each VM hosting SAP HANA databases that you want to back up.

  5. 在 VM 上运行此脚本后,在“选择虚拟机”中选择 VM。After running the script on the VMs, in Select Virtual Machines, select the VMs. 然后选择“发现 DB”。Then select Discover DBs.

  6. Azure 备份可发现该 VM 上的所有 SAP HANA 数据库。Azure Backup discovers all SAP HANA databases on the VM. 在发现期间,Azure Backup 将 VM 注册到保管库,并在该 VM 上安装扩展。During discovery, Azure Backup registers the VM with the vault, and installs an extension on the VM. 不会在数据库中安装任何代理。No agent is installed on the database.

    发现 SAP HANA 数据库

配置备份Configure backup

现在启用备份。Now enable backup.

  1. 在步骤 2 中,选择“配置备份”。In Step 2, select Configure Backup.


  2. 在“选择要备份的项”中,选择要保护的所有数据库,然后选择“确定”。In Select items to back up, select all the databases you want to protect > OK.


  3. 在“备份策略” > “选择备份策略”中,按照下面的说明,为数据库创建一个新的备份策略。 In Backup Policy > Choose backup policy, create a new backup policy for the databases, in accordance with the instructions below.


  4. 创建策略后,在“备份菜单”中选择“启用备份” 。After creating the policy, on the Backup menu, select Enable backup.


  5. 在门户的“通知”区域跟踪备份配置进度。Track the backup configuration progress in the Notifications area of the portal.

创建备份策略Create a backup policy

备份策略定义备份创建时间以及这些备份的保留时间。A backup policy defines when backups are taken, and how long they're retained.

  • 策略是在保管库级别创建的。A policy is created at the vault level.
  • 多个保管库可以使用相同的备份策略,但必须向每个保管库应用该备份策略。Multiple vaults can use the same backup policy, but you must apply the backup policy to each vault.


备份在 Azure VM 中运行的 SAP HANA 数据库时,Azure 备份不会针对夏令时更改自动进行调整。Azure Backup doesn’t automatically adjust for daylight saving time changes when backing up a SAP HANA database running in an Azure VM.

请根据需要手动修改策略。Modify the policy manually as needed.

按以下方式指定策略设置:Specify the policy settings as follows:

  1. 在“策略名称”处输入新策略的名称。In Policy name, enter a name for the new policy.


  2. 在“完整备份策略”中选择“备份频率”,然后选择“每日”或“每周”。 In Full Backup policy, select a Backup Frequency, choose Daily or Weekly.

    • 每日:选择开始备份作业的小时和时区。Daily: Select the hour and time zone in which the backup job begins.
      • 你必须运行完整备份。You must run a full backup. 无法关闭此选项。You can't turn off this option.
      • 选择“完整备份”以查看策略。Select Full Backup to view the policy.
      • 对于每日完整备份,无法创建差异备份。You can't create differential backups for daily full backups.
    • 每周:选择运行备份作业的星期、小时和时区。Weekly: Select the day of the week, hour, and time zone in which the backup job runs.


  3. 在“保持期”中,对完整备份配置保留设置。In Retention Range, configure retention settings for the full backup.

    • 默认情况下将选择所有选项。By default all options are selected. 清除你不想使用的所有保持期限制,并设置要使用的选项。Clear any retention range limits you don't want to use, and set those that you do.
    • 任何备份类型(完整/差异/日志)的最短保持期均为七天。The minimum retention period for any type of backup (full/differential/log) is seven days.
    • 恢复点已根据其保留范围标记为保留。Recovery points are tagged for retention based on their retention range. 例如,如果选择每日完整备份,则每天只触发一次完整备份。For example, if you select a daily full backup, only one full backup is triggered each day.
    • 根据每周保持期和设置,将会标记并保留特定日期的备份。The backup for a specific day is tagged and retained based on the weekly retention range and setting.
    • 每月和每年保留范围的行为类似。The monthly and yearly retention ranges behave in a similar way.
  4. 在“完整备份策略”菜单中,选择“确定”接受设置。 In the Full Backup policy menu, select OK to accept the settings.

  5. 选择“差异备份”,以添加差异策略。Select Differential Backup to add a differential policy.

  6. 在“差异备份策略”中,选择“启用”打开频率和保留控件。 In Differential Backup policy, select Enable to open the frequency and retention controls.

    • 每天最多可以触发一次差异备份。At most, you can trigger one differential backup per day.
    • 差异备份最多可以保留 180 天。Differential backups can be retained for a maximum of 180 days. 如果需要保留更长时间,必须使用完整备份。If you need longer retention, you must use full backups.



    目前不支持增量备份。Incremental backups aren't currently supported.

  7. 选择“确定”保存策略,并返回“备份策略”主菜单。 Select OK to save the policy and return to the main Backup policy menu.

  8. 请选择“日志备份”,以添加事务日志备份策略。Select Log Backup to add a transactional log backup policy,

    • 在“日志备份”中,选择“启用”。 In Log Backup, select Enable. 由于 SAP HANA 管理所有日志备份,此类备份无法被禁用。This can't be disabled, since SAP HANA manages all log backups.
    • 设置频率和保留期控制。Set the frequency and retention controls.


    日志备份仅在成功完成一次完整备份之后进行。Log backups only begin to flow after a successful full backup is completed.

  9. 选择“确定”保存策略,并返回“备份策略”主菜单。 Select OK to save the policy and return to the main Backup policy menu.

  10. 完成定义备份策略后,选择“确定”。After you finish defining the backup policy, select OK.


每个日志备份都链接到上一个完整备份,以形成恢复链。Each log backup is chained to the previous full backup to form a recovery chain. 此完整备份将一直保留到最后一个日志备份的保留期结束为止。This full backup will be retained until the retention of the last log backup has expired. 这可能意味着完整备份会保留一段额外的时间,以确保所有日志都可以恢复。This might mean that the full backup is retained for an extra period to make sure all the logs can be recovered. 假设用户有每周完整备份、每日差异备份和 2 小时日志备份。Let's assume a user has a weekly full backup, daily differential and 2 hour logs. 所有这些备份都将保留 30 天。All of them are retained for 30 days. 但是,只有在下一个完整备份可用后(即 30 + 7 天后),才能真正清除/删除这个每周完整备份。But, the weekly full can be really cleaned up/deleted only after the next full backup is available, that is, after 30 + 7 days. 例如,每周完整备份在 11 月 16 日执行。For example, a weekly full backup happens on Nov 16th. 根据保留策略,它应保留到 12 月 16 日。According to the retention policy, it should be retained until Dec 16th. 该完整备份的最后一次日志备份发生在下一次计划的完整备份之前,即 11 月 22 日。The last log backup for this full happens before the next scheduled full, on Nov 22nd. 必须等到 12 月 22 日此日志备份可用后,才能删除 11 月 16 日的完整备份。Until this log is available until Dec 22nd, the Nov 16th full can't be deleted. 因此,11 月 16 日的完整备份将保留到 12 月 22 日。So, the Nov 16th full is retained until Dec 22nd.

运行按需备份Run an on-demand backup

备份根据策略计划运行。Backups run in accordance with the policy schedule. 可以按需运行备份,如下所示:You can run a backup on-demand as follows:

  1. 在保管库菜单中,选择“备份项”。In the vault menu, select Backup items.
  2. 在“备份项”中,选择运行 SAP HANA 数据库的 VM,然后选择“立即备份”。In Backup Items, select the VM running the SAP HANA database, and then select Backup now.
  3. 在“立即备份”中,选择要执行的备份的类型。In Backup Now, choose the type of backup you want to perform. 然后选择“确定”。 Then select OK. 此备份将根据与此备份项关联的策略进行保留。This backup will be retained according to the policy associated with this backup item.
  4. 监视门户通知。Monitor the portal notifications. 可以在保管库仪表板 >“备份作业” > “进行中”监视作业进度。 You can monitor the job progress in the vault dashboard > Backup Jobs > In progress. 创建初始备份可能需要一些时间,具体取决于你的数据库的大小。Depending on the size of your database, creating the initial backup may take a while.

默认情况下,按需备份的保留期为 45 天。By default, the retention of on-demand backups is 45 days.

在启用了 Azure 备份的数据库上运行 SAP HANA Studio 备份Run SAP HANA Studio backup on a database with Azure Backup enabled

如果要使用 Azure 备份创建正在备份的数据库的本地备份(使用 HANA Studio),请执行以下操作:If you want to take a local backup (using HANA Studio) of a database that's being backed up with Azure Backup, do the following:

  1. 等待数据库的所有完整备份或日志备份完成。Wait for any full or log backups for the database to finish. 在 SAP HANA Studio / Cockpit 中检查状态。Check the status in SAP HANA Studio / Cockpit.
  2. 禁用日志备份,并将备份目录设置为相关数据库的文件系统。Disable log backups, and set the backup catalog to the file system for relevant database.
  3. 为此,请双击“systemdb” > “配置” > “选择数据库” > “筛选器(日志)”。 To do this, double-click systemdb > Configuration > Select Database > Filter (Log).
  4. enable_auto_log_backup 设置为 NoSet enable_auto_log_backup to No.
  5. log_backup_using_backint 设置为 FalseSet log_backup_using_backint to False.
  6. 将“catalog_backup_using_backint”设置为“False” 。Set catalog_backup_using_backint to False.
  7. 创建数据库的完整备份。Take an on-demand full backup of the database.
  8. 等待完整备份和目录备份完成。Wait for the full backup and catalog backup to finish.
  9. 将前面的设置恢复为 Azure 的设置:Revert the previous settings back to those for Azure:
    • enable_auto_log_backup 设置为 YesSet enable_auto_log_backup to Yes.
    • 将 log_backup_using_backint 设置为 True 。Set log_backup_using_backint to True.
    • 将“catalog_backup_using_backint”设置为“True” 。Set catalog_backup_using_backint to True.

后续步骤Next steps