Tutorial: Back up SAP HANA databases in an Azure VM

This tutorial shows you how to back up SAP HANA databases running on Azure VMs to an Azure Backup Recovery Services vault. In this article you'll learn how to:

  • Create and configure a vault
  • Discover databases
  • Configure backups

Here are all the scenarios that we currently support.

Note

Get started with SAP HANA backup preview for RHEL (7.4, 7.6, 7.7 or 8.1). For further queries, write to us at AskAzureBackupTeam@microsoft.com.

Prerequisites

Make sure you do the following before configuring backups:

  • Identify or create a Recovery Services vault in the same region and subscription as the VM running SAP HANA.
  • Allow connectivity from the VM to the internet, so that it can reach Azure, as described in the set up network connectivity procedure below.
  • Ensure that the combined length of the SAP HANA Server VM name and the Resource Group name doesn't exceed 84 characters for Azure Resource Manager (ARM) VMs (and 77 characters for classic VMs). This limitation is because some characters are reserved by the service.
  • A key should exist in the hdbuserstore that fulfills the following criteria:
    • It should be present in the default hdbuserstore. The default is the <sid>adm account under which SAP HANA is installed.
    • For MDC, the key should point to the SQL port of NAMESERVER. In the case of SDC, it should point to the SQL port of INDEXSERVER.
    • It should have credentials to add and delete users.
  • Run the SAP HANA backup configuration script (pre-registration script) in the virtual machine where HANA is installed, as the root user. This script gets the HANA system ready for backup. Refer to the What the pre-registration script does section to understand more about the pre-registration script.

Note

The preregistration script installs compat-unixODBC234 for SAP HANA workloads running on RHEL (7.4, 7.6 and 7.7) and unixODBC for RHEL 8.1. This package is located in the RHEL for SAP HANA (for RHEL 7 Server) Update Services for SAP Solutions (RPMs) repo. For the Azure Marketplace RHEL image, the repo would be rhui-rhel-sap-hana-for-rhel-7-server-rhui-e4s-rpms.

Set up network connectivity

For all operations, the SAP HANA VM requires connectivity to Azure public IP addresses. VM operations (database discovery, configure backups, schedule backups, restore recovery points, and so on) fail without connectivity to Azure public IP addresses.

Establish connectivity by using one of the following options:

Allow the Azure datacenter IP ranges

This option allows the IP ranges in the downloaded file. To access a network security group (NSG), use the Set-AzureNetworkSecurityRule cmdlet. If your safe recipients list only includes region-specific IPs, you'll also need to update the safe recipients list with the Azure Active Directory (Azure AD) service tag to enable authentication.

Allow access using NSG tags

If you use NSG to restrict connectivity, then you should use the AzureBackup service tag to allow outbound access to Azure Backup. In addition, you should also allow connectivity for authentication and data transfer by using rules for Azure AD and Azure Storage. This can be done from the Azure portal or via PowerShell.

To create a rule using the portal:

  1. In All Services, go to Network security groups and select the network security group.
  2. Select Outbound security rules under Settings.
  3. Select Add. Enter all the required details for creating a new rule as described in security rule settings. Ensure the option Destination is set to Service Tag and Destination service tag is set to AzureBackup.
  4. Click Add to save the newly created outbound security rule.

To create a rule using PowerShell:

  1. Add Azure account credentials and update the national clouds
    Add-AzureRmAccount

  2. Select the NSG subscription
    Select-AzureRmSubscription "<Subscription Id>"

  3. Select the NSG
    $nsg = Get-AzureRmNetworkSecurityGroup -Name "<NSG name>" -ResourceGroupName "<NSG resource group name>"

  4. Add allow outbound rule for Azure Backup service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureBackupAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureBackup" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Backup service"

  5. Add allow outbound rule for Storage service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "StorageAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "Storage" -DestinationPortRange 443 -Description "Allow outbound traffic to Azure Storage service"

  6. Add allow outbound rule for AzureActiveDirectory service tag
    Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AzureActiveDirectoryAllowOutbound" -Access Allow -Protocol * -Direction Outbound -Priority <priority> -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix "AzureActiveDirectory" -DestinationPortRange 443 -Description "Allow outbound traffic to AzureActiveDirectory service"

  7. Save the NSG
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

Allow access by using Azure Firewall tags. If you're using Azure Firewall, create an application rule by using the AzureBackup FQDN tag. This allows outbound access to Azure Backup.

Deploy an HTTP proxy server to route traffic. When you back up an SAP HANA database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. The extensions are the only component that's configured for access to the public internet.

Connectivity options include the following advantages and disadvantages:

| Option | Advantages | Disadvantages |
| --- | --- | --- |
| Allow IP ranges | No additional costs | Complex to manage because the IP address ranges change over time; provides access to the whole of Azure, not just Azure Storage |
| Use NSG service tags | Easier to manage as range changes are automatically merged; no additional costs | Can be used with NSGs only; provides access to the entire service |
| Use Azure Firewall FQDN tags | Easier to manage as the required FQDNs are automatically managed | Can be used with Azure Firewall only |
| Use an HTTP proxy | Granular control in the proxy over the storage URLs is allowed; single point of internet access to VMs; not subject to Azure IP address changes | Additional costs to run a VM with the proxy software |

What the pre-registration script does

Running the pre-registration script performs the following functions:

  • Based on your Linux distribution, the script installs or updates any necessary packages required by the Azure Backup agent.
  • It performs outbound network connectivity checks with Azure Backup servers and dependent services like Azure Active Directory and Azure Storage.
  • It logs into your HANA system using the user key listed as part of the prerequisites. The user key is used to create a backup user (AZUREWLBACKUPHANAUSER) in the HANA system, and the user key can be deleted after the pre-registration script runs successfully.
  • AZUREWLBACKUPHANAUSER is assigned these required roles and permissions:
    • DATABASE ADMIN (in case of MDC) and BACKUP ADMIN (in case of SDC): to create new databases during restore.
    • CATALOG READ: to read the backup catalog.
    • SAP_INTERNAL_HANA_SUPPORT: to access a few private tables.
  • The script adds a key to hdbuserstore for AZUREWLBACKUPHANAUSER for the HANA backup plug-in to handle all operations (database queries, restore operations, configuring and running backup).

Note

You can explicitly pass the user key listed as part of the prerequisites as a parameter to the pre-registration script: -sk SYSTEM_KEY_NAME, --system-key SYSTEM_KEY_NAME

To learn what other parameters the script accepts, use the command bash msawb-plugin-config-com-sap-hana.sh --help

To confirm the key creation, run the HDBSQL command on the HANA machine with SIDADM credentials:

hdbuserstore list

The command output should display the {SID}{DBNAME} key, with the user shown as AZUREWLBACKUPHANAUSER.

Note

Make sure you have a unique set of SSFS files under /usr/sap/{SID}/home/.hdb/. There should be only one folder in this path.
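
The checks described above, as an added example that is not part of the original page or of the pre-registration script: it parses `hdbuserstore list` output to find the key stored for AZUREWLBACKUPHANAUSER, lists keys stored for any other user (such as the setup key, which can be deleted once the script has run), and counts the folders under the SSFS path. The sample output, the SID H01 and the host name hanavm1 are constructed, and the KEY / ENV / USER output layout is an assumption.

```shell
#!/usr/bin/env bash
# Added example: post-checks for the state left by the pre-registration script.

# Constructed sample of `hdbuserstore list` output (SID H01 and host hanavm1
# are made up; the KEY / ENV / USER layout is assumed).
sample_list() {
  cat <<'EOF'
DATA FILE       : /usr/sap/H01/home/.hdb/hanavm1/SSFS_HDB.DAT
KEY FILE        : /usr/sap/H01/home/.hdb/hanavm1/SSFS_HDB.KEY

KEY H01SYSTEMDB
  ENV : localhost:30013
  USER: AZUREWLBACKUPHANAUSER
KEY SYSTEM
  ENV : localhost:30013
  USER: SYSTEM
EOF
}

# Read `hdbuserstore list` output on stdin, print one "KEY<TAB>USER" per key.
# The "KEY FILE : ..." header line is skipped.
list_keys() {
  awk '
    $1 == "KEY" && $2 != "FILE" { key = $2; next }
    $1 == "USER:" && key != ""  { print key "\t" $2; key = "" }'
}

# Keys stored for the backup user; the page expects the {SID}{DBNAME} key here.
backup_keys() {
  list_keys | awk -F'\t' -v u="${1:-AZUREWLBACKUPHANAUSER}" '$2 == u { print $1 }'
}

# Keys stored for any other user. A leftover setup key that can add and delete
# users is a standing credential on the VM and is worth reviewing.
other_keys() {
  list_keys | awk -F'\t' -v u="${1:-AZUREWLBACKUPHANAUSER}" '$2 != u { print $1 " (" $2 ")" }'
}

# Number of folders directly under the SSFS path; the page expects exactly 1.
ssfs_folder_count() {
  find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Demo on the constructed sample. On the HANA VM, run as <sid>adm and pipe the
# real command instead:  hdbuserstore list | backup_keys
echo "backup user keys: $(sample_list | backup_keys)"
echo "other keys:       $(sample_list | other_keys)"
```

On the VM, `ssfs_folder_count /usr/sap/{SID}/home/.hdb` with the real SID should print 1.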

Create a Recovery Services vault

A Recovery Services vault is an entity that stores the backups and recovery points created over time. The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.

To create a Recovery Services vault:

  1. Sign in to your subscription in the Azure portal.

  2. On the left menu, select All services.

  3. In the All services dialog box, enter Recovery Services. The list of resources filters according to your input. In the list of resources, select Recovery Services vaults.

  4. On the Recovery Services vaults dashboard, select Add.

    The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.

    • Name: The name is used to identify the Recovery Services vault and must be unique to the Azure subscription. Specify a name that has at least two, but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens. For this tutorial, we've used the name SAPHanaVault.
    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription. Here, we have used the "SAP HANA solution lab subscription" subscription.
    • Resource group: Use an existing resource group or create a new one. Here, we have used SAPHANADemo.
      To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list box. To create a new resource group, select Create new and enter the name. For complete information about resource groups, see Azure Resource Manager overview.
    • Location: Select the geographic region for the vault. The vault must be in the same region as the Virtual Machine running SAP HANA. We have used China East 2.
  5. Select Review + Create.

The Recovery Services vault is now created.

Discover the databases

  1. In the vault, in Getting Started, click Backup. In Where is your workload running?, select SAP HANA in Azure VM.

  2. Click Start Discovery. This initiates discovery of unprotected Linux VMs in the vault region. You will see the Azure VM that you want to protect.

  3. In Select Virtual Machines, click the link to download the script that provides permissions for the Azure Backup service to access the SAP HANA VMs for database discovery.

  4. Run the script on the VM hosting the SAP HANA database(s) that you want to back up.

  5. After running the script on the VM, in Select Virtual Machines, select the VM. Then click Discover DBs.

  6. Azure Backup discovers all SAP HANA databases on the VM. During discovery, Azure Backup registers the VM with the vault, and installs an extension on the VM. No agent is installed on the database.

Configure backup

Now that the databases we want to back up are discovered, let's enable backup.

  1. Click Configure Backup.

  2. In Select items to back up, select one or more databases that you want to protect, and then click OK.

  3. In Backup Policy > Choose backup policy, create a new backup policy for the database(s), in accordance with the instructions in the next section.

  4. After creating the policy, on the Backup menu, click Enable backup.

  5. Track the backup configuration progress in the Notifications area of the portal.

Creating a backup policy

A backup policy defines when backups are taken, and how long they're retained.

  • A policy is created at the vault level.
  • Multiple vaults can use the same backup policy, but you must apply the backup policy to each vault.

Specify the policy settings as follows:

  1. In Policy name, enter a name for the new policy. In this case, enter SAPHANA.

  2. In Full Backup policy, select a Backup Frequency. You can choose Daily or Weekly. For this tutorial, we chose the Daily backup.

  3. In Retention Range, configure retention settings for the full backup.

    • By default, all options are selected. Clear any retention range limits you don't want to use and set those that you do.
    • The minimum retention period for any type of backup (full/differential/log) is seven days.
    • Recovery points are tagged for retention based on their retention range. For example, if you select a daily full backup, only one full backup is triggered each day.
    • The backup for a specific day is tagged and retained based on the weekly retention range and setting.
    • The monthly and yearly retention ranges behave in a similar way.
  4. In the Full Backup policy menu, click OK to accept the settings.

  5. Then select Differential Backup to add a differential policy.

  6. In Differential Backup policy, select Enable to open the frequency and retention controls. We have enabled a differential backup every Sunday at 2:00 AM, which is retained for 30 days.

    Note

    Incremental backups aren't currently supported.

  7. Click OK to save the policy and return to the main Backup policy menu.

  8. Select Log Backup to add a transactional log backup policy.

    • Log Backup is by default set to Enable. This cannot be disabled as SAP HANA manages all log backups.
    • We have set 2 hours as the Backup schedule and 15 days of retention period.

    Note

    Log backups only begin to flow after one successful full backup is completed.

  9. Click OK to save the policy and return to the main Backup policy menu.

  10. After you finish defining the backup policy, click OK.

You have now successfully configured backup(s) for your SAP HANA database(s).

Next Steps