Downtime Announcement: Please note the SAP Community Wiki will be unavailable due to a system upgrade on Thursday, September 24th between 6 and 7 AM CEST
Skip to end of metadata
Go to start of metadata
  • We recommend not modifying SAP Cloud Appliance Library solution instances via the AWS Management Console because such actions can cause solution instances to become non-functional or unsafe. SAP Cloud Appliance Library is not a managed service and therefore all further OS modifications and their consequences are only user’s responsibility.

How to create an AWS account?

You can use the procedure for creating an AWS account from the AWS documentation. For isolation we recommend using a separate AWS account for SAP Cloud Appliance Library. Such type of accounts can be created with the consolidated billing in AWS. For more information about the consolidate billing, see the AWS documentation.


How do I enable the Amazon EC2 Service for the user?

To enable AWS services for your account you have to associate a payment method to your account. Please see the AWS documentation for available payment options.


How do I get the Access/Secret Key for my AWS account?

You can use the procedure from AWS documentation.


How to configure your IAM user?

1. In AWS Identity and Access Management (IAM), create new group with the following policies:

  • AmazonEC2FullAccess
  • AmazonVPCFullAccess
  • ReadOnlyAccess
  • AWSAccountUsageReportAccess

2. Create a new user in IAM and assign to it the new group.

3. Generate the credentials for this new user.

In the SAP Cloud Appliance Library you should use the credentials of the user.


How to configure your IAM user for Kubernetes based solutions?

If you want to use Kubernetes based solutions, you need to add also the following predefined AWS policies:

  • AmazonEC2ContainerRegistryFullAccess
  • AmazonS3FullAccess
  • AutoScalingFullAccess
  • ElasticLoadBalancingFullAccess
  • IAMFullAccess

In addition, you need to create two custom policies:

  • One for the CloudFormation service:


    "Version": "2012-10-17",

    "Statement": [


            "Effect": "Allow",

            "Action": "cloudformation:*",

            "Resource": "*"




  • One for the Elastic Kubernetes service:


    "Version": "2012-10-17",

    "Statement": [


            "Effect": "Allow",

            "Action": "eks:*",

            "Resource": "*"




For more information how to create IAM policies in AWS, see this document.


What is the default AWS region in CAL?

The default AWS region for SAP Cloud Appliance Library content is US-EAST-1.


What is the default Availability Zone (AZ) for the selected region?

The default AZ is a property of the AWS account of the customer. SAP CAL does not specify an AZ when starting an instance. If a default AZ is not set in the account the AWS backend will choose an appropriate AZ for you.


How is the recommended t-shirt sizing calculated?

Every SAP solution available in SAP CAL comes with a recommended t-shirt size. The t-shirt sizes may differ between the solutions. The recommended size is a guidance from SAP to satisfy the minimum requirements to run the solution on AWS. It does not provide any guidance on the maximum amount of application users which are supported, the guaranteed IOPS, response time and storage/network bandwidth. For additional sizing questions please get in touch with Amazon Web Services or take a look at the SAPS ratings of conducted Benchmarks on the AWS infrastructure available here: (SAP S-User credentials required)


When will other AWS regions be supported?

If you have already purchased the SAP Cloud Appliance Library subscription and you need a solution to be available in a region different from US-EAST-1, you can open a normal support ticket within the SAP Cloud Appliance Library (BC-VCM-CAL) component and we enable the solution in your desired AWS region free of charge.


Where do I find information on the configuration of an Amazon VPC / VPN?

There are various ways to do the VPC and VPN configuration on AWS. For example via hardware assisted VPN through routers (external Link - Hardware assisted VPC) or software assisted with OpenVPN as described here ( For more information about Amazon VPC, see the AWS documentation.


Can I use Reserved Instances with CAL?

Yes, you can. Reserved instances are similar to a billing entitlement that you purchase. You need to purchase a suitable Reserved Instance that matches your desired instance within CAL. If the instance in CAL for example is using the instance type r3.8xlarge in the us-east region, you would need to purchase a Reserved Instance of r3.8xlarge with SUSE Linux in the us-east region. Once you purchased the Reserved Instance you can benefit from the new cost structure (e.g. lower hour costs). For more information about Amazon Reserved Instances, see the AWS Reserved Instances Documentation.


Can I restart the SAP System during the initial waiting period?

No, you should not do that at any point in time during the provisioning process. The initial waiting time is required so that mandatory configurations of the SAP system are performed before you can use it. In case you log on with SSH to the instance and execute stopsap on the command line – you corrupted the configuration process and the SAP system is in an unrecoverable state. If this happened you have to terminate the instance in SAP Cloud Appliance Library and start it from scratch.


Can I connect a CAL deployed solution to my on-premise systems?

Yes, you can do that. First you would need a VPC with a functional VPN connection to your corporate network. 


How to proceed when my instance is in the status Undefined and the AWS account that I use is currently being verified?

This issue might occur when a user creates a solution instance in the SAP Cloud Appliance Library and he or she uses a newly created AWS account that is still being verified. In this case the user has to terminate the failed solution instance from the SAP Cloud Appliance Library as it will not be recovered and then to try to create a new instance a few hours later. If the verification of the new AWS account takes more than two hours, please contact the AWS support team.


How to access to backend servers on the Operating System (OS) level?

Depending on the overall requirements your solution may consist of one or more servers running either on a Linux OS and/or on a Windows OS.

Access to Linux OS on Backend

If you need OS access, you can use SSH connectivity:

Parameter IDValueDescription
OS User NamerootThe default Operating System administrator user.
OS Password<none>Use the private key (downloaded during the activation of the SAP instance in SAP Cloud Appliance Library) for logging on with the root user.


Access to Windows OS on Backend

If you need OS access, you can use RDP connectivity:

  • Microsoft Windows : Start the Remote Desktop Connection using the Start Menu (All Programs > Accessories) or executing mstsc.exe.
  • Apple Mac OS X Use the free Microsoft Remote Desktop app available in the Mac App Store to connect to your frontend.
  • Linux : Use your preferred RDP client.
Parameter IDValueDescription
OS User NameAdministratorThe default OS administrator user for Windows.
OS Password<none>

The master password is used for accessing the system. It is provided by the user during the creation of the solution instance in SAP Cloud Appliance Library.





  • No labels