SAP on AWS Innovation Industry News: December 2019

Posted 30 December 2019 by Ben Lingwood

Welcome to our December edition of SAP on AWS Innovation Industry News.

Every week we see new features, capabilities, products and market updates being announced from the AWS innovation dynamo, many of which drive new options and capabilities into the SAP on AWS arena.

At Lemongrass, we are 100% focussed on SAP on AWS innovations, so our customers benefit from constant improvements in the service we provide. Our weekly Innovation Update newsletter contains recommendations from the industry, and is released internally.

Our customers have asked us for more exposure to Innovation Industry Updates. We will now be releasing a quarterly customer “Lemongrass SAP on AWS Innovation Industry News,” containing, in our view, the most relevant updates relating to SAP on AWS.

We hope you enjoy this first edition.

If you have any questions, comments or ideas we’d love to hear from you.

Ben M: +44 (0) 7983 446723 | E:


We drive constant updates into our Cloud Management Platform suite of products and capabilities. These are some of our favourite updates from the last quarter:

  • A new feature release, currently in trial, enables us to design, run and schedule Formation template tests. If you are an organisation that needs to ensure templates are governed and validated on a regular basis (e.g. regulated industries), or you want to run validation testing for a template update, this takes all the pain and guesswork out of the execution.
  • We have a new SAP formation that will enable a new application server to be added to an existing NW7.5 template running on HANA, pretty useful!
  • Our Cloud Management Platform CLI has been introduced – a new command line interface for B&O functions. The Lemongrass Cloud Management Platform CLI allows a user to call any REST API of our Cloud Management Platform for Build and Operate in an interactive manner.
  • Our Cloud Management Platform Agent can now perform real-time monitoring of HANA Databases. Part of this real-time feed is current CPU, RAM and Disk Utilization to name just a few of the monitored elements.
  • Data you deem sensitive in your environment can now be encrypted using a Customer Specific data encryption key, so you always hold your own keychain!
  • New Oracle Landscape Automation – we can now auto-deploy SAP Oracle home environments and even drop NetWeaver 7.5 in as a fully configurable automated deployment.

Notable updates from AWS re:Invent 2019, our top updates:

  • Amazon S3 Access Points: In the SAP world we often use S3 to store multiple data sets that are managed and accessed by multiple people, applications or interfaces. The new Access Point functionality allows multiple data access points without the need for complex bucket policies. This is particularly useful in SAP Data Lake scenarios.
  • Amazon Redshift enhancements: Next-generation compute instances based on the Nitro VM are coupled with a new storage model; the two can be configured independently and leverage the new high-speed networking. Existing Redshift users should see a 2x improvement in performance and storage at the same cost. The new RA3 instance, coupled with the new managed storage (backed by S3), enables data to be automatically placed in the most optimal tier. This is a fantastic update for SAP historical data. For our customers, aged SAP data can be managed in native Redshift to maintain their SAP landscape whilst still keeping their business data accessible.
  • AQUA (Advanced Query Accelerator): On top of the Redshift update, AWS also released a new distributed and hardware-accelerated cache that allows Redshift to run up to 10x faster than any other cloud data warehouse. It is presently in preview but should offer speed acceleration rivalling in-memory.
  • UltraWarm for Amazon Elasticsearch Service: We’re continuing to keep an eye on the AWS ELK stack service to complement deployment for monitoring. Another compelling release came at AWS re:Invent with UltraWarm, which introduces a fully managed hot-to-warm storage solution (up to 900TB), making it a brilliant location for storing years of data for analysis. The hot tier is used for indexing and updating current data, and the warm layer holds aged data on S3-backed storage tiers presented as a fully managed disk.
  • Amazon SageMaker had a number of updates at AWS re:Invent; it is a solution we are using more in our Big Data models. The new releases further extend the features and ease of use for manipulating and reporting on data:
    • Deep Graph Library: A new feature to enable graph neural networks to learn patterns in social media, chemical, and cybersecurity heuristics. We believe its most useful deployment will be learning SAP user and access behaviour.
    • Amazon SageMaker Studio — enables automation to create the best classification and regression machine learning models
    • Amazon SageMaker Model Monitor — automatically detects concept drifts
    • Amazon SageMaker Notebooks — one-click notebook backed up with elastic compute
    • Amazon SageMaker Experiments — which can capture, organize and search every step within your data experiment
    • Amazon SageMaker Debugger — automatically identifies complex issues developing in machine learning (ML) training jobs.
  • Amazon Kendra: This caught our eye internally at Lemongrass! In summary, Kendra is a sophisticated search service (with ML) that can index application and document stores, enabling natural search queries. This could be the perfect solution for indexing unstructured data – imagine being able to ask “Show me documents about SAP S4”. We have already activated this on an internal account and are running tests.
  • AWS Outposts: We spent some time with the Outposts team to understand how to architect this for SAP workloads. Outposts brings an AWS VPC on-premises, perfect for latency-sensitive customers, customers in remote locations and also for specific workloads, e.g. running SAP MES on-premises. As of today, Outposts is GA in most regions and can be configured with specific AWS services (not all of them) for some limited EC2 types, which are mostly in the Nitro R5, C5 etc. families. AWS assumes responsibility for the appliance; the customer simply needs to provide power, the environmentals and the recommended 1GB Direct Connect link back to AWS. The system is managed fully via the console and can be seen as a specific VPC – e.g. production can be fully hybrid with systems back in the customer’s chosen AZ & region.
  • AWS Local Zones: AWS Local Zones are a new type of AWS infrastructure deployment. They place AWS compute, storage, database, and other select services closer to large population, industry, and IT centres where no AWS Region exists today. With AWS Local Zones, you can easily run latency-sensitive portions of applications local to end-users and resources in a specific geography. The preview is currently in LA but will provide another accelerator for local performance once live in other regions.
  • AWS Compute Optimizer: A new dashboard from AWS which recommends AWS compute resources – the clever bit is that it deploys ML to take into account historical utilisation metrics, looks at daily load peaks, makes recommendations on autoscaling and shows you how the system would perform on other platform types. We’ve had a quick play already on a few accounts and it’s a useful perspective, so we are recommending we add this into the monthly delivery checks.

Aside from the updates from the AWS re:Invent event, we have refined the hundreds of updates from our internal newsletters over the last few months. The list below outlines key new releases that we believe benefit, or have seen benefit, SAP on AWS landscape optimisations and extensions. In no particular order, these include:

  • S3 Access Analyzer has also just been released – it monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources.
  • AWS are also having a big push on Security Dashboarding and detection with two key new products released in the last quarter:
    • AWS Fraud Detection – which uses ML to identify deviations in normal behaviour against a target system. No skill required: just point and let it learn.
    • AWS Detective – A root cause analysis and dashboarding solution which also uses ML and graphing to enable a real-time security dashboard and investigation toolset which can analyse all key AWS assets in real-time.
  • S3 Replication Time Control has been launched! – S3 Replication Time Control is designed to replicate 99.99% of objects within 15 minutes after upload, with the majority of those new objects replicated in seconds. S3 RTC is backed up by an SLA with a commitment to replicate 99.9% of objects within 15 minutes during any billing month. S3 RTC also provides S3 Replication metrics (via CloudWatch) that allow you to monitor the time it takes to complete replication, as well as the total number and size of objects that are pending replication – this could be very useful, for example, with backup image replication.
  • AWS PrivateLink (essentially a way of sharing data between VPCs and on-premises securely over the AWS network) can now be used to expose EFS shares between AWS and non-AWS locations. This means you could consider EFS over PrivateLink as a way of transferring data/system exports between on-premises and your AWS Landing Zone without having to use a public-facing IP or take on the transient risk of using internet-based connections.
  • AWS continues to push on security with Inspector, which can now run assessments on Windows 2016 and EC2 against CIS best practice benchmarks. This will certainly be of help for auditing Windows instances in landscapes against the Lemongrass CIS-centric framework.
  • Bandwidth improvements are being pushed through the Nitro family – from this week M5n, M5dn, R5n, and R5dn instances make 100 Gbps networking available to network-bound workloads without requiring customers to use custom drivers.
  • I am sure you may have seen the announcements about AWS’s new 18-24TB large HANA Metal EC2 instances – but some more data is now out on the architecture behind these certified nodes.
  • A FinOps-friendly release: EC2 RI purchases can now be queued – so if you know from the storyboard exactly when you want the RIs, set up the time-based purchase in advance. This will overcome capacity availability concerns and/or set up renewals to roll over automatically.
  • The new EFS price reduction for infrequently accessed data is now active in all regions – this is great for SAP volumes & stores that leverage EFS volumes, as the new IA tier offers a significant price reduction for those files you don’t access often.
  • Amazon GuardDuty is Now SOC Compliant – a nice update for any security-sensitive or validated-industry organisation, with industry compliance standards now default with GuardDuty deployments.
  • A new default setting means we can now enforce encryption by default for all EBS stores within an account rather than separately, as was historically the case.