-* [Learn how to process your own forms and documents](quickstarts/try-v3-form-recognizer-studio.md) with the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

-> [Learn to create custom models ](quickstarts/try-v3-form-recognizer-studio.md#custom-models)

-[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service into your applications. Use the [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) to get started analyzing documents with pretrained models. Build custom template models and reference the models in your applications using the [Python SDK v3.0](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) and other quickstarts.

-> [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md)

-* `pageResults` node contains the tables and cells extracted with their bounding boxes, confidence, and a reference to the lines and words in "readResults".

-* [Learn how to process your own forms and documents](quickstarts/try-v3-form-recognizer-studio.md) with the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

-1. Start by navigating to the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio). The first time you use the Studio, you need to [initialize your subscription, resource group, and resource](../quickstarts/try-v3-form-recognizer-studio.md). Then, follow the [prerequisites for custom projects](../quickstarts/try-v3-form-recognizer-studio.md#additional-prerequisites-for-custom-projects) to configure the Studio to access your training dataset.

-Once you've put together the set of forms or documents for training, you'll need to upload it to an Azure blob storage container. If you don't know how to create an Azure storage account with a container, following the [Azure Storage quickstart for Azure portal](../../../storage/blobs/storage-quickstart-blobs-portal.md). You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.

-* Once you've gathered and uploaded your training dataset, you're ready to train your custom model. In the following video, we'll create a project and explore some of the fundamentals for successfully labeling and training a model.</br></br>

-1. Start by navigating to the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio). The first time you use the Studio, you'll need to [initialize your subscription, resource group, and resource](../quickstarts/try-v3-form-recognizer-studio.md). Then, follow the [prerequisites for custom projects](../quickstarts/try-v3-form-recognizer-studio.md#additional-prerequisites-for-custom-projects) to configure the Studio to access your training dataset.

-In your project, your first task is to label your dataset with the fields you wish to extract.

-You'll see the files you uploaded to storage on the left of your screen, with the first file ready to be labeled.

-1. To assign a value to the field, choose a word or words in the document and select the field in either the dropdown or the field list on the right navigation bar. You'll see the labeled value below the field name in the list of fields.

-You now have all the documents in your dataset labeled. If you look at the storage account, you'll find a *.labels.json* and *.ocr.json* files that correspond to each document in your training dataset and a new fields.json file. This training dataset will be submitted to train the model.

-When you've put together the set of form documents that you'll use for training, you need to upload it to an Azure blob storage container. If you don't know how to create an Azure storage account with a container, follow the [Azure Storage quickstart for Azure portal](../../../storage/blobs/storage-quickstart-blobs-portal.md). Use the standard performance tier.

-If you want to use manually labeled data, you'll also have to upload the *.labels.json* and *.ocr.json* files that correspond to your training documents. You can use the [Sample Labeling tool](../label-tool.md) (or your own UI) to generate these files.

-By default, the [Train Custom Model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync) API will only use documents that are located at the root of your storage container. However, you can train with data in subfolders if you specify it in the API call. Normally, the body of the [Train Custom Model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync) call has the following format, where `<SAS URL>` is the Shared access signature URL of your container:

-If you add the following content to the request body, the API will train with documents located in subfolders. The `"prefix"` field is optional and will limit the training data set to files whose paths begin with the given string. So a value of `"Test"`, for example, will cause the API to look at only the files or folders that begin with the word "Test".

-See [Form Recognizer Studio: labeling as tables](../quickstarts/try-v3-form-recognizer-studio.md#labeling-as-tables)

-Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents. Once you've them, you can call the training method with the *useTrainingLabels* parameter set to `true`.

-> [Form Recognizer Studio](../quickstarts/try-v3-form-recognizer-studio.md)

-> If your storage data is behind a VNet or firewall, you must deploy the **Form Recognizer Sample Labeling tool** behind your VNet or firewall and grant access by creating a [system-assigned managed identity](managed-identity-byos.md "Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources").

-Select the Analyze icon from the navigation bar to test your model. Select source 'Local file'. Browse for a file and select a file from the sample dataset that you unzipped in the test folder. Then choose the **Run analysis** button to get key/value pairs, text and tables predictions for the form. The tool applies tags in bounding boxes and reports the confidence of each tag.

- **Resolution**: [Configure CORS](quickstarts/try-v3-form-recognizer-studio.md#prerequisites-for-new-users).

-> * [**Form Recognizer Studio v3.0**](quickstarts/try-v3-form-recognizer-studio.md)

-* A new window appears with auto-populated information about your Azure Subscription and Azure Resource

-This example presents the approach we recommend following to mitigate possible request throttling due to [Autoscaling being in progress](#detailed-description-quota-adjustment-and-best-practices). It isn't an "exact recipe", but merely a template we invite to follow and adjust as necessary.

-* System-assigned managed identity support: You can now enable a system-assigned managed identity to grant Form Recognizer limited access to private storage accounts including accounts protected by a Virtual Network (VNet) or firewall or have enabled bring-your-own-storage (BYOS). *See* [Create and use managed identity for your Form Recognizer resource](managed-identity-byos.md) to learn more.

->

-| [Azure Red Hat OpenShift](../../openshift/index.yml) | &#x2705; | &#x2705; | | | |

-| [Azure Stack HCI](/azure-stack/hci/) | &#x2705; | &#x2705; | | | |

-| [Azure Video Indexer](../../azure-video-indexer/index.yml) | &#x2705; | &#x2705; | | | |

-| [VM Image Builder](../../virtual-machines/image-builder-overview.md) | &#x2705; | &#x2705; | | | |

- resource cosmosDBAccountName 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {

- resource cosmosDBAccount 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {

-resource wpAci 'microsoft.containerInstance/containerGroups@2019-12-01' = {

-resource scheduler 'Microsoft.Automation/automationAccounts/schedules@2015-10-31' = {

-resource myRg 'Microsoft.Resources/resourceGroups@2020-10-01' = {

-The following example shows the child resource outside of the parent resource. You might use this approach if the parent resource isn't deployed in the same template, or if want to use [a loop](loops.md) to create more than one child resource. Specify the parent property on the child with the value set to the symbolic name of the parent. With this syntax you still need to declare the full resource type, but the name of the child resource is only the name of the child.

-resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = {

-resource virtualMachine 'Microsoft.Compute/virtualMachines@2020-06-01' = if(deployVM) {

- "apiVersion": "2020-06-01",

-resource netSecurityGroup 'Microsoft.Network/networkSecurityGroups@2020-06-01' = {

-resource nic1 'Microsoft.Network/networkInterfaces@2020-06-01' = {

-resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {

-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2019-09-01' = {

-resource newMG 'Microsoft.Management/managementGroups@2020-05-01' = {

-resource newMG 'Microsoft.Management/managementGroups@2020-05-01' = {

-resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {

-resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {

-resource exampleResource 'Microsoft.Resources/resourceGroups@2020-10-01' = {

-resource managementGroup 'Microsoft.Management/managementGroups@2020-05-01' = {

-resource newRG 'Microsoft.Resources/resourceGroups@2021-01-01' = {

-resource newRG 'Microsoft.Resources/resourceGroups@2021-01-01' = {

-resource storageAcct 'Microsoft.Storage/storageAccounts@2019-06-01' = {

-resource policyAssign 'Microsoft.Authorization/policyAssignments@2020-09-01' = {

-resource locationPolicy 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {

-resource locationRestrict 'Microsoft.Authorization/policyAssignments@2020-09-01' = {

-resource newResourceGroup 'Microsoft.Resources/resourceGroups@2019-10-01' = {

-resource createRgLock 'Microsoft.Authorization/locks@2016-09-01' = {

-resource roleNameGuid_resource 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {

-resource mgName_resource 'Microsoft.Management/managementGroups@2020-02-01' = {

-resource mgName_resource 'Microsoft.Management/managementGroups@2020-02-01' = {

-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-03-01-preview' = {

-resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {

-resource stg 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {

-resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {

-resource sqlServer 'Microsoft.Sql/servers@2020-11-01-preview' = {

- location: resourceGroup().location

-resource vm 'Microsoft.Compute/virtualMachines@2020-12-01' = {

-resource vm 'Microsoft.Compute/virtualMachines@2020-12-01' = {

-resource vm 'Microsoft.Compute/virtualMachines@2020-12-01' = {

-resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {

-

-resource stg 'Microsoft.Storage/storageAccounts@2021-02-01' = {

-

-resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {

-resource sa 'Microsoft.Storage/storageAccounts@2021-04-01' = {

- location: 'westus'

-By default, this rule uses the following settings for determining which URLs are disallowed.

-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {

-resource customScriptExtension 'Microsoft.HybridCompute/machines/extensions@2019-08-02-preview' = {

-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {

-resource customScriptExtension 'Microsoft.HybridCompute/machines/extensions@2019-08-02-preview' = {

-resource vm 'Microsoft.Compute/virtualMachines@2020-06-01' = {

- location: resourceGroup().location

-resource vm 'Microsoft.Compute/virtualMachines@2020-06-01' = {

- location: resourceGroup().location

-```

-resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {

-resource demoParent 'demo.Rp/parentType@2020-01-01' = {

-resource publicIp 'Microsoft.Network/publicIPAddresses@2020-06-01' = {

- >

-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {

- resource createTemplateSpec 'Microsoft.Resources/templateSpecs@2021-05-01' = {

- resource createTemplateSpecVersion 'Microsoft.Resources/templateSpecs/versions@2021-05-01' = {

- 'apiVersion': '2021-08-01'

-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {

- resource createTemplateSpec 'Microsoft.Resources/templateSpecs@2021-05-01' = {

- resource createTemplateSpecVersion 'Microsoft.Resources/templateSpecs/versions@2021-05-01' = {

- 'apiVersion': '2021-08-01'

-<!--[!INCLUDE [AI attribution](../../../includes/ai-generated-attribution.md)]-->

-* Install the [.NET Core SDK](https://dotnet.microsoft.com/download).

- dotnet new mvc

-1. Open your *csproj* file. Add a `DotNetCliToolReference` element to include *Microsoft.Extensions.SecretManager.Tools*. Also add a `UserSecretsId` element as shown in the following code for *chattest.csproj*, and save the file.

- ```xml

- <Project Sdk="Microsoft.NET.Sdk.Web">

- <PropertyGroup>

- <TargetFramework>netcoreapp3.1</TargetFramework>

- <UserSecretsId>SignalRChatRoomEx</UserSecretsId>

- </PropertyGroup>

- <ItemGroup>

- <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.4" />

- <DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="2.0.2" />

- </ItemGroup>

- </Project>

- ```

-## Add Azure SignalR to the web app

-1. Add a reference to the `Microsoft.Azure.SignalR` NuGet package by running the following command:

- ```dotnetcli

- dotnet add package Microsoft.Azure.SignalR

- ```

-1. Run the following command to restore packages for your project:

- ```dotnetcli

- dotnet restore

- ```

-1. Prepare the Secret Manager for use with this project.

- ````dotnetcli

- dotnet user-secrets init

- ````

-1. Open *Startup.cs* and update the `ConfigureServices` method to use Azure SignalR Service by calling the `AddSignalR()` and `AddAzureSignalR()` methods:

- ```csharp

- public void ConfigureServices(IServiceCollection services)

- {

- services.AddSignalR()

- .AddAzureSignalR();

- }

- Not passing a parameter to `AddAzureSignalR()` causes this code to use the default configuration key for the SignalR Service resource connection string. The default configuration key is *Azure:SignalR:ConnectionString*.

-1. In *Startup.cs*, update the `Configure` method by replacing it with the following code.

- public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

- {

- app.UseRouting();

- app.UseFileServer();

- app.UseEndpoints(endpoints =>

- {

- endpoints.MapHub<ChatHub>("/chat");

- });

- }

-* `Broadcast`: This method broadcasts a message to all clients.

-2. Add the following code to *ChatHub.cs* to define your hub class and save the file.

- Update the namespace for this class if you used a project name that differs from *SignalR.Mvc*.

- using System.Threading.Tasks;

-

- namespace SignalR.Mvc

- public class ChatHub : Hub

- {

- public Task BroadcastMessage(string name, string message) =>

- Clients.All.SendAsync("broadcastMessage", name, message);

- public Task Echo(string name, string message) =>

- Clients.Client(Context.ConnectionId)

- .SendAsync("echo", name, $"{message} (echo from server)");

- }

-Create a new file in the *wwwroot* directory named *https://docsupdatetracker.net/index.html*, copy, and paste the following HTML into the newly created file.

- <script src="https://cdn.jsdelivr.net/npm/@microsoft/signalr@3.1.8/dist/browser/signalr.min.js"></script>

-## Add a development runtime profile

-In this section, you'll add a development runtime environment for ASP.NET Core. For more information, see [Work with multiple environments in ASP.NET Core](/aspnet/core/fundamentals/environments).

-1. Create a folder named *Properties* in your project.

-2. Add a new file named *launchSettings.json* to the folder, with the following content, and save the file.

- ```json

- {

- "profiles" : {

- "ChatRoom": {

- "commandName": "Project",

- "launchBrowser": true,

- "environmentVariables": {

- "ASPNETCORE_ENVIRONMENT": "Development"

- },

- "applicationUrl": "http://localhost:5000/"

- }

- }

- }

- ```

-1. To build the app by using the .NET Core CLI, run the following command in the command shell:

- ```dotnetcli

- dotnet build

- ```

-1. After the build successfully finishes, run the following command to run the web app locally:

- The app will be hosted locally on port 5000, as configured in our development runtime profile:

- info: Microsoft.Hosting.Lifetime[0]

- Now listening on: https://localhost:5001

- info: Microsoft.Hosting.Lifetime[0]

- info: Microsoft.Hosting.Lifetime[0]

- Content root path: E:\Testing\chattest

-1. Open two browser windows. In each browser, go to `http://localhost:5000`. You're prompted to enter your name. Enter a client name for both clients and test pushing message content between both clients by using the **Send** button.

-> Deleting a resource group is irreversible and includes all the resources in that group. Make sure that you don't accidentally delete the wrong resource group or resources. If you created the resources this sample in an existing resource group that contains resources you want to keep, you can delete each resource individually from its blade instead of deleting the resource group.

-In this quickstart, you created a new Azure SignalR Service resource. You then used it with an ASP.NET Core web app to push content updates in real time to multiple connected clients. To learn more about using Azure SignalR Service, continue to the tutorial that demonstrates authentication.

- The following diagram shows the preferred site failure or complete partitioning scenario.

-As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/conversational-analysis-authoring) for additional information.

-As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/conversation-analysis-runtime) for additional information.

-As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/text-analysis-authoring) for additional information.

-As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/text-analysis-runtime/analyze-text) for additional information.

- * [Language authoring conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

- * [Language authoring text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

- * [Language authoring conversational language understanding export API](/rest/api/language/2022-05-01/text-analysis-authoring/export)

- * [Language authoring text analysis export API](/rest/api/language/2022-05-01/text-analysis-authoring/export)

- *[Language Runtime CLU APIs](/rest/api/language/2022-05-01/conversation-analysis-runtime)

- *[Language Runtime Text Analysis APIs](/rest/api/language/2022-05-01/text-analysis-runtime/analyze-text)

- * [Language conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

- * [Language text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

- * [Language authoring conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

- * [Language authoring text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

-To submit an asynchronous job, review the [reference documentation](/rest/api/language/2022-05-01/text-analysis-runtime/submit-job) for the JSON body you'll send in your request.

-To [get the status and retrieve the results](/rest/api/language/2022-05-01/text-analysis-runtime/job-status) of the request, send a GET request to the URL you received in the `operation-location` header from the previous API response. Remember to include your key in the `Ocp-Apim-Subscription-Key`. The response will include the results of your API call.

-How to [get started as a customer](./how-to-set-up-sensors-customer.md) to consume sensor data from the supported sensor partners.

-Each sensor partner has their own multi-tenant Azure Active Directory app created and published on the Data Manager for Agriculture platform. The sensor partner supported by default on the platform is Davis Instruments(sensorPartnerId: `DavisInstruments`). However, you're free to add your own sensors by being a sensor partner yourself. Follow [these steps](./how-to-set-up-sensors-partner.md) to sign up being a sensor partner on the platform.

-The below section of this document talks about the onboarding steps needed to integrate with Data Manager for Agriculture, the APIs used to create models & sensors, telemetry format to push the data and finally the IOTHub based data ingestion.

-Below are the set of steps that a partner will be required to do for integrating with Data Manager for Agriculture. This is a one-time integration. At the end of phase 1, partners will have established their identity in Data Manager for Agriculture.

-Partners need to be authenticated and authorized to access the Data Manager for Agriculture customersΓÇÖ data plane APIs. Access to these APIs enables the partners to create sensor models, sensors & device objects within the customersΓÇÖ Data Manager for Agriculture instance. The sensor object information (created by partner) is what will be used by Data Manager for Agriculture to create respective devices (sensors) in IOTHub.

-Hence to enable authentication & authorization, partners will need to do the following

-2. **Create a multi-tenant Azure Active Directory app** - The multi-tenant Azure Active Directory app as the name signifies, it will have access to multiple customersΓÇÖ tenants, provided that the customers have given explicit consent to the partner app (explained in the role assignment step below).

-Partners can access the APIs in customer tenant using the multi-tenant Azure Active Directory App, registered in Azure Active Directory. App registration is done on the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application which in turn accesses Data Manager for Agriculture.

-Once the partner has created a multi-tenant Azure Active Directory app successfully, partners will be manually sharing the APP ID and Partner ID with Data Manager for Agriculture through email madma@microsoft.com alias. Using this information Data Manager for Agriculture will validate if itΓÇÖs an authentic partner and create a partner identity (sensorPartnerId) using the internal APIs. As part of the registration process, partners will be enabled to use their partner ID (sensorPartnerId) while creating the sensor/devices object and also as part of the sensor data telemetry that they would be pushing.

-Getting the partner ID marks the completion of partner-Data Manager for Agriculture integration. Now, the partner will wait for input from any of their sensor customers to initiate their data ingestion into Data Manager for Agriculture.

-Customers using Data Manager for Agriculture will now know all the supported Data Manager for Agriculture sensor partners and their respective APP IDs. This information will be available in the public documentation for all our customers.

-Based on the sensors that customers use and their respective sensor partnerΓÇÖs APP ID, the customer has to provide access to the partner (APP ID) to start pushing their sensor data into their Data Manager for Agriculture instance. This can be done using the following steps:

-Customers who choose to onboard to a specific partner will know the app ID of that specific partner. Now using the app ID customer will need to do the following things in sequence.

-2. **Identity Access Management (IAM)** ΓÇô As part of Identity access management, customers will create a new role assignment to the above app ID which was provided consent. Data Manager for Agriculture will create a new role called Sensor Partner (In addition to the existing Admin, Contributor, Reader roles). Customers will choose the sensor partner role and add the partner app ID and provide access.

-1. **Consent link & Tenant ID** ΓÇô In this step, the customer will provide a consent link & tenant ID. The integration link looks like shown in the example:

- In addition to the consent link, customers would also provide a tenant ID. This tenant ID will be used to fetch the access token required to call into the customerΓÇÖs API endpoint.

- The partners will validate the consent link by making a GET call on the check consent link API. As the link is fully pre-populated request URI as expected by Data Manager for Agriculture. As part of the GET call, the partners will check for a 200 OK response code and IntegrationId to be passed in the response.

- Once the valid response is received, partners will have to store two sets of information

- * API endpoint (This can be extracted from the first part of the integration link)

- * IntegrationId (This will be returned as part of the response to GET call)

- Post validating and storing these data points, partners can start allowing customers to add specific/all sensors for which they want the data to be pushed into Data Manager for Agriculture.

-2. **Add sensors/devices** ΓÇô Now, the partner knows for which customer (API endpoint) do they need to integrate with, however, they still donΓÇÖt know for which all sensors do they need to push the data. Hence, partners will be collecting the sensor/device information for which the data needs to be pushed. This data can be collected either manually or through portal UI.

-As part of integration, partners will be using their own app ID, app secret & customerΓÇÖs tenant ID acquired during the app registration step, to generate an access token using the MicrosoftΓÇÖs oAuth API. Below is curl command to generate the access token

-Using the generated access_token, partners will call the customersΓÇÖ data plane endpoint to create sensor model, sensor, and device objects in that specific Data Manager for Agriculture instance using the APIs built by Data Manager for Agriculture. Refer to the [partner API documentation](/rest/api/data-manager-for-agri/dataplane-version2022-11-01-preview/sensor-partner-integrations) for more information on the partner APIs.

-As part of the sensor creation API, the partners will be providing the sensor ID, once the sensor resource is created, partners will call into the get connection string API to get a connection string for that sensor.

-Partner is now all set to start pushing sensor data for all sensors using the respective connection string provided for each sensor. However, the partner would be sending the sensor data in a JSON format as defined by Data Manager for Agriculture. Refer to the telemetry schema below.

-This marks the completion of the onboarding flow for partners as well. Once the data is pushed to IOTHub, the customers would be able to query sensor data using the egress API.

-You can connect to Azure Data Manager for Agriculture service from your virtual network via a private endpoint, which is a set of private IP addresses in a subnet within the virtual network. You can then limit access to your Azure Data Manager for Agriculture Preview instance over these private IP addresses. [Private Links](how-to-set-up-private-links.md) are now available for your use.

-description: This tutorial provides resources on how to consume events with Logic Apps.

-# Tutorial: Consume events with Logic Apps

-This tutorial shows how to use Azure Logic Apps to process Azure Health Data Services Fast Healthcare Interoperability Resources (FHIR&#174;) events. Logic Apps creates and runs automated workflows to process event data from other applications. You'll learn how to register a FHIR event with your Logic App, meet a specified event criteria, and perform a service operation.

-2. Search for "Logic App".

-3. Select "Add".

-4. Specify Basic details.

-5. Specify Hosting.

-6. Specify Monitoring.

-7. Specify Tags.

-8. Review and create your Logic App.

-Enabling your plan will make it zone redundant.

-Continue specifying your Logic App by clicking "Next: Tags".

-This example won't use tagging.

-Finish specifying your Logic App by clicking "Next: Review + create".

-Your proposed Logic app will display the following details:

-If you're satisfied with the proposed configuration, select "Create". If not, select "Previous" to go back and specify new details.

-Azure creates a dashboard when your Logic App is complete. The dashboard will show you the status of your app. You can return to your dashboard by clicking Overview in the Logic App menu. Here's a Logic App dashboard:

-2. Select "Logic Apps" in Azure services.

-4. Select "Workflows" in the Workflow menu on the left.

-5. Select "Add" to add a workflow.

-For more information about event types, see [What FHIR resource events does Events support?](events-faqs.md).

-In order to specify whether you want to take action for the specific event, begin specifying the criteria by clicking on "Condition" in the workflow on the left. You'll then see a set of condition choices on the right.

-Under the "And" box, add these two conditions:

-4. If it failed, the event will be shaded in red.

-In this tutorial, you learned about how to use Logic Apps to process FHIR events.

-To learn more about FHIR events, see:

-> [What are Events?](./events-overview.md)

-description: This article describes how to deploy the Events feature in the Azure portal.

-In this quickstart, youΓÇÖll learn how to deploy the Azure Health Data Services Events feature in the Azure portal to send Fast Healthcare Interoperability Resources (FHIR&#174;) and DICOM event messages.

-5. Event messages won't be sent until the Event Grid System Topic deployment has successfully completed. Upon successful creation of the Event Grid System Topic, the status of the workspace will change from "Updating" to "Succeeded".

-In this article, you've learned how to deploy events in the Azure portal. For details about supported events, see [Azure Health Data Services as an Event Grid source](../../event-grid/event-schema-azure-health-data-services.md).

-description: This article provides resources on how to disable the Events service and delete workspaces.

-In this article, you'll learn how to disable the Events feature and delete workspaces in the Azure Health Data Services.

-1. Select the **Event Subscription** to be deleted. In this example, we'll be selecting an Event Subscription named **fhir-events**.

-> The Fast Healthcare Interoperability Resources (FHIR&#174;) service will automatically go into an **Updating** status to disable the Events extension when a full delete of Event Subscriptions is executed. The FHIR service will remain online while the operation is completing.

-To successfully delete a workspace, delete all associated child resources first (for example: DICOM services, FHIR services and MedTech services), delete all Event Subscriptions, and then delete the workspace. Not deleting the child resources and Event Subscriptions first will cause an error when attempting to delete a workspace with child resources.

-As an example:

- 1. Delete all workspaces associated child resources - for example: DICOM service(s), FHIR service(s), and MedTech service(s).

- 2. Delete all workspaces associated Event Subscriptions.

- 3. Delete workspace.

-For more information about troubleshooting Events, see the Events troubleshooting guide:

-description: This article provides resources on how to enable Events diagnostic settings for diagnostic logs and metrics exporting.

-In this article, you'll be provided resources to enable the Events diagnostic settings for Azure Event Grid system topics.

-After they're enabled, Event Grid system topics diagnostic logs and metrics will be exported to the destination of your choosing for audit, analysis, troubleshooting, or backup.

-|-|--|

-The throughput of the FHIR or DICOM service and the Event Grid govern the throughput of FHIR and DICOM events. When a request made to the FHIR service is successful, it returns a 2xx HTTP status code. It also generates a FHIR resource or DICOM image changing event. The current limitation is 5,000 events/second per a workspace for all FHIR or DICOM service instances in it.

-Yes. We recommend that you use different subscribers for each individual FHIR or DICOM account to process in isolated scopes.

-description: In this article, you'll learn about Events message structure and required values.

-In this article, you'll learn about the Events message structure, required and non-required elements, and you'll be provided with samples of Events message payloads.

-|topic|string|Yes|The topic is the Azure Resource ID of your Azure Health Data Services workspace.|

-|subject|string|Yes|The Uniform Resource Identifier (URI) of the FHIR resource that was changed. Customer can access the resource with the subject with https:// scheme. Customer should use the dataVersion or data.resourceVersionId to visit specific data version regarding this event.|

-|eventType|string(enum)|Yes|The type of change on the FHIR resource.|

-|eventTime|string(datetime)|Yes|The UTC time when the FHIR resource change committed.|

-|id|string|Yes|Unique identifier for the event.|

-|data|object|Yes|FHIR resource change event details.|

-|data.resourceType|string(enum)|Yes|The FHIR Resource Type.|

-|data.resourceFhirAccount|string|Yes|The service name of FHIR account in the Azure Health Data Services workspace.|

-|data.resourceFhirId|string|Yes|The resource ID of the FHIR account. Note that this ID is randomly generated by the FHIR service of the Azure Health Data Services when a customer creates the Resource. Customer can also use customized ID in FHIR resource creation; however the ID should **not** include or infer any PHI/PII information. It should be a system metadata, not specific to any personal data content.|

-|data.resourceVersionId|string(number)|Yes|The data version of the FHIR resource.|

-|dataVersion|string|No|Same as ΓÇ£data.resourceVersionIdΓÇ¥.|

-|metadataVersion|string|No|The schema version of the event metadata. This is defined by Azure Event Grid and should be constant most of the time.|

-|Name | Type | Required | Description

-|--||-|--|

-| data.serviceHostName | string | Yes | The hostname of the dicom service where the change occurred.

-| data.sequenceNumber | int | Yes | The sequence number of the change in the DICOM service. Every image creation and deletion will have a unique sequence within the service. This number correlates to the sequence number of the DICOM service's Change Feed. Querying the DICOM Service Change Feed with this sequence number will give you the change that created this event.

-For more information about deploying Events, see

->[Deploying Events in the Azure portal](./events-deploy-portal.md)

-description: In this article, you'll learn about Events, its features, integrations, and next steps.

-When Fast Healthcare Interoperability Resources (FHIR&#174;) resource changes or Digital Imaging and Communications in Medicine (DICOM) image changes are successfully written to the Azure Health Data Services, the Events feature sends notification messages to Events subscribers. These event notification occurrences can be sent to multiple endpoints to trigger automation ranging from starting workflows to sending email and text messages to support the changes occurring from the health data it originated from. The Events feature integrates with the [Azure Event Grid service](../../event-grid/overview.md) and creates a system topic for the Azure Health Data Services Workspace.

-> Events currently supports only the following operations:

-Built on a platform that supports protected health information and customer content data compliance with privacy, safety, and security in mind, the Events messages do not transmit sensitive data as part of the message payload.

-For more information about deploying Events, see

-For frequently asks questions (FAQs) about Events, see

-For Events troubleshooting resources, see

->[Events troubleshooting guide](./events-troubleshooting-guide.md)

-description: This article helps Events users troubleshoot error messages, conditions, and provides fixes.

-> Fast Healthcare Interoperability Resources (FHIR&#174;) resource and DICOM image change data is only written and event messages are sent when the Events feature is turned on. The Event feature doesn't send messages on past FHIR resource or DICOM image changes or when the feature is turned off.

-Use this resource to learn about the Events message structure, required and non-required elements, and sample messages:

->[Frequently asked questions about Events](./events-faqs.md)

-description: This article explains how use display Events metrics

-In this article, you'll learn how to use Events metrics in the Azure portal.

-> To learn more about Azure Monitor and metrics, see [Azure Monitor Metrics overview](../../azure-monitor/essentials/data-platform-metrics.md)]

-> For the purposes of this article, an Azure Event Hubs event hub was used as the Events message endpoint.

-3. From this page, you'll notice that the subscription named **fhir-events** has one processed message. To view the Event Hubs metrics, select the name of the Event Hubs (for this example, **azuredocsfhirservice**) from the lower right-hand corner of the page.

-4. From this page, you'll notice that the Event Hubs received the incoming message presented in the previous Events subscription metrics pages.

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-5. Select **+ Select from storage container**. The Storage accounts UI is shown. Select an existing account, or create an account using **+ Storage account**. This account is used for a container to stage your updates for import.

-This TLS certificate migration is critical for the security of our customers and Microsoft's infrastructure, and is time-bound by the expiration of the Baltimore CyberTrust Root certificate. Therefore, there's little extra time that we can provide for customers that don't think their devices will be ready by February 15, 2023. If you absolutely can't meet the February 2023 target date, [fill out this form](https://aka.ms/BaltimoreAllow) with the details of your extension request, and then [email us](mailto:iot-ca-updates@microsoft.com?subject=Requesting%20extension%20for%20Baltimore%20migration) with a message that indicates you've completed the form, along with your company name. We can flag the specific hubs to be migrated later in the rollout window.

-If your labeled training data is in a different format (like, pascal VOC or COCO), you can use a [conversion script](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/coco2jsonl.py) to first convert it to JSONL, and then create an `MLTable`. Alternatively, you can use Azure Machine Learning's [data labeling tool](how-to-create-image-labeling-projects.md) to manually label images, and export the labeled data to use for training your AutoML model.

-If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

-New-AzResourceGroup -Name 'CreatePrivLinkService-rg' -Location 'eastus2'

-In this section, you'll create a virtual network and an internal Azure Load Balancer.

- Name = 'mySubnet'

- AddressPrefix = '10.1.0.0/24'

- Name = 'myVNet'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- AddressPrefix = '10.1.0.0/16'

-$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'CreatePrivLinkService-rg'

- Name = 'myFrontEnd'

- PrivateIpAddress = '10.1.0.4'

-$bepool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'myBackEndPool'

- Name = 'myHealthProbe'

- Name = 'myHTTPRule'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- Name = 'myLoadBalancer'

-$subnet = 'mySubnet'

- Name = 'myVNet'

- ResourceGroupName = 'CreatePrivLinkService-rg'

-$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'CreatePrivLinkService-rg'

- Name = 'myIPconfig'

- PrivateIpAddress = '10.1.0.5'

- Name = 'myLoadBalancer'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- Name = 'myPrivateLinkService'

- ResourceGroupName = 'CreatePrivLinkService-rg'

-In this section, you'll map the private link service to a private endpoint. A virtual network contains the private endpoint for the private link service. This virtual network contains the resources that will access your private link service.

- Name = 'mySubnetPE'

- AddressPrefix = '11.1.0.0/24'

- Name = 'myVNetPE'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- AddressPrefix = '11.1.0.0/16'

- Name = 'myPrivateLinkService'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- Name = 'myPrivateLinkConnection'

- Name = 'myVNetPE'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- Name = 'MyPrivateEndpoint'

- ResourceGroupName = 'CreatePrivLinkService-rg'

-In this section, you'll approve the connection you created in the previous steps.

- Name = 'myPrivateLinkService'

- ResourceGroupName = 'CreatePrivLinkService-rg'

- ServiceName = 'myPrivateLinkService'

- ResourceGroupName = 'CreatePrivLinkService-rg'

-In this section, you'll find the IP address of the private endpoint that corresponds with the load balancer and private link service.

- Name = 'myPrivateEndpoint'

- ResourceGroupName = 'CreatePrivLinkService-rg'

-11.1.0.4

-Remove-AzResourceGroup -Name 'CreatePrivLinkService-rg'

-> | [FHIR Data Importer](#fhir-data-importer) | Role allows user or principal to read and import FHIR Data | 4465e953-8ced-4406-a58e-0f6e3f3b530b |

- "Microsoft.DataProtection/backupVaults/backupInstances/restore/action"

- "Microsoft.DataProtection/operations/read"

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read file backup sematics privilege. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/writeFileBackupSemantics/action | Write file backup sematics privilege. |

- "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",

- "properties": {

- "roleName": "Storage File Data Privileged Contributor",

- "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",

- "assignableScopes": [

- "/"

- ],

- "permissions": [

- {

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

- "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",

- "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",

- "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",

- "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",

- "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"

- ],

- "notDataActions": []

- }

- ]

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/readFileBackupSemantics/action | Read file backup sematics privilege. |

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |

- "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",

- "properties": {

- "roleName": "Storage File Data Privileged Reader",

- "description": "Customer has read access on Azure Storage file shares.",

- "assignableScopes": [

- "/"

- ],

- "permissions": [

- {

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

- "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"

- ],

- "notDataActions": []

- }

- ]

-> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |

- "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",

-> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/events/read | Reads events |

-> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/replicationcontrollers/* | |

- "Microsoft.ContainerService/managedClusters/events/read",

- "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",

-> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/featurestores/read | Gets the Machine Learning Services FeatureStore(s) |

-> | [Microsoft.MachineLearningServices](resource-provider-operations.md#microsoftmachinelearningservices)/featurestores/checkNameAvailability/read | Checks the Machine Learning Services FeatureStore name availability |

- "Microsoft.MachineLearningServices/workspaces/*/write",

- "Microsoft.MachineLearningServices/featurestores/read",

- "Microsoft.MachineLearningServices/featurestores/checkNameAvailability/read"

- "Microsoft.MachineLearningServices/workspaces/listKeys/action"

-> | Microsoft.HealthcareApis/services/fhir/resources/* | |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | |

-### FHIR Data Importer

-Role allows user or principal to read and import FHIR Data [Learn more](../healthcare-apis/azure-api-for-fhir/configure-azure-rbac.md)

-> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/services/fhir/resources/import/action | Import operation ($export). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | Import operation ($export). |

- "description": "Role allows user or principal to read and import FHIR Data",

- "id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b",

- "name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",

- "Microsoft.HealthcareApis/services/fhir/resources/import/action",

- "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"

- "roleName": "FHIR Data Importer",

-### FHIR Data Exporter

-Role allows user or principal to read and export FHIR Data [Learn more](../healthcare-apis/azure-api-for-fhir/configure-azure-rbac.md)

-> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |

- "description": "Role allows user or principal to read and export FHIR Data",

- "id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",

- "name": "3db33094-8700-4567-8da5-1501d4e7e843",

- "Microsoft.HealthcareApis/services/fhir/resources/read",

- "Microsoft.HealthcareApis/services/fhir/resources/export/action",

- "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"

- "roleName": "FHIR Data Exporter",

-> | Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |

-> | Microsoft.HealthcareApis/services/fhir/resources/* | |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | |

-> | Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard Delete (including version history). |

-> | Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action | Hard Delete (including version history). |

- "Microsoft.KeyVault/vaults/certificates/*"

- "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action"

-tags: azure-resource-manager

-keywords: ''

- The SBD device requires at least one additional virtual machine (VM) that acts as an Internet Small Computer System Interface (iSCSI) target server and provides an SBD device. These iSCSI target servers can, however, be shared with other Pacemaker clusters. The advantage of using an SBD device is that if you're already using SBD devices on-premises, they don't require any changes to how you operate the Pacemaker cluster.

- > When you're planning and deploying Linux Pacemaker clustered nodes and SBD devices, do not allow the routing between your virtual machines and the VMs that are hosting the SBD devices to pass through any other devices, such as a [network virtual appliance (NVA)](https://azure.microsoft.com/solutions/network-appliances/).

- >Maintenance events and other issues with the NVA can have a negative impact on the stability and reliability of the overall cluster configuration. For more information, see [User-defined routing rules](../../virtual-network/virtual-networks-udr-overview.md).

- Here are some important considerations about SBD devices when you're using an Azure shared disk:

- - An Azure shared disk with Premium SSD is supported as an SBD device.

- - SBD devices that use an Azure shared disk are supported on SLES High Availability 15 SP01 and later.

- - SBD devices that use an Azure premium shared disk are supported on [locally redundant storage (LRS)](../../virtual-machines/disks-redundancy.md#locally-redundant-storage-for-managed-disks) and [zone-redundant storage (ZRS)](../../virtual-machines/disks-redundancy.md#zone-redundant-storage-for-managed-disks).

- - Depending on the [type of your deployment](./sap-high-availability-architecture-scenarios.md#comparison-of-different-deployment-types-for-sap-workload), choose the appropriate redundant storage for an Azure shared disk as your SBD device.

- - An SBD device using LRS for Azure premium shared disk (skuName - Premium_LRS) is only supported with deployment in availability set.

- - An SBD device using ZRS for an Azure premium shared disk (skuName - Premium_ZRS) is recommended with deployment in availability zones.

- - A ZRS for managed disk is currently unavailable in all regions with availability zones. For more information, review the ZRS "Limitations" section in [Redundancy options for managed disks](../../virtual-machines/disks-redundancy.md#limitations).

- - The Azure shared disk that you use for SBD devices doesnΓÇÖt need to be large. The [maxShares](../../virtual-machines/disks-shared-enable.md#disk-sizes) value determines how many cluster nodes can use the shared disk. For example, you can use P1 or P2 disk sizes for your SBD device on two-node cluster such as SAP ASCS/ERS or SAP HANA scale-up.

- - For [HANA scale-out with HANA system replication (HSR) and Pacemaker](sap-hana-high-availability-scale-out-hsr-suse.md), you can use an Azure shared disk for SBD devices in clusters with up to four nodes per replication site because of the current limit of [maxShares](../../virtual-machines/disks-shared-enable.md#disk-sizes).

- - We do *not* recommend attaching an Azure shared disk SBD device across Pacemaker clusters.

- - If you use multiple Azure shared disk SBD devices, check on the limit for a maximum number of data disks that can be attached to a VM.

- - For more information about limitations for Azure shared disks, carefully review the "Limitations" section of [Azure shared disk documentation](../../virtual-machines/disks-shared.md#limitations).

-You can set up fencing by using an Azure fence agent. Azure fence agent require managed identities for the cluster VMs or a service principal, that manages restarting failed nodes via Azure APIs. Azure fence agent doesn't require the deployment of additional virtual machines.

-1. On **iSCSI target virtual machines**, run the following commands:

- <pre><code>sudo zypper update

- </code></pre>

- > [!NOTE]

- > You might need to reboot the OS after you upgrade or update the OS.

- To avoid a known issue with targetcli and SLES 12 SP3, uninstall the following packages. You can ignore errors about packages that can't be found.

- <pre><code>sudo zypper remove lio-utils python-rtslib python-configshell targetcli

- </code></pre>

- <pre><code>sudo zypper install targetcli-fb dbus-1-python

- </code></pre>

- <pre><code>sudo systemctl enable targetcli

- sudo systemctl start targetcli

- </code></pre>

-* **nfs**: Identifies the NFS cluster.

-* **ascsnw1**: Identifies the ASCS cluster of **NW1**.

-* **dbnw1**: Identifies the database cluster of **NW1**.

-* **nfs-0** and **nfs-1**: The hostnames of the NFS cluster nodes.

-* **nw1-xscs-0** and **nw1-xscs-1**: The hostnames of the **NW1** ASCS cluster nodes.

-* **nw1-db-0** and **nw1-db-1**: The hostnames of the database cluster nodes.

- <pre><code>sudo mkdir /sbd</code></pre>

- <pre><code>sudo targetcli backstores/fileio create sbdnfs /sbd/sbdnfs 50M write_back=false

- sudo targetcli iscsi/iqn.2006-04.nfs.local:nfs/tpg1/acls/ create iqn.2006-04.<b>nfs-0.local:nfs-0</b>

- sudo targetcli iscsi/iqn.2006-04.nfs.local:nfs/tpg1/acls/ create iqn.2006-04.<b>nfs-1.local:nfs-1</b></code></pre>

- <pre><code>sudo targetcli backstores/fileio create sbdascs<b>nw1</b> /sbd/sbdascs<b>nw1</b> 50M write_back=false

- sudo targetcli iscsi/ create iqn.2006-04.ascs<b>nw1</b>.local:ascs<b>nw1</b>

- sudo targetcli iscsi/iqn.2006-04.ascs<b>nw1</b>.local:ascs<b>nw1</b>/tpg1/luns/ create /backstores/fileio/sbdascs<b>nw1</b>

- sudo targetcli iscsi/iqn.2006-04.ascs<b>nw1</b>.local:ascs<b>nw1</b>/tpg1/acls/ create iqn.2006-04.<b>nw1-xscs-0.local:nw1-xscs-0</b>

- sudo targetcli iscsi/iqn.2006-04.ascs<b>nw1</b>.local:ascs<b>nw1</b>/tpg1/acls/ create iqn.2006-04.<b>nw1-xscs-1.local:nw1-xscs-1</b></code></pre>

- <pre><code>sudo targetcli backstores/fileio create sbddb<b>nw1</b> /sbd/sbddb<b>nw1</b> 50M write_back=false

- sudo targetcli iscsi/ create iqn.2006-04.db<b>nw1</b>.local:db<b>nw1</b>

- sudo targetcli iscsi/iqn.2006-04.db<b>nw1</b>.local:db<b>nw1</b>/tpg1/luns/ create /backstores/fileio/sbddb<b>nw1</b>

- sudo targetcli iscsi/iqn.2006-04.db<b>nw1</b>.local:db<b>nw1</b>/tpg1/acls/ create iqn.2006-04.<b>nw1-db-0.local:nw1-db-0</b>

- sudo targetcli iscsi/iqn.2006-04.db<b>nw1</b>.local:db<b>nw1</b>/tpg1/acls/ create iqn.2006-04.<b>nw1-db-1.local:nw1-db-1</b></code></pre>

- <pre><code>sudo targetcli saveconfig</code></pre>

- <pre><code>sudo targetcli ls

- | | o- <b>sbdascsnw1</b> ................................................ [/sbd/sbdascsnw1 (50.0MiB) write-thru activated]

- | | o- <b>sbddbnw1</b> .................................................... [/sbd/sbddbnw1 (50.0MiB) write-thru activated]

- | | o- <b>sbdnfs</b> ........................................................ [/sbd/sbdnfs (50.0MiB) write-thru activated]

- | o- <b>iqn.2006-04.ascsnw1.local:ascsnw1</b> .................................................................. [TPGs: 1]

- | | | o- <b>iqn.2006-04.nw1-xscs-0.local:nw1-xscs-0</b> ............................................... [Mapped LUNs: 1]

- | | | | o- mapped_lun0 ............................................................ [lun0 fileio/<b>sbdascsnw1</b> (rw)]

- | | | o- <b>iqn.2006-04.nw1-xscs-1.local:nw1-xscs-1</b> ............................................... [Mapped LUNs: 1]

- | | | o- mapped_lun0 ............................................................ [lun0 fileio/<b>sbdascsnw1</b> (rw)]

- | o- <b>iqn.2006-04.dbnw1.local:dbnw1</b> ...................................................................... [TPGs: 1]

- | | | o- <b>iqn.2006-04.nw1-db-0.local:nw1-db-0</b> ................................................... [Mapped LUNs: 1]

- | | | | o- mapped_lun0 .............................................................. [lun0 fileio/<b>sbddbnw1</b> (rw)]

- | | | o- <b>iqn.2006-04.nw1-db-1.local:nw1-db-1</b> ................................................... [Mapped LUNs: 1]

- | | | o- mapped_lun0 .............................................................. [lun0 fileio/<b>sbddbnw1</b> (rw)]

- | o- <b>iqn.2006-04.nfs.local:nfs</b> .......................................................................... [TPGs: 1]

- | | o- <b>iqn.2006-04.nfs-0.local:nfs-0</b> ......................................................... [Mapped LUNs: 1]

- | | | o- mapped_lun0 ................................................................ [lun0 fileio/<b>sbdnfs</b> (rw)]

- | | o- <b>iqn.2006-04.nfs-1.local:nfs-1</b> ......................................................... [Mapped LUNs: 1]

- | | o- mapped_lun0 ................................................................ [lun0 fileio/<b>sbdnfs</b> (rw)]

- </code></pre>

-> * **[A]**: Applies to all nodes.

-> * **[1]**: Applies only to node 1.

-> * **[2]**: Applies only to node 2.

- <pre><code>sudo systemctl enable iscsid

- </code></pre>

- <pre><code>sudo vi /etc/iscsi/initiatorname.iscsi

- </code></pre>

- <pre><code>InitiatorName=<b>iqn.2006-04.nfs-0.local:nfs-0</b></code></pre>

- <pre><code>sudo vi /etc/iscsi/initiatorname.iscsi

- </code></pre>

- <pre><code>InitiatorName=<b>iqn.2006-04.nfs-1.local:nfs-1</b>

- </code></pre>

- <pre><code>sudo systemctl restart iscsid

- </code></pre>

-1. **[A]** Connect the iSCSI devices. In the following example, 10.0.0.17 is the IP address of the iSCSI target server, and 3260 is the default port. <b>iqn.2006-04.nfs.local:nfs</b> is one of the target names that's listed when you run the first command, `iscsiadm -m discovery`.

- <pre><code>sudo iscsiadm -m discovery --type=st --portal=<b>10.0.0.17:3260</b>

- sudo iscsiadm -m node -T <b>iqn.2006-04.nfs.local:nfs</b> --login --portal=<b>10.0.0.17:3260</b>

- sudo iscsiadm -m node -p <b>10.0.0.17:3260</b> -T <b>iqn.2006-04.nfs.local:nfs</b> --op=update --name=node.startup --value=automatic</code></pre>

-

- <pre><code>sudo iscsiadm -m discovery --type=st --portal=<b>10.0.0.18:3260</b>

- sudo iscsiadm -m node -T <b>iqn.2006-04.nfs.local:nfs</b> --login --portal=<b>10.0.0.18:3260</b>

- sudo iscsiadm -m node -p <b>10.0.0.18:3260</b> -T <b>iqn.2006-04.nfs.local:nfs</b> --op=update --name=node.startup --value=automatic</code></pre>

-

- <pre><code>sudo iscsiadm -m discovery --type=st --portal=<b>10.0.0.19:3260</b>

- sudo iscsiadm -m node -T <b>iqn.2006-04.nfs.local:nfs</b> --login --portal=<b>10.0.0.19:3260</b>

- sudo iscsiadm -m node -p <b>10.0.0.19:3260</b> -T <b>iqn.2006-04.nfs.local:nfs</b> --op=update --name=node.startup --value=automatic

- </code></pre>

- <pre><code>lsscsi

- # <b>[6:0:0:0] disk LIO-ORG sbdnfs 4.0 /dev/sdd</b>

- # <b>[7:0:0:0] disk LIO-ORG sbdnfs 4.0 /dev/sde</b>

- # <b>[8:0:0:0] disk LIO-ORG sbdnfs 4.0 /dev/sdf</b>

- </code></pre>

- <pre><code>ls -l /dev/disk/by-id/scsi-* | grep <b>sdd</b>

-

- # lrwxrwxrwx 1 root root 9 Aug 9 13:20 /dev/disk/by-id/scsi-1LIO-ORG_sbdnfs:afb0ba8d-3a3c-413b-8cc2-cca03e63ef42 -> ../../sdd

- # <b>lrwxrwxrwx 1 root root 9 Aug 9 13:20 /dev/disk/by-id/scsi-36001405afb0ba8d3a3c413b8cc2cca03 -> ../../sdd</b>

- # lrwxrwxrwx 1 root root 9 Aug 9 13:20 /dev/disk/by-id/scsi-SLIO-ORG_sbdnfs_afb0ba8d-3a3c-413b-8cc2-cca03e63ef42 -> ../../sdd

-

- ls -l /dev/disk/by-id/scsi-* | grep <b>sde</b>

-

- # lrwxrwxrwx 1 root root 9 Feb 7 12:39 /dev/disk/by-id/scsi-1LIO-ORG_cl1:3fe4da37-1a5a-4bb6-9a41-9a4df57770e4 -> ../../sde

- # <b>lrwxrwxrwx 1 root root 9 Feb 7 12:39 /dev/disk/by-id/scsi-360014053fe4da371a5a4bb69a419a4df -> ../../sde</b>

- # lrwxrwxrwx 1 root root 9 Feb 7 12:39 /dev/disk/by-id/scsi-SLIO-ORG_cl1_3fe4da37-1a5a-4bb6-9a41-9a4df57770e4 -> ../../sde

-

- ls -l /dev/disk/by-id/scsi-* | grep <b>sdf</b>

-

- # lrwxrwxrwx 1 root root 9 Aug 9 13:32 /dev/disk/by-id/scsi-1LIO-ORG_sbdnfs:f88f30e7-c968-4678-bc87-fe7bfcbdb625 -> ../../sdf

- # <b>lrwxrwxrwx 1 root root 9 Aug 9 13:32 /dev/disk/by-id/scsi-36001405f88f30e7c9684678bc87fe7bf -> ../../sdf</b>

- # lrwxrwxrwx 1 root root 9 Aug 9 13:32 /dev/disk/by-id/scsi-SLIO-ORG_sbdnfs_f88f30e7-c968-4678-bc87-fe7bfcbdb625 -> ../../sdf

- </code></pre>

- The command lists three device IDs for every SBD device. We recommend using the ID that starts with scsi-1. In the preceding example, the IDs are:

- * **/dev/disk/by-id/scsi-36001405afb0ba8d3a3c413b8cc2cca03**

- * **/dev/disk/by-id/scsi-360014053fe4da371a5a4bb69a419a4df**

- * **/dev/disk/by-id/scsi-36001405f88f30e7c9684678bc87fe7bf**

- a. Use the device ID of the iSCSI devices to create the new SBD devices on the first cluster node.

- <pre><code>sudo sbd -d <b>/dev/disk/by-id/scsi-36001405afb0ba8d3a3c413b8cc2cca03</b> -1 60 -4 120 create</code></pre>

-

- b. Also create the second and third SBD devices if you want to use more than one.

- <pre><code>sudo sbd -d <b>/dev/disk/by-id/scsi-360014053fe4da371a5a4bb69a419a4df</b> -1 60 -4 120 create

- sudo sbd -d <b>/dev/disk/by-id/scsi-36001405f88f30e7c9684678bc87fe7bf</b> -1 60 -4 120 create

- </code></pre>

- a. Open the SBD config file.

- <pre><code>sudo vi /etc/sysconfig/sbd

- </code></pre>

- b. Change the property of the SBD device, enable the Pacemaker integration, and change the start mode of SBD.

- <pre><code>[...]

- <b>SBD_DEVICE="/dev/disk/by-id/scsi-36001405afb0ba8d3a3c413b8cc2cca03;/dev/disk/by-id/scsi-360014053fe4da371a5a4bb69a419a4df;/dev/disk/by-id/scsi-36001405f88f30e7c9684678bc87fe7bf"</b>

- [...]

- <b>SBD_PACEMAKER="yes"</b>

- [...]

- <b>SBD_STARTMODE="always"</b>

- [...]

- </code></pre>

- <pre><code>echo softdog | sudo tee /etc/modules-load.d/softdog.conf

- </code></pre>

- <pre><code>sudo modprobe -v softdog

- </code></pre>

- <pre><code>$ResourceGroup = "<b>MyResourceGroup</b>"

- $Location = "<b>MyAzureRegion</b>"</code></pre>

- <pre><code>$DiskSizeInGB = <b>4</b>

- $DiskName = "<b>SBD-disk1</b>"</code></pre>

- <pre><code>$ShareNodes = <b>2</b></code></pre>

- <pre><code>$SkuName = "<b>Premium_LRS</b>"</code></pre>

- <pre><code>$SkuName = "<b>Premium_ZRS</b>"</code></pre>

- <pre><code>$diskConfig = New-AzDiskConfig -Location $Location -SkuName $SkuName -CreateOption Empty -DiskSizeGB $DiskSizeInGB -MaxSharesCount $ShareNodes

- $dataDisk = New-AzDisk -ResourceGroupName $ResourceGroup -DiskName $DiskName -Disk $diskConfig</code></pre>

- <pre><code>$VM1 = "<b>prod-cl1-0</b>"

- $VM2 = "<b>prod-cl1-1</b>"</code></pre>

- <pre><code>$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VM1

- $vm = Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun <b>0</b>

- Update-AzVm -VM $vm -ResourceGroupName $ResourceGroup -Verbose</code></pre>

- <pre><code>$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VM2

- $vm = Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun <b>0</b>

- Update-AzVm -VM $vm -ResourceGroupName $ResourceGroup -Verbose</code></pre>

- <pre><code># lsblk

- <b>sdc 8:32 0 4G 0 disk</b>

- <b>[5:0:0:0] disk Msft Virtual Disk 1.0 /dev/sdc</b>

- </code></pre>

- <pre><code># ls -l /dev/disk/by-id/scsi-* | grep sdc

- <b>lrwxrwxrwx 1 root root 9 Nov 8 16:55 /dev/disk/by-id/scsi-3600224804208a67da8073b2a9728af19 -> ../../sdc</b>

- </code></pre>

- <pre><code># sudo sbd -d <b>/dev/disk/by-id/scsi-3600224804208a67da8073b2a9728af19</b> -1 60 -4 120 create

- </code></pre>

- <pre><code>sudo vi /etc/sysconfig/sbd

- </code></pre>

- <pre><code>[...]

- <b>SBD_DEVICE="/dev/disk/by-id/scsi-3600224804208a67da8073b2a9728af19"</b>

- <b>SBD_PACEMAKER="yes"</b>

- <b>SBD_STARTMODE="always"</b>

- </code></pre>

- <pre><code>echo softdog | sudo tee /etc/modules-load.d/softdog.conf

- </code></pre>

- <pre><code>sudo modprobe -v softdog

- </code></pre>

-This section applies only if you're using a fencing device that's based on an Azure fence agent. The fencing device uses either a managed identity or a service principal to authorize against Microsoft Azure.

-To create a managed identity (MSI), [create a system-assigned](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time. Azure fence agent, based on managed identity is supported for SLES 12 SP5 and SLES 15 SP1 and above.

-1. Select **App registrations**.

-1. Select **New registration**.

-1. Enter a name for the registration, and then select **Accounts in this organization directory only**.

-1. For **Application type**, select **Web**, enter a sign-on URL (for example, <code>*http://</code><code>localhost*</code>), and then select **Add**.

- The sign-on URL is not used and can be any valid URL.

-1. Select **Certificates and secrets**, and then select **New client secret**.

-1. Enter a description for a new key, select **Never expires**, and then select **Add**.

-1. Write down the value, which you'll use as the password for the service principal.

-1. Select **Overview**, and then write down the application ID, which you'll use as the username of the service principal.

-By default, neither managed identity nor service principal have permissions to access your Azure resources. You need to give the managed identity or service principal permissions to start and stop (deallocate) all virtual machines in the cluster. If you didn't already create the custom role, you can do so by using [PowerShell](../../role-based-access-control/custom-roles-powershell.md#create-a-custom-role) or the [Azure CLI](../../role-based-access-control/custom-roles-cli.md).

-Assign the custom role *Linux fence agent Role* that you already created to the service principal. Do *not* use the *Owner* role anymore. For more information, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-> * **[A]**: Applies to all nodes.

-> * **[1]**: Applies only to node 1.

-> * **[2]**: Applies only to node 2.

- <pre><code>sudo zypper update

- </code></pre>

-2. **[A]** Install the component, which you'll need for the cluster resources.

- <pre><code>sudo zypper in socat

- </code></pre>

-3. **[A]** Install the azure-lb component, which you'll need for the cluster resources.

- <pre><code>sudo zypper in resource-agents

- </code></pre>

- > Check the version of the *resource-agents* package, and make sure that the minimum version requirements are met:

- <pre><code># Edit the configuration file

- </code></pre>

- <pre><code>sudo vi /etc/sysctl.conf

- </code></pre>

-

- <pre><code>sudo vi /etc/sysctl.conf

- </code></pre>

- >[!NOTE]

- To prevent the cloud network plug-in from removing the virtual IP address (Pacemaker must control the assignment), change the configuration file for the network interface as shown in the following code. For more information, see [SUSE KB 7023633](https://www.suse.com/support/kb/doc/?id=7023633).

- <pre><code># Edit the configuration file

- </code></pre>

- <pre><code>sudo ssh-keygen

- </code></pre>

- <pre><code>sudo ssh-keygen

- </code></pre>

- <pre><code># insert the public key you copied in the last step into the authorized keys file on the first server

- </code></pre>

-

- <pre><code>sudo zypper install fence-agents

- </code></pre>

- >[!IMPORTANT]

- >[!IMPORTANT]

- > If using managed identity, the installed version of the *fence-agents* package must be

- > SLES 12 SP5: fence-agents 4.9.0+git.1624456340.8d746be9-3.35.2 or later

- > SLES 15 SP1 and higher: fence-agents 4.5.2+git.1592573838.1eee0863 or later.

-

- <pre><code># You might need to activate the public cloud extension first

- </code></pre>

- <pre><code># You might need to activate the public cloud extension first. In this example, the SUSEConnect command is for SLES 15 SP1

- </code></pre>

- >[!IMPORTANT]

- >Depending on your version and image type, you might need to activate the public cloud extension for your OS release before you can install the Azure Python SDK.

- >You can check the extension by running `SUSEConnect list-extensions`.

- >To achieve the faster failover times with the Azure fence agent:

-

- <pre><code>sudo vi /etc/hosts

- </code></pre>

- <pre><code># IP address of the first cluster node

- <b>10.0.0.6 prod-cl1-0</b>

- <b>10.0.0.7 prod-cl1-1</b>

- </code></pre>

-

- <pre><code>sudo crm cluster init

- # Do you want to continue anyway (y/n)? <b>y</b>

- # /root/.ssh/id_rsa already exists - overwrite (y/n)? <b>n</b>

- # Address for ring0 [10.0.0.6] <b>Select Enter</b>

- # Port for ring0 [5405] <b>Select Enter</b>

- # SBD is already configured to use /dev/disk/by-id/scsi-36001405639245768818458b930abdf69;/dev/disk/by-id/scsi-36001405afb0ba8d3a3c413b8cc2cca03;/dev/disk/by-id/scsi-36001405f88f30e7c9684678bc87fe7bf - overwrite (y/n)? <b>n</b>

- # Do you wish to configure an administration IP (y/n)? <b>n</b>

- </code></pre>

-

-

- <pre><code>sudo crm cluster init

- # Do you want to continue anyway (y/n)? <b>y</b>

- # /root/.ssh/id_rsa already exists - overwrite (y/n)? <b>n</b>

- # Address for ring0 [10.0.0.6] <b>Select Enter</b>

- # Port for ring0 [5405] <b>Select Enter</b>

- # Do you wish to use SBD (y/n)? <b>n</b>

- # Do you wish to configure an administration IP (y/n)? <b>n</b>

- </code></pre>

-

- <pre><code>sudo crm cluster join

- # Do you want to continue anyway (y/n)? <b>y</b>

- # IP address or hostname of existing node (for example, 192.168.1.1) []<b>10.0.0.6</b>

- # /root/.ssh/id_rsa already exists - overwrite (y/n)? <b>n</b>

- </code></pre>

- <pre><code>sudo passwd hacluster

- </code></pre>

- <pre><code>sudo vi /etc/corosync/corosync.conf

- </code></pre>

- a. Add the following bold-formatted content to the file if the values are not there or are different. Be sure to change the token to 30000 to allow memory-preserving maintenance. For more information, see the "Maintenance for virtual machines in Azure" article for [Linux][virtual-machines-linux-maintenance] or [Windows][virtual-machines-windows-maintenance].

- <pre><code>[...]

- <b>token: 30000

- max_messages: 20</b>

-

- <b>expected_votes: 2</b>

- <b>two_node: 1</b>

- </code></pre>

- <pre><code>sudo service corosync restart

- </code></pre>

- <pre><code>sudo crm configure property stonith-timeout=144

- sudo crm configure delete <b>stonith-sbd</b>

- sudo crm configure primitive <b>stonith-sbd</b> stonith:external/sbd \

- </code></pre>

-

- <pre><code>sudo crm configure property stonith-enabled=true

- </code></pre>

-

- <pre><code>

- params <b>msi=true</b> subscriptionId="<b>subscription ID</b>" resourceGroup="<b>resource group</b>" \

- pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 <b>pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name"</b> \

- </code></pre>

- <pre><code>

- params subscriptionId="<b>subscription ID</b>" resourceGroup="<b>resource group</b>" tenantId="<b>tenant ID</b>" login="<b>application ID</b>" passwd="<b>password</b>" \

- pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 <b>pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name"</b> \

- </code></pre>

- If you are using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.

-Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md). Scheduled events are provided via the metadata service and allow time for the application to prepare for such events. Resource agent [azure-events-az](https://github.com/ClusterLabs/resource-agents/blob/main/heartbeat/azure-events-az.in) monitors for scheduled Azure events. If events are detected and the resource agent determines that another cluster node is available, it sets a cluster health attribute. When the cluster health attribute is set for a node, the location constraint triggers and all resources, whose name doesnΓÇÖt start with ΓÇ£health-ΓÇ£ are migrated away from the node with scheduled event. Once the affected cluster node is free of running cluster resources, scheduled event is acknowledged and can execute its action, such as restart.

-> Previously, this document described the use of resource agent [azure-events](https://github.com/ClusterLabs/resource-agents/blob/main/heartbeat/azure-events.in). New resource agent [azure-events-az](https://github.com/ClusterLabs/resource-agents/blob/main/heartbeat/azure-events-az.in) fully supports Azure environments deployed in different availability zones.

-The following items are prefixed with either **[A]** - applicable to all nodes, including majority maker VM for HANA scale-out, **[1]** - only applicable to cluster node 1.

-1. **[A]** Make sure that the package for the azure-events-az agent is already installed and up to date.

-

- <pre><code>sudo zypper info resource-agents

- </code></pre>

- Minimum version requirements:

- SLES 12 SP5: `resource-agents-4.3.018.a7fb5035-3.98.1`

- SLES 15 SP1: `resource-agents-4.3.0184.6ee15eb2-150100.4.72.1`

- SLES 15 SP2: `resource-agents-4.4.0+git57.70549516-150200.3.56.1`

- SLES 15 SP3: `resource-agents-4.8.0+git30.d0077df0-150300.8.31.1`

- SLES 15 SP4 and newer: `resource-agents-4.10.0+git40.0f4de473-150400.3.19.1`

-1. **[1]** Configure the resources in Pacemaker.

-

- <pre><code>sudo crm configure property maintenance-mode=true

- </code></pre>

-1. **[1]** Set the Pacemaker cluster health node strategy and constraint

-

- <pre><code>sudo crm configure property node-health-strategy=custom

- </code></pre>

-1. **[1]** Set initial value of the cluster attributes.

- Run for each cluster node. For scale-out environments including majority maker VM.

- <pre><code>sudo crm_attribute --node <b>prod-cl1-0</b> --name '#health-azure' --update 0

- sudo crm_attribute --node <b>prod-cl1-1</b> --name '#health-azure' --update 0

- </code></pre>

-1. **[1]** Configure the resources in Pacemaker.

- <pre><code>sudo crm configure primitive health-azure-events \

- </code></pre>

-1. Take the Pacemaker cluster out of maintenance mode

- <pre><code>sudo crm configure property maintenance-mode=false

- </code></pre>

-1. Clear any errors during enablement and verify that the health-azure-events resources have started successfully on all cluster nodes.

-

- <pre><code>sudo crm resource cleanup

- </code></pre>

- > After you've configured the Pacemaker resources for the azure-events agent, if you place the cluster in or out of maintenance mode, you might get warning messages such as:

- WARNING: cib-bootstrap-options: unknown attribute 'hostName_ <strong> hostname</strong>'

- WARNING: cib-bootstrap-options: unknown attribute 'azure-events_globalPullState'

- WARNING: cib-bootstrap-options: unknown attribute 'hostName_ <strong>hostname</strong>'

-* [Azure Virtual Machines planning and implementation for SAP][planning-guide]

-* [Azure Virtual Machines deployment for SAP][deployment-guide]

-* [Azure Virtual Machines DBMS deployment for SAP][dbms-guide]

-* [High availability for NFS on Azure VMs on SUSE Linux Enterprise Server][sles-nfs-guide]

-* [High availability for SAP NetWeaver on Azure VMs on SUSE Linux Enterprise Server for SAP applications][sles-guide]

-* To learn how to establish high availability and plan for disaster recovery of SAP HANA on Azure VMs, see [High availability of SAP HANA on Azure Virtual Machines][sap-hana-ha]

- - The list of Azure VM sizes that are supported for the deployment of SAP software.

- - Important capacity information for Azure VM sizes.

- - The supported SAP software, and operating system (OS) and database combinations.

- - The required SAP kernel version for Windows and Linux on Microsoft Azure.

- - [Setting up SAP HANA Cluster](https://documentation.suse.com/sles-sap/15-SP1/html/SLES4SAP-guide/cha-s4s-cluster.html).

- - [SLES High Availability Extension 15 SP3 Release Notes](https://www.suse.com/releasenotes/x86_64/SLE-HA/15-SP3/https://docsupdatetracker.net/index.html)

- - [Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server 15](https://documentation.suse.com/sbp/all/html/OS_Security_Hardening_Guide_for_SAP_HANA_SLES15/https://docsupdatetracker.net/index.html).

- - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 Guide](https://documentation.suse.com/sles/15-SP3/)

- - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 SAP Automation](https://documentation.suse.com/sles-sap/15-SP3/html/SLES-SAP-automation/article-sap-automation.html)

- - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 SAP Monitoring](https://documentation.suse.com/sles-sap/15-SP3/html/SLES-SAP-monitoring/article-sap-monitoring.html)

- - [Getting Started with SAP HANA High Availability Cluster Automation Operating on Azure](https://documentation.suse.com/sbp/all/html/SBP-SAP-HANA-PerOpt-HA-Azure/https://docsupdatetracker.net/index.html)

- - [SUSE and Microsoft Solution Templates for SAP Applications Simplified Deployment on Microsoft](https://documentation.suse.com/sbp/all/html/SBP-SAP-AzureSolutionTemplates/https://docsupdatetracker.net/index.html)

-## Set up the Azure NetApp File infrastructure

-2. Set up Azure NetApp Files capacity pool by following the instructions in [Set up an Azure NetApp Files capacity pool](../../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md).

- The HANA architecture presented in this article uses a single Azure NetApp Files capacity pool at the *Ultra* Service level. For HANA workloads on Azure, we recommend using Azure NetApp Files *Ultra* or *Premium* [service Level](../../azure-netapp-files/azure-netapp-files-service-levels.md).

-3. Delegate a subnet to Azure NetApp Files, as described in the instructions in [Delegate a subnet to Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-delegate-subnet.md).

-4. Deploy Azure NetApp Files volumes by following the instructions in [Create an NFS volume for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-create-volumes.md).

- As you deploy the volumes, be sure to select the NFSv4.1 version. Deploy the volumes in the designated Azure NetApp Files subnet. The IP addresses of the Azure NetApp volumes are assigned automatically.

- Keep in mind that the Azure NetApp Files resources and the Azure VMs must be in the same Azure virtual network or in peered Azure virtual networks. For example, hanadb1-data-mnt00001, hanadb1-log-mnt00001, and so on, are the volume names and nfs://10.3.1.4/hanadb1-data-mnt00001, nfs://10.3.1.4/hanadb1-log-mnt00001, and so on, are the file paths for the Azure NetApp Files volumes.

-

- On **hanadb1**

- - Volume hanadb1-data-mnt00001 (nfs://10.3.1.4:/hanadb1-data-mnt00001)

- - Volume hanadb1-log-mnt00001 (nfs://10.3.1.4:/hanadb1-log-mnt00001)

- - Volume hanadb1-shared-mnt00001 (nfs://10.3.1.4:/hanadb1-shared-mnt00001)

- On **hanadb2**

-

- - Volume hanadb2-data-mnt00001 (nfs://10.3.1.4:/hanadb2-data-mnt00001)

- - Volume hanadb2-log-mnt00001 (nfs://10.3.1.4:/hanadb2-log-mnt00001)

- - Volume hanadb2-shared-mnt00001 (nfs://10.3.1.4:/hanadb2-shared-mnt00001)

-| /hana/shared | 1 x RAM | 1 x RAM | v3 or v4.1 |

-## Deploy Linux virtual machine via Azure portal

-First you need to create the Azure NetApp Files volumes. Then do the following steps:

-1. Create a resource group.

-2. Create a virtual network.

-3. Choose a [suitable deployment type](./sap-high-availability-architecture-scenarios.md#comparison-of-different-deployment-types-for-sap-workload) for SAP virtual machines. Typically a virtual machine scale set with flexible orchestration.

-4. Create a load balancer (internal). We recommend standard load balancer.

- Select the virtual network created in step 2.

-5. Create Virtual Machine 1 (**hanadb1**).

-6. Create Virtual Machine 2 (**hanadb2**).

-7. While creating virtual machine, we won't be adding any disk as all our mount points will be on NFS shares from Azure NetApp Files.

-> Floating IP is not supported on a NIC secondary IP configuration in load-balancing scenarios. For details see [Azure Load balancer Limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need additional IP address for the VM, deploy a second NIC.

-> [!NOTE]

-> When VMs without public IP addresses are placed in the backend pool of internal (no public IP address) Standard Azure load balancer, there will be no outbound internet connectivity, unless additional configuration is performed to allow routing to public end points. For details on how to achieve outbound connectivity see [Public endpoint connectivity for Virtual Machines using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md).

-8. To set up standard load balancer, follow these configuration steps:

- 1. First, create a front-end IP pool:

- 1. Open the load balancer, select **frontend IP configuration**, and select **Add**.

- 1. Enter the name of the new front-end IP (for example, **hana-frontend**).

- 1. Set the **Assignment** to **Static** and enter the IP address (for example, **10.3.0.50**).

- 1. Select **OK**.

- 1. After the new front-end IP pool is created, note the pool IP address.

- 1. Create a single back-end pool:

- 1. Enter the name of the new back-end pool (for example, **hana-backend**).

- 2. Select **NIC** for Backend Pool Configuration.

- 1. Select **Add a virtual machine**.

- 1. Select the virtual machines of the HANA cluster.

- 1. Select **Add**.

- 2. Select **Save**.

-

- 1. Next, create a health probe:

- 1. Open the load balancer, select **health probes**, and select **Add**.

- 1. Enter the name of the new health probe (for example, **hana-hp**).

- 1. Select TCP as the protocol and port 625**03**. Keep the **Interval** value set to 5.

- 1. Select **OK**.

-

- 1. Next, create the load-balancing rules:

- 1. Open the load balancer, select **load balancing rules**, and select **Add**.

- 1. Enter the name of the new load balancer rule (for example, **hana-lb**).

- 1. Select the front-end IP address, the back-end pool, and the health probe that you created earlier (for example, **hana-frontend**, **hana-backend** and **hana-hp**).

- 2. Increase idle timeout to 30 minutes

- 1. Select **HA Ports**.

- 1. Make sure to **enable Floating IP**.

- 1. Select **OK**.

-1.**[A]** Create mount points for the HANA database volumes.

- ```bash

- sudo mkdir -p /hana/data/HN1/mnt00001

- sudo mkdir -p /hana/log/HN1/mnt00001

- sudo mkdir -p /hana/shared/HN1

- ```

-2.**[A]** Verify the NFS domain setting. Make sure that the domain is configured as the default Azure NetApp Files domain, that is, **defaultv4iddomain.com** and the mapping is set to **nobody**.

- ```output

-3.**[A]** Edit the /etc/fstab on both nodes to permanently mount the volumes relevant to each node. Below is an example of how you mount the volumes permanently.

- Add the following entries in /etc/fstab on both nodes

-

- ```output

-

- ```output

-

- For workloads, that require higher throughput, consider using the `nconnect` mount option, as described in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#nconnect-mount-option). Check if `nconnect` is [supported by Azure NetApp Files](../../azure-netapp-files/performance-linux-mount-options.md#nconnect) on your Linux release.

-4.**[A]** Verify that all HANA volumes are mounted with NFS protocol version NFSv4.

- Verify that flag vers is set to 4.1

-

- Example from hanadb1

- ```output

-5.**[A]** Verify **nfs4_disable_idmapping**. It should be set to **Y**. To create the directory structure where **nfs4_disable_idmapping** is located, execute the mount command. You won't be able to manually create the directory under /sys/modules, because access is reserved for the kernel / drivers.

- Check nfs4_disable_idmapping

- ```

- If you need to set nfs4_disable_idmapping to Y

- ```bash

- ```

- Make the configuration permanent

- ```bash

-1.**[A]** Set up host name resolution for all hosts.

- Insert the following lines in the /etc/hosts file. Change the IP address and hostname to match your environment

- ```output

-2.**[A]** Prepare the OS for running SAP HANA on Azure NetApp with NFS, as described in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). Create configuration file */etc/sysctl.d/91-NetApp-HANA.conf* for the NetApp configuration settings.

- ```config

-3.**[A]** Create configuration file */etc/sysctl.d/ms-az.conf* with additional optimization settings.

- ```config

-> [!TIP]

-> Avoid setting net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports explicitly in the sysctl configuration files to allow SAP Host Agent to manage the port ranges. For more information, see SAP note [2382421](https://launchpad.support.sap.com/#/notes/2382421).

-4.**[A]** Adjust the sunrpc settings, as recommended in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346).

- ```config

-5.**[A]** SLES for HANA Configuration

-ΓÇï Configure SLES as described in below SAP Note based on your SLES version

-6.**[A]** Install the SAP HANA

- Starting with HANA 2.0 SPS 01, MDC is the default option. When you install HANA system, SYSTEMDB and a tenant with same SID will be created together. In some cases, you do not want the default tenant. In case, if you donΓÇÖt want to create initial tenant along with the installation you can follow SAP Note [2629711](https://launchpad.support.sap.com/#/notes/2629711).

-a. Start the hdblcm program from the HANA installation software directory.

- ```bash

- ./hdblcm

- ```

- b. At the prompt, enter the following values:

-7.**[A]** Upgrade SAP Host Agent

-

-Follow the steps in setup [SAP HANA System Replication](./sap-hana-high-availability.md#configure-sap-hana-20-system-replication) to configure SAP HANA System Replication.

-This section describes necessary steps required for cluster to operate seamlessly when SAP HANA is installed on NFS shares using Azure NetApp Files.

-This is an important step to optimize the integration with the cluster and improve the detection, when a cluster failover is needed. It is highly recommended to configure both SAPHanaSR and susChkSrv Python hooks. Follow the steps mentioned in, [Implement the Python System Replication hooks SAPHanaSR and susChkSrv](./sap-hana-high-availability.md#implement-hana-hooks-saphanasr-and-suschksrv)

-Create a dummy file system cluster resource, which will monitor and report failures, in case there is a problem accessing the NFS-mounted file system `/hana/shared`. That allows the cluster to trigger failover, in case there is a problem accessing `/hana/shared`. For more information, see [Handling failed NFS share in SUSE HA cluster for HANA system replication](https://www.suse.com/support/kb/doc/?id=000019904).

-1.**[A]** Create the directory structure on both nodes.

-2.**[1]** Configure the cluster to add the directory structure for monitoring

-3.**[1]** Clone and check the newly configured volume in the cluster

- ```bash

- sudo crm status

- ```

- ```output

- #Cluster Summary:

- # Stack: corosync

- # Current DC: hanadb1 (version 2.0.5+20201202.ba59be712-4.9.1-2.0.5+20201202.ba59be712) - partition with quorum

- # Last updated: Tue Nov 2 17:57:39 2021

- # Last change: Tue Nov 2 17:57:38 2021 by root via crm_attribute on hanadb1

- # 2 nodes configured

- # 11 resource instances configured

-# Node List:

- # Online: [ hanadb1 hanadb2 ]

-# Full List of Resources:

- # Clone Set: cln_azure-events [rsc_azure-events]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: cln_SAPHanaTopology_HN1_HDB03 [rsc_SAPHanaTopology_HN1_HDB03]:

- # rsc_SAPHanaTopology_HN1_HDB03 (ocf::suse:SAPHanaTopology): Started hanadb1 (Monitoring)

- # rsc_SAPHanaTopology_HN1_HDB03 (ocf::suse:SAPHanaTopology): Started hanadb2 (Monitoring)

- # Clone Set: msl_SAPHana_HN1_HDB03 [rsc_SAPHana_HN1_HDB03] (promotable):

- # rsc_SAPHana_HN1_HDB03 (ocf::suse:SAPHana): Master hanadb1 (Monitoring)

- # Slaves: [ hanadb2 ]

- # Resource Group: g_ip_HN1_HDB03:

- # rsc_ip_HN1_HDB03 (ocf::heartbeat:IPaddr2): Started hanadb1

- # rsc_nc_HN1_HDB03 (ocf::heartbeat:azure-lb): Started hanadb1

- # rsc_st_azure (stonith:fence_azure_arm): Started hanadb2

- # Clone Set: cln_fs_check_HN1_HDB03 [rsc_fs_check_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- ```

-`OCF_CHECK_LEVEL=20` attribute is added to the monitor operation, so that monitor operations perform a read/write test on the file system. Without this attribute, the monitor operation only verifies that the file system is mounted. This can be a problem because when connectivity is lost, the file system may remain mounted, despite being inaccessible.

-`on-fail=fence` attribute is also added to the monitor operation. With this option, if the monitor operation fails on a node, that node is immediately fenced.

-This section describes how you can test your setup.

-1.Before you start a test, make sure that Pacemaker does not have any failed action (via crm status), no unexpected location constraints (for example leftovers of a migration test) and that HANA system replication is sync state, for example with systemReplicationStatus:

-2.Verify the status of the HANA Resources using the command below

- ```output

-3.Verify the cluster configuration for a failure scenario when a node is shutdown (below, for example shows shutting down node 1)

- ```

- Example output

- ```output

- #Cluster Summary:

- # Stack: corosync

- # Current DC: hanadb2 (version 2.0.5+20201202.ba59be712-4.9.1-2.0.5+20201202.ba59be712) - partition with quorum

- # Last updated: Mon Nov 8 23:25:36 2021

- # Last change: Mon Nov 8 23:25:19 2021 by root via crm_attribute on hanadb2

- # 2 nodes configured

- # 11 resource instances configured

-

- #Node List:

-

- # Online: [ hanadb1 hanadb2 ]

- #Full List of Resources:

- # Clone Set: cln_azure-events [rsc_azure-events]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: cln_SAPHanaTopology_HN1_HDB03 [rsc_SAPHanaTopology_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: msl_SAPHana_HN1_HDB03 [rsc_SAPHana_HN1_HDB03] (promotable):

- # Masters: [ hanadb2 ]

- # Stopped: [ hanadb1 ]

- # Resource Group: g_ip_HN1_HDB03:

- # rsc_ip_HN1_HDB03 (ocf::heartbeat:IPaddr2): Started hanadb2

- # rsc_nc_HN1_HDB03 (ocf::heartbeat:azure-lb): Started hanadb2

- # rsc_st_azure (stonith:fence_azure_arm): Started hanadb2

- # Clone Set: cln_fs_check_HN1_HDB03 [rsc_fs_check_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- ```

- ```bash

- ```output

-4.Verify the cluster configuration for a failure scenario when a node loses access to the NFS share (/hana/shared)

- The SAP HANA resource agents depend on binaries stored on `/hana/shared` to perform operations during failover. File system `/hana/shared` is mounted over NFS in the presented scenario.

- It is difficult to simulate a failure, where one of the servers loses access to the NFS share. A test that can be performed is to re-mount the file system as read-only.

- This approach validates that the cluster will be able to failover, if access to `/hana/shared` is lost on the active node.

- **Expected Result:** On making `/hana/shared` as read-only file system, the `OCF_CHECK_LEVEL` attribute of the resource `hana_shared1`, which performs read/write operation on file system will fail as it is not able to write anything on the file system and will perform HANA resource failover. The same result is expected when your HANA node loses access to the NFS shares.

- ```

- Example output

- ```output

- # Stack: corosync

- # Current DC: hanadb2 (version 2.0.5+20201202.ba59be712-4.9.1-2.0.5+20201202.ba59be712) - partition with quorum

- # Last updated: Mon Nov 8 23:01:27 2021

- # Last change: Mon Nov 8 23:00:46 2021 by root via crm_attribute on hanadb1

- # 2 nodes configured

- # 11 resource instances configured

- #Node List:

- # Online: [ hanadb1 hanadb2 ]

- #Full List of Resources:

- # Clone Set: cln_azure-events [rsc_azure-events]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: cln_SAPHanaTopology_HN1_HDB03 [rsc_SAPHanaTopology_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: msl_SAPHana_HN1_HDB03 [rsc_SAPHana_HN1_HDB03] (promotable):

- # Masters: [ hanadb1 ]

- # Slaves: [ hanadb2 ]

- # Resource Group: g_ip_HN1_HDB03:

- # rsc_ip_HN1_HDB03 (ocf::heartbeat:IPaddr2): Started hanadb1

- # rsc_nc_HN1_HDB03 (ocf::heartbeat:azure-lb): Started hanadb1

- # rsc_st_azure (stonith:fence_azure_arm): Started hanadb2

- # Clone Set: cln_fs_check_HN1_HDB03 [rsc_fs_check_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- sudo mount -o ro 10.3.1.4:/hanadb1-shared-mnt00001 /hana/shared

- ```

- ```

- Example output

- ```output

- # Stack: corosync

- # Current DC: hanadb2 (version 2.0.5+20201202.ba59be712-4.9.1-2.0.5+20201202.ba59be712) - partition with quorum

- # Last updated: Wed Nov 10 22:00:27 2021

- # Last change: Wed Nov 10 21:59:47 2021 by root via crm_attribute on hanadb2

- # 2 nodes configured

- # 11 resource instances configured

- #Node List:

- # Online: [ hanadb1 hanadb2 ]

- #Full List of Resources:

- # Clone Set: cln_azure-events [rsc_azure-events]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: cln_SAPHanaTopology_HN1_HDB03 [rsc_SAPHanaTopology_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

- # Clone Set: msl_SAPHana_HN1_HDB03 [rsc_SAPHana_HN1_HDB03] (promotable):

- # Masters: [ hanadb2 ]

- # Stopped: [ hanadb1 ]

- # Resource Group: g_ip_HN1_HDB03:

- # rsc_nc_HN1_HDB03 (ocf::heartbeat:azure-lb): Started hanadb2

- # rsc_st_azure (stonith:fence_azure_arm): Started hanadb2

- # Clone Set: cln_fs_check_HN1_HDB03 [rsc_fs_check_HN1_HDB03]:

- # Started: [ hanadb1 hanadb2 ]

-We recommend testing the SAP HANA cluster configuration thoroughly, by also doing the tests described in [SAP HANA System Replication](./sap-hana-high-availability.md#test-the-cluster-setup).

-* [Azure Virtual Machines planning and implementation for SAP](./planning-guide.md)

-* [Azure Virtual Machines deployment for SAP](./deployment-guide.md)

-* [Azure Virtual Machines DBMS deployment for SAP](./dbms-guide-general.md)

-* [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md)

-tags: azure-resource-manager

-# High availability for SAP HANA scale-out system with HSR on SUSE Linux Enterprise Server

-[anf-avail-matrix]:https://azure.microsoft.com/global-infrastructure/services/?products=netapp&regions=all

-[1410736]:https://launchpad.support.sap.com/#/notes/1410736

-[sap-swcenter]:https://support.sap.com/en/my-support/software-downloads.html

-[suse-drbd-guide]:https://www.suse.com/documentation/sle-ha-12/singlehtml/book_sleha_techguides/book_sleha_techguides.html

-[suse-ha-12sp3-relnotes]:https://www.suse.com/releasenotes/x86_64/SLE-HA/12-SP3/

-[nfs-ha]:high-availability-guide-suse-nfs.md

-The HANA shared file system `/han). The HANA shared file system is NFS mounted on each HANA node in the same HANA system replication site. File systems `/hana/data` and `/hana/log` are local file systems and are not shared between the HANA DB nodes. SAP HANA will be installed in non-shared mode.

-> For recommended SAP HANA storage configurations, see [SAP HANA Azure VMs storage configurations](./hana-vm-operations-storage.md).

-In the preceding diagram, three subnets are represented within one Azure virtual network, following the SAP HANA network recommendations:

-As `/hana/data` and `/hana/log` are deployed on local disks, it is not necessary to deploy separate subnet and separate virtual network cards for communication to the storage.

-If you are using Azure NetApp Files, the NFS volumes for `/han): `anf` 10.23.1.0/26.

-1. Deploy the Azure VMs.

-For the configuration presented in this document, deploy seven virtual machines:

- - three virtual machines to serve as HANA DB nodes for HANA replication site 1: **hana-s1-db1**, **hana-s1-db2** and **hana-s1-db3**

- - three virtual machines to serve as HANA DB nodes for HANA replication site 2: **hana-s2-db1**, **hana-s2-db2** and **hana-s2-db3**

- - a small virtual machine to serve as *majority maker*: **hana-s-mm**

- For the majority maker node, you can deploy a small VM, as this VM doesn't run any of the SAP HANA resources. The majority maker VM is used in the cluster configuration to achieve odd number of cluster nodes in a split-brain scenario. The majority maker VM only needs one virtual network interface in the `client` subnet in this example.

- > Make sure that the OS you select is SAP-certified for SAP HANA on the specific VM types you're using. For a list of SAP HANA certified VM types and OS releases for those types, go to the [SAP HANA certified IaaS platforms](https://www.sap.com/dmc/exp/2014-09-02-hana-hardware/enEN/#/solutions?filters=v:deCertified;ve:24;iaas;v:125;v:105;v:99;v:120) site. Click into the details of the listed VM type to get the complete list of SAP HANA-supported OS releases for that type.

- > If you choose to deploy `/hana/shared` on NFS on Azure Files, we recommend to deploy on SLES15 SP2 and above.

-4. Attach the newly created virtual network interfaces to the corresponding virtual machines:

- a. Go to the virtual machine in the [Azure portal](https://portal.azure.com/#home).

- b. In the left pane, select **Virtual Machines**. Filter on the virtual machine name (for example, **hana-s1-db1**), and then select the virtual machine.

- c. In the **Overview** pane, select **Stop** to deallocate the virtual machine.

- d. Select **Networking**, and then attach the network interface. In the **Attach network interface** drop-down list, select the already created network interfaces for the `inter` and `hsr` subnets.

-

- e. Select **Save**.

-

- f. Repeat steps b through e for the remaining virtual machines (in our example, **hana-s1-db2**, **hana-s1-db3**, **hana-s2-db1**, **hana-s2-db2** and **hana-s2-db3**).

-

- g. Leave the virtual machines in stopped state for now. Next, we'll enable [accelerated networking](../../virtual-network/create-vm-accelerated-networking-cli.md) for all newly attached network interfaces.

-5. Enable accelerated networking for the additional network interfaces for the `inter` and `hsr` subnets by doing the following steps:

- a. Open [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/) in the [Azure portal](https://portal.azure.com/#home).

- b. Execute the following commands to enable accelerated networking for the additional network interfaces, which are attached to the `inter` and `hsr` subnets.

- ```azurecli

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db1-inter --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db2-inter --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db3-inter --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db1-inter --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db2-inter --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db3-inter --accelerated-networking true

-

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db1-hsr --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db2-hsr --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s1-db3-hsr --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db1-hsr --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db2-hsr --accelerated-networking true

- az network nic update --id /subscriptions/your subscription/resourceGroups/your resource group/providers/Microsoft.Network/networkInterfaces/hana-s2-db3-hsr --accelerated-networking true

- ```

-7. Start the HANA DB virtual machines

- 1. Enter the name of the new front-end IP pool (for example, **hana-frontend**).

- 1. Set the **Assignment** to **Static** and enter the IP address (for example, **10.23.0.27**).

- 1. Select **OK**.

- 1. After the new front-end IP pool is created, note the pool IP address.

- 1. Create a single back-end pool:

-

- 1. Enter the name of the new back-end pool (for example, **hana-backend**).

- 2. Select **NIC** for Backend Pool Configuration.

- 1. Select **Add a virtual machine**.

- 1. Select the virtual machines of the HANA cluster (the NICs for the `client` subnet).

- 1. Select **Add**.

- 2. Select **Save**.

- 1. Next, create a health probe:

- 1. Enter the name of the new health probe (for example, **hana-hp**).

- 1. Select **TCP** as the protocol and port 625**03**. Keep the **Interval** value set to 5.

- 1. Select **OK**.

- 1. Next, create the load-balancing rules:

-

- 1. Enter the name of the new load balancer rule (for example, **hana-lb**).

- 1. Select the front-end IP address, the back-end pool, and the health probe that you created earlier (for example, **hana-frontend**, **hana-backend** and **hana-hp**).

- 2. Increase idle timeout to 30 minutes.

- 1. Select **HA Ports**.

- 1. Make sure to **enable Floating IP**.

- 1. Select **OK**.

- > Floating IP is not supported on a NIC secondary IP configuration in load-balancing scenarios. For details see [Azure Load balancer Limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need additional IP address for the VM, deploy a second NIC.

-

- > [!Note]

-There are two options for deploying Azure native NFS for `/han). Azure files supports NFSv4.1 protocol, NFS on Azure NetApp files supports both NFSv4.1 and NFSv3.

-The next sections describe the steps to deploy NFS - you'll need to select only *one* of the options.

-#### Deploy the Azure NetApp Files infrastructure

-Deploy ANF volumes for the `/han#set-up-the-azure-netapp-files-infrastructure).

-In this example, the following Azure NetApp Files volumes were used:

-Deploy Azure Files NFS shares for the `/han?tabs=azure-portal).

-In this example, the following Azure Files NFS shares were used:

-* **[A]**: Applicable to all nodes, including majority maker

-* **[AH]**: Applicable to all HANA DB nodes

-* **[M]**: Applicable to the majority maker node only

-* **[AH1]**: Applicable to all HANA DB nodes on SITE 1

-* **[AH2]**: Applicable to all HANA DB nodes on SITE 2

-* **[1]**: Applicable only to HANA DB node 1, SITE 1

-* **[2]**: Applicable only to HANA DB node 1, SITE 2

- # Client subnet

- 10.23.0.19 hana-s1-db1

- 10.23.0.20 hana-s1-db2

- 10.23.0.21 hana-s1-db3

- 10.23.0.22 hana-s2-db1

- 10.23.0.23 hana-s2-db2

- 10.23.0.24 hana-s2-db3

- 10.23.0.25 hana-s-mm

- # Internode subnet

- 10.23.1.132 hana-s1-db1-inter

- 10.23.1.133 hana-s1-db2-inter

- 10.23.1.134 hana-s1-db3-inter

- 10.23.1.135 hana-s2-db1-inter

- 10.23.1.136 hana-s2-db2-inter

- 10.23.1.137 hana-s2-db3-inter

- # HSR subnet

- 10.23.1.196 hana-s1-db1-hsr

- 10.23.1.197 hana-s1-db2-hsr

- 10.23.1.198 hana-s1-db3-hsr

- 10.23.1.199 hana-s2-db1-hsr

- 10.23.1.200 hana-s2-db2-hsr

- 10.23.1.201 hana-s2-db3-hsr

- <pre><code>

- </code></pre>

- > Avoid setting net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports explicitly in the sysctl configuration files to allow SAP Host Agent to manage the port ranges. For more details see SAP note [2382421](https://launchpad.support.sap.com/#/notes/2382421).

- # Uninstall scale-up packages and patterns

- sudo zypper remove patterns-sap-hana

- sudo zypper remove SAPHanaSR SAPHanaSR-doc yast2-sap-ha

- # Install the scale-out packages and patterns

- sudo zypper in SAPHanaSR-ScaleOut SAPHanaSR-ScaleOut-doc

- sudo zypper in -t pattern ha_sles

-In this example, the shared HANA file systems are deployed on Azure NetApp Files and mounted over NFSv4.1. Follow the steps in this section, only if you are using NFS on Azure NetApp Files.

- <pre><code>

- </code></pre>

- <pre><code>

- </code></pre>

-In this example, the shared HANA file systems are deployed on NFS on Azure Files. Follow the steps in this section, only if you are using NFS on Azure Files.

-6. **[AH1]** Mount the shared Azure NetApp Files volumes on the SITE1 HANA DB VMs.

-7. **[AH2]** Mount the shared Azure NetApp Files volumes on the SITE2 HANA DB VMs.

-8. **[AH]** Verify that the corresponding `/hana/shared/` file systems are mounted on all HANA DB VMs with NFS protocol version **NFSv4.1**.

-In the presented configuration, file systems `/hana/data` and `/hana/log` are deployed on managed disk and are locally attached to each HANA DB VM.

-You will need to execute the steps to create the local data and log volumes on each HANA DB virtual machine.

-3. **[AH]** Create a volume group for the data files. Use one volume group for the log files and one for the shared directory of SAP HANA:

-4. **[AH]** Create the logical volumes.

-> Make sure that cluster property `concurrent-fencing` is enabled, so that node fencing is deserialized.

-2. **[1,2]** Change the permissions on `/hana/shared`

-3. **[1]** Verify that you can log in via SSH to the HANA DB VMs in this site **hana-s1-db2** and **hana-s1-db3**, without being prompted for a password. If that is not the case, exchange ssh keys as described in [Enable SSH Access via Public Key](https://documentation.suse.com/sbp/all/html/SLES4SAP-hana-scaleOut-PerfOpt-12/https://docsupdatetracker.net/index.html#_enable_ssh_access_via_public_key_optional).

- If that is not the case, exchange ssh keys.

-5. **[AH]** Install additional packages, which are required for HANA 2.0 SP4 and above. For more information, see SAP Note [2593824](https://launchpad.support.sap.com/#/notes/2593824) for your SLES version.

-1. **[1]** Install SAP HANA by following the instructions in the [SAP HANA 2.0 Installation and Update guide](https://help.sap.com/docs/SAP_HANA_PLATFORM/2c1988d620e04368aa4103bf26f17727/7eb0167eb35e4e2885415205b8383584.html?version=2.0.05). In the instructions that follow, we show the SAP HANA installation on the first node on SITE 1.

- * For **System Administrator Login Shell** [/bin/sh]: press Enter to accept the default

- * For **System Administrator User ID** [1001]: press Enter to accept the default

- * For **Enter ID of User Group (sapsys)** [79]: press Enter to accept the default

- * For **Restart system after machine reboot?** [n]: enter **n**

-2. **[2]** Repeat the preceding step to install SAP HANA on the first node on SITE 2.

-4. **[1,2]** Restart SAP HANA to activate the changes.

-8. **[1]** Install the secondary HANA nodes. The example instructions in this step are for SITE 1.

- a. Start the resident **hdblcm** program as `root`.

-9. **[2]** Repeat the preceding step to install the secondary SAP HANA nodes on SITE 2.

-

- sudo su - hn1adm -c "python /usr/sap/HN1/HDB03/exe/python_support/systemReplicationStatus.py"

- # | Database | Host | Port | Service Name | Volume ID | Site ID | Site Name | Secondary | Secondary | Secondary | Secondary | Secondary | Replication | Replication | Replication |

- # | | | | | | | | Host | Port | Site ID | Site Name | Active Status | Mode | Status | Status Details |

- # | -- | - | -- | | | - | | - | | | | - | -- | -- | -- |

- # | HN1 | hana-s1-db3 | 30303 | indexserver | 5 | 1 | HANA_S1 | hana-s2-db3 | 30303 | 2 | HANA_S2 | YES | SYNC | ACTIVE | |

- # | SYSTEMDB | hana-s1-db1 | 30301 | nameserver | 1 | 1 | HANA_S1 | hana-s2-db1 | 30301 | 2 | HANA_S2 | YES | SYNC | ACTIVE | |

- # | HN1 | hana-s1-db1 | 30307 | xsengine | 2 | 1 | HANA_S1 | hana-s2-db1 | 30307 | 2 | HANA_S2 | YES | SYNC | ACTIVE | |

- # | HN1 | hana-s1-db1 | 30303 | indexserver | 3 | 1 | HANA_S1 | hana-s2-db1 | 30303 | 2 | HANA_S2 | YES | SYNC | ACTIVE | |

- # | HN1 | hana-s1-db2 | 30303 | indexserver | 4 | 1 | HANA_S1 | hana-s2-db2 | 30303 | 2 | HANA_S2 | YES | SYNC | ACTIVE | |

- #

- # status system replication site "2": ACTIVE

- # overall system replication status: ACTIVE

- #

- # Local System Replication State

- #

- # mode: PRIMARY

- # site id: 1

- # site name: HANA_S1

-4. **[1,2]** Change the HANA configuration so that communication for HANA system replication is directed through the HANA system replication virtual network interfaces.

- - Stop HANA on both sites

- ```bash

- sudo -u hn1adm /usr/sap/hostctrl/exe/sapcontrol -nr 03 -function StopSystem HDB

- ```

- - Edit global.ini to add the host mapping for HANA system replication: use the IP addresses from the `hsr` subnet.

- ```bash

- sudo vi /usr/sap/HN1/SYS/global/hdb/custom/config/global.ini

- #Add the section

- [system_replication_hostname_resolution]

- 10.23.1.196 = hana-s1-db1

- 10.23.1.197 = hana-s1-db2

- 10.23.1.198 = hana-s1-db3

- 10.23.1.199 = hana-s2-db1

- 10.23.1.200 = hana-s2-db2

- 10.23.1.201 = hana-s2-db3

- ```

- - Start HANA on both sites

- ```bash

- sudo -u hn1adm /usr/sap/hostctrl/exe/sapcontrol -nr 03 -function StartSystem HDB

- ```

-Create a dummy file system cluster resource, which will monitor and report failures, in case there is a problem accessing the NFS-mounted file system `/hana/shared`. That allows the cluster to trigger failover, in case there is a problem accessing `/hana/shared`. For more details see [Handling failed NFS share in SUSE HA cluster for HANA system replication](https://www.suse.com/support/kb/doc/?id=000019904)

-1. **[1]** Place pacemaker in maintenance mode, in preparation for the creation of the HANA cluster resources.

-2. **[1,2]** Create the directory on the NFS mounted file system /hana/shared, which will be used in the special file system monitoring resource. The directories need to be created on both sites.

-2. **[AH]** Create the directory, which will be used to mount the special file system monitoring resource. The directory needs to be created on all HANA cluster nodes.

-3. **[1]** Create the file system cluster resources.

-

- `on-fail=fence` attribute is also added to the monitor operation. With this option, if the monitor operation fails on a node, that node is immediately fenced.

-This important step is to optimize the integration with the cluster and detection when a cluster failover is possible. It is highly recommended to configure SAPHanaSrMultiTarget Python hook. For HANA 2.0 SP5 and higher, implementing both SAPHanaSrMultiTarget and susChkSrv hooks is recommended.

-> [!NOTE]

-Provided steps for SAPHanaSrMultiTarget hook are for a new installation. Upgrading an existing environment from SAPHanaSR to SAPHanaSrMultiTarget provider requires several changes and are _NOT_ described in this document. If the existing environment uses no third site for disaster recovery and [HANA multi-target system replication](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/ba457510958241889a459e606bbcf3d3.html) is not used, SAPHanaSR HA provider can remain in use.

-|-| -- | |

-```bash

-sapcontrol -nr 03 -function StopSystem

-```

- Default location of the HA hooks as dalivered by SUSE is /usr/share/SAPHanaSR-ScaleOut. Using the standard location brings a benefit, that the python hook code is automatically updated through OS or package updates and gets used by HANA at next restart. With an optional own path, such as /hana/shared/myHooks you can decouple OS updates from the used hook version.

-5. **[A]** Verify the hook installation is active on all cluster nodes. Execute as <sid\>adm.

-1. **[1]** Create the HANA cluster resources. Execute the following commands as `root`.

-

- 2. Next, create the HANA Topology resource.

- 3. Next, create the HANA instance resource.

- > [!NOTE]

-

- > We recommend as a best practice that you only set AUTOMATED_REGISTER to **no**, while performing thorough fail-over tests, to prevent failed primary instance to automatically register as secondary. Once the fail-over tests have completed successfully, set AUTOMATED_REGISTER to **yes**, so that after takeover system replication can resume automatically.

- 4. Create Virtual IP and associated resources.

- 5. Create the cluster constraints

-2. **[1]** Configure additional cluster properties

-3. **[1]** Place the cluster out of maintenance mode. Make sure that the cluster status is ok and that all of the resources are started.

-## Test SAP HANA failover

-1. Before you start a test, check the cluster and SAP HANA system replication status.

- a. Verify that there are no failed cluster actions

-

- ```

- In this example the command was executed on hana-s1-db1 for ANF volume `/hana/shared`.

- The cluster resources will be migrated to the other HANA system replication site.

-

- If you set AUTOMATED_REGISTER="false", you will need to configure SAP HANA system replication on secondary site. In this case, you can execute these commands to reconfigure SAP HANA as secondary.

- The state of the resources, after the test:

- Started: [ hana-s1-db1 hana-s1-db2 hana-s1-db3 hana-s2-db1 hana-s2-db2 hana-s2-db3 ]

-* To learn how to establish high availability and plan for disaster recovery of SAP HANA on Azure VMs, see [High Availability of SAP HANA on Azure Virtual Machines (VMs)][sap-hana-ha].

-[template-multisid-db]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-db-md%2Fazuredeploy.json

-[template-converged]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-converged-md%2Fazuredeploy.json

-The resource agent for SAP HANA is included in SUSE Linux Enterprise Server for SAP Applications.

-An image for SUSE Linux Enterprise Server for SAP Applications 12 or 15 is available in Azure Marketplace. You can use the image to deploy new VMs.

-### Deploy by using a template

-You can use one of the quickstart templates that are on GitHub to deploy the SAP HANA solution. The templates install all the required resources, including the VMs, the load balancer, and the availability set.

-To deploy the template:

-1. In the Azure portal, open the [database template][template-multisid-db] or the [converged template][template-converged].

- The *database template* creates the load-balancing rules only for a database. The *converged template* creates load-balancing rules for a database, and also for an SAP ASCS/SCS instance and an SAP ERS (Linux only) instance. If you plan to install an SAP NetWeaver-based system and you want to install the ASCS/SCS instance on the same machines, use the [converged template][template-converged].

-1. Enter the following parameters in the template you choose:

- - **Sap System ID**: Enter the SAP system ID (SAP SID) of the SAP system you want to install. The ID is used as a prefix for the resources that are deployed.

- - **Stack Type** (*converged template only*): Select the SAP NetWeaver stack type.

- - **Os Type**: Select one of the Linux distributions. For this example, select **SLES 12**.

- - **Db Type**: Select **HANA**.

- - **Sap System Size**: Enter the number of SAP Application Performance Standard units (SAPS) the new system will provide. If you're not sure how many SAPS the system requires, ask your SAP Technology Partner or System Integrator.

- - **System Availability**: Select **HA**.

- - **Admin Username and Admin Password**: Create a new user and password that you can use to sign in to the machine.

- - **New Or Existing Subnet**: If you already have a virtual network that's connected to your on-premises network, select **Existing**. Otherwise, select **New** and create a new virtual network and subnet.

- - **Subnet ID**: If you want to deploy the VM to an existing virtual network that has a defined subnet, the VM should be assigned to the name the ID of that specific subnet. The ID usually is in this format:

- /subscriptions/\<subscription ID\>/resourceGroups/\<resource group name\>/providers/Microsoft.Network/virtualNetworks/\<virtual network name\>/subnets/\<subnet name\>

-### Manual deployment

-To manually deploy SAP HANA system replication:

-1. Create a resource group.

-1. Create a virtual network.

-1. Choose a [suitable deployment type](./sap-high-availability-architecture-scenarios.md#comparison-of-different-deployment-types-for-sap-workload) for SAP virtual machines. Typically a virtual machine scale set with flexible orchestration.

-1. Create a load balancer (internal).

- - We recommend that you use the [standard load balancer](../../load-balancer/load-balancer-overview.md).

- - Select the virtual network you created in step 2.

-1. Create virtual machine 1.

- - Use an SLES4SAP image in the Azure gallery that's supported for SAP HANA on the VM type you selected.

- - Select the scale set, availability zone or availability set created in step 3.

-1. Create virtual machine 2.

- - Use an SLES4SAP image in the Azure gallery that's supported for SAP HANA on the VM type you selected.

- - Select the scale set, availability zone or availability set created in step 3.

-1. Add data disks.

- > [!IMPORTANT]

- > A floating IP address isn't supported on a network interface card (NIC) secondary IP configuration in load-balancing scenarios. For details, see [Azure Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need another IP address for the VM, deploy a second NIC.

- > [!NOTE]

- > When VMs that don't have public IP addresses are placed in the back-end pool of an internal (no public IP address) standard instance of Azure Load Balancer, the default configuration is no outbound internet connectivity. You can take extra steps to allow routing to public endpoints. For details on how to achieve outbound connectivity, see [Public endpoint connectivity for VMs by using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md).

- 1. Enter the name of the new front-end IP pool (for example, **hana-frontend**).

- 1. Set **Assignment** to **Static** and enter the IP address (for example, **10.0.0.13**).

- 1. Select **OK**.

- 1. After the new front-end IP pool is created, note the pool IP address.

- 1. Create a single back-end pool:

- 1. Enter the name of the new back-end pool (for example, **hana-backend**).

- 1. For **Backend Pool Configuration**, select **NIC**.

- 1. Select **Add a virtual machine**.

- 1. Select the VMs that are in the HANA cluster.

- 1. Select **Add**.

- 1. Select **Save**.

- 1. Create a health probe:

- 1. Enter the name of the new health probe (for example, **hana-hp**).

- 1. For **Protocol**, select **TCP** and select port **625\<instance number\>**. Keep **Interval** set to **5**.

- 1. Select **OK**.

- 1. Create the load-balancing rules:

- 1. Enter the name of the new load balancer rule (for example, **hana-lb**).

- 1. Select the front-end IP address, the back-end pool, and the health probe that you created earlier (for example, **hana-frontend**, **hana-backend**, and **hana-hp**).

- 1. Increase the idle timeout to 30 minutes.

- 1. Select **HA Ports**.

- 1. Enable **Floating IP**.

- 1. Select **OK**.

- For more information about the required ports for SAP HANA, read the chapter [Connections to Tenant Databases](https://help.sap.com/viewer/78209c1d3a9b41cd8624338e42a12bf6/latest/en-US/7a9343c9f2a2436faa3cfdb5ca00c052.html) in the [SAP HANA Tenant Databases](https://help.sap.com/viewer/78209c1d3a9b41cd8624338e42a12bf6) guide or [SAP Note 2388694][2388694].

-To proceed with extra steps to provision the second virtual IP, make sure that you configured Azure Load Balancer as described in [Manual deployment](#manual-deployment).

- 1. Enter the name of the second front-end IP pool (for example, **hana-secondaryIP**).

- 1. Set the **Assignment** to **Static** and enter the IP address (for example, **10.0.0.14**).

- 1. Select **OK**.

- 1. After the new front-end IP pool is created, note the front-end IP address.

-1. Create a health probe:

- 1. Enter the name of the new health probe (for example, **hana-secondaryhp**).

- 1. Select **TCP** as the protocol and port **626\<instance number\>**. Keep the **Interval** value set to **5**, and the **Unhealthy threshold** value set to **2**.

- 1. Select **OK**.

-1. Create the load-balancing rules:

- 1. Enter the name of the new load balancer rule (for example, **hana-secondarylb**).

- 1. Select the front-end IP address, the back-end pool, and the health probe that you created earlier (for example, **hana-secondaryIP**, **hana-backend**, and **hana-secondaryhp**).

- 1. Select **HA Ports**.

- 1. Increase idle timeout to 30 minutes.

- 1. Make sure that you **enable floating IP**.

- 1. Select **OK**.

- hn1-db-0:~ # SAPHanaSR-showAttr

- crm resource move msl_SAPHana_<HANA SID>_HDB<instance number> hn1-db-1 force

- Online: [ hn1-db-0 hn1-db-1 ]

- su - <hana sid>adm

- # Switch back to root and clean up the failed state

- hn1-db-0:~ # crm resource cleanup msl_SAPHana_<HANA SID>_HDB<instance number> hn1-db-0

- Online: [ hn1-db-0 hn1-db-1 ]

- hn1-db-0:~ # ps aux | grep sbd

- service pacemaker stop

- service pacemaker start

-# Deploy a SAP HANA scale-out system with standby node on Azure VMs by using Azure NetApp Files on SUSE Linux Enterprise Server

-[anf-avail-matrix]:https://azure.microsoft.com/global-infrastructure/services/?products=netapp&regions=all

-[1410736]:https://launchpad.support.sap.com/#/notes/1410736

-[sap-swcenter]:https://support.sap.com/en/my-support/software-downloads.html

-[suse-drbd-guide]:https://www.suse.com/documentation/sle-ha-12/singlehtml/book_sleha_techguides/book_sleha_techguides.html

-[nfs-ha]:high-availability-guide-suse-nfs.md

-In the example configurations, installation commands, and so on, the HANA instance is **03** and the HANA system ID is **HN1**. The examples are based on HANA 2.0 SP4 and SUSE Linux Enterprise Server for SAP 12 SP4.

-* [Azure NetApp Files documentation][anf-azure-doc]

-> The standby node needs access to all database volumes. The HANA volumes must be mounted as NFSv4 volumes. The improved file lease-based locking mechanism in the NFSv4 protocol is used for `I/O` fencing.

-

-In the preceding diagram, which follows SAP HANA network recommendations, three subnets are represented within one Azure virtual network:

- - `client` 10.23.0.0/24

- - `storage` 10.23.2.0/24

- - `hana` 10.23.3.0/24

- - `anf` 10.23.1.0/26

-## Set up the Azure NetApp Files infrastructure

-Before you proceed with the setup for Azure NetApp Files infrastructure, familiarize yourself with the [Azure NetApp Files documentation][anf-azure-doc].

- As you're deploying the volumes, be sure to select the **NFSv4.1** version. Currently, access to NFSv4.1 requires being added to an allowlist. Deploy the volumes in the designated Azure NetApp Files [subnet](/rest/api/virtualnetwork/subnets). The IP addresses of the Azure NetApp volumes are assigned automatically.

-

-

-The throughput of an Azure NetApp Files volume is a function of the volume size and service level, as documented in [Service level for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-service-levels.md).

-| Volume | Size of<br>Premium Storage tier | Size of<br>Ultra Storage tier | Supported NFS protocol |

-| Volume | Size of<br>Ultra Storage tier | Supported NFS protocol |

-1. Create the [Azure virtual network subnets](../../virtual-network/virtual-network-manage-subnet.md) in your [Azure virtual network](../../virtual-network/virtual-networks-overview.md).

-1. Deploy the VMs.

-1. Create the additional network interfaces, and attach the network interfaces to the corresponding VMs.

- Each virtual machine has three network interfaces, which correspond to the three Azure virtual network subnets (`client`, `storage` and `hana`).

-> For SAP HANA workloads, low latency is critical. To achieve low latency, work with your Microsoft representative to ensure that the virtual machines and the Azure NetApp Files volumes are deployed in close proximity. When you're [onboarding new SAP HANA system](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRxjSlHBUxkJBjmARn57skvdUQlJaV0ZBOE1PUkhOVk40WjZZQVJXRzI2RC4u) that's using SAP HANA Azure NetApp Files, submit the necessary information.

-

-The next instructions assume that you've already created the resource group, the Azure virtual network, and the three Azure virtual network subnets: `client`, `storage` and `hana`. When you deploy the VMs, select the client subnet, so that the client network interface is the primary interface on the VMs. You will also need to configure an explicit route to the Azure NetApp Files delegated subnet via the storage subnet gateway.

-2. Create three virtual machines (**hanadb1**, **hanadb2**, **hanadb3**) by doing the following steps:

- a. Use a SLES4SAP image in the Azure gallery that's supported for SAP HANA. We used a SLES4SAP 12 SP4 image in this example.

- b. Select the availability set that you created earlier for SAP HANA.

- When you deploy the virtual machines, the network interface name is automatically generated. In these instructions for simplicity we'll refer to the automatically generated network interfaces, which are attached to the client Azure virtual network subnet, as **hanadb1-client**, **hanadb2-client**, and **hanadb3-client**.

-5. Attach the newly created virtual network interfaces to the corresponding virtual machines by doing the following steps:

- a. Go to the virtual machine in the [Azure portal](https://portal.azure.com/#home).

- b. In the left pane, select **Virtual Machines**. Filter on the virtual machine name (for example, **hanadb1**), and then select the virtual machine.

- c. In the **Overview** pane, select **Stop** to deallocate the virtual machine.

- d. Select **Networking**, and then attach the network interface. In the **Attach network interface** drop-down list, select the already created network interfaces for the `storage` and `hana` subnets.

-

- e. Select **Save**.

-

- f. Repeat steps b through e for the remaining virtual machines (in our example, **hanadb2** and **hanadb3**).

-

- g. Leave the virtual machines in stopped state for now. Next, we'll enable [accelerated networking](../../virtual-network/create-vm-accelerated-networking-cli.md) for all newly attached network interfaces.

-6. Enable accelerated networking for the additional network interfaces for the `storage` and `hana` subnets by doing the following steps:

- a. Open [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/) in the [Azure portal](https://portal.azure.com/#home).

- b. Execute the following commands to enable accelerated networking for the additional network interfaces, which are attached to the `storage` and `hana` subnets.

- <pre><code>

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb1-storage</b> --accelerated-networking true

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb2-storage</b> --accelerated-networking true

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb3-storage</b> --accelerated-networking true

-

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb1-hana</b> --accelerated-networking true

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb2-hana</b> --accelerated-networking true

- az network nic update --id /subscriptions/<b>your subscription</b>/resourceGroups/<b>your resource group</b>/providers/Microsoft.Network/networkInterfaces/<b>hanadb3-hana</b> --accelerated-networking true

- </code></pre>

-7. Start the virtual machines by doing the following steps:

- a. In the left pane, select **Virtual Machines**. Filter on the virtual machine name (for example, **hanadb1**), and then select it.

- b. In the **Overview** pane, select **Start**.

- <pre><code>

- 10.23.2.4 hanadb1-storage

- 10.23.2.5 hanadb2-storage

- 10.23.2.6 hanadb3-storage

- # Client

- 10.23.0.5 hanadb1

- 10.23.0.6 hanadb2

- 10.23.0.7 hanadb3

- # Hana

- 10.23.3.4 hanadb1-hana

- 10.23.3.5 hanadb2-hana

- 10.23.3.6 hanadb3-hana

- </code></pre>

- The following instructions assume that the storage network interface is `eth1`.

- <pre><code>

- vi /etc/sysconfig/network/dhcp

- vi /etc/sysconfig/network/ifcfg-<b>eth1</b>

- </code></pre>

-2. **[A]** Add a network route, so that the communication to the Azure NetApp Files goes via the storage network interface.

- <pre><code>

- vi /etc/sysconfig/network/ifroute-<b>eth1</b>

- <b>10.23.2.1</b>

- <b>10.23.1.0/26</b> <b>10.23.2.1</b> - -

- </code></pre>

-3. **[A]** Prepare the OS for running SAP HANA on NetApp Systems with NFS, as described in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). Create configuration file */etc/sysctl.d/91-NetApp-HANA.conf* for the NetApp configuration settings.

- <pre><code>

- </code></pre>

-4. **[A]** Create configuration file */etc/sysctl.d/ms-az.conf* with Microsoft for Azure configuration settings.

- <pre><code>

- </code></pre>

-> [!TIP]

-> Avoid setting net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports explicitly in the sysctl configuration files to allow SAP Host Agent to manage the port ranges. For more details see SAP note [2382421](https://launchpad.support.sap.com/#/notes/2382421).

-4. **[A]** Adjust the sunrpc settings for NFSv3 volumes, as recommended in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346).

- <pre><code>

- </code></pre>

- <pre><code>

- mkdir -p /hana/data/<b>HN1</b>/mnt00001

- mkdir -p /hana/data/<b>HN1</b>/mnt00002

- mkdir -p /hana/log/<b>HN1</b>/mnt00001

- mkdir -p /hana/log/<b>HN1</b>/mnt00002

- mkdir -p /usr/sap/<b>HN1</b>

- </code></pre>

- <pre><code>

- # Create a temporary directory to mount <b>HN1</b>-shared

- mount <b>10.23.1.4</b>:/<b>HN1</b>-shared /mnt/tmp

- mount -t nfs -o sec=sys,nfsvers=4.1 <b>10.23.1.4</b>:/<b>HN1</b>-shared /mnt/tmp

- mkdir shared usr-sap-<b>hanadb1</b> usr-sap-<b>hanadb2</b> usr-sap-<b>hanadb3</b>

- </code></pre>

- <pre><code>

- Domain = <b>defaultv4iddomain.com</b>

- Nobody-User = <b>nobody</b>

- Nobody-Group = <b>nobody</b>

- </code></pre>

- <pre><code>

- </code></pre>

- <pre><code>

- sudo useradd <b>hn1</b>adm -u 1001 -g 1001 -d /usr/sap/<b>HN1</b>/home -c "SAP HANA Database System" -s /bin/sh

- </code></pre>

- <pre><code>

- sudo vi /etc/fstab

- # Add the following entries

- 10.23.1.5:/<b>HN1</b>-data-mnt00001 /hana/data/<b>HN1</b>/mnt00001 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- 10.23.1.6:/<b>HN1</b>-data-mnt00002 /hana/data/<b>HN1</b>/mnt00002 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- 10.23.1.4:/<b>HN1</b>-log-mnt00001 /hana/log/<b>HN1</b>/mnt00001 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- 10.23.1.6:/<b>HN1</b>-log-mnt00002 /hana/log/HN1/mnt00002 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- 10.23.1.4:/<b>HN1</b>-shared/shared /hana/shared nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- # Mount all volumes

- sudo mount -a

- </code></pre>

- <pre><code>

- 10.23.1.4:/<b>HN1</b>-shared/usr-sap-<b>hanadb1</b> /usr/sap/<b>HN1</b> nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- sudo mount -a

- </code></pre>

- <pre><code>

- 10.23.1.4:/<b>HN1</b>-shared/usr-sap-<b>hanadb2</b> /usr/sap/<b>HN1</b> nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- sudo mount -a

- </code></pre>

- <pre><code>

- 10.23.1.4:/<b>HN1</b>-shared/usr-sap-<b>hanadb3</b> /usr/sap/<b>HN1</b> nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0

- sudo mount -a

- </code></pre>

- <pre><code>

- # Verify that flag vers is set to <b>4.1</b>

- # Example from <b>hanadb1</b>

- /hana/data/<b>HN1</b>/mnt00001 from 10.23.1.5:/<b>HN1</b>-data-mnt00001

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.5

- /hana/log/<b>HN1</b>/mnt00002 from 10.23.1.6:/<b>HN1</b>-log-mnt00002

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.6

- /hana/data/<b>HN1</b>/mnt00002 from 10.23.1.6:/<b>HN1</b>-data-mnt00002

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.6

- /hana/log/<b>HN1</b>/mnt00001 from 10.23.1.4:/<b>HN1</b>-log-mnt00001

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.4

- /usr/sap/<b>HN1</b> from 10.23.1.4:/<b>HN1</b>-shared/usr-sap-<b>hanadb1</b>

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.4

- /hana/shared from 10.23.1.4:/<b>HN1</b>-shared/shared

- Flags: rw,noatime,vers=<b>4.1</b>,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.23.2.4,local_lock=none,addr=10.23.1.4

- </code></pre>

- <pre><code>

- ssh root@<b>hanadb2</b>

- ssh root@<b>hanadb3</b>

- </code></pre>

-3. **[A]** Install additional packages, which are required for HANA 2.0 SP4. For more information, see SAP Note [2593824](https://launchpad.support.sap.com/#/notes/2593824).

- <pre><code>

- sudo zypper install libgcc_s1 libstdc++6 libatomic1

- </code></pre>

-4. **[2], [3]** Change ownership of SAP HANA `data` and `log` directories to **hn1**adm.

- <pre><code>

- sudo chown hn1adm:sapsys /hana/data/<b>HN1</b>

- sudo chown hn1adm:sapsys /hana/log/<b>HN1</b>

- </code></pre>

- a. Start the **hdblcm** program from the HANA installation software directory. Use the `internal_network` parameter and pass the address space for subnet, which is used for the internal HANA inter-node communication.

- <pre><code>

- ./hdblcm --internal_network=10.23.3.0/24

- </code></pre>

- b. At the prompt, enter the following values:

- * For **Choose an action**: enter **1** (for install)

- * For **Additional components for installation**: enter **2, 3**

- * For installation path: press Enter (defaults to /hana/shared)

- * For **Local Host Name**: press Enter to accept the default

- * Under **Do you want to add hosts to the system?**: enter **y**

- * For **comma-separated host names to add**: enter **hanadb2, hanadb3**

- * For **Root User Name** [root]: press Enter to accept the default

- * For **Root User Password**: enter the root user's password

- * For roles for host hanadb2: enter **1** (for worker)

- * For **Host Failover Group** for host hanadb2 [default]: press Enter to accept the default

- * For **Storage Partition Number** for host hanadb2 [\<\<assign automatically\>\>]: press Enter to accept the default

- * For **Worker Group** for host hanadb2 [default]: press Enter to accept the default

- * For **Select roles** for host hanadb3: enter **2** (for standby)

- * For **Host Failover Group** for host hanadb3 [default]: press Enter to accept the default

- * For **Worker Group** for host hanadb3 [default]: press Enter to accept the default

- * For **SAP HANA System ID**: enter **HN1**

- * For **Instance number** [00]: enter **03**

- * For **Local Host Worker Group** [default]: press Enter to accept the default

- * For **Select System Usage / Enter index [4]**: enter **4** (for custom)

- * For **Location of Data Volumes** [/hana/data/HN1]: press Enter to accept the default

- * For **Location of Log Volumes** [/hana/log/HN1]: press Enter to accept the default

- * For **Restrict maximum memory allocation?** [n]: enter **n**

- * For **Certificate Host Name For Host hanadb1** [hanadb1]: press Enter to accept the default

- * For **Certificate Host Name For Host hanadb2** [hanadb2]: press Enter to accept the default

- * For **Certificate Host Name For Host hanadb3** [hanadb3]: press Enter to accept the default

- * For **System Administrator (hn1adm) Password**: enter the password

- * For **System Database User (system) Password**: enter the system's password

- * For **Confirm System Database User (system) Password**: enter system's password

- * For **Restart system after machine reboot?** [n]: enter **n**

- * For **Do you want to continue (y/n)**: validate the summary and if everything looks good, enter **y**

-2. **[1]** Verify global.ini

- <pre><code>

- sudo cat /usr/sap/<b>HN1</b>/SYS/global/hdb/custom/config/global.ini

- # Example

- #global.ini last modified 2019-09-10 00:12:45.192808 by hdbnameserve

- [communication]

- internal_network = <b>10.23.3/24</b>

- listeninterface = .internal

- [internal_hostname_resolution]

- <b>10.23.3.4</b> = <b>hanadb1</b>

- <b>10.23.3.5</b> = <b>hanadb2</b>

- <b>10.23.3.6</b> = <b>hanadb3</b>

- </code></pre>

- <pre><code>

- sudo vi /usr/sap/HN1/SYS/global/hdb/custom/config/global.ini

- #Add the section

- [public_hostname_resolution]

- map_<b>hanadb1</b> = <b>10.23.0.5</b>

- map_<b>hanadb2</b> = <b>10.23.0.6</b>

- map_<b>hanadb3</b> = <b>10.23.0.7</b>

- </code></pre>

- <pre><code>

- sudo -u <b>hn1</b>adm /usr/sap/hostctrl/exe/sapcontrol -nr <b>03</b> -function StopSystem HDB

- sudo -u <b>hn1</b>adm /usr/sap/hostctrl/exe/sapcontrol -nr <b>03</b> -function StartSystem HDB

- </code></pre>

- <pre><code>

- sudo -u hn1adm /usr/sap/HN1/HDB03/exe/hdbsql -u SYSTEM -p "<b>password</b>" -i 03 -d SYSTEMDB 'select * from SYS.M_HOST_INFORMATION'|grep net_publicname

- # Expected result

- "<b>hanadb3</b>","net_publicname","<b>10.23.0.7</b>"

- "<b>hanadb2</b>","net_publicname","<b>10.23.0.6</b>"

- "<b>hanadb1</b>","net_publicname","<b>10.23.0.5</b>"

- </code></pre>

- - `max_parallel_io_requests` **128**

- - `async_read_submit` **on**

- - `async_write_submit_active` **on**

- - `async_write_submit_blocks` **all**

-

-7. The storage that's used by Azure NetApp Files has a file size limitation of 16 terabytes (TB). SAP HANA is not implicitly aware of the storage limitation, and it won't automatically create a new data file when the file size limit of 16 TB is reached. As SAP HANA attempts to grow the file beyond 16 TB, that attempt will result in errors and, eventually, in an index server crash.

- > To prevent SAP HANA from trying to grow data files beyond the [16-TB limit](../../azure-netapp-files/azure-netapp-files-resource-limits.md) of the storage subsystem, set the following parameters in `global.ini`.

- > - datavolume_striping = true

- > - datavolume_striping_size_gb = 15000

- > Be aware of SAP Note [2631285](https://launchpad.support.sap.com/#/notes/2631285).

-## Test SAP HANA failover

-1. Simulate a node crash on an SAP HANA worker node. Do the following:

- a. Before you simulate the node crash, run the following commands as **hn1**adm to capture the status of the environment:

- <pre><code>

- # Check the landscape status

- python /usr/sap/<b>HN1</b>/HDB<b>03</b>/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | ok | | | 1 | 1 | default | default | master 1 | master | worker | master | worker | worker | default | default |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | yes | ignore | | | 0 | 0 | default | default | master 3 | slave | standby | standby | standby | standby | default | - |

- # Check the instance status

- sapcontrol -nr <b>03</b> -function GetSystemInstanceList

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GREEN

- </code></pre>

- b. To simulate a node crash, run the following command as root on the worker node, which is **hanadb2** in this case:

-

- <pre><code>

- echo b > /proc/sysrq-trigger

- </code></pre>

- c. Monitor the system for failover completion. When the failover has been completed, capture the status, which should look like the following:

- <pre><code>

- # Check the instance status

- sapcontrol -nr <b>03</b> -function GetSystemInstanceList

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GREEN

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GRAY

- # Check the landscape status

- /usr/sap/HN1/HDB03/exe/python_support> python landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | ok | | | 1 | 1 | default | default | master 1 | master | worker | master | worker | worker | default | default |

- | hanadb2 | no | info | | | 2 | 0 | default | default | master 2 | slave | worker | standby | worker | standby | default | - |

- | hanadb3 | yes | info | | | 0 | 2 | default | default | master 3 | slave | standby | slave | standby | worker | default | default |

- </code></pre>

- > [!IMPORTANT]

- > When a node experiences kernel panic, avoid delays with SAP HANA failover by setting `kernel.panic` to 20 seconds on *all* HANA virtual machines. The configuration is done in `/etc/sysctl`. Reboot the virtual machines to activate the change. If this change isn't performed, failover can take 10 or more minutes when a node is experiencing kernel panic.

- a. Prior to the test, check the status of the environment by running the following commands as **hn1**adm:

- <pre><code>

- #Landscape status

- python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | ok | | | 1 | 1 | default | default | master 1 | master | worker | master | worker | worker | default | default |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | no | ignore | | | 0 | 0 | default | default | master 3 | slave | standby | standby | standby | standby | default | - |

- # Check the instance status

- sapcontrol -nr 03 -function GetSystemInstanceList

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GRAY

- </code></pre>

- b. Run the following commands as **hn1**adm on the active master node, which is **hanadb1** in this case:

- <pre><code>

- hn1adm@hanadb1:/usr/sap/HN1/HDB03> HDB kill

- </code></pre>

-

- The standby node **hanadb3** will take over as master node. Here is the resource state after the failover test is completed:

- <pre><code>

- # Check the instance status

- sapcontrol -nr 03 -function GetSystemInstanceList

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GRAY

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GREEN

- # Check the landscape status

- python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | no | info | | | 1 | 0 | default | default | master 1 | slave | worker | standby | worker | standby | default | - |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | yes | info | | | 0 | 1 | default | default | master 3 | master | standby | master | standby | worker | default | default |

- </code></pre>

- c. Restart the HANA instance on **hanadb1** (that is, on the same virtual machine, where the name server was killed). The **hanadb1** node will rejoin the environment and will keep its standby role.

- <pre><code>

- hn1adm@hanadb1:/usr/sap/HN1/HDB03> HDB start

- </code></pre>

- After SAP HANA has started on **hanadb1**, expect the following status:

- <pre><code>

- # Check the instance status

- sapcontrol -nr 03 -function GetSystemInstanceList

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GREEN

- # Check the landscape status

- python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | info | | | 1 | 0 | default | default | master 1 | slave | worker | standby | worker | standby | default | - |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | yes | info | | | 0 | 1 | default | default | master 3 | master | standby | master | standby | worker | default | default |

- </code></pre>

- d. Again, kill the name server on the currently active master node (that is, on node **hanadb3**).

-

- <pre><code>

- hn1adm@hanadb3:/usr/sap/HN1/HDB03> HDB kill

- </code></pre>

- Node **hanadb1** will resume the role of master node. After the failover test has been completed, the status will look like this:

- <pre><code>

- # Check the instance status

- sapcontrol -nr 03 -function GetSystemInstanceList & python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GRAY

- # Check the landscape status

- python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | ok | | | 1 | 1 | default | default | master 1 | master | worker | master | worker | worker | default | default |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | no | ignore | | | 0 | 0 | default | default | master 3 | slave | standby | standby | standby | standby | default | - |

- </code></pre>

- e. Start SAP HANA on **hanadb3**, which will be ready to serve as a standby node.

- <pre><code>

- hn1adm@hanadb3:/usr/sap/HN1/HDB03> HDB start

- </code></pre>

- After SAP HANA has started on **hanadb3**, the status looks like the following:

- <pre><code>

- # Check the instance status

- sapcontrol -nr 03 -function GetSystemInstanceList & python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- GetSystemInstanceList

- OK

- hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus

- hanadb1, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb2, 3, 50313, 50314, 0.3, HDB|HDB_WORKER, GREEN

- hanadb3, 3, 50313, 50314, 0.3, HDB|HDB_STANDBY, GRAY

- # Check the landscape status

- python /usr/sap/HN1/HDB03/exe/python_support/landscapeHostConfiguration.py

- | Host | Host | Host | Failover | Remove | Storage | Storage | Failover | Failover | NameServer | NameServer | IndexServer | IndexServer | Host | Host | Worker | Worker |

- | | Active | Status | Status | Status | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual | Config | Actual |

- | | | | | | Partition | Partition | Group | Group | Role | Role | Role | Role | Roles | Roles | Groups | Groups |

- | - | | | -- | | | | -- | -- | - | - | -- | -- | - | - | - | - |

- | hanadb1 | yes | ok | | | 1 | 1 | default | default | master 1 | master | worker | master | worker | worker | default | default |

- | hanadb2 | yes | ok | | | 2 | 2 | default | default | master 2 | slave | worker | slave | worker | worker | default | default |

- | hanadb3 | no | ignore | | | 0 | 0 | default | default | master 3 | slave | standby | standby | standby | standby | default | - |

- </code></pre>

-3. Enter the **JiraAccessToken**, **JiraUsername**, **JiraHomeSiteName** (short site name part, as example HOMESITENAME from https://HOMESITENAME.atlassian.net) and deploy.

-1. [Follow these instructions](https://help.symantec.com/cs/DLP15.7/DLP/v27591174_v133697641/Configuring-the-Log-to-a-Syslog-Server-action?locale=EN_US) to configure the Symantec DLP to forward syslog

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco-firepower-estreamer?tab=Overview) in the Azure Marketplace.

-The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/continuous-threat-detection/) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.

-| **Supported by** | [Morphisec](https://support.morphisec.com/support/home) |

-| **Supported by** | [NXLog](https://nxlog.co/user?destination=node/add/support-ticket) |

-| **Supported by** | [NXLog](https://nxlog.co/user?destination=node/add/support-ticket) |

-| **Supported by** | [NXLog](https://nxlog.co/user?destination=node/add/support-ticket) |

- [Follow the instructions](https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/GenerateAPIKey.htm) to obtain the required API credentials.

-> 1. If you have not installed the vCenter solution from ContentHub then [Follow the steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VCenter/Parsers/vCenter.txt) to use the Kusto function alias, **vCenter**

-The [Zoom](https://zoom.us/) Reports data connector provides the capability to ingest [Zoom Reports](https://marketplace.zoom.us/docs/api-reference/zoom-api/reports/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://marketplace.zoom.us/docs/api-reference/introduction) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

- [Follow the instructions](https://marketplace.zoom.us/docs/guides/auth/jwt) to obtain the credentials.