Overlay IP with shared Amazon VPC - SAP HANA on Amazon

Overlay IP with shared Amazon VPC

Using the overlay IP agent with a shared Amazon VPC requires a different set of IAM permissions to be granted on both Amazon accounts (sharing and consumer). The cluster resource agent aws-vpc-move-ip also uses a different configuration syntax.

Overlay IP address

Create an overlay IP address as a route in the route table of the shared Amazon VPC; the Amazon VPC subnets use this route table, so the address is reachable from the cluster. The route must be created in the Amazon account that shares the Amazon VPC.

IAM roles and policies

Amazon VPC account

Create an IAM role to delegate permissions to the Amazon EC2 instances that will be a part of the cluster. When creating the IAM role, select Another Amazon account for the type of trusted entity and enter the Amazon Account ID where the Amazon EC2 instances will be deployed.

Create the following IAM policy on the Amazon VPC account and attach it to the IAM role. Add or remove route table ARNs in the Resource list as needed, one per route table that the overlay IP route is written to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:ReplaceRoute",
      "Resource": [
        "arn:aws:ec2:<AWS Region>:<VPC-Account-Number>:route-table/rtb-xxxxxxxxxxxxxxxxx",
        "arn:aws:ec2:<AWS Region>:<VPC-Account-Number>:route-table/rtb-xxxxxxxxxxxxxxxxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeRouteTables",
      "Resource": "*"
    }
  ]
}

Cluster account

Create a new IAM role and select Amazon EC2 as the use case. Associate this IAM role with the two Amazon EC2 instances that are part of the cluster. Attach the following IAM policies (Amazon STS and STONITH) to the IAM role.

Amazon STS policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<VPC-Account-Number>:role/<Sharing-VPC-Account-Cluster-Role>"
    }
  ]
}

Replace VPC-Account-Number with your Amazon account number that owns the Amazon VPC. Replace Sharing-VPC-Account-Cluster-Role with the IAM role that was created in the Amazon account owning the Amazon VPC.

STONITH policy

Both instances of the cluster require permission to start and stop the other node in the cluster (STONITH fencing). Create the following STONITH policy and attach it to the IAM role that is assigned to both of the cluster instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "arn:aws:ec2:<Region-name>:<account-id>:instance/<instance-id>",
        "arn:aws:ec2:<Region-name>:<account-id>:instance/<instance-id>"
      ]
    }
  ]
}

Replace Region-name, account-id, and instance-id with the appropriate values, listing one instance ARN for each of the two cluster instances.
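The following Python script is an added example; it is not part of this documentation and not code from the aws-vpc-move-ip agent. It generates the four policy documents the procedure above calls for (the trust policy of the role in the Amazon VPC account, that role's ReplaceRoute policy, and the cluster account's STS and STONITH policies) from placeholder values, and audits each one for the scoping the page prescribes: every mutating action (ReplaceRoute, AssumeRole, the instance start/stop/reboot/modify actions) must be bound to specific ARNs, and only Describe calls may use Resource "*". The region, account numbers, role name, route-table ids and instance ids are constructed placeholders. The trust policy is the one the console produces when "Another Amazon account" is chosen as the trusted entity, and the partition parameter is an addition for China Regions, whose ARNs use the aws-cn partition rather than the aws partition shown on this page.

```python
import json

# Constructed placeholders for this example; none of these values come from the page.
REGION = "eu-central-1"
VPC_ACCOUNT = "111111111111"       # account that owns and shares the VPC
CLUSTER_ACCOUNT = "222222222222"   # account where the two cluster instances run
SHARING_ROLE = "hana-overlay-ip-route-role"  # hypothetical name of the VPC-account role
ROUTE_TABLES = ["rtb-0a1b2c3d4e5f67890", "rtb-0f9e8d7c6b5a43210"]
INSTANCES = ["i-0123456789abcdef0", "i-0fedcba9876543210"]


def trust_policy(cluster_account, partition="aws"):
    """Trust policy of the VPC-account role: lets principals in the cluster
    account call sts:AssumeRole on it (the cluster account's own STS policy
    then restricts which instance role actually may)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{cluster_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def replace_route_policy(region, vpc_account, route_table_ids, partition="aws"):
    """VPC-account permission policy: ReplaceRoute only on the listed route tables."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:ReplaceRoute",
                "Resource": [f"arn:{partition}:ec2:{region}:{vpc_account}:route-table/{rtb}"
                             for rtb in route_table_ids],
            },
            {"Effect": "Allow", "Action": "ec2:DescribeRouteTables", "Resource": "*"},
        ],
    }


def sts_policy(vpc_account, role_name, partition="aws"):
    """Cluster-account policy: the instance role may assume exactly one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:{partition}:iam::{vpc_account}:role/{role_name}",
        }],
    }


def stonith_policy(region, cluster_account, instance_ids, partition="aws"):
    """Cluster-account STONITH policy: fencing actions only on the cluster's own instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeTags"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": ["ec2:ModifyInstanceAttribute", "ec2:RebootInstances",
                           "ec2:StartInstances", "ec2:StopInstances"],
                "Resource": [f"arn:{partition}:ec2:{region}:{cluster_account}:instance/{iid}"
                             for iid in instance_ids],
            },
        ],
    }


READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Findings for every Allow statement that uses a wildcard action or grants a
    non-read-only action on Resource "*". An empty list means the policy keeps
    the scoping the page prescribes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            _service, _, name = action.partition(":")
            if "*" in name:
                findings.append(f"wildcard action {action}")
            elif "*" in resources and not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{action} allowed on all resources; scope it to specific ARNs")
    return findings


def parse_policy(text):
    """Parse a policy pasted from a web page; typographic quotes are a common
    paste defect that IAM rejects, so report them explicitly."""
    if "\u201c" in text or "\u201d" in text:
        raise ValueError("policy contains typographic quotes; use ASCII double quotes")
    return json.loads(text)


if __name__ == "__main__":
    docs = {
        "vpc-account-trust": trust_policy(CLUSTER_ACCOUNT),
        "vpc-account-replace-route": replace_route_policy(REGION, VPC_ACCOUNT, ROUTE_TABLES),
        "cluster-account-sts": sts_policy(VPC_ACCOUNT, SHARING_ROLE),
        "cluster-account-stonith": stonith_policy(REGION, CLUSTER_ACCOUNT, INSTANCES),
    }
    for name, doc in docs.items():
        with open(f"{name}.json", "w") as fh:
            json.dump(doc, fh, indent=2)
        print(f"{name}.json findings: {audit(doc) or 'none'}")
```

Running the script writes one JSON file per policy and prints the audit result for each. The files can be passed to the CLI in place of the console steps, for example aws iam create-role --assume-role-policy-document file://vpc-account-trust.json in the Amazon VPC account, and aws iam put-role-policy --policy-document file://cluster-account-stonith.json in the cluster account. The audit function is also useful on policies that already exist: if someone later widens the STONITH statement to Resource "*", every cluster instance gains the right to stop any instance in the account, and the audit reports it.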