Settings and prerequisites - SAP NetWeaver on Amazon
Define reference parameters for setupAmazon EC2 instance settingsOperating system prerequisitesIP and hostname resolution prerequisitesFile system prerequisitesShared VPC – optional
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Settings and prerequisites

The cluster setup uses parameters, including SID and System Number that are unique to your setup. It is useful to predetermine the values with the following examples and guidance.

Define reference parameters for setup

The cluster setup relies on the following parameters.

Global Amazon parameters

Name Parameter Example
Amazon Web Services account ID <account_id> 123456789100
Amazon Web Services Region <region_id> us-east-1

Amazon EC2 instance parameters

Name Parameter Primary example Secondary example
Amazon EC2 instance ID <instance_id> i-xxxxinstidforhost1 i- xxxxinstidforhost2
Hostname <hostname> rhxhost01 rhxhost02
Host IP <host_ip> 10.1.10.1 10.1.20.1
Host additional IP <host_additional_ip> 10.1.10.2 10.1.20.2
Configured subnet <subnet_id> subnet-xxxxxxxxxxsubnet1 subnet-xxxxxxxxxxsubnet2

  • Hostname – Hostnames must comply with SAP requirements outlined in SAP Note 611361 - Hostnames of SAP ABAP Platform servers (requires SAP portal access).

    Run the following command on your instances to retrieve the hostname.

    hostname

  • Amazon EC2 instance ID – run the following command (IMDSv2 compatible) on your instances to retrieve instance metadata.

    /usr/bin/curl --noproxy '*' -w "\n" -s -H "X-aws-ec2-metadata-token: $(curl --noproxy '*' -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")" http://169.254.169.254/latest/meta-data/instance-id

    For more details, see Retrieve instance metadata and Instance identity documents.

SAP and Pacemaker resource parameters

Name Parameter Example
SID <SID> or <sid> RHX
ASCS Alias <ascs_virt_hostname> rhxascs
ASCS System Number <ascs_sys_nr> 00
ASCS Overlay IP <ascs_oip> 172.16.30.5
ASCS NFS Mount Point <ascs_nfs_mount_point> /RHX_ASCS00
ERS Alias <ers_virt_hostname> rhxers
ERS System Number <ers_sys_nr> 10
ERS Overlay IP <ers_oip> 172.16.30.6
ERS NFS Mount Point <ers_nfs_mount_point> /RHX_ERS10
ENSA Type <ensa_type> ENSA2/ENSA1
VPC Route Tables <rtb_id> rtb-xxxxxroutetable1
Sapmnt NFS ID or CNAME <sapmnt_nfs_id> fs-xxxxxxxxxxxxxefs1

  • SAP details – SAP parameters, including SID and instance number must follow the guidance and limitations of SAP and Software Provisioning Manager. Refer to SAP Note 1979280 - Reserved SAP System Identifiers (SAPSID) with Software Provisioning Manager for more details.

    Post-installation, use the following command to find the details of the instances running on a host.

    sudo /usr/sap/hostctrl/exe/saphostctrl -function ListInstances

  • Overlay IP – This value is defined by you. For more information, see Overlay IP.

  • NFS mount points – This value is defined by you. Consider which systems are going to share an NFS file system (Amazon EFS or Amazon FSx), and ensure that your naming standards allow it.

RHEL cluster parameters

Name Parameter Example
Cluster name cluster_name rhelha
Cluster user cluster_user hacluster
Cluster password cluster_password
Cluster connector cluster_connector sap-cluster-connector

Amazon EC2 instance settings

Amazon EC2 instance settings can be applied using Infrastructure as Code or manually using Amazon Command Line Interface or Amazon Web Services Management Console. We recommend Infrastructure as Code automation to reduce manual steps, and ensure consistency.

Create IAM roles and policies

In addition to the permissions required for standard SAP operations, two IAM policies are required for the cluster to control Amazon resources on ASCS. These policies must be assigned to your Amazon EC2 instance using an IAM role. This enables Amazon EC2 instance, and therefore the cluster to call Amazon Web Services.

Create these policies with least-privilege permissions, granting access to only the specific resources that are required within the cluster. For multiple clusters, you need to create multiple policies.

For more information, see IAM roles for Amazon EC2.

STONITH policy

The RHEL STONITH agent requires permission to start and stop both the nodes of the cluster. Create a policy as shown in the following example. Attach this policy to the IAM role assigned to both Amazon EC2 instances in the cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [              
              "arn:aws:ec2:<region>:<account_id>:instance/<instance_id_1>",
              "arn:aws:ec2:<region>:<account_id>:instance/<instance_id_2>"
            ]
        }
    ]
}

Amazon Overlay IP policy

The RHEL Overlay IP resource agent (aws-vpc-move-ip) requires permission to modify a routing entry in route tables. Create a policy as shown in the following example. Attach this policy to the IAM role assigned to both Amazon EC2 instances in the cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:ReplaceRoute",
            "Resource": [
                 "arn:aws:ec2:<region>:<account_id>:route-table/<rtb_id_1>",
                 "arn:aws:ec2:<region>:<account_id>:route-table/<rtb_id_2>"
                        ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeRouteTables",
            "Resource": "*"
        }
    ]
}
Note

If you are using a Shared VPC, see Shared VPC – optional.

Assign IAM role

The two cluster resource IAM policies must be assigned to an IAM role associated with your Amazon EC2 instance. If an IAM role is not associated to your instance, create a new IAM role for cluster operations. To assign the role, go to https://console.amazonaws.cn/ec2/, select each or both instance(s), and then choose Actions > Security > Modify IAM role.

Modify security groups for cluster communication

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For more information, see Control traffic to your Amazon resources using security groups.

In addition to the standard ports required to access SAP and administrative functions, the following rules must be applied to the security groups assigned to both Amazon EC2 instances in the cluster.

Inbound
Source Protocol Port range Description
The security group ID (its own resource ID) UDP 5405 Allows UDP traffic between cluster resources for corosync communication
Note

Note the use of the UDP protocol.

If you are running a local firewall, such as iptables, ensure that communication on the preceding ports is allowed between two Amazon EC2 instances.

Disable source/destination check

Amazon EC2 instances perform source/destination checks by default, requiring that an instance is either the source or the destination of any traffic it sends or receives.

In the pacemaker cluster, source/destination check must be disabled on both instances receiving traffic from the Overlay IP. You can disable check using Amazon CLI or Amazon Web Services Management Console.

Amazon CLI

Use the modify-instance-attribute command to disable source/destination check.

Run the following commands on both instances in the cluster.

  • Primary example –

    aws ec2 modify-instance-attribute --instance-id i-xxxxinstidforhost1 --no-source-dest-check

  • Secondary example –

    aws ec2 modify-instance-attribute --instance-id i-xxxxinstidforhost2 --no-source-dest-check
Amazon Web Services Management Console

Ensure that the Stop option is checked in https://console.amazonaws.cn/ec2/.

Review automatic recovery and stop protection

After a failure, cluster-controlled operations must be resumed in a coordinated way. This helps ensure that the cause of failure is known and addressed, and the status of the cluster is as expected. For example, verifying that there are no pending fencing actions.

This can be achieved by not enabling pacemaker to run as a service at the operating system level or by avoiding auto restarts for hardware failure.

If you want to control the restarts resulting from hardware failure, disable simplified automatic recovery and do not configure Amazon CloudWatch action-based recovery for Amazon EC2 instances that are part of a pacemaker cluster. Use the following commands on both Amazon EC2 instances in the pacemaker cluster, to disable simplified automatic recovery via Amazon CLI. If making the change via Amazon CLI, run the command for both Amazon EC2 instances in the cluster.

Note

Modifying instance maintenance options will require admin privileges not covered by the IAM instance roles defined for operations of the cluster.

aws ec2 modify-instance-maintenance-options --instance-id i-xxxxinstidforhost1 --auto-recovery disabled
aws ec2 modify-instance-maintenance-options --instance-id i-xxxxinstidforhost2 --auto-recovery disabled

To ensure that STONITH actions can be executed, you must ensure that stop protection is disabled for Amazon EC2 instances that are part of a pacemaker cluster. If the default settings have been modified, use the following commands for both instances to disable stop protection via Amazon CLI.

Note

Modifying instance attributes will require admin privileges not covered by the IAM instance roles defined for operations of the cluster.

aws ec2 modify-instance-attribute --instance-id i-xxxxinstidforhost1 --no-disable-api-stop
aws ec2 modify-instance-attribute --instance-id i-xxxxinstidforhost2 --no-disable-api-stop

Operating system prerequisites

This section covers the following topics.

Root access

Verify root access on both cluster nodes. The majority of the setup commands in this document are performed with the root user. Assume that commands should be run as root unless there is an explicit call out to choose otherwise.

Install missing operating system packages

This is applicable to both cluster nodes. You must install any missing operating system packages.

The following packages and their dependencies are required for the pacemaker setup. Depending on your baseline image, for example, RHEL for SAP, these packages may already be installed.

awscli
chrony
corosync
pcs
pacemaker
fence-agents-aws
resource-agents-sap (Version resource-agents-sap-3.9.5-124.el7.x86_64 or higher)
sap-cluster-connector

We highly recommend installing the following additional packages for troubleshooting.

sysstat
pcp-system-tools
sos

See Red Hat documentation What are all the Performance Co-Pilot (PCP) RPM packages in RHEL?

Note

The preceding list of packages is not a complete list required for running SAP applications. For the complete list, see SAP and Red Hat references.

Use the following command to check packages and versions.

for package in awscli chrony corosync pcs pacemaker fence-agents-aws resource-agents-sap sap-cluster-connector sysstat pcp-system-tools sos; do
echo "Checking if ${package} is installed..."
RPM_RC=$(rpm -q ${package} --quiet; echo $?)
if [ ${RPM_RC} -ne 0 ];then
echo "   ${package} is missing and needs to be installed"
fi
done

If a package is not installed, and you are unable to install it using yum, it may be because Red Hat Enterprise Linux for SAP extension is not available as a repository in your chosen image. You can verify the availability of the extension using the following command.

yum repolist

To install or update a package or packages with confirmation, use the following command.

yum install <package_name(s)>

Update and check operating system versions

You must update and confirm versions across nodes. Apply all the latest patches to your operating system versions. This ensures that bugs are addresses and new features are available.

You can update the patches individually or use the yum update. A clean reboot is recommended prior to setting up a cluster.

yum update
reboot

Compare the operating system package versions on the two cluster nodes and ensure that the versions match on both nodes.

Stop and disable nm-cloud-setup

This is applicable on both cluster nodes. If you are using Red Hat 8.6 or later, the following services must be stopped and disabled on both the cluster nodes. This prevents the NetworkManager from removing the overlay IP address from the network interface.

systemctl disable nm-cloud-setup.timer
systemctl stop nm-cloud-setup.timer
systemctl disable nm-cloud-setup
systemctl stop nm-cloud-setup

Time synchronization services

This is applicable to both cluster nodes. Time synchronization is important for cluster operation. Ensure that chrony rpm is installed, and configure appropriate time servers in the configuration file.

You can use Amazon Time Sync Service that is available on any instance running in a VPC. It does not require internet access. To ensure consistency in the handling of leap seconds, don't mix Amazon Time Sync Service with any other ntp time sync servers or pools.

Create or check the /etc/chrony.d/ec2.conf file to define the server.

# Amazon EC2 time source config
server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4

Start the chronyd.service, using the following command.

systemctl enable --now chronyd.service
systemctl status chronyd

For more information, see Set the time for your Linux instance.

Amazon CLI profile

This is applicable to both cluster nodes. The cluster resource agents use Amazon Command Line Interface (Amazon CLI). You need to create an Amazon CLI profile for the root account on both instances.

You can either edit the config file at /root/.aws manually or by using aws configure Amazon CLI command.

You can skip providing the information for the access and secret access keys. The permissions are provided through IAM roles attached to Amazon EC2 instances.

# aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: <region_id>
Default output format [None]:

Pacemaker proxy settings

This is applicable to both cluster nodes. If your Amazon EC2 instance has been configured to access the internet and/or Amazon Web Services Cloud through proxy servers, then you need to replicate the settings in the pacemaker configuration. For more information, see Use an HTTP proxy.

Add the following lines to /etc/sysconfig/pacemaker.

http_proxy=http://<proxyhost>:<proxyport>
https_proxy= http://<proxyhost>:<proxyport>
no_proxy=127.0.0.1,localhost,169.254.169.254,fd00:ec2::254

Modify proxyhost and proxyport to match your settings. Ensure that you exempt the address used to access the instance metadata. Configure no_proxy to include the IP address of the instance metadata service – 169.254.169.254 (IPV4) and fd00:ec2::254 (IPV6). This address does not vary.

IP and hostname resolution prerequisites

This section covers the following topics.

Add initial VPC route table entries for overlay IPs

You need to add initial route table entries for overlay IPs. For more information on overlay IP, see Overlay IP.

Add entries to the VPC route table or tables associated with the subnets of your Amazon EC2 instance for the cluster. The entries for destination (overlay IP CIDR) and target (Amazon EC2 instance or ENI) must be added manually for ASCS and ERS. This ensures that the cluster resource has a route to modify. It also supports the install of SAP using the virtual names associated with the overlay IP before the configuration of the cluster.

Modify or add a route to a route table using Amazon Web Services Management Console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Route Tables, and select the route table associated with the subnets where your instances have been deployed.

  3. Choose Actions, Edit routes.

  4. To add a route, choose Add route. You must choose Add route twice to add two routes, one for ASCS and another for ERS.

    1. Add your chosen overlay IP address CIDR and the instance ID of your primary instance for ASCS. See the following table for an example.

      Destination 172.16.30.5/32
      Target i-xxxxinstidforhost1

    2. Add your chosen overlay IP address CIDR and the instance ID of your secondary instance for ERS. See the following table for an example.

      Destination 172.16.30.6/32
      Target i-xxxxinstidforhost2

  5. Choose Save changes.

    You route table now has two entries, each for ASCS and ERS, in addition to the standard routes. The selected instances IDs resolve to the corresponding primary Elastic Network Interface (ENI).

The preceding steps can also be performed programmatically. We suggest performing the steps using administrative privileges, instead of instance-based privileges to preserve least privilege. CreateRoute API isn't necessary for ongoing operations.

Run the following command as a dry run on both nodes to confirm that the instances have the necessary permissions.

aws ec2 replace-route --route-table-id rtb-xxxxxroutetable1 --destination-cidr-block 172.16.30.5/32 --instance-id i-xxxxinstidforhost1 --dry-run --profile <aws_cli_cluster_profile>

Add overlay IPs to host IP configuration

You must configure the overlay IP as an additional IP address on the standard interface to enable SAP install. This action is managed by the cluster IP resource. However, to install SAP using the correct IP addresses prior to having the cluster configuration in place, you need to add these entries manually.

If you need to reboot the instance during setup, the assignment is lost, and must be re-added.

See the following examples. You must update the commands with your chosen IP addresses.

On EC2 instance 1, where you are installing ASCS, add the overlay IP allocated for ASCS.

ip addr add 172.16.30.5/32 dev eth0

On EC2 instance 2, where you are installing ERS, add the overlay IP allocated for ERS.

ip addr add 172.16.30.6/32 dev eth0

Hostname resolution

This is applicable to both cluster nodes. You must ensure that both instances can resolve all hostnames in use. Add the hostnames for cluster nodes to /etc/hosts file on both cluster nodes. This ensures that hostnames for cluster nodes can be resolved even in case of DNS issues. See the following example.

# cat /etc/hosts
10.1.10.1 rhxhost01.example.com rhxhost01
10.1.20.1 rhxhost02.example.com rhxhost02
172.16.30.5 rhxascs.example.com rhxascs
172.16.30.6 rhxers.example.com rhxers
Important

The overlay IP is out of VPC range, and cannot be reached from locations not associated with the route table, including on-premises.

File system prerequisites

This section covers the following topics.

Shared file systems

Amazon Elastic File System and Amazon FSx for NetApp ONTAP support SAP NetWeaver file systems on Linux. For more information, see Getting started with Amazon Elastic File System and Getting started with Amazon FSx for NetApp ONTAP. You can evaluate both of these options, and select one based on resilience, performance, and cost.

We recommend sharing a single Amazon EFS or FSx for ONTAP file system across multiple SIDs within an account.

The file system's DNS name is the simplest mounting option. The DNS automatically resolves to the mount target's IP address in the Availability Zone of the connecting Amazon EC2 instance. You can also create an alias to help with identifying the purpose of the shared file system. We have used <nfs.fqdn> in this document. The following are some examples.

  • file-system-id.efs.aws-region.amazonaws.com

  • svm-id.fs-id.fsx.aws-region.amazonaws.com

  • qas_sapmnt_share.example.com

Note

Review the enableDnsHostnames and enableDnsSupport DNS attributes for your VPC. For more information, see View and update DNS attributes for your VPC.

Create file systems

The following shared file systems are covered in this document.

Unique NFS Location (example) File system location
RHX_sapmnt /sapmnt/RHX
RHX_ASCS00 /usr/sap/RHX/ASCS00
RHX_ERS10 /usr/sap/RHX/ERS10

For more information, see SAP Documentation – SAP System Directories on UNIX.

The following options can differ depending on how you architect and operate your systems.

  • /usr/sap/trans is not listed as a required file system for ASCS. You can add this to your setup.

  • A shared home directory has not been included. This enables you to log on locally as the <sid>adm user, in the event of NFS issues. A shared home directory can be the suitable option if your administrators have root access.

Using the NFS ID created in the previous step, temporarily mount the root directory of the NFS with the following command. /mnt is available by default; it can also be substituted with another temporary location.

mount <nfs.fqdn>.amazonaws.com:/ /mnt

Create the directories using the following command.

mkdir -p /mnt/RHX_sapmnt
mkdir -p /mnt/RHX_ASCS00
mkdir -p /mnt/RHX_ERS10

Change the ownership or permissions to ensure that the install as <sid>adm can write to the directories. If <sid>adm is going to be created by the installer, temporarily change the permissions to 777, as seen in the following command.

chmod 777 /mnt/RHX_sapmnt /mnt/RHX_ASCS00 /mnt/RHX_ERS10

Unmount the temporary mount using the following command.

umount /mnt

Update /etc/fstab

This is applicable to both cluster nodes. /etc/fstab is a configuration table containing the details required for mounting and unmounting file systems to a host.

Create the directories for the required mount points (permanent or cluster controlled), using the following commands.

mkdir /sapmnt
mkdir /usr/sap/RHX/ASCS00
mkdir /usr/sap/RHX/ERS10

Add the file systems not managed by the cluster to /etc/fstab.

Prepare and append an entry for the sapmnt file system to /etc/fstab.

<nfs.fqdn>/RHX_sapmnt  /sapmnt   nfs nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0

Review the mount options to ensure that they match with your operating system, NFS file system type, and latest recommendations from SAP.

Use the following command to mount the file systems defined in /etc/fstab.

mount -a

Use the following command to check that the required file systems are available.

df -h

Temporarily mount ASCS and ERS directories for installation (classic only)

This is only applicable to the classic architecture. Simple-mount architecture has these directories permanently available in /etc/fstab.

You must temporarily mount ASCS and ERS directories for installation.

Use the following command on the instance where you to plan to install ASCS.

mount <nfs.fqdn>:/RHX_ASCS00  /usr/sap/RHX/ASCS00

Use the following command on the instance where you to plan to install ERS.

mount <nfs.fqdn>:/RHX_ERS10  /usr/sap/RHX/ERS10

Shared VPC – optional

Amazon VPC sharing enables you to share subnets with other Amazon Web Services accounts within the same Amazon Organizations. Amazon EC2 instances can be deployed using the subnets of the shared Amazon VPC.

In the pacemaker cluster, the aws-vpc-move-ip resource agent has been enhanced to support a shared VPC setup while maintaining backward compatibility with previous existing features.

The following checks and changes are required. We refer to the Amazon Web Services account that owns Amazon VPC as the sharing VPC account, and to the consumer account where the cluster nodes are going to be deployed as the cluster account.

This section covers the following topics.

Minimum version requirements

The latest version of the aws-vpc-move-ip agent shipped with Red Hat 8.2 supports the shared VPC setup by default. The following are the minimum version required to support a shared VPC Setup:

  • Red Hat 7.9 - resource-agents-4.1.1-61.10

  • Red Hat 8.1 - resource-agents-4.1.1-33.10

  • Red Hat 8.2 - resource-agents-4.1.1-44.12

IAM roles and policies

Using the overlay IP agent with a shared Amazon VPC requires a different set of IAM permissions to be granted on both Amazon Web Services accounts (sharing VPC account and cluster account).

Sharing VPC account

In sharing VPC account, create an IAM role to delegate permissions to the EC2 instances that will be part of the cluster. During the IAM Role creation, select “Another Amazon Web Services account” as the type of trusted entity, and enter the Amazon Web Services account ID where the EC2 instances will be deployed/running from.

After the IAM role has been created, create the following IAM policy on the sharing VPC account, and attach it to an IAM role. Add or remove route table entries as needed.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:ReplaceRoute",
"Resource": [
"arn:aws:ec2:<region>:<sharing_vpc_account_id>:route_table/<rtb_id_1>",
"arn:aws:ec2:<region>:<sharing_vpc_account_id>:route_table/<rtb_id_2>"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:DescribeRouteTables",
"Resource": "*"
}
]
}

Next, edit move to the “Trust relationships” tab in the IAM role, and ensure that the Amazon Web Services account you entered while creating the role has been correctly added.

Cluster account

In cluster account, create the following IAM policy, and attach it to an IAM role. This is the IAM Role that is going to be attached to the EC2 instances.

Amazon STS policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<sharing_vpc_account_id>:role/<sharing _vpc-account-cluster-role>"
}
]
}

STONITH policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": [
"arn:aws:ec2:<region>:<cluster_account_id>:instance/<instance_id_1>",
"arn:aws:ec2:<region>:<cluster_account_id>:instance/<instance_id_2>"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]

Shared VPC cluster resources

The cluster resource agent aws-vpc-move-ip also uses a different configuration syntax. When configuring the aws-vpc-move-ip resource agent, the following new parameters must be used:

  • lookup_type=NetworkInterfaceId

  • routing_table_role="arn:aws:iam::<account_id>:role/<VPC-Account-Cluster-Role>"

The following IP Resource for ASCS needs to be created.

pcs resource create rsc_ip_RHX_ASCS00 ocf:heartbeat:aws-vpc-move-ip ip=172.16.30.5 interface=eth0  routing_table=rtb-xxxxxroutetable1 lookup_type=NetworkInterfaceId  routing_table_role="arn:aws:iam::<sharing_vpc_account_id>:role/<sharing_vpc_account_cluster_role>" op monitor interval=20s timeout=40s --group grp_RHX_ASCS00

The following IP Resource for ERS needs to be created.

pcs resource create rsc_ip_RHX_ERS10 ocf:heartbeat:aws-vpc-move-ip params ip=172.16.30.6 interface=eth0  routing_table=rtb-xxxxxroutetable1 lookup_type=NetworkInterfaceId routing_table_role="arn:aws:iam::<sharing_vpc_account_id>:role/<sharing_vpc_account_cluster_role>" op monitor interval=20s timeout=40s --group grp_RHX_ERS10