Task 02. Connect to Overlay IP

When configuring High Availability Cluster in Multi-AZ environment, VIP used by Application Server and HANA Database use Overlay IP outside of VPC CIDR. Transit Gateway can be used to access this in other VPCs or OnPremise environment. In this Lab, you are going to create a Custom VPC through CloudFormation, set up a transit gateway, and connect to HANA Database’s Overlay IP through Bastion Host.

This task consists of 5 steps.

  • Create a Custom VPC and a Bastion Host using CloudFormation
  • Create and configure a Transit Gateway
  • Update route table of subnet with HANA Instances
  • Update Security Group for HANA Instance
  • Test Overlay IP connection at Bastion Host

Create a Custom VPC and a Bastion Host using CloudFormation

  1. After log in to AWS Management Console, Connect to CloudFormation for Customer VPC
  2. If Network Configuration setting does not overlap with the existing one, the default setting is used. image03-01
  3. Check two checkboxes of Capabilities at the bottom of the screen and click Create stack. image03-02
  4. CustomVPC stack has been created. Wait until the Status changes CREATE_COMPLTE. image03-03
  5. Connect to EC2 Instance Console. You can see that Bastion Host (Windows Sever 2019) was created on Custom VPC-Public Subnet. image03-04

Create and configure a Transit Gateway

Create a transit gateway to associate SAP HANA VPC and Custom VPC.

  1. Connect to Transit Gateways Console, create a transit gateway, and associate SAP HANA VPC and Custom VPC. then register the entry for connecting the Overlay IP to Routing Table on Transit Gateway.

  2. Click Create Transit Gateway. image03-05

  3. Enter HANA-TGW in Name Tag, Click Create Transit Gateway. then click Close. image03-06

  4. Wait until the State of HANA-TGW you just created changes available. image03-07

  5. To attach SAP HANA VPC and Custom VPC, Connect to Transit Gateways Attachment Console. Click Create Transit Gateway Attachment. image03-08

  6. Select created HANA-TGW, and enter HANA VPC as Attachment name tag. Choose a VPC ID that starts with SAP-HANA. image03-09

  7. Select Subnet ID as Private Subnet 1,2 and click the Create attachment at the bottom right. Click the Close. image03-10-01

  8. Click Create Transit Gateway Attachment again. image03-11

  9. Similarly, select HANA-TGW, and enter Custom VPC as Attachment name tag. Select Custom as VPC ID. image03-12

  10. Select Subnet ID as Custom Public Subnet AZ1, AZ2, and click Create attachment at the bottom right. Click Close button image03-13-01

  11. Wait for both attachments to change State as available (After a certain period of time, click the Refresh button to check the State.) image03-14

  12. Connect to Transit Gateways Route Tables Console and register the routing for Overlay IP.

  13. Select created route table and select Routes tab, then click Create static route image03-15

  14. For CIDR option, enter 192.168.1.99/32.

  15. For Choose attachment option, choose HANA VPC and click Create static route. image03-16

  16. Click Close.

  17. You can check that static route for Overlay IP is registered. image03-17

Update Instance route table

Updated each route table so that HANA DB Instance and Bastion Host can communicate with each other through Transit Gateway.

  1. Connect to Route Tables Console
  2. Firstly, update the route table of HANA DB Instance. Choose Private subnet route table and select Routes tab. then click Edit routes. image03-18
  3. Click Add routes and enter Destination as 10.1.0.0/16, then choose Target as Transit Gateway.
  4. Choose HANA-TGW and click Save routes. image03-19 image03-20
  5. Click Close.
  6. Next, update the route table of Bastion Host. Choose Custom Public Routes and select Routes tab, then click Edit routes. image03-21
  7. Click Add routes and enter Destination as 10.0.0.0/16, then choose Target as Transit Gateway. Choose HANA-TGW
  8. Click Add routes again, enter Destination as 192.168.1.99/32, then choose Target as Transit Gateway. Choose HANA-TGW
  9. Confirm both routes are registered and click Save routes. image03-22
  10. Click Close.

Update Instance Security Group

Allows inbound traffic for Bastion Host to the Security Group of Primary and Secondary HANA DB Instances.

  1. First, check Bastion Host IP. Connect to EC2 Instance Console. Check the Private IP of Custom Bastion Host (e.g 10.1.3.154) image03-23
  2. Update Primary instance. Choose HANA-HDB-Primary instance and click Security Groups link below. image03-24
  3. Select Inbound rules tab at the bottom and click Edit inbound rules. image03-25
  4. Click Add rule at the bottom, select All traffic as Type, and enter the CIDR of Bastion Host found above(e.g 10.1.3.154/32)
    • Because it is a lab environment, Bastion Host is allowed with All traffic. It is recommended to allow only the necessary ports in a real environment. image03-26
  5. Click Save rules at the bottom.
  6. Same as Primary Instance, update Security Group for Secondary Instance. Connect to EC2 Instance Console.
  7. Choose HANA-HDB-Secondary instance and click the Security Groups link. image03-27
  8. Select Inbound rules tab at the bottom and click Edit inbound rules.
  9. Click Add rule at the bottom, select All traffic as Type, and enter the CIDR of Bastion Host found above(e.g 10.1.3.154/32)
    • Because it is a lab environment, Bastion Host is allowed with All traffic. It is recommended to allow only the necessary ports in a real environment. image03-26
  10. Click Save rules at the bottom.

Connect to Bastion Host and Test Overlay IP

Connect to Bastion Host and perform a ping test to see if it is possible to connect to the Overlay IP.

  1. Connect to EC2 Instance Console and check the Public IP of Custom Bastion Host. (e.g 35.173.137.37) image03-28
  2. Choose Custom Bastion Host and click Connect. image03-29
  3. Click Get Password. image03-30
  4. Click Select File and select SAP-ImmersionDay-Lab.pem file saved in Lab01.
    • The screen below may look different depending on the OS. The screenshot below is a MacBook screen. image03-31 image03-32
  5. Click Decrypt Password to confirm Administrator Password.(e.g qRPIUIXXSI5ceUhLuntol%WhZ&WFzCT$) image03-33 image03-34
  6. Click Close.
  7. Connect to Bastion Host using a remote access program.
  8. When connected successfully, search for Windows PowerShell in the Search window and run it. image03-35
  9. When PowerShell is launched, execute ping 192.168.1.99 to check if communication with Overlay IP is possible. image03-36

Shut down the PowerShell and proceed with Task03 while maintaining the remote connection.

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.