How on-premises users can access a SUSE HAE-protected SAP HANA instance through Amazon Route 53
Stefan Schneider is a solutions architect at Amazon Web Services (AWS).
This blog post describes the Amazon Route 53 agent, which enables on-premises users to access an SAP HANA database that is protected by SUSE Linux Enterprise High Availability Extension (SLES HAE) in the AWS Cloud. The agent provides this functionality by dispatching users through Amazon Route 53.
The agent requires setting up SUSE HAE for high availability (HA) failover, implemented through the overlay IP address agent, as described in SAP Note 2309342, SUSE Linux Enterprise High Availability Extension on AWS. (SAP notes require SAP Service Marketplace credentials.)
The Route 53 agent extends the features of SLES HAE, including the Pacemaker cluster resource management framework, beyond protecting SAP HANA databases. Using this agent jointly with the overlay IP address agent enables SAP users to use SLES HAE for all SLES-supported configurations in the AWS Cloud, including SAP Central Instances (CIs).
The Route 53 agent is currently available as an unsupported open-source tool, and the source code is provided in this blog post. AWS is currently working with SUSE to make the agent available in the upstream repository as a supported tool. You can install the agent after you set up SAP HANA in your AWS account.
How the Route 53 agent works
The current overlay IP address agent allows application servers inside a virtual private cloud (VPC) to access a protected SAP HANA server in that VPC, but it doesn't provide access for on-premises applications.
This is inconvenient for on-premises users, because applications like HANA Studio then have to be run inside the VPC via RDP or a jump server. The Route 53 agent works around this restriction with a name-based approach that lets on-premises users connect to the VPC. The two agents operate in parallel: the overlay IP agent routes traffic sent to the overlay IP address to the active node, and the Route 53 agent updates the DNS name of the SAP HANA server with the IP address of that node.
I’ve described the internal workings of this agent in my article DNS Name Failover for Highly Available AWS Services on the Scaling Bits website. The article describes how the Route 53 hosted zone gets updated.
The Route 53 agent is independent of SAP. It also works with the SAP NetWeaver Central Instance (CI) components of SLES HAE.
This article assumes that you’ve already installed the overlay IP address agent, including the SLES Pacemaker cluster. In addition, the Route 53 agent requires:
- Policies for your SLES HAE cluster instances to update Route 53 records
- A profile for your root user
- A Route 53 private hosted zone
Add the following policy to your SLES HAE cluster instances to enable them to update Route 53 A records.
Creating an AWS profile for your root user
The agent calls AWS CLI commands by using an AWS profile, and it uses the same profile as the overlay IP agent. It may need a proxy configuration as well, as described on the Scaling Bits website.
You can choose any profile name. The agent uses cluster as the default profile name, so if you choose a different name, update the references accordingly.
Creating a Route 53 private hosted zone
The agent updates an A record in a Route 53 hosted zone. This means that you'll need the required infrastructure in your AWS account. For information about how to create a private hosted zone, see the AWS documentation.
You will need the following (shown here with example values):
suse-service.awslab.cloud.mylab.corp. (The very last dot matters!)
Installing the agent
Copy the source code listed at the end of this blog post into a text file and place it in the directory /usr/lib/ocf/resource.d/aws. This source code is available under the MIT license.
Configuring the cluster
In Pacemaker, edit the configuration of your cluster (crm configure edit) as follows:
Replace the following required parameters with the appropriate values:
- hostedzoneid: The ID of the Route 53 hosted zone that holds the A record.
- ttl: Time to live (TTL) for the A record in Route 53, in seconds. (10 is a reasonable default value.)
- fullname: The full name of the service that will host the IP address; for example,
suse-service.awslab.cloud.mylab.corp. (The last period is important!)
- profile: The name of the AWS CLI profile of the root account. The file /root/.aws/config should have an entry that looks like the following, where cluster represents your profile name, region is your current region, and output = text is required:
[profile cluster]
region = us-east-1
output = text
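The following is an added example, not the agent's source code from this post: it shows the record-update core that an OCF resource agent built on these four parameters performs, validating the trailing-dot name and numeric TTL, building the UPSERT change batch, and mapping start and monitor to OCF exit codes. The hosted zone ID is a placeholder, the node address comes from hostname -I (an assumption), and the aws calls need the profile and IAM permissions described above.

```shell
#!/bin/sh
# Added example (not the agent's own source): the record-update core of a
# Route 53 OCF resource agent. Parameter names mirror the post; the hosted
# zone ID is a placeholder. IAM: the instances need route53:ChangeResourceRecordSets
# and route53:ListResourceRecordSets on this hosted zone, nothing broader.
OCF_SUCCESS=0; OCF_ERR_CONFIGURED=6; OCF_NOT_RUNNING=7   # standard OCF exit codes
: "${OCF_RESKEY_hostedzoneid:=ZHOSTEDZONEID_PLACEHOLDER}"
: "${OCF_RESKEY_ttl:=10}"
: "${OCF_RESKEY_fullname:=suse-service.awslab.cloud.mylab.corp.}"
: "${OCF_RESKEY_profile:=cluster}"

# Parameter checks: the name must be a FQDN with the trailing dot, the TTL an integer.
r53_validate() {
    case "$OCF_RESKEY_fullname" in
        *.) ;; *) echo "fullname needs a trailing dot" >&2; return $OCF_ERR_CONFIGURED ;;
    esac
    case "$OCF_RESKEY_ttl" in
        ''|*[!0-9]*) echo "ttl must be numeric" >&2; return $OCF_ERR_CONFIGURED ;;
    esac
    return $OCF_SUCCESS
}

# ChangeBatch document for 'aws route53 change-resource-record-sets'.
# UPSERT creates the A record on first start and rewrites it on failover.
r53_change_batch() {
    printf '{"Comment":"Pacemaker failover","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
        "$OCF_RESKEY_fullname" "$OCF_RESKEY_ttl" "$1"
}

# Current A record value in the zone (real AWS CLI call; needs the profile configured).
r53_lookup() {
    aws --profile "$OCF_RESKEY_profile" route53 list-resource-record-sets \
        --hosted-zone-id "$OCF_RESKEY_hostedzoneid" --output text \
        --query "ResourceRecordSets[?Name=='$OCF_RESKEY_fullname'].ResourceRecords[0].Value"
}

# start: point the name at this node. monitor: "running" only if the record still points here,
# so a record changed behind the cluster's back surfaces as a failed monitor.
r53_start() {
    aws --profile "$OCF_RESKEY_profile" route53 change-resource-record-sets \
        --hosted-zone-id "$OCF_RESKEY_hostedzoneid" --change-batch "$(r53_change_batch "$1")"
}
r53_monitor() { [ "$(r53_lookup)" = "$1" ] && return $OCF_SUCCESS; return $OCF_NOT_RUNNING; }

if [ "${1:-}" ]; then   # dispatch as Pacemaker would ($1 = action)
    node_ip=$(hostname -I | awk '{print $1}')   # assumption: first address faces the cluster
    r53_validate || exit $?
    case "$1" in
        start)   r53_start "$node_ip" >/dev/null ;;
        monitor) r53_monitor "$node_ip" ;;
        stop)    exit $OCF_SUCCESS ;;   # leave the record; the new primary overwrites it
        *)       exit 3 ;;              # OCF_ERR_UNIMPLEMENTED
    esac
fi
```

Because stop leaves the record in place, a node that loses connectivity to Route 53 during monitor reports "not running" rather than stale success, which is what lets Pacemaker move the name together with the database.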
Configuring AWS-specific constraints
The Route 53 agent has to run on the same node as the SAP HANA database. You can use a constraint to force it onto the same node.
Create a file called aws-route53-constraint.txt with the following content. Make sure that you use the same resource identifier as before.
In this example, the SAP SID is encoded as part of the resource name. This will differ in your configuration.
Add this file to the configuration by running the following command as the superuser. It uses the file name aws-constraint.txt:
The Route 53 agent is used with the Pacemaker cluster resource management framework to extend the features of SLES HAE beyond protecting SAP HANA databases. It allows users to protect SAP Central Instances by dispatching end-users through Route 53 to find the active ABAP SAP Central Services (ASCS) server.
The agent runs as a dependent of the HAE SAP agents and doesn't require separate administration.
If you need on-premises access to your SLES HAE systems, we encourage you to install the agent, and let us know if you have any questions or feedback.