Is the Overlay IP CIDR range for SAP on AWS just a secondary CIDR range added to same VPC?


I was reading the docs on HA configurations for SAP on AWS, and I see that you need a non-overlapping CIDR range to draw your overlay IP from. Is that just a secondary CIDR range that you need to add to the VPC in which your SAP cluster lives?

gefragt vor 2 Jahren723 Aufrufe
1 Antwort
Akzeptierte Antwort

Hi, Good question! The overlay IP has to be assigned from a range that is explicitly outside of the CIDR ranges assigned to your VPC. I suggest getting your network administrator to allocate a CIDR that is not assigned within AWS or on-prem for this purpose but is still with the RFC 1918 ranges.

  • – (10/8 prefix)
  • – (172.16/12 prefix)
  • – (192.168/16 prefix)

If you use the 10/8 prefix in AWS we often see a 172 or a 192 IP address used as an overlay to help differentiate.

To explain further, the purpose of an overlay is to be able to make a connection, regardless of which AZ (and subnet) your primary node is running in. Subnets can not span across AZs, so the connection is made using a pointer in a route table which routes the overlay IP to the primary node and is updated using clustering software. If the IP address was allocated from a CIDR within the VPC this would conflict with standard routes.

Hope that helps.

NOTE: This answer is provided by the SAP on AWS specialty team and is accurate at the time of publish. Please check comments as the answer may have changed/services evolved.

beantwortet vor 2 Jahren
profile picture
überprüft vor 2 Monaten
profile picture
überprüft vor 4 Monaten
  • Got it--the OIP is not just not a part of primary CIDR range of VPC but also not part of any CIDR range from the VPC. Having learned all of my networking knowledge in an AWS context, I could still use more clarification on what the network admin would do when I get them to "allocate a CIDR that is not assigned within AWS or on-prem for this purpose but is still within the RFC 1918 ranges." Is this purely logical: like, it only lives in the network admin's documentation/spreadsheet, route tables in AWS, and the HA extension server's configurations? Like, there's no actual "provisioning" of a network or subnet anywhere?

  • Yes, your assumptions are correct. It is not actually provisioned. An IPAM might help but the only purpose is so that it is not used elsewhere.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen