SAP Business One, Version for SAP HANA, on AWS
Quick Start Reference Deployment Guide

Appendix B: Security Groups

The following tables show the configured inbound and outbound protocols and ports allowed for the various instances deployed by this Quick Start.

RDP Security Group
Inbound:

| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| Restricted to CIDR block specified during the deployment process | TCP | 3389 (RDP) | Allows inbound RDP access to Windows instances from your network (over the Internet gateway). |

Outbound:

| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from RDP server to anywhere. |

NAT Security Group
Inbound:

| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| Restricted to CIDR block specified during the deployment process | TCP | 22 (SSH) | Allows inbound SSH access to Linux instances from your network (over the Internet gateway). |
| 10.0.0.0/16 | TCP | 80 (HTTP) | Allows inbound HTTP access only from instances deployed in the VPC. |
| 10.0.0.0/16 | TCP | 443 (HTTPS) | Allows inbound HTTPS access only from instances deployed in the VPC. |

Outbound:

| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from the NAT instance to the 10.0.1.0 subnet. |
| 0.0.0.0/0 | TCP | 80 (HTTP) | Allows outbound HTTP access from instances deployed in the VPC to anywhere. |
| 0.0.0.0/0 | TCP | 443 (HTTPS) | Allows outbound HTTPS access from instances deployed in the VPC to anywhere. |

SAP HANA Master and SAP Business One Security Groups
Inbound (## corresponds to the SAP instance number):

| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| 10.0.1.0/24 | TCP | 1-65535 | Communication between instances within the private subnet. |
| 10.0.1.0/24 | TCP/UDP | 111, 2049, 4000-4002 | Ports used for NFS communication. |
| 10.0.1.0/24 | TCP | 3##00-3##10 | Database internal communication and SAP support access. |
| 10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from other SAP HANA nodes. |
| 10.0.2.0/24 | TCP | 22 (SSH) | Allows SSH access from NAT instances. |
| 10.0.2.0/24 | TCP | 1128-1129 | Host agent access. |
| 10.0.2.0/24 | TCP | 43## | Access to XSEngine (HTTPS) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 80## | Access to XSEngine (HTTP) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 8080 (HTTP) | Software Update Manager (SUM) access (HTTP). |
| 10.0.2.0/24 | TCP | 8443 (HTTPS) | Software Update Manager (SUM) access (HTTPS). |
| 10.0.2.0/24 | TCP | 3##15 | Database client access. |
| 10.0.2.0/24 | TCP | 3##17 | Database client access. |
| 10.0.2.0/24 | TCP | 5##13-5##14 | Allows access for HANA Studio from RDP instance. |

Outbound:

| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from SAP HANA master to anywhere. |
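
Added example, not part of the original guide or the Quick Start templates: a Python check that expands the ## placeholders of the SAP HANA inbound table for a given instance number and lists any rule that falls outside the documented sources and ports. The rule tuple format (CIDR, lowercase protocol, from-port, to-port) and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Inbound rows of the SAP HANA table as (source, protocol, port template).
# "##" is the two-digit SAP instance number. The TCP rows from 10.0.1.0/24 are
# all contained in its 1-65535 row, so only that row and the UDP NFS ports appear.
BASELINE = [
    ("10.0.1.0/24", "tcp", "1-65535"),
    ("10.0.1.0/24", "udp", "111"), ("10.0.1.0/24", "udp", "2049"),
    ("10.0.1.0/24", "udp", "4000-4002"),
    ("10.0.2.0/24", "tcp", "22"),
    ("10.0.2.0/24", "tcp", "1128-1129"),
    ("10.0.2.0/24", "tcp", "43##"),
    ("10.0.2.0/24", "tcp", "80##"),
    ("10.0.2.0/24", "tcp", "8080"), ("10.0.2.0/24", "tcp", "8443"),
    ("10.0.2.0/24", "tcp", "3##15"), ("10.0.2.0/24", "tcp", "3##17"),
    ("10.0.2.0/24", "tcp", "5##13-5##14"),
]

def expand(template, instance):
    """Resolve a template such as '3##15' or '5##13-5##14' to (low, high)."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance number must be between 00 and 99")
    parts = template.replace("##", f"{instance:02d}").split("-")
    return int(parts[0]), int(parts[-1])

def audit(rules, instance):
    """Return the rules (cidr, proto, from_port, to_port) the table does not cover."""
    permitted = [(ipaddress.ip_network(src), proto, *expand(tmpl, instance))
                 for src, proto, tmpl in BASELINE]
    findings = []
    for cidr, proto, low, high in rules:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(src) and proto == p and lo <= low and high <= hi
                   for src, p, lo, hi in permitted):
            findings.append((cidr, proto, low, high))
    return findings

# Constructed sample rules, not taken from a real deployment.
SAMPLE = [
    ("10.0.2.0/24", "tcp", 30015, 30015),   # 3##15 for instance 00: documented
    ("10.0.2.16/28", "tcp", 8000, 8000),    # 80## from a narrower source: documented
    ("10.0.1.0/24", "udp", 2049, 2049),     # NFS: documented
    ("10.0.2.0/24", "tcp", 30115, 30115),   # instance 01 port on an instance 00 host
    ("0.0.0.0/0", "tcp", 30015, 30015),     # source wider than the table allows
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, instance=0):
        print("not in documented baseline:", finding)
```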