SAP HANA on AWS
Quick Start Reference Deployment Guide

Appendix C: Security Groups

The following are the configured inbound and outbound protocols and ports allowed for the various instances deployed as part of this solution:

RDP Security Group
Inbound:
| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| Restricted to CIDR block specified during the deployment process | TCP | 3389 (RDP) | Allows inbound RDP access to Windows instances from your network (over the Internet gateway). |
Outbound:
| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from RDP server to anywhere. |

Bastion Host Security Group
Inbound:
| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| Restricted to CIDR block specified during the deployment process | TCP | 22 (SSH) | Allows inbound SSH access to Linux instances from your network (over the Internet gateway). |
Outbound:
| Destination | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| 10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from the bastion host to the 10.0.1.0 subnet. |
| 0.0.0.0/0 | TCP | 80 (HTTP) | Allows outbound HTTP access from instances deployed in the VPC to anywhere. |
| 0.0.0.0/0 | TCP | 443 (HTTPS) | Allows outbound HTTPS access from instances deployed in the VPC to anywhere. |

SAP HANA Master and Worker** Security Groups
Inbound (## corresponds to the SAP instance number):
| Source | Protocol | Port Range (Service) | Comments |
|---|---|---|---|
| 10.0.1.0/24 | TCP | 1-65535 | Communication between instances within the private subnet. |
| 10.0.1.0/24 | TCP/UDP | 111, 2049, 4000-4002 | Ports used for NFS communication. |
| 10.0.1.0/24 | TCP | 3##00-3##10 | Database internal communication and SAP support access. |
| **10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from other SAP HANA nodes. |
| 10.0.2.0/24 | TCP | 22 (SSH) | Allows SSH access from the bastion host placed in the public subnet. |
| 10.0.2.0/24 | TCP | 1128-1129 | Host agent access. |
| 10.0.2.0/24 | TCP | 43## | Access to XSEngine (HTTPS) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 80## | Access to XSEngine (HTTP) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 8080 (HTTP*) | Software Update Manager (SUM) access (HTTP). |
| 10.0.2.0/24 | TCP | 8443 (HTTPS*) | Software Update Manager (SUM) access (HTTPS). |
| 10.0.2.0/24 | TCP | 3##13 | Database client access to system database. |
| 10.0.2.0/24 | TCP | 3##15 | Database client access. |
| 10.0.2.0/24 | TCP | 3##17 | Database client access. |
| 10.0.2.0/24 | TCP | 3##41-3##44 | Database client access to tenant database. |
| 10.0.2.0/24 | TCP | 5##13-5##14 | Allows access for HANA Studio from RDP instance. |
Outbound:
| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from SAP HANA master to anywhere. |
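The ## placeholders in the SAP HANA table expand to the two-digit SAP instance number, which is easy to misread when a deployed security group is reviewed by hand. The following Python is an added example, not part of the Quick Start or its templates: it expands the inbound allowlist above for a given instance number and reports every rule in a DescribeSecurityGroups-style IpPermissions list that the table does not permit (for instance a 0.0.0.0/0 source, or ports belonging to a different instance number). The sample permissions are constructed for the example.

```python
from ipaddress import ip_network

# Inbound rules of the SAP HANA master/worker security groups as listed in the appendix,
# as (source CIDR, protocol, port spec); "##" stands for the two-digit SAP instance number.
HANA_INBOUND = [
    ("10.0.1.0/24", "tcp", "1-65535"), ("10.0.1.0/24", "tcp", "22"),
    *[("10.0.1.0/24", p, s) for p in ("tcp", "udp") for s in ("111", "2049", "4000-4002")],
    ("10.0.1.0/24", "tcp", "3##00-3##10"),
    ("10.0.2.0/24", "tcp", "22"), ("10.0.2.0/24", "tcp", "1128-1129"),
    ("10.0.2.0/24", "tcp", "43##"), ("10.0.2.0/24", "tcp", "80##"),
    ("10.0.2.0/24", "tcp", "8080"), ("10.0.2.0/24", "tcp", "8443"),
    ("10.0.2.0/24", "tcp", "3##13"), ("10.0.2.0/24", "tcp", "3##15"),
    ("10.0.2.0/24", "tcp", "3##17"), ("10.0.2.0/24", "tcp", "3##41-3##44"),
    ("10.0.2.0/24", "tcp", "5##13-5##14"),
]

def expand_ports(spec, instance_no):
    """Substitute the instance number for '##' and return (from_port, to_port)."""
    lo, _, hi = spec.replace("##", f"{instance_no:02d}").partition("-")
    return int(lo), int(hi or lo)

def expected_rules(instance_no):
    """The appendix's inbound allowlist for one instance number: {(cidr, proto, lo, hi)}."""
    return {(cidr, proto) + expand_ports(spec, instance_no) for cidr, proto, spec in HANA_INBOUND}

def covered(rule, allowed):
    """True if rule = (cidr, proto, lo, hi) fits entirely inside one allowed rule."""
    cidr, proto, lo, hi = rule
    return any(proto == p and lo >= alo and hi <= ahi and ip_network(cidr).subnet_of(ip_network(c))
               for c, p, alo, ahi in allowed)

def audit_inbound(permissions, instance_no):
    """Return rules from an EC2 DescribeSecurityGroups 'IpPermissions' list that the
    appendix does not allow, e.g. a 0.0.0.0/0 source or a port for the wrong instance number."""
    allowed = expected_rules(instance_no)
    findings = []
    for perm in permissions:
        for rng in perm.get("IpRanges", []):
            rule = (rng["CidrIp"], perm["IpProtocol"], perm["FromPort"], perm["ToPort"])
            if not covered(rule, allowed):
                findings.append(rule)
    return findings

# Constructed sample in the shape of DescribeSecurityGroups 'IpPermissions' (not real data).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 30013, "ToPort": 30013, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 30113, "ToPort": 30113, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.2.128/25"}]},
]
```

Running `audit_inbound(SAMPLE_PERMISSIONS, 0)` flags the 0.0.0.0/0 rule and port 30113 (which is 3##13 for instance 01, not 00), while the narrower 10.0.2.128/25 source on port 22 is accepted because it lies inside the table's 10.0.2.0/24 rule.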