Appendix C: Security Groups
The following are the configured inbound and outbound protocols and ports allowed for the various instances deployed as part of this solution:
| RDP Security Group | |||
|---|---|---|---|
| Inbound: | |||
| Source | Protocol | Port Range (Service) | Comments |
| Restricted to CIDR block specified during the deployment process | TCP | 3389 (RDP) | Allows inbound RDP access to Windows instances from your network (over the Internet gateway). |
| Outbound: | |||
| Destination | Protocol | Port Range | Comments |
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from RDP server to anywhere. |
| Bastion Host Security Group | |||
|---|---|---|---|
| Inbound: | |||
| Source | Protocol | Port Range (Service) | Comments |
| Restricted to CIDR block specified during the deployment process | TCP | 22 (SSH) | Allows inbound SSH access to Linux instances from your network (over the Internet gateway). |
| Outbound: | |||
| Destination | Protocol | Port Range | Comments |
| 10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from the bastion host to the 10.0.1.0 subnet. |
| 0.0.0.0/0 | TCP | 80 (HTTP) | Allows outbound HTTP access from instances deployed in the VPC to anywhere. |
| 0.0.0.0/0 | TCP | 443 (HTTPS) | Allows outbound HTTPS access from instances deployed in the VPC to anywhere. |
| SAP HANA Master and Worker** Security Groups | |||
|---|---|---|---|
| Inbound (## corresponds to the SAP instance number): | |||
| Source | Protocol | Port Range (Service) | Comments |
| 10.0.1.0/24 | TCP | 1-65535 | Communication between instances within the private subnet. |
| 10.0.1.0/24 | TCP/UDP | 111, 2049, 4000-4002 | Ports used for NFS communication. |
| 10.0.1.0/24 | TCP | 3##00–3##10 | Database internal communication and SAP support access. |
| **10.0.1.0/24 | TCP | 22 (SSH) | Allows SSH access from other SAP HANA nodes. |
| 10.0.2.0/24 | TCP | 22 (SSH) | Allows SSH access from the bastion host placed in the public subnet. |
| 10.0.2.0/24 | TCP | 1128-1129 | Host agent access. |
| 10.0.2.0/24 | TCP | 43## | Access to XSEngine (HTTPS) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 80## | Access to XSEngine (HTTP) from the 10.0.2.0 subnet. |
| 10.0.2.0/24 | TCP | 8080 (HTTP*) | Software Update Manager (SUM) access (HTTP). |
| 10.0.2.0/24 | TCP | 8443 (HTTPS*) | Software Update Manager (SUM) access (HTTPS). |
| 10.0.2.0/24 | TCP | 3##13 | Database client access to system database. |
| 10.0.2.0/24 | TCP | 3##15 | Database client access. |
| 10.0.2.0/24 | TCP | 3##17 | Database client access. |
| 10.0.2.0/24 | TCP | 3##41-3##44 | Database client access to tenant database. |
| 10.0.2.0/24 | TCP | 5##13–5##14 | Allows access for HANA Studio from RDP instance. |
| Outbound: | |||
| Destination | Protocol | Port Range | Comments |
| 0.0.0.0/0 | TCP | 1-65535 | Allows outbound access from SAP HANA master to anywhere. |
