Creating a Security Group Rule

After creating a security group, you must configure security group rules for it.

API Format

| Method | URI | Description |
|---|---|---|
| POST | /v2.0/security-group-rules | Creates a security group rule. |

Restrictions

None

Request Parameters

| Parameter | Type | Mandatory or Not | Description |
|---|---|---|---|
| security_group_rule | Dict | Yes | Specifies a security group rule. For details, see the Security Group Rule table. |

Mandatory parameters: direction and security_group_id

[1] Security Group Rule

| Attribute | Type | CRUD | Default Value | Restriction | Description |
|---|---|---|---|---|---|
| id | Uuid-str | R | None | N/A | Specifies a security group rule ID. |
| security_group_id | Uuid-str | CR | None | Mandatory | Specifies the ID of a security group in which the security group rule requires configuration. |
| remote_group_id | Uuid-str | CR | None | Optional | Specifies the peer ID of a security group. This parameter is alternative to remote_ip_prefix. |
| direction | String | CR | ingress | ingress/egress | Specifies a rule application direction. |
| remote_ip_prefix | String (255) | CR | None | CIDR format | Specifies a peer network segment. This parameter is alternative to remote_group_id. |
| protocol | String (40) | CR | None | TCP, UDP, ICMP, or IP protocol ID | Specifies a protocol type or an IP protocol ID. |
| port_range_max | Int | CR | None | Range: 0-65535 (0-255 for code) | Specifies the maximum port number. When ICMP is used, the value is the ICMP code. |
| port_range_min | Int | CR | None | Range: 0-65535 (0-255 for type) | Specifies the minimum port number. When ICMP is used, the value is the ICMP type. |
| ethertype | String (40) | CR | IPv4 | IPv4 or IPv6 | Supports IPv4 only. |
| tenant_id | String (255) | CR | None | N/A | Specifies a tenant ID. |

Response Parameters

| Parameter | Type | Mandatory or Not | Description |
|---|---|---|---|
| security_group_rule | Dict | Yes | Specifies a security group rule. For details, see the Security Group Rule table. |

Request Example

POST /v2.0/security-group-rules
{
    "security_group_rule": {
        "security_group_id": "5cb9c1ee-00e0-4d0f-9623-55463cd26ff8",
        "direction": "ingress",
        "protocol": "tcp",
        "port_range_max": 5##14,
        "port_range_min": 5##13,
        "remote_ip_prefix": "10.10.3.0/24"
    }
}

Response Example

{
    "security_group_rule": {
       "remote_group_id": null,
       "direction": "ingress",
       "remote_ip_prefix": "10.10.3.0/24",
       "protocol": "tcp",
       "tenant_id": "6fbe9263116a4b68818cf1edce16bc4f",
       "port_range_max": 5##14,
       "security_group_id": "5cb9c1ee-00e0-4d0f-9623-55463cd26ff8",
       "port_range_min": 5##13,
       "ethertype": "IPv4",
       "id": "7c336b04-1603-4911-a6f4-f2af1d9a0488"
     }
}

In SAP HANA network planning, four types of security groups are supported. These security groups use different security group policies. After creating a security group, you must create security group rules for it one by one. For details, see the SAP HANA User Guide (Single-Node Deployment) and SAP HANA User Guide (Cluster Deployment).

NOTE:

In the examples above and in the following tables, ## stands for the SAP HANA instance ID. Ensure that this ID is the same as that specified when you installed the SAP HANA software.

Table 1 Security group rules (SAP HANA)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows the SAP HANA Studio to access SAP HANA. |
| Inbound | 10.0.3.0/24 | TCP | 3##15 to 3##17 | Provides ports for the service plane. |
| Inbound | 10.0.2.0/24 | TCP | 3##00 to 3##10 | Provides ports for internal communication between SAP HANA nodes. |
| Inbound | 10.0.3.0/24 | TCP | 22 | Allows SAP HANA to be accessed using SSH. |
| Inbound | 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP HANA. |
| Inbound | Determined by Open Telekom Cloud | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access SAP HANA. |
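
An added example (not part of the original guide): it expands the ## placeholder for the inbound rows of Table 1 and builds one request body per rule for POST /v2.0/security-group-rules, checking each value against the restrictions in the Security Group Rule table. The function names and the two-digit instance ID check are assumptions of this example; the security group ID is the one from the request example above.

```python
import ipaddress
import json
import uuid

# Inbound rows of Table 1: (source CIDR, protocol, port range).
# "##" is the SAP HANA instance ID placeholder used on this page.
TABLE1_INBOUND = [
    ("10.0.3.0/24", "tcp", "5##13-5##14"),
    ("10.0.3.0/24", "tcp", "3##15-3##17"),
    ("10.0.2.0/24", "tcp", "3##00-3##10"),
    ("10.0.3.0/24", "tcp", "22"),
    ("10.0.3.0/24", "udp", "123"),
]

def expand_ports(port_range, instance_id):
    """Replace ## with the instance ID (assumed two digits); return (min, max)."""
    if not (len(instance_id) == 2 and instance_id.isascii() and instance_id.isdigit()):
        raise ValueError("instance ID must be two digits, e.g. '00'")
    low, _, high = port_range.replace("##", instance_id).partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range {low}-{high} is outside 0-65535")
    return low, high

def build_rule(security_group_id, source, protocol, port_range, instance_id):
    """Return one validated request body for an ingress rule."""
    uuid.UUID(security_group_id)          # Uuid-str; raises ValueError if malformed
    net = ipaddress.ip_network(source)    # CIDR format; rejects set host bits
    if net.version != 4:
        raise ValueError("ethertype supports IPv4 only")
    low, high = expand_ports(port_range, instance_id)
    return {"security_group_rule": {
        "security_group_id": security_group_id,
        "direction": "ingress",
        "ethertype": "IPv4",
        "protocol": protocol,
        "port_range_min": low,
        "port_range_max": high,
        "remote_ip_prefix": str(net),
    }}

def table1_bodies(security_group_id, instance_id):
    """Build the request bodies for every inbound row of Table 1."""
    return [build_rule(security_group_id, s, p, r, instance_id)
            for s, p, r in TABLE1_INBOUND]

if __name__ == "__main__":
    for body in table1_bodies("5cb9c1ee-00e0-4d0f-9623-55463cd26ff8", "00"):
        print(json.dumps(body))
```

Each body is sent in its own request, since the rules are created one by one.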

Table 2 Security group rules (SAP HANA Studio)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 3389 | Allows users to access the SAP HANA Studio using RDP. This rule is required only when the SAP HANA Studio is deployed on a Windows ECS. |
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the SAP HANA Studio using SSH. This rule is required only when the SAP HANA Studio is deployed on a Linux ECS. |
| Inbound | Determined by Open Telekom Cloud | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access the SAP HANA Studio. |

Table 3 Security group rules (NAT server)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Inbound | Determined by Open Telekom Cloud | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access the NAT server. |

Table 4 Security group rules (NFS server)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 10.0.1.0/24 | TCP/UDP | 1 to 65535 | Allows SAP HANA nodes to access the NFS server using TCP or UDP. |
| Inbound | 10.0.3.0/24 | TCP | 22 | Allows NFS servers to be accessed using SSH. |
| Inbound | 10.0.3.0/24 | UDP | 123 | Allows the NFS server that functions as an NTP client to communicate. |
| Inbound | Determined by Open Telekom Cloud | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access the NFS server. |