Network Planning

Network Plane Planning in the Single-Node Scenario Where HA Is Not Required

Figure 1 shows the network plane planning in the single-node scenario where HA is not required.

NOTE:

The network segments and IP addresses are for reference only.

Figure 1 Network plane planning in the single-node scenario where HA is not required

In this scenario, only one NIC is used for network communication.

Table 1 shows the planned network information.

Table 1 Network planning in the single-node scenario where HA is not required

| Parameter | Description | Example Value |
|---|---|---|
| IP address of the server/client plane | Allows an SAP HANA node to communicate with service software (such as SFS and ERP) or SAP HANA Studio client software. | SAP HANA node: 10.0.3.2; SAP HANA Studio: 10.0.0.102; NAT server: 10.0.0.202 |
| Elastic IP address | Allows you to access the SAP HANA Studio and NAT server. | Automatically allocated |

Network Plane Planning in the Single-Node Scenario Where HA Is Required

Figure 2 shows the network plane planning in the single-node scenario where HA is required.

NOTE:
  • The network segments and IP addresses are for reference only.
  • Figure 2 applies to performing active/standby switchovers using scripts. (This only applies to SAP HANA nodes running the OS SUSE Linux Enterprise Server 12 SP1 for SAP.) If active/standby switchovers are manually performed, no heartbeat plane NIC is required.

Figure 2 Network plane planning in the single-node scenario where HA is required

Security Group Rules

NOTE:

The network segments and IP addresses are for reference only. The following security group rules are recommended practices. You can configure your own security group rules as needed.

Table 2, Table 3, and Table 4 list the security group rules.

NOTE:

In the following table, ## stands for the SAP HANA instance ID, such as 00. Ensure that this ID is the same as the instance ID specified when you install the SAP HANA software.

Table 2 Security group rules (SAP HANA)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 10.0.0.0/24 | TCP | 5##13 to 5##14 | Allows the SAP HANA Studio to access SAP HANA. |
| Inbound | 10.0.0.0/24 | TCP | 3##15 | Provides ports for the service plane. |
| Inbound | 10.0.0.0/24 | TCP | 3##17 | Provides ports for the service plane. |
| Inbound | 10.0.2.0/24 | TCP | 3##00 to 3##10 | Provides ports for internal communication between SAP HANA nodes. |
| Inbound | 10.0.0.0/24 | TCP | 22 | Allows SAP HANA to be accessed using SSH. |
| Inbound | 10.0.2.0/24 | TCP | 22 | Allows NAT servers to be accessed using SSH. |
| Inbound | 10.0.0.0/24 | TCP | 43## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTPS. |
| Inbound | 10.0.0.0/24 | TCP | 80## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTP. |
| Inbound | 10.0.0.0/24 | TCP | 8080 (HTTP) | Allows Software Update Manager (SUM) to access SAP HANA using HTTP. |
| Inbound | 10.0.0.0/24 | TCP | 8443 (HTTPS) | Allows Software Update Manager (SUM) to access SAP HANA using HTTPS. |
| Inbound | 10.0.0.0/24 | TCP | 1128-1129 | Allows access to SAP Host Agent using SOAP/HTTP. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access SAP HANA. |
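The ## placeholders in Table 2 have to be replaced with the real instance ID before the rules can be entered or audited. The following added example (not part of the original guide; the function names are hypothetical) expands the inbound Port Range cells for a given instance ID and checks whether a source address and port would match one of them. It assumes every rule is TCP, as in Table 2, and does not model the system-created same-security-group rule.

```python
import ipaddress
import re

# Inbound rows of Table 2 as (source CIDR, Port Range cell); protocol is TCP throughout.
TABLE2_INBOUND = [
    ("10.0.0.0/24", "5##13 to 5##14"),
    ("10.0.0.0/24", "3##15"),
    ("10.0.0.0/24", "3##17"),
    ("10.0.2.0/24", "3##00 to 3##10"),
    ("10.0.0.0/24", "22"),
    ("10.0.2.0/24", "22"),
    ("10.0.0.0/24", "43##"),
    ("10.0.0.0/24", "80##"),
    ("10.0.0.0/24", "8080 (HTTP)"),
    ("10.0.0.0/24", "8443 (HTTPS)"),
    ("10.0.0.0/24", "1128-1129"),
]

def expand_port_range(cell, instance_id):
    """Turn one Port Range cell into (first_port, last_port) for an instance ID."""
    if not re.fullmatch(r"\d{2}", instance_id):
        raise ValueError("instance ID must be exactly two digits, such as '00'")
    # Drop annotations like "(HTTP)", then substitute the instance ID for "##".
    spec = re.sub(r"\(.*?\)", "", cell).replace("##", instance_id)
    ports = [int(p) for p in re.findall(r"\d+", spec)]
    if len(ports) not in (1, 2) or not all(1 <= p <= 65535 for p in ports):
        raise ValueError(f"cannot expand {cell!r} for instance {instance_id}")
    if ports[0] > ports[-1]:
        raise ValueError(f"reversed range in {cell!r}")
    return ports[0], ports[-1]

def expand_rules(instance_id, rules=TABLE2_INBOUND):
    """Concrete (source, first_port, last_port) tuples for the given instance ID."""
    return [(src, *expand_port_range(cell, instance_id)) for src, cell in rules]

def is_allowed(src_ip, port, instance_id, rules=TABLE2_INBOUND):
    """True if a TCP connection from src_ip to port matches an expanded rule."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(src) and first <= port <= last
               for src, first, last in expand_rules(instance_id, rules))

if __name__ == "__main__":
    for src, first, last in expand_rules("00"):
        print(f"{src:<12} TCP {first}-{last}")
    # Internal-communication ports are reachable only from 10.0.2.0/24.
    print(is_allowed("10.0.0.102", 30003, "00"), is_allowed("10.0.2.5", 30003, "00"))
```

Running the check with the wrong instance ID shows why the note above matters: a rule set expanded for 00 does not cover the SQL port of an instance installed as 01.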

Table 3 Security group rules (SAP HANA Studio)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 3389 | Allows users to access the SAP HANA Studio using RDP. This rule is required only when the SAP HANA Studio is deployed on a Windows ECS. |
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the SAP HANA Studio using SSH. This rule is required only when the SAP HANA Studio is deployed on a Linux ECS. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows all peers to access the SAP HANA Studio. |

Table 4 Security group rules (NAT server)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Inbound | 10.0.3.0/24 | TCP | 80 (HTTP) | Allows access to instances in the same VPC using HTTP. |
| Inbound | 10.0.3.0/24 | TCP | 443 (HTTPS) | Allows access to instances in the same VPC using HTTPS. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | 10.0.3.0/24 | TCP | 22 (SSH) | Allows the NAT server to access the 10.0.3.0 subnet using SSH. |
| Outbound | 0.0.0.0/0 | TCP | 80 (HTTP) | Allows instances in a VPC to access any network. |
| Outbound | 0.0.0.0/0 | TCP | 443 (HTTPS) | Allows instances in a VPC to access any network. |