Updated on 2022-03-04 GMT+08:00

Border Between the Production Environment and the Development and Test Environment

The development and test environment has a low security level and a high security risk. If you need to connect the production environment to the development and test environment, configure strict ACL rules for their border. Use ACL rules to strictly control (deny by default) access from the development and test environment to the production environment, allowing access to only required IP addresses and ports in the production environment. You can configure relatively loose ACL rules for access from the production environment to the development and test environment.

Security Policies

Network ACLs NACL-PRD-DMZ, NACL-PRD-APP, and NACL-PRD-SAPDB-BUSI are each associated with a subnet in the production environment. Configure the inbound rules of these network ACLs to strictly control access from the development and test environment according to the "minimum permission" principle, allowing access to only specified IP addresses and ports in the production environment. You can configure relatively loose outbound ACL rules for access from the production environment to the development and test environment.

Stronger, more secure, and more complex ACL rules mean higher deployment, configuration, and O&M costs. You can configure looser ACL rules based on your actual enterprise requirements.

Network ACLs configured between the production environment and the development and test environment are mainly used in the DEV-DMZ, DEV-application, and DEV-DB zones. For details, see Table 1, Table 2, Table 3, Table 4, Table 5 and Table 6.

IP addresses and ports in this section are only used as examples. If there are other services, you can add ACL rules as required. This section describes only network ACLs configured between the production environment and the development and test environment.

Table 1 Inbound rules of network ACL NACL-PRD-APP

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-application zone | 172.22.4.0/24 | TCP | 2433 | Allow | Allows VMs in the DEV-application zone in the development and test environment to access port 2433 of servers in the application zone in the production environment for pushing software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic that is not matched by the preceding rules. |

Table 2 Outbound rules of network ACL NACL-PRD-APP

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-application zone | 172.22.8.0/24 | TCP | Any | Allow | Allows VMs in the PRD-application zone in the production environment to access any TCP port of servers in the DEV-application zone. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic that is not matched by the preceding rules. |
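The rule sets in Table 1 and Table 2 are evaluated in order, with the first matching rule deciding and the trailing 0.0.0.0/0 Deny rule providing the deny-by-default behaviour. The following added example (not part of this white paper or of any cloud SDK) models that evaluation for NACL-PRD-APP so that a proposed rule set can be checked offline before deployment; the sample IP addresses in the test traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    name: str
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    protocol: str   # "TCP", "UDP", "ICMP" or "Any"
    port: str       # destination port number as text, or "Any"
    action: str     # "Allow" or "Deny"

    def matches(self, address: str, protocol: str, port: int) -> bool:
        in_cidr = ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr)
        proto_ok = self.protocol == "Any" or self.protocol == protocol
        port_ok = self.port == "Any" or int(self.port) == port
        return in_cidr and proto_ok and port_ok


def evaluate(rules, address: str, protocol: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(address, protocol, port):
            return rule.action
    return "Deny"  # unreachable when a 0.0.0.0/0 Deny rule is present, kept as a safety net


def ends_with_deny_all(rules) -> bool:
    """Check that a rule set really closes with the catch-all Deny rule from the tables."""
    last = rules[-1] if rules else None
    return last is not None and last.cidr == "0.0.0.0/0" and last.action == "Deny" \
        and last.protocol == "Any" and last.port == "Any"


# Table 1: inbound rules of NACL-PRD-APP, transcribed from this page
NACL_PRD_APP_INBOUND = [
    AclRule("For the DEV-application zone", "172.22.4.0/24", "TCP", "2433", "Allow"),
    AclRule("*", "0.0.0.0/0", "Any", "Any", "Deny"),
]

# Table 2: outbound rules of NACL-PRD-APP, transcribed from this page
NACL_PRD_APP_OUTBOUND = [
    AclRule("For the DEV-application zone", "172.22.8.0/24", "TCP", "Any", "Allow"),
    AclRule("*", "0.0.0.0/0", "Any", "Any", "Deny"),
]


def check_inbound(source_ip: str, protocol: str, port: int) -> str:
    return evaluate(NACL_PRD_APP_INBOUND, source_ip, protocol, port)


def check_outbound(dest_ip: str, protocol: str, port: int) -> str:
    return evaluate(NACL_PRD_APP_OUTBOUND, dest_ip, protocol, port)
```

Run `check_inbound` against the addresses and ports each DEV-zone tool actually uses before applying the ACL, so that a missing port surfaces as a "Deny" here rather than as a failed update push in production.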

Table 3 Inbound rules of network ACL NACL-PRD-DMZ

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-DMZ zone | 172.22.3.0/24 | TCP | 1433 | Allow | Allows VMs in the DMZ zone in the development and test environment to access port 1433 of servers in the PRD-DMZ zone in the production environment for pushing software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic that is not matched by the preceding rules. |

Table 4 Outbound rules of network ACL NACL-PRD-DMZ

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-DMZ zone | 172.22.4.0/24 | TCP | Any | Allow | Allows VMs in the PRD-DMZ zone in the production environment to access any TCP port of servers in the DEV-DMZ zone. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic that is not matched by the preceding rules. |

Table 5 Inbound rules of network ACL NACL-PRD-SAPDB-BUSI

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-SAP DB zone | 172.22.5.0/24 | TCP | 3433 | Allow | Allows VMs in the DEV-SAP DB zone in the development and test environment to access port 3433 of servers in the PRD-SAP-DB zone in the production environment for pushing software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic that is not matched by the preceding rules. |

Table 6 Outbound rules of network ACL NACL-PRD-SAPDB-BUSI

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
| --- | --- | --- | --- | --- | --- |
| For the DEV-SAP DB zone | 172.22.5.0/24 | TCP | Any | Allow | Allows VMs in the PRD-SAP DB zone in the production environment to access any TCP port of servers in the DEV-SAP DB zone in the development and test environment. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic that is not matched by the preceding rules. |