Updated on 2022-03-04 GMT+08:00

Network Planning

Network Plane Planning

Figure 1 shows the network plane planning in the single node scenario.

The network segments and IP addresses are for reference only.

Figure 1 Network plane planning in the single node scenario

In this scenario, only one NIC is used for network communication.

Table 1 shows the planned network information.

Table 1 Network planning in the single node scenario where HA is not required

| Parameter | Description | Example Value |
|---|---|---|
| IP address of the server/client plane | Allows an SAP Business One node to communicate with service software or SAP Business One Client software. Allows an SAP HANA node to communicate with service software or SAP HANA Studio client software. | SAP Business One: 10.0.3.2; SAP Business One Client: 10.0.3.3; SAP HANA Studio: 10.0.3.4; NAT server: 10.0.3.5 |
| Elastic IP address | Allows you to access the SAP HANA Studio and NAT server. | Automatically allocated |

Security Group Rules

  • The network segments and IP addresses are for reference only. The following security group rules are recommended practices. You can configure your own security group rules as needed.
  • In the following table, ## stands for the SAP HANA instance ID, such as 00. Ensure that this ID is the same as the instance ID specified when you install the SAP HANA software.
  • For more information about the specific ports and security group rules that SAP requires, see https://help.sap.com/viewer/575a9f0e56f34c6e8138439eefc32b16/2.0/en-US/616a3c0b1cc748238de9c0341b15c63c.html.

Table 2 Security group rules (SAP HANA & SAP Business One)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 10.0.0.0/24 | TCP | 5##13 to 5##14 | Allows the SAP HANA Studio to access SAP HANA. |
| Inbound | 10.0.0.0/24 | TCP | 3##15 | Provides ports for the service plane. |
| Inbound | 10.0.0.0/24 | TCP | 3##17 | Provides ports for the service plane. |
| Inbound | 10.0.0.0/24 | TCP | 22 | Allows SAP HANA to be accessed using SSH. |
| Inbound | 10.0.0.0/24 | TCP | 43## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTPS. |
| Inbound | 10.0.0.0/24 | TCP | 80## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTP. |
| Inbound | 10.0.0.0/24 | TCP | 8080 (HTTP) | Allows Software Update Manager (SUM) to access SAP HANA using HTTP. |
| Inbound | 10.0.0.0/24 | TCP | 8443 (HTTPS) | Allows Software Update Manager (SUM) to access SAP HANA using HTTPS. |
| Inbound | 10.0.0.0/24 | TCP | 1128-1129 | Allows access to SAP Host Agent using SOAP/HTTP. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows SAP HANA to access all peers. |

Table 3 Security group rules (SAP HANA Studio)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 3389 | Allows users to access the SAP HANA Studio using RDP. This rule is required only when the SAP HANA Studio is deployed on a Windows ECS. |
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the SAP HANA Studio using SSH. This rule is required only when the SAP HANA Studio is deployed on a Linux ECS. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | ANY | ANY | ANY | Security group rule created by the system by default. Allows SAP HANA Studio to access all peers. |

Table 4 Security group rules (NAT server)

| Direction | Source | Protocol | Port Range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Inbound | 10.0.3.0/24 | TCP | 80 (HTTP) | Allows access to instances in the same VPC using HTTP. |
| Inbound | 10.0.3.0/24 | TCP | 443 (HTTPS) | Allows access to instances in the same VPC using HTTPS. |
| Inbound | Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| Outbound | 10.0.3.0/24 | TCP | 22 (SSH) | Allows the NAT server to access the 10.0.3.0 subnet using SSH. |
| Outbound | 0.0.0.0/0 | TCP | 80 (HTTP) | Allows instances in a VPC to access any network. |
| Outbound | 0.0.0.0/0 | TCP | 443 (HTTPS) | Allows instances in a VPC to access any network. |
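
The `##` substitution described under Security Group Rules, as an added example that is not part of the original page: this Python sketch expands the inbound port templates from Tables 2 to 4 for a given SAP HANA instance ID and lists the rules that admit any source (0.0.0.0/0) to SSH or RDP, so they can be reviewed and narrowed where the deployment allows. The names `PAGE_INBOUND`, `expand_ports`, `concrete_rules` and `world_open_admin` are hypothetical and chosen for this illustration.

```python
import ipaddress
import re

# Added example (hypothetical names): inbound rows transcribed from Tables 2-4.
PAGE_INBOUND = [
    ("SAP HANA", "10.0.0.0/24", "5##13 to 5##14"),
    ("SAP HANA", "10.0.0.0/24", "3##15"),
    ("SAP HANA", "10.0.0.0/24", "3##17"),
    ("SAP HANA", "10.0.0.0/24", "22"),
    ("SAP HANA", "10.0.0.0/24", "43##"),
    ("SAP HANA", "10.0.0.0/24", "80##"),
    ("SAP HANA", "10.0.0.0/24", "8080 (HTTP)"),
    ("SAP HANA", "10.0.0.0/24", "8443 (HTTPS)"),
    ("SAP HANA", "10.0.0.0/24", "1128-1129"),
    ("SAP HANA Studio", "0.0.0.0/0", "3389"),
    ("SAP HANA Studio", "0.0.0.0/0", "22"),
    ("NAT server", "0.0.0.0/0", "22"),
    ("NAT server", "10.0.3.0/24", "80 (HTTP)"),
    ("NAT server", "10.0.3.0/24", "443 (HTTPS)"),
]
ADMIN_PORTS = {22, 3389}  # SSH and RDP, the management ports the tables open


def expand_ports(template, instance_id):
    """Turn a port template such as '5##13 to 5##14' into (low, high)."""
    if not re.fullmatch(r"\d{2}", instance_id):
        raise ValueError("instance ID must be exactly two digits, e.g. '00'")
    text = re.sub(r"\(.*?\)", "", template).replace("##", instance_id)
    ports = [int(p) for p in re.findall(r"\d+", text)]
    if not 1 <= len(ports) <= 2 or not all(0 < p < 65536 for p in ports):
        raise ValueError(f"cannot expand port template {template!r}")
    return min(ports), max(ports)


def concrete_rules(instance_id, rows=PAGE_INBOUND):
    """Expand every row into (target, source, low_port, high_port)."""
    return [(t, src, *expand_ports(p, instance_id)) for t, src, p in rows]


def world_open_admin(rules):
    """Return rules that admit any IPv4 source to an admin port."""
    return [r for r in rules
            if ipaddress.ip_network(r[1]).prefixlen == 0
            and any(r[2] <= port <= r[3] for port in ADMIN_PORTS)]


if __name__ == "__main__":
    for rule in world_open_admin(concrete_rules("00")):
        print("open to any source on SSH/RDP:", rule)
```

Pass the same two-digit instance ID that was specified when SAP HANA was installed, as the note above the tables requires.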