Border Between the Production Environment and the Development and Test Environment
The development and test environment has a low security level and a high security risk. If you need to connect the production environment to the development and test environment, configure strict ACL rules on their border. Use ACL rules to strictly control access from the development and test environment to the production environment (deny by default), allowing access to only the required IP addresses and ports in the production environment. ACL rules for access in the other direction, from the production environment to the development and test environment, can be relatively loose.
Security Policies
Network ACLs NACL-PRD-DMZ, NACL-PRD-APP, and NACL-PRD-SAPDB-BUSI are each associated with a subnet in the production environment. Configure the inbound rules of these network ACLs to strictly control access from the development and test environment according to the principle of least privilege ("minimum permission"), allowing access to only the specified IP addresses and ports in the production environment. The outbound rules, which govern access from the production environment to the development and test environment, can be relatively loose.
Stricter and more complex ACL rules mean higher deployment, configuration, and O&M costs. You can configure looser ACL rules based on your actual enterprise requirements.
Network ACLs configured between the production environment and the development and test environment are mainly used in the DEV-DMZ, DEV-application, and DEV-DB zones. For details, see Table 1, Table 2, Table 3, Table 4, Table 5, and Table 6.
The IP addresses and ports in this section are examples only. If there are other services, add ACL rules as required. This section describes only the network ACLs configured between the production environment and the development and test environment.
Table 1 Inbound rules for the DEV-application zone

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-application zone | 172.22.4.0/24 | TCP | 2433 | Allow | Allows VMs in the DEV-application zone in the development and test environment to access port 2433 of servers in the application zone in the production environment to push software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic not matched by the preceding rules. |
Table 2 Outbound rules for the DEV-application zone

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-application zone | 172.22.8.0/24 | TCP | Any | Allow | Allows VMs in the PRD-application zone in the production environment to access any TCP port of servers in the DEV-application zone. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic not matched by the preceding rules. |
Table 3 Inbound rules for the DEV-DMZ zone

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-DMZ zone | 172.22.3.0/24 | TCP | 1433 | Allow | Allows VMs in the DMZ zone in the development and test environment to access port 1433 of servers in the PRD-DMZ zone in the production environment to push software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic not matched by the preceding rules. |
Table 4 Outbound rules for the DEV-DMZ zone

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-DMZ zone | 172.22.4.0/24 | TCP | Any | Allow | Allows VMs in the PRD-DMZ zone in the production environment to access any TCP port of servers in the DEV-DMZ zone. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic not matched by the preceding rules. |
Table 5 Inbound rules for the DEV-SAP DB zone

| Rule | Source IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-SAP DB zone | 172.22.5.0/24 | TCP | 3433 | Allow | Allows VMs in the DEV-SAP DB zone in the development and test environment to access port 3433 of servers in the PRD-SAP-DB zone in the production environment to push software and code updates. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all inbound traffic not matched by the preceding rules. |
Table 6 Outbound rules for the DEV-SAP DB zone

| Rule | Destination IP Address | Protocol | Destination Port | Allow or Deny | Description |
|---|---|---|---|---|---|
| For the DEV-SAP DB zone | 172.22.5.0/24 | TCP | Any | Allow | Allows VMs in the PRD-SAP DB zone in the production environment to access any TCP port of servers in the DEV-SAP DB zone in the development and test environment. |
| * | 0.0.0.0/0 | Any | Any | Deny | Denies all outbound traffic not matched by the preceding rules. |
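To make the deny-by-default policy in these six tables checkable before it is deployed, the following Python script is an added example (not part of the original page and not Huawei Cloud tooling). It transcribes the tables as ordered rule lists, evaluates traffic flows against them with first-match semantics, and lints each list for the requirements this section states: an explicit final deny-all, and no inbound Allow rule that is open to any source or to any port. The `Rule` class, the zone keys, and the helper names are assumptions of this example; the host addresses used in the sample flows are constructed inside the page's subnets.

```python
"""Evaluate and lint the production-side network ACL tables from this page.

Added example. Rule tables are transcribed from Tables 1 to 6 above; the
sample flows at the bottom are constructed and not taken from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    peer: str       # CIDR: source for inbound tables, destination for outbound
    protocol: str   # "TCP", "UDP", "ICMP" or "Any"
    port: str       # "Any", a single port ("2433") or a range ("1433-1434")
    action: str     # "Allow" or "Deny"


# The catch-all "*" row that closes every table on the page.
CATCH_ALL_DENY = Rule("*", "0.0.0.0/0", "Any", "Any", "Deny")

# Inbound rules (development/test -> production), Tables 1, 3 and 5.
INBOUND = {
    "PRD-application": [Rule("DEV-application zone", "172.22.4.0/24", "TCP", "2433", "Allow"), CATCH_ALL_DENY],
    "PRD-DMZ": [Rule("DEV-DMZ zone", "172.22.3.0/24", "TCP", "1433", "Allow"), CATCH_ALL_DENY],
    "PRD-SAP-DB": [Rule("DEV-SAP DB zone", "172.22.5.0/24", "TCP", "3433", "Allow"), CATCH_ALL_DENY],
}
# Outbound rules (production -> development/test), Tables 2, 4 and 6.
OUTBOUND = {
    "PRD-application": [Rule("DEV-application zone", "172.22.8.0/24", "TCP", "Any", "Allow"), CATCH_ALL_DENY],
    "PRD-DMZ": [Rule("DEV-DMZ zone", "172.22.4.0/24", "TCP", "Any", "Allow"), CATCH_ALL_DENY],
    "PRD-SAP-DB": [Rule("DEV-SAP DB zone", "172.22.5.0/24", "TCP", "Any", "Allow"), CATCH_ALL_DENY],
}


def _port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _matches(rule: Rule, peer_ip: str, protocol: str, port: int) -> bool:
    if ip_address(peer_ip) not in ip_network(rule.peer):
        return False
    if rule.protocol != "Any" and rule.protocol.upper() != protocol.upper():
        return False
    return _port_matches(rule.port, port)


def evaluate(rules, peer_ip: str, protocol: str, port: int):
    """First matching rule wins, as in an ordered network ACL.

    Returns (action, rule name). A flow matching no rule is reported as an
    implicit deny so the result never depends on the platform's default.
    """
    for rule in rules:
        if _matches(rule, peer_ip, protocol, port):
            return rule.action, rule.name
    return "Deny", "(implicit)"


def lint(rules, strict: bool = True):
    """Check a rule list against the policy stated in this section.

    strict=True applies the inbound (dev/test -> production) requirements:
    an explicit final deny-all, no Allow rule open to all sources, and no Allow
    rule open to all ports or protocols. Outbound lists may be linted with
    strict=False, since the page permits looser rules in that direction.
    Any Allow rule placed after the deny-all is reported as unreachable.
    """
    findings = []
    if not rules or rules[-1] != CATCH_ALL_DENY:
        findings.append("last rule is not an explicit deny-all (0.0.0.0/0, Any, Any, Deny)")
    for i, rule in enumerate(rules):
        if rule.action != "Allow":
            continue
        if any(r == CATCH_ALL_DENY for r in rules[:i]):
            findings.append(f"rule '{rule.name}' is unreachable: it follows the deny-all rule")
        if strict and rule.peer == "0.0.0.0/0":
            findings.append(f"rule '{rule.name}' allows traffic from any source")
        if strict and (rule.port == "Any" or rule.protocol == "Any"):
            findings.append(f"rule '{rule.name}' allows any port or protocol; restrict it to the required ports")
    return findings


if __name__ == "__main__":
    for zone, rules in INBOUND.items():
        print(f"{zone} inbound lint:", lint(rules) or "ok")
    # Constructed flows: host addresses inside the page's example subnets.
    print(evaluate(INBOUND["PRD-application"], "172.22.4.10", "TCP", 2433))  # update push, allowed
    print(evaluate(INBOUND["PRD-application"], "172.22.4.10", "TCP", 22))    # denied by '*'
    print(evaluate(INBOUND["PRD-DMZ"], "172.22.4.10", "TCP", 1433))          # wrong source zone, denied
```

Rules are evaluated in list order, which mirrors the tables: the specific Allow row comes first and the `*` row last. When you add rows for further services, run `lint()` on the inbound lists with `strict=True`; a single `Any` in the port or protocol column of an inbound Allow rule, or an Allow row that lands after the deny-all, is what the check is there to catch.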