Updated on 2022-03-04 GMT+08:00

Creating a Subnet and Configuring a Security Group

Scenarios

To ensure proper communication between all SAP S/4HANA ECSs, create a subnet for the ECSs and configure a proper security group.

Procedure

  1. Create a subnet.

    1. Log in to the public cloud management console.
    2. In the navigation pane on the left, click and choose Virtual Private Cloud under Network.
    3. Choose Subnets in the left navigation pane.
    4. In the upper right corner of the displayed page, click Create Subnet.
    5. In the Create Subnet pane, configure parameters as prompted.
      • VPC: Select the VPC where SAP HANA is located.
      • AZ: Specifies the AZ of the subnet.
      • Name: Configure a subnet name that is easy to identify, for example, service_subnet.
      • CIDR Block: Configure the subnet segment based on Network Plane Planning and Security Group Planning.
      • Advanced Settings: Use the default settings.
    6. Click OK to complete the subnet configuration.
    7. Repeat 1.a to 1.f to create all required subnets according to the requirements specified in sections Network Plane Planning and Security Group Planning.

  2. Set security groups.

    SAP S/4HANA, NAT Server, and SAP HANA require security groups.
    1. Choose Access Control > Security Groups on the left and then click Create Security Group in the upper right corner. The Create Security Group dialog box is displayed.
    2. Set the following parameters as prompted:
      • Template: The template contains security group rules, which help you quickly create a security group. The following templates are provided:
        • Custom: This template allows you to create security groups with custom security group rules.
        • General-purpose web server: The security group that will be created using this template is for general-purpose web servers and includes default rules that allow all inbound ICMP traffic and allow inbound traffic on ports 22, 80, 443, and 3389.
        • All ports open: The security group that will be created using this template includes default rules that allow inbound traffic on any port. Allowing inbound traffic on any port may pose security risks. Exercise caution when using this template.
      • Name: Specifies the name of the security group. Use a name that is easy to identify, for example, studio_security_group.
      • Enterprise Project: You can add the security group to an enabled enterprise project. You can select an enterprise project from the drop-down list.
    3. Click OK.
    4. Repeat 2.a to 2.c to create other security groups.
    5. In the navigation pane on the left, choose Access Control > Security Groups. In the security group list, click the security group to which you want to add an access rule.
    6. Click Add Rule on the Inbound Rules or Outbound Rules tab as planned.
    7. In the displayed dialog box, add the rule based on the requirements specified in section Security Group Planning.

      The default security group rules cannot be deleted.

    8. Repeat 2.e to 2.g to configure all security groups.
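
The following is an added example, not part of the original guide: a Python check that compares a security group's inbound rules with the planned rules and reports template defaults the plan does not cover. The rule format, the 0.0.0.0/0 sources, the addresses, and the plan entries are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample: inbound rules of a group created from the
# "General-purpose web server" template, plus one planned SAP rule.
# Field names and the 0.0.0.0/0 sources are assumptions for illustration.
SAMPLE_RULES = [
    {"protocol": "icmp", "ports": None, "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (22, 22), "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (80, 80), "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (3200, 3299), "source": "10.0.3.0/24"},
]

# Constructed stand-in for the Security Group Planning table:
# (protocol, first port, last port, allowed source network).
SAMPLE_PLAN = [
    ("tcp", 22, 22, "10.0.0.0/24"),
    ("tcp", 3200, 3299, "10.0.3.0/24"),
]


def is_covered(rule, plan):
    """True if a planned entry allows this protocol, port range and source."""
    src = ipaddress.ip_network(rule["source"])
    lo, hi = rule["ports"] or (0, 65535)  # None means every port
    for proto, p_lo, p_hi, p_src in plan:
        allowed = ipaddress.ip_network(p_src)
        if (proto == rule["protocol"] and p_lo <= lo and hi <= p_hi
                and src.version == allowed.version and src.subnet_of(allowed)):
            return True
    return False


def audit_inbound(rules, plan):
    """Return (rule, reason) for every inbound rule the plan does not cover."""
    findings = []
    for rule in rules:
        if is_covered(rule, plan):
            continue
        any_source = ipaddress.ip_network(rule["source"]).prefixlen == 0
        findings.append((rule, "open to any source" if any_source else "not in plan"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_inbound(SAMPLE_RULES, SAMPLE_PLAN):
        print(f"{reason}: {rule['protocol']} {rule['ports']} from {rule['source']}")
```

Each reported rule is a candidate for removal or for a narrower source range before the ECSs go into service.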