Service Border
The production environment needs to provide services for the public network and interconnect with other IDCs. Therefore, set up virtual private network (VPN) channels between the production environment and enterprise intranets (IDCs). Configure access control policies between the cloud and the on-premises system and between the cloud and the Internet.
Take border protection measures in the DMZ, internal network application, and management zones because they can be accessed from external networks.
VPN
Static connections are usually used by enterprise intranets. When security and latency are taken into consideration, the recommended priority is as follows: Direct Connect > Internet Protocol security virtual private network (IPsec VPN) > virtual private network over Secure Sockets Layer (SSL VPN).
Currently, the HUAWEI CLOUD VPN service supports only Direct Connect and IPsec VPN. If you need to use SSL VPN, you can deploy it using a third-party image.
Security Policies
The production environment needs to communicate with enterprise intranets and allow access from the Internet. Therefore, networks ACLs are used for access control.
Network ACL NACL-DMZ-SAP-Router is associated with the subnet for the DEV&PRD SAP router in the production environment. Configure inbound rules of network ACL NACL-DMZ-SAP-Router to strictly control access from the Internet, allowing access from only specified external network segments to specified IP addresses and ports.
IP addresses and ports in this section are only used as examples. If the public IP address is not fixed, you can create an ACL rule to allow access from a specified public source IP address to meet your service requirements (such as technical support) and then delete the rule when it is not required. If there are other services, you can add ACL rules as required.
Rule |
Destination IP Address |
Protocol |
Destination Port |
Allow or Deny |
Description |
---|---|---|---|---|---|
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all inbound traffic that is not processed based on preset rules. |
Rule |
Source IP Address |
Protocol |
Destination Port |
Allow or Deny |
Description |
---|---|---|---|---|---|
For SAP technical support personnel (SAP GUI or software server) |
123.123.123.0/24 |
TCP |
3299 |
Allow |
Allows Internet SAP technical support personnel (SAP GUI or software server) from specified source IP addresses to access the DEV&PRD SAP router and then access backend services. |
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all inbound traffic that is not processed based on preset rules. |
Network ACL NACL-PRD-DMZ is associated with the subnet for the PRD-DMZ zone in the production environment. Configure inbound rules of network ACL NACL-PRD-DMZ to strictly control access from the Internet and IDCs, allowing access from external networks to only specified IP addresses and ports in the production environment.
Rule |
Destination IP Address |
Protocol |
Destination port |
Allow or Deny |
Description |
---|---|---|---|---|---|
For AD or ADFS servers |
IP address of an AD or ADFS network in the IDC |
TCP |
AD or ADF port |
Allow |
Allows access to AD or ADFS servers in IDCs. |
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all outbound traffic that is not processed based on preset rules. |
Rule |
Source IP Address |
Protocol |
Destination Port |
Allow or Deny |
Description |
---|---|---|---|---|---|
For Internet users |
0.0.0.0/0 |
TCP |
80 |
Allow |
Allows Internet users and IDC users to access web services in the production environment. |
For Internet users |
0.0.0.0/0 |
TCP |
443 |
Allow |
Allows Internet users and IDC users to access web services in the production environment. |
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all inbound traffic that is not processed based on preset rules. |
Network ACL NACL-PRD-APP is associated with the subnet for the PRD-application zone in the production environment. Configure inbound rules of network ACL NACL-PRD-APP to strictly control access from IDCs, allowing access from only specified IDC networks to specified IP addresses and ports in the production environment. Configure outbound rules of network ACL NACL-PRD-APP to strictly control access to IDCs, allowing access from the production environment to only specified IDC networks.
Rule |
Destination IP Address |
Protocol |
Destination Port |
Allow or Deny |
Description |
---|---|---|---|---|---|
For AD or ADFS servers |
IP address of an AD or ADFS network in the IDC |
TCP |
AD or ADF port |
Allow |
Allows access to AD or ADFS servers in IDCs. |
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all outbound traffic that is not processed based on preset rules. |
Rule |
Source IP Address |
Protocol |
Destination Port |
Allow or Deny |
Description |
---|---|---|---|---|---|
For IDC users and consultants |
A subnet (subnet b) in an IDC |
TCP |
8080 |
Allow |
Allows internal users and consultants in a subnet (subnet b) in an IDC to access service port 8080 in the application zone in the production environment. |
For IDC users and consultants |
A subnet (subnet b) in an IDC |
TCP |
8443 |
Allow |
Allows internal users and consultants in a subnet (subnet b) in an IDC to access service port 8443 in the application zone in the production environment. |
* |
0.0.0.0/0 |
Any |
Any |
Deny |
Denies all inbound traffic that is not processed based on preset rules. |
The PRD-SAP-DB zone does not need to communicate with external networks. Therefore, configure only internal rules of network ACLs NACL-PRD-SAPDB-BUSI and NACL-PRD-SAPDB-INTERNEL by referring to Network Isolation and Access Control.
For security group rule configuration, see the related content in Network Isolation and Access Control.
Security Services
- Anti-DDoS
The production environment needs to access the public network. Therefore, you need to deploy Anti-DDoS on SAP router, SRM, and Hybrids servers. It is recommended that you use HUAWEI CLOUD Anti-DDoS to protect elastic IP addresses (EIPs).
- Web application firewall (WAF)
The production environment needs to provide web applications for the Internet. Therefore, you need to install WAF to defend against OWASP TOP10 and other web attacks. It is recommended that you use the HUAWEI CLOUD WAF service to create WAF instances to protect EIPs and load balancers.
- Virtual next-generation firewall (vNGFW)
The SAP router will be used by a third-party system to connect to the internal system. SRM and Hybrids in the development and test environment will be available for simulation tests. These points are subject to network attacks, and it is recommended that you install vNGFW on them.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot