Network Isolation and Access Control

Security Policies

Network ACLs for the development and test environment are NACL-DEV-MGMT, NACL-DEV-APP, and NACL-DMZ-SAP-Router. Each network ACL is associated with a subnet, as shown in Figure 3. By default, a network ACL denies all access ("deny by default"). If you need to enable communication across network ACLs, add ACL rules to allow required access ("minimum permission").

Figure 3 Network ACL layout in the development and test environment

Network ACL NACL-DEV-MGMT is associated with the subnet for the DEV-management zone in the development and test environment. Configure rules of network ACL NACL-DEV-MGMT to allow access to management ports (such as port 22) of servers in other zones through the bastion host in the management zone and deny access from other zones to the bastion host in the management zone.

IP addresses and ports in this section are only used as examples. If there are other management ports, you can add ACL rules as required. This section describes only access control policies for the development and test environment.

Network ACL NACL-DEV-APP is associated with the subnets for the DEV-DMZ, DEV-application, and DEV-SAP-DB zones. Configure inbound rules of network ACL NACL-DEV-APP to allow access to management ports (such as port 22) of servers in the zones through the bastion host in the management zone and allow access to service ports of servers in the zones through the SAP router.

Network ACL NACL-DMZ-SAP-Router is associated with the subnet for the DEV&PRD-SAP router. Configure inbound rules of network ACL NACL-DMZ-SAP-Router to allow access to management ports (such as port 22) of servers in the zone through the bastion host in the management zone. Configure outbound rules of network ACL NACL-DMZ-SAP-Router to allow access to specified service ports in the application zone and SAP-DB zone in the development and test environment through the SAP router.

Security groups, such as SG_DEV_MGMT and SG_DEV_DB (which do not interact with the public network), are associated with ECSs in the subnets in the development and test environment. The security groups must be configured according to the "minimum permission" principle so that a minimum number of ECS ports are opened. Figure 4 shows an example for configuring the security groups. You need to configure them based on your own ports. Network ACLs are used for IP address access control. Other security groups in the development and test environment (for details, see Figure 1) that do not interact with the public network can be configured similarly.

Figure 4 Security group rule example

Security groups, such as SG_DEV_SRM, SG_DEV_Hybrids, and SG_SAP_ROUTER (which interact with the public network), are associated with ECSs in the subnets in the development and test environment. The security groups must be configured according to the "minimum permission" principle so that a minimum number of ECS ports and source IP addresses are opened. If the public IP address is fixed, you can refer to Figure 5 for configuring the security groups. You need to configure them based on your own ports.

Figure 5 Security group rule example

If the public IP address is not fixed, you can create a security group rule to allow access from a specified public source IP address to meet your service requirements (such as the simulation test or technical support) and then delete the rule when it is not required.