
GCP SAP Application and Database Connectivity

The document outlines the network configuration for connecting various servers and services between on-premise and Google Cloud Platform (GCP), detailing source and destination profiles, ports, protocols, and firewall types. It includes specific justifications for each connection, emphasizing the need for secure communication and data transfer, particularly for SAP applications and HANA databases. Additionally, it highlights the importance of using bastion hosts for administrative access and the requirement for encrypted connections.

Uploaded by

Mofizur Rahman
Copyright
© All Rights Reserved

Profile Source Destination

?
CSAP Application Server in GCP HANA
HDB Database Server in On Premise Database Server in GCP
HTTPS ILB -
CSAP WebDispatcher
Web Dispatcher
CSAP F5 ILB
TCP ILB - ASCS
CSAP Application Server in GCP
passthrough
CSAP Cockpit HANA DB in GCP
CSAP Solman GCP ( HANA and ABAP )
CSAP Application Server in GCP ADS

CSAP CCMS Application server On Premise GCP ( HANA and ABAP )

CSAP SAP IDM server On Premise Application Server in GCP

CSAP Application Server in GCP GCP

CSAP Database Server in GCP GCP


FileStore GCP
CSAP Corporate Network F5 / ILB

CSAP Corporate Network F5 / ILB / SAPGUI

CSAP Corporate Network Webdispatcher

CSAP SAProuter on Premise Application Server in GCP

SAProuter on Premise Database Server in GCP


Port Protocol Firewall Type Direction
TCP Internal
30013, 30041, 30015 TCP Internal Permanent Uni
30013, 30041, 30015 TCP Bi
443
TCP Internal Permanent
443 TCP Internal Permanent
3600 / 3900 TCP Internal Permanent
30013, 30041, 30015 TCP Internal
30013, 30041, 30015, 3600, 3900
TCP Internal
3300, 3200, 4800
443 TCP Internal
30013, 30041, 30015, 3600, 3900
3300, 3200, 4800 TCP Internal

3600, 3900
3300, 3200, 4800

5106 TCP

443 TCP Internal Permanent

3203, 3303, 4833 TCP Internal Permanent


3600, 3900
80 TCP Internal Temporary

3203, 3303, 4833 TCP Internal Permanent


3600, 3900, 443
30013, 30041, 30015 TCP Internal Permanent
Is encrypted?
Description / Justification
Software Copy to GCP
Application to Database to perform the installation
To set up HSR (HANA System Replication) to copy the HANA Database
To setup ILB which will act as point of access of SAP via web for end users
F5 will forward the traffic to backend
To setup ILB which will act as point of access of SAPGUI for end users
To manage Hana Databases from HANA Cockpit
Solution Manager Managed system Configuration
Adobe document server services

Solution Manager Managed system Configuration

Port 5106 must be open for UDSAgent to ensure that the backup/recovery appliance can communicate with the
Backup and DR agent on the host. This requires an ingress firewall rule where the backup/recovery appliance is the
source, the host running the agent is the target, and the target port is 5106. Also, you don't need to add port 5106 to
the default ingress rule created for the appliance, as this specifies the appliance as the target.
Backup
Backup
End users to access backend via Web

End user to access backend via SAPGUI ( SNC )

Required temporarily to configure SSL (by default only HTTP is enabled)


Justification
This port is required to copy the software from On premise to GCP
The Ports are required for establishing connection between Application and the Database in GCP

The ports are required for Process chain and Central User Administration
The ports are required for Process chain and Central User Administration

To establish SLT replication for NGRP Reporting.


Configure the STMS for the HANA Changes from the domain controller ( Solution Manager )
NGRP report access for the end users

[Link]

The ports are required for Process chain and Central User Administration

The ports are required for Process chain and Central User Administration
| Profile | Source | Destination | Port | Protocol | Firewall | Type | Direction | Is encrypted? | Description / Justification |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CSAP | On-Prem Admin / Jump Host | Application Server in GCP (CSAP) | 22 | TCP | Internal | Temporary | | Yes (SSH) | Software copy and administrative access during migration to GCP |
| CSAP | Application Server in GCP (CSAP) | SAP HANA Database in GCP | 30013, 30015, 30041 | TCP | Internal | Permanent | | Yes (HANA native) | SAP application to HANA database communication for installation and runtime |
| HDB | Database Server in On-Premise | SAP HANA Database in GCP | 30013, 30015, 30041 | TCP | Internal / VPN | Temporary | | Yes (HANA native) | HANA system replication / database migration from on-premise to GCP |
| CSAP | HTTPS Internal Load Balancer | Web Dispatcher (CSAP VM) | 443 | TCP | Internal | Permanent | | Yes (TLS) | Internal HTTPS Load Balancer acting as access point for SAP web applications |
| CSAP | Bastion / Admin Network | Application Server in GCP (CSAP) | 22 | TCP | Internal | Permanent | | Yes (SSH) | SAP BASIS administrative access via bastion host |
| HDB | Bastion / Admin Network | SAP HANA Database in GCP | 22 | TCP | Internal | Permanent | | Yes (SSH) | SAP HANA OS-level administration |
| CSAP | Application Server in GCP (CSAP) | DNS Servers | 53 | TCP / UDP | Internal | Permanent | | N/A | Name resolution for SAP and OS services |
| HDB | SAP HANA Database in GCP | DNS Servers | 53 | TCP / UDP | Internal | Permanent | | N/A | Name resolution for SAP HANA |
| CSAP | Application Server in GCP (CSAP) | NTP Server | 123 | UDP | Internal | Permanent | | N/A | Time synchronization required for SAP |
| HDB | SAP HANA Database in GCP | NTP Server | 123 | UDP | Internal | Permanent | | N/A | Time synchronization critical for HANA consistency |
| CSAP | Application Server in GCP (CSAP) | Red Hat Repositories / Satellite | 443 | TCP | Internal | Permanent | | Yes (TLS) | RHEL 9.6 OS patching and updates |
| HDB | SAP HANA Database in GCP | Red Hat Repositories / Satellite | 443 | TCP | Internal | Permanent | | Yes (TLS) | RHEL 9.6 OS patching and updates |
| HDB | SAP HANA Database in GCP | Google Cloud Storage | 443 | TCP | Internal | Permanent | | Yes (TLS) | SAP HANA database backup to GCS |
| CSAP | Application Server in GCP (CSAP) | Google Cloud APIs / Ops Agent | 443 | TCP | Internal | Permanent | | Yes (TLS) | Logging, monitoring, and GCP agent communication |

| Profile | Source | Destination | Port | Protocol | Firewall | Type | Is encrypted? | Description / Justification |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CSAP | SAProuter (On-Prem) | Application Server in GCP (CSAP) | 3299 | TCP | VPN / Interconnect | Permanent | Yes | Required for SAP support connectivity via SAProuter |
| HDB | SAProuter (On-Prem) | SAP HANA Database in GCP | 3299 | TCP | VPN / Interconnect | Permanent | Yes | Enables SAP support access for HANA database |
| | Application Server in GCP (CSAP) | SAProuter (On-Prem) | | | | | | |
| | SAP HANA Database in GCP | SAProuter (On-Prem) | | | | | | |
| HDB | HANA Cockpit (On-Prem) | SAP HANA Database in GCP | 3xx15, 43xx | TCP | VPN / Interconnect | Ingress | Yes (TLS) | SAP HANA monitoring and administration via HANA Cockpit |

| # | Source | Destination | Port | Protocol | Purpose | Scope |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | SAP-ADMIN | SAP-CSAP | 22 | TCP | SSH admin access | Permanent |
| 2 | SAP-ADMIN | SAP-HANA | 22 | TCP | SSH admin access | Permanent |

No public IPs on SAP VMs

Access via Bastion / IAP only

OS Login + MFA recommended


| # | Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- | --- |
| 7 | SAP-CSAP | SAP-HANA | 30013 | TCP | HANA SQL |
| 8 | SAP-CSAP | SAP-HANA | 30015 | TCP | HANA System |
| 9 | SAP-CSAP | SAP-HANA | 30041 | TCP | HANA Internal |

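
The following drift check is an added example, not part of the original document: it compares an exported GCP firewall rule list against the approved flows in rows 1, 2, 7, 8 and 9 of the numbered matrix above. It assumes SAP-ADMIN, SAP-CSAP and SAP-HANA are network tags (lowercased here); the rule names and the export are constructed sample data using the field names of the Compute Engine firewall resource.

```python
# Approved flows from the numbered matrix: (source tag, target tag, protocol, port).
# Assumption: SAP-ADMIN / SAP-CSAP / SAP-HANA are GCP network tags (lowercased).
APPROVED = {
    ("sap-admin", "sap-csap", "tcp", 22),
    ("sap-admin", "sap-hana", "tcp", 22),
    ("sap-csap", "sap-hana", "tcp", 30013),
    ("sap-csap", "sap-hana", "tcp", 30015),
    ("sap-csap", "sap-hana", "tcp", 30041),
}

# Constructed sample, shaped like parsed `gcloud compute firewall-rules list --format=json`.
SAMPLE_EXPORT = [
    {"name": "sap-admin-ssh", "direction": "INGRESS", "sourceTags": ["sap-admin"],
     "targetTags": ["sap-csap", "sap-hana"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "csap-to-hana", "direction": "INGRESS", "sourceTags": ["sap-csap"],
     "targetTags": ["sap-hana"], "allowed": [{"IPProtocol": "tcp", "ports": ["30013-30015"]}]},
    {"name": "legacy-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["sap-csap"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def expand_ports(spec):
    """Expand a port entry such as "22" or "30013-30015" into integers."""
    low, _, high = spec.partition("-")
    return range(int(low), int(high or low) + 1)

def flows(rule):
    """Yield every (source, target, protocol, port) flow an ingress allow rule permits."""
    sources = rule.get("sourceTags", []) + rule.get("sourceRanges", [])
    for allow in rule.get("allowed", []):
        # An entry without "ports" allows every port of that protocol.
        for spec in allow.get("ports", ["0-65535"]):
            for port in expand_ports(spec):
                for src in sources:
                    for dst in rule.get("targetTags", ["*"]):
                        yield (src, dst, allow["IPProtocol"], port)

def audit(rules):
    """Return (unapproved flows with their rule name, approved flows no rule provides)."""
    seen, extra = set(), []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        for flow in flows(rule):
            seen.add(flow)
            if flow not in APPROVED:
                extra.append((rule["name"], flow))
    return extra, sorted(APPROVED - seen)
```

On the sample, the port range in `csap-to-hana` opens 30014 (not in the matrix) and omits 30041, and `legacy-ssh` exposes port 22 to a source outside the admin tag; both appear in the audit result.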
| Source | Destination | Port | Protocol | Firewall | Description | Justification |
| --- | --- | --- | --- | --- | --- | --- |
| ? | [Link] | 22 | TCP | Internal | Connection from Application server to LTLFT Server | This is needed to transfer logs and other files |
