nerdexam
Amazon

PAS-C01 · Question #58

A company's SAP solutions architect is configuring a network architecture for an SAP HANA multi-node environment. The company requires isolation of the logical network zones: client, internal, and sto

The correct answer is B. Attach a secondary elastic network interface to each instance for the internal communications C. Attach a secondary elastic network interface to each instance for the storage communications. D. Configure a security group with rules that allow only TCP connections within the security group on. SAP HANA multi-node environments require isolation of three logical network zones: client (application server to HANA communication), internal (HANA inter-node replication and communication), and storage (HANA to EBS volume I/O). On AWS with EC2, the way to achieve multi-zone net

Design of SAP Workloads on AWS

Question

A company's SAP solutions architect is configuring a network architecture for an SAP HANA multi-node environment. The company requires isolation of the logical network zones: client, internal, and storage. The database runs on X1 (memory optimized) Amazon EC2 instances and uses Amazon Elastic Block Store (Amazon EBS) volumes for persistent storage. Which combination of actions will provide the required isolation? (Choose three.)

Options

  • AAttach an AWS Network Firewall policy for each zone to the subnet for the node cluster.
  • BAttach a secondary elastic network interface to each instance for the internal communications
  • CAttach a secondary elastic network interface to each instance for the storage communications.
  • DConfigure a security group with rules that allow only TCP connections within the security group on
  • EConfigure a security group with rules that allow only TCP connections with the external customer
  • FConfigure a security group with rules that allow Non-Volatile Memory Express (NVMe) connections

How the community answered

(60 responses)
  • A
    3% (2)
  • B
    70% (42)
  • E
    8% (5)
  • F
    18% (11)

Explanation

SAP HANA multi-node environments require isolation of three logical network zones: client (application server to HANA communication), internal (HANA inter-node replication and communication), and storage (HANA to EBS volume I/O). On AWS with EC2, the way to achieve multi-zone network isolation without additional appliances is through multiple Elastic Network Interfaces (ENIs) per instance and security groups. (B) Attaching a secondary ENI dedicated to internal HANA communications separates inter-node traffic (scale-out replication, shared memory access) from client-facing traffic on the primary ENI. (C) Attaching another secondary ENI for storage communications isolates EBS I/O traffic to its own network interface, separating it from both client and internal zones. (D) Configuring a security group that allows only TCP connections within the security group enforces microsegmentation - only instances that are members of the security group can communicate with each other on the internal network, preventing unauthorized access. Option A (AWS Network Firewall policy per subnet) adds unnecessary cost and complexity for intra-cluster isolation. Option E (security group for external customers) describes client-zone access control but does not address the internal/storage isolation. Option F (NVMe connections in security group) is incorrect - EBS NVMe is a local virtualized block device that is not managed through security group rules.

Topics

#SAP HANA Networking#Network Isolation#EC2 Network Interfaces#Security Groups

Community Discussion

No community discussion yet for this question.

Full PAS-C01 Practice