Security Group Planning
Security group planning must satisfy the communication requirements of the SAP nodes, the management plane, and the internal communication plane. Configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP Applications.
You can configure the security group by referring to Table 1, Table 2, and Table 3.
- The network segments and IP addresses are for reference only. The following security group rules are recommended practices. You can configure your own security group rules as needed.
- In the following tables, ## stands for the SAP NetWeaver instance ID. Ensure that this ID is the same as the one specified when you installed the SAP NetWeaver software.
| Source/Destination | Protocol | Port Range | Description |
|---|---|---|---|
| Inbound | | | |
| 10.0.3.0/24 | TCP | 32## | Allows SAP GUI to access SAP NetWeaver. |
| 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access SAP application server. |
| 10.0.3.0/24 | TCP | 33## and 48## | The ports are used by CPIC and RFC. |
| 10.0.3.0/24 | TCP | 22 | Allows SAP NetWeaver to be accessed using SSH. |
| 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP NetWeaver. |
| Determined by the public cloud | All | All | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | All | All | The security group rule is created by the system by default. Allows SAP NetWeaver to access all peers. |

| Source/Destination | Protocol | Port Range | Description |
|---|---|---|---|
| Inbound | | | |
| 10.0.3.0/24 | TCP | 36## | Specifies the message server ports. |
| 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access SAP Application Server. |
| 10.0.3.0/24 | TCP | 33## and 38## | The ports are used by CPIC and RFC. |
| 10.0.3.0/24 | TCP | 22 | Allows SAP NetWeaver to be accessed using SSH. |
| 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP NetWeaver. |
| Determined by the public cloud | All | All | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | All | All | The security group rule is created by the system by default. Allows SAP NetWeaver to access all peers. |

| Source/Destination | Protocol | Port Range | Description |
|---|---|---|---|
| Inbound | | | |
| 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Determined by the public cloud | All | All | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | All | All | The security group rule is created by the system by default. Allows the NAT server to access all peers. |
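
Added example (not part of the original documentation): expanding the ## placeholder in the inbound rules of the first two tables into concrete port numbers for a given instance ID, so the values can be checked before they are entered as security group rules. The function names, the `TEMPLATES` keys and the instance ID `00` are assumptions made for this illustration.

```python
import ipaddress
import re

# Inbound rule templates copied from the first two tables on this page.
# "##" is the SAP NetWeaver instance ID; the dict keys are illustrative names.
TEMPLATES = {
    "table1": [("tcp", "32##"), ("tcp", "5##13-5##14"), ("tcp", "33##"),
               ("tcp", "48##"), ("tcp", "22"), ("udp", "123")],
    "table2": [("tcp", "36##"), ("tcp", "5##13-5##14"), ("tcp", "33##"),
               ("tcp", "38##"), ("tcp", "22"), ("udp", "123")],
}

def expand_rules(table, instance_id, source="10.0.3.0/24"):
    """Return concrete (protocol, first_port, last_port, source) tuples."""
    if not re.fullmatch(r"[0-9]{2}", instance_id):
        raise ValueError("instance ID must be exactly two digits, e.g. '00'")
    net = ipaddress.ip_network(source)  # rejects malformed CIDRs and set host bits
    rules = []
    for proto, spec in TEMPLATES[table]:
        lo, _, hi = spec.replace("##", instance_id).partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"port range out of bounds: {spec}")
        rules.append((proto, first, last, str(net)))
    return rules

def open_to_any(rules):
    """Rules whose source is 0.0.0.0/0, listed so they can be reviewed."""
    return [r for r in rules if ipaddress.ip_network(r[3]).prefixlen == 0]

if __name__ == "__main__":
    for table in TEMPLATES:
        for proto, first, last, src in expand_rules(table, "00"):
            ports = str(first) if first == last else f"{first}-{last}"
            print(f"{table}: inbound {proto} {ports} from {src}")
```
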