Security Group Planning
SAP Security Group Planning
The security group planning needs to meet the requirements for communication between SAP nodes over the management plane and internal communication plane. You need to configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP applications.
You can configure the security group by referring to Table 1.
- Plan the network segments and IP addresses based on the site requirements. The following security group rules are for reference only. You can configure your own security group rules as needed.
- In the following table, ## stands for the SAP instance number, which must be consistent with the instance number specified when the SAP software is installed.
Source/Destination |
Protocol |
Port Range |
Description |
|---|---|---|---|
Inbound |
|||
Automatically specified by the system |
All |
All |
Security group rule created by the system by default It enables ECSs in the same security group to communicate with each other. |
10.10.0.0/24 |
TCP |
32## |
Allows SAP GUI to access SAP. |
10.10.0.0/24 |
TCP |
36## |
Message port with profile parameter rdisp/msserv |
10.10.0.0/24 |
TCP |
5##13 ~ 5##14 |
Allows ASCS to access SAP application server. |
10.10.0.0/24 |
TCP |
33##, 38##, 48## |
Port used by CPIC and RFC |
10.10.0.0/24 |
TCP |
22 |
Allows SAP to be accessed using SSH. |
10.10.0.0/24 |
TCP |
123 |
Allows other servers to synchronize time with SAP. |
Outbound |
|||
All |
All |
All |
Security group rule created by the system by default Allows SAP to access all peers. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
