Security Group Planning
SAP Security Group Planning
Security group planning must meet the requirements for communication between SAP nodes over the management plane and the internal communication plane. Configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP applications.
You can configure the security group by referring to the following table.
- Plan the network segments and IP addresses based on the site requirements. The following security group rules are for reference only. You can configure your own security group rules as needed.
- In the following table, ## stands for the SAP instance number, which must be consistent with the instance number specified when the SAP software is installed. If there are multiple instance numbers, enter them in sequence.
Source | Protocol | Port Range | Description |
---|---|---|---|
Inbound | | | |
10.10.1.0/24 | TCP | 1-65535 | Allows instances to communicate with each other in the subnet. |
10.10.1.0/24 | TCP | 5##13 to 5##14 | Allows the SAP HANA Studio to access SAP HANA. |
10.10.1.0/24 | TCP | 3##00 to 3##10 | Communication in the database |
10.10.1.0/24 | TCP | 3##15 and 3##17 | DB Client access port |
10.10.1.0/24 | TCP | 111, 2049, 4000-4002 | For NFS communication |
10.10.1.0/24 | TCP | 40000-40001 | SAP Business One server port |
10.10.1.0/24 | TCP | 22 | Allows SAP to be accessed using SSH. |
10.10.1.0/24 | TCP | 43## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTPS. |
10.10.1.0/24 | TCP | 80## | Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTP. |
10.10.1.0/24 | TCP | 8080 (HTTP) | Allows Software Update Manager (SUM) to access SAP HANA using HTTP. |
10.10.1.0/24 | TCP | 8443 (HTTPS) | Allows Software Update Manager (SUM) to access SAP HANA using HTTPS. |
10.10.1.0/24 | TCP | 1128-1129 | Allows access to SAP Host Agent using SOAP/HTTP. |
Automatically specified by the system | ANY | ANY | Security group rule created by the system by default. Allows ECSs in the same security group to communicate with each other. |
Outbound | | | |
ANY | ANY | ANY | Security group rule created by the system by default. Allows SAP HANA to access all peers. |
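The following Python sketch is an added example, not part of the original documentation. It expands the `##` port templates from the table for one or more instance numbers and reports which ports of an existing rule fall outside the planned set. The function names, the instance numbers `00` and `01`, and the sample rules are constructed for illustration, and `##` is assumed to be exactly two digits.

```python
import re

# Port templates from the table above; "##" is the two-digit SAP instance number.
# The subnet-wide 1-65535 rule and the system-created rules are left out on purpose.
TEMPLATES = ["5##13-5##14", "3##00-3##10", "3##15", "3##17", "43##", "80##",
             "111", "2049", "4000-4002", "40000-40001", "22", "8080", "8443",
             "1128-1129"]

def expand(template, instance):
    """Substitute the instance number and return an inclusive (low, high) port pair."""
    if not re.fullmatch(r"[0-9]{2}", instance):
        raise ValueError(f"instance number must be two digits: {instance!r}")
    low, _, high = template.replace("##", instance).partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range from {template!r}")
    return low, high

def planned_ranges(instances):
    """Expand every template for every instance, then merge touching ranges."""
    raw = sorted({expand(t, i) for t in TEMPLATES for i in instances})
    merged = []
    for low, high in raw:
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged

def unplanned(rule, planned):
    """Return the parts of a rule's (low, high) range that no planned range covers."""
    low, high = rule
    gaps = []
    for p_low, p_high in planned:
        if p_high < low:
            continue
        if p_low > high:
            break
        if p_low > low:
            gaps.append((low, p_low - 1))
        low = p_high + 1
    if low <= high:
        gaps.append((low, high))
    return gaps

if __name__ == "__main__":
    plan = planned_ranges(["00", "01"])  # constructed: instances 00 and 01
    for rule in [(30015, 30015), (30000, 30017), (3389, 3389)]:  # constructed rules
        print(rule, "outside plan:", unplanned(rule, plan))
```

Run against the table's first inbound rule (TCP 1-65535 from the subnet), `unplanned` returns every port between the listed services, which shows that this rule makes the per-port rules redundant for that source.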