Security Group Rules
SAP HANA Security Group Planning
Table 1 describes the SAP HANA security group rules.
- The network segments and IP addresses are for reference only. The following security group rules are recommended practices. You can configure your own security group rules as needed.
- In the following table, ## stands for the SAP HANA instance ID, such as 00. The instance ID must be the same as that specified during SAP HANA software installation. For details about SAP HANA instance ID planning, see SAP HANA ECS Planning.
- For more information about the specific ports to be accessed by SAP software and security group rules, see SAP official documents.
|
Source/Destination |
Protocol |
Port Range |
Description |
|---|---|---|---|
|
Inbound |
|||
|
Automatically specified by the system |
All |
All |
Security group rule created by the system by default It enables ECSs in the same security group to communicate with each other. |
|
0.0.0.0 |
TCP |
22 |
Allows users to access the SAP HANA Studio using Secure Shell (SSH) protocol. This rule is required only when SAP HANA Studio is deployed on a Linux ECS. |
|
0.0.0.0 |
TCP |
3389 |
Allows users to access the SAP HANA Studio using Remote Desktop Protocol (RDP). This rule is required only when the SAP HANA Studio is deployed on a Windows ECS. |
|
10.0.0.0/24 |
TCP |
80 (HTTP) |
Allows users to access the NAT server using Hypertext Transfer Protocol (HTTP). |
|
10.0.0.0/24 |
TCP |
443 (HTTPS) |
Allows users to access the NAT server using Hypertext Transfer Protocol Secure (HTTPS). |
|
10.0.0.0/24 |
TCP |
1128-1129 |
Allows access to SAP Host Agent using SOAP/HTTP. |
|
10.0.0.0/24 |
TCP |
43## |
Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTPS. |
|
10.0.0.0/24 |
TCP |
80## |
Allows access to XS Engine from the 10.0.0.0/24 subnet using HTTP. |
|
10.0.0.0/24 |
TCP |
8080 |
Allows Software Update Manager (SUM) to access SAP HANA using HTTP. |
|
10.0.0.0/24 |
TCP |
8443 |
Allows Software Update Manager (SUM) to access SAP HANA using HTTPS. |
|
10.0.0.0/24 |
TCP |
3##13 |
Allows SAP HANA Studio to access SAP HANA. |
|
10.0.0.0/24 |
TCP |
3##15 |
Provides ports for the service plane. |
|
10.0.0.0/24 |
TCP |
3##17 |
Provides ports for the service plane. |
|
10.0.0.0/24 |
TCP |
5##13 |
Allows SAP HANA Studio to access sapstartsrv. |
|
Outbound |
|||
|
All |
All |
All |
Security group rule created by the system by default Allows SAP HANA to access all peers. |
SAP S/4HANA Security Group Planning
The security group planning needs to meet the requirements for communication between SAP nodes over the management plane and internal communication plane. You need to configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP applications.
You can configure the security group by referring to Table 2.
- Plan the network segments and IP addresses based on the site requirements. The following security group rules are recommended practices. You can configure your own security group rules as needed.
- In the following table, ## stands for the SAP S/4HANA instance ID, which must be consistent with the instance ID specified when the SAP S/4HANA software is installed.
|
Source/Destination |
Protocol |
Port Range |
Description |
|---|---|---|---|
|
Inbound |
|||
|
Automatically specified by the system |
All |
All |
Security group rule created by the system by default It enables ECSs in the same security group to communicate with each other. |
|
10.0.3.0/24 |
TCP |
32## |
Allows SAP GUI to access SAP S/4HANA. |
|
10.0.3.0/24 |
TCP |
36## |
Message Port with profile parameter rdisp/msserv |
|
10.0.3.0/24 |
TCP |
5##13 ~ 5##14 |
Allows ASCS to access SAP application server. |
|
10.0.3.0/24 |
TCP |
33##, 38##, 48## |
Port used by CPIC and RFC |
|
10.0.3.0/24 |
TCP |
22 |
Allows SAP S/4HANA to be accessed using SSH. |
|
10.0.3.0/24 |
TCP |
123 |
Allows other servers to synchronize time with SAP S/4HANA. |
|
Outbound |
|||
|
All |
All |
All |
Security group rule created by the system by default Allows SAP 4/HANA to access all peers. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
