Security Group Planning
The security group plan must meet the communication requirements between SAP nodes, the management plane, and the internal communication plane. Configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP Applications.
You can configure the security group by referring to Table 1, Table 2, and Table 3.
The network segments and IP addresses are for reference only. The following security group rules are recommended best practices. You can configure your own security group rules as needed.
In the following tables, ## stands for the SAP S/4HANA instance ID. Ensure that this ID is the same as the one specified when you installed the SAP S/4HANA software.

| Source | Protocol | Port range | Description |
|---|---|---|---|
| Inbound | | | |
| 10.0.3.0/24 | TCP | 32## | Allows SAP GUI to access SAP S/4HANA. |
| 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access SAP application server. |
| 10.0.3.0/24 | TCP | 33## and 48## | The ports are used by CPIC and RFC. |
| 10.0.3.0/24 | TCP | 22 | Allows SAP S/4HANA to be accessed using SSH. |
| 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP S/4HANA. |
| Determined by the public cloud | ANY | ANY | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | ANY | ANY | The security group rule is created by the system by default. Allows SAP S/4HANA to access all peers. |

| Source | Protocol | Port range | Description |
|---|---|---|---|
| Inbound | | | |
| 10.0.3.0/24 | TCP | 36## | Message Port with profile parameter rdisp/msserv |
| 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access SAP Application Server. |
| 10.0.3.0/24 | TCP | 33## and 38## | The ports are used by CPIC and RFC. |
| 10.0.3.0/24 | TCP | 22 | Allows SAP S/4HANA to be accessed using SSH. |
| 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP S/4HANA. |
| Determined by the public cloud | ANY | ANY | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | ANY | ANY | The security group rule is created by the system by default. Allows SAP S/4HANA to access all peers. |

| Source | Protocol | Port range | Description |
|---|---|---|---|
| Inbound | | | |
| 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Determined by the public cloud | ANY | ANY | The security group rule is created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | | | |
| 0.0.0.0/0 | ANY | ANY | The security group rule is created by the system by default. Allows the NAT server to access all peers. |
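
The `##` placeholder in the port ranges above has to be replaced with the instance ID before any rule can be created. The following Python sketch is an added example, not part of the original documentation: it expands the inbound rows of the first table into concrete port ranges and lists any rule whose source is 0.0.0.0/0 so it can be reviewed before it is applied. The sample instance ID `00`, the two-digit format check, and the rule dictionary field names are assumptions and do not correspond to any cloud API.

```python
import re

# Inbound rows copied from the first table on this page; "##" is the instance ID.
INBOUND_TEMPLATE = [
    ("10.0.3.0/24", "TCP", "32##"),
    ("10.0.3.0/24", "TCP", "5##13 to 5##14"),
    ("10.0.3.0/24", "TCP", "33## and 48##"),
    ("10.0.3.0/24", "TCP", "22"),
    ("10.0.3.0/24", "UDP", "123"),
]

def expand_ports(template, instance_id):
    """Turn a port cell such as '5##13 to 5##14' into [(low, high), ...]."""
    # Assumption: the instance ID is exactly two digits, as in '00'.
    if not re.fullmatch(r"\d{2}", instance_id):
        raise ValueError("instance ID must be exactly two digits, e.g. '00'")
    ranges = []
    for part in template.replace("##", instance_id).split(" and "):
        bounds = [int(p) for p in part.split(" to ")]
        low, high = bounds[0], bounds[-1]
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"invalid port range in {template!r}")
        ranges.append((low, high))
    return ranges

def build_rules(rows, instance_id):
    """Expand every template row into one concrete rule per port range."""
    rules = []
    for source, protocol, ports in rows:
        for low, high in expand_ports(ports, instance_id):
            # Field names are hypothetical, chosen for this example only.
            rules.append({"direction": "inbound", "source": source,
                          "protocol": protocol,
                          "port_min": low, "port_max": high})
    return rules

def open_to_world(rules):
    """Return rules whose source is 0.0.0.0/0, for review before applying."""
    return [r for r in rules if r["source"] == "0.0.0.0/0"]

if __name__ == "__main__":
    for rule in build_rules(INBOUND_TEMPLATE, "00"):  # "00" is a sample ID
        print(rule)
```
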