Updated on 2022-03-04 GMT+08:00

Security Group Planning

Security group planning must meet the communication requirements between the SAP nodes, the management plane, and the internal communication plane. Configure the security groups together with your network department. For details about the ports SAP requires in security group rules, see TCP/IP ports used by SAP Applications.

You can configure the security group by referring to Table 1, Table 2, and Table 3.

The network segments and IP addresses below are for reference only. The following security group rules are recommended best practices; you can configure your own security group rules as needed.

In the following tables, ## stands for the SAP S/4HANA instance ID. Ensure that this ID is the same as the one specified when you installed the SAP S/4HANA software.

Table 1 Security group rules (SAP Application Server nodes)

| Direction | Source | Protocol | Port range | Description |
|---|---|---|---|---|
| Inbound | 10.0.3.0/24 | TCP | 32## | Allows SAP GUI to access SAP S/4HANA. |
| Inbound | 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access the SAP application server. |
| Inbound | 10.0.3.0/24 | TCP | 33## and 48## | Ports used by CPIC and RFC. |
| Inbound | 10.0.3.0/24 | TCP | 22 | Allows SAP S/4HANA to be accessed using SSH. |
| Inbound | 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP S/4HANA. |
| Inbound | Determined by the public cloud | ANY | ANY | Created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | 0.0.0.0/0 | ANY | ANY | Created by the system by default. Allows SAP S/4HANA to access all peers. |

Table 2 Security group rules (SAP ASCS nodes)

| Direction | Source | Protocol | Port range | Description |
|---|---|---|---|---|
| Inbound | 10.0.3.0/24 | TCP | 36## | Message server port, set by the profile parameter rdisp/msserv. |
| Inbound | 10.0.3.0/24 | TCP | 5##13 to 5##14 | Allows ASCS to access the SAP application server. |
| Inbound | 10.0.3.0/24 | TCP | 33## and 38## | Ports used by CPIC and RFC. |
| Inbound | 10.0.3.0/24 | TCP | 22 | Allows SAP S/4HANA to be accessed using SSH. |
| Inbound | 10.0.3.0/24 | UDP | 123 | Allows other servers to synchronize time with SAP S/4HANA. |
| Inbound | Determined by the public cloud | ANY | ANY | Created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | 0.0.0.0/0 | ANY | ANY | Created by the system by default. Allows SAP S/4HANA to access all peers. |

Table 3 Security group rules (NAT Server nodes)

| Direction | Source | Protocol | Port range | Description |
|---|---|---|---|---|
| Inbound | 0.0.0.0/0 | TCP | 22 | Allows users to access the NAT server using SSH. |
| Inbound | Determined by the public cloud | ANY | ANY | Created by the system by default. Allows ECSs in the same security group to communicate with each other. |
| Outbound | 0.0.0.0/0 | ANY | ANY | Created by the system by default. Allows the NAT server to access all peers. |
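As an added example (not part of the original page or of any cloud provider's tooling), a small Python helper that expands the ## placeholder used in the port specs of the tables above for a given instance ID, turns table rows into concrete rules, and flags any inbound rule left open to all sources on all ports. The transcribed Table 1 rows, the instance ID 00, and the function and field names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    source: str       # source CIDR, as in the tables
    protocol: str     # "TCP", "UDP" or "ANY"
    port_from: int    # 1..65535; (1, 65535) encodes "ANY"
    port_to: int
    description: str

def expand_ports(spec, instance_id):
    """Expand '32##', '5##13 to 5##14', '33## and 48##' or 'ANY' into (low, high) ranges."""
    if not re.fullmatch(r"\d{2}", instance_id):
        raise ValueError("SAP instance ID must be exactly two digits")
    if spec.strip().upper() == "ANY":
        return [(1, 65535)]
    ranges = []
    for part in re.split(r"\s+and\s+", spec.replace("##", instance_id)):
        m = re.fullmatch(r"(\d+)(?:\s+to\s+(\d+))?", part.strip())
        if not m:
            raise ValueError(f"unrecognised port spec: {part!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range: {part!r}")
        ranges.append((low, high))
    return ranges

# Inbound rows of Table 1 (SAP Application Server nodes), transcribed for this example.
APP_SERVER_INBOUND = [
    ("10.0.3.0/24", "TCP", "32##", "SAP GUI to SAP S/4HANA"),
    ("10.0.3.0/24", "TCP", "5##13 to 5##14", "ASCS to SAP application server"),
    ("10.0.3.0/24", "TCP", "33## and 48##", "CPIC and RFC"),
    ("10.0.3.0/24", "TCP", "22", "SSH"),
    ("10.0.3.0/24", "UDP", "123", "time synchronization"),
]

def build_rules(rows, instance_id, direction="inbound"):
    """Turn (source, protocol, port spec, description) rows into one Rule per port range."""
    return [Rule(direction, src, proto, low, high, desc)
            for src, proto, spec, desc in rows
            for low, high in expand_ports(spec, instance_id)]

def wide_open_inbound(rules):
    """Planning sanity check: inbound rules that accept any source on every port."""
    return [r for r in rules if r.direction == "inbound"
            and r.source == "0.0.0.0/0" and (r.port_from, r.port_to) == (1, 65535)]
```

With instance ID 00, `build_rules(APP_SERVER_INBOUND, "00")` yields six rules (3200, 50013-50014, 3300, 4800, 22 and 123), and `wide_open_inbound` returns an empty list for them.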