Updated on 2023-05-29 GMT+08:00

Security Group Planning

SAP Security Group Planning

Security group planning must meet the requirements for communication between SAP nodes over the management plane and the internal communication plane. Configure the security group together with the network department. For details about SAP's requirements for security group rules, see TCP/IP ports used by SAP applications.

You can configure the security group by referring to Table 1.

  • Plan the network segments and IP addresses based on the site requirements. The following security group rules are for reference only. You can configure your own security group rules as needed.
  • In the following table, ## stands for the SAP instance number, which must be consistent with the instance number specified when the SAP software is installed.

Table 1 SAP node security group rules

| Source/Destination | Protocol | Port Range | Description |
|---|---|---|---|
| Inbound | | | |
| Automatically specified by the system | All | All | Security group rule created by the system by default. It enables ECSs in the same security group to communicate with each other. |
| 10.10.0.0/24 | TCP | 32## | Allows SAP GUI to access SAP. |
| 10.10.0.0/24 | TCP | 36## | Message port with profile parameter rdisp/msserv |
| 10.10.0.0/24 | TCP | 5##13 ~ 5##14 | Allows ASCS to access SAP application server. |
| 10.10.0.0/24 | TCP | 33##, 38##, 48## | Port used by CPIC and RFC |
| 10.10.0.0/24 | TCP | 22 | Allows SAP to be accessed using SSH. |
| 10.10.0.0/24 | TCP | 123 | Allows other servers to synchronize time with SAP. |
| Outbound | | | |
| All | All | All | Security group rule created by the system by default. Allows SAP to access all peers. |
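
The following Python sketch is an added example, not part of the original guide. It expands the ## port templates from Table 1 for a given instance number and flags inbound TCP rules that are broader than the plan. The function names, the rule tuple layout, and the sample rules are assumptions made for illustration.

```python
import ipaddress
import re

# Port templates copied from Table 1; "##" is the SAP instance number.
TABLE1_INBOUND = [
    ("32##", "SAP GUI"),
    ("36##", "message port (rdisp/msserv)"),
    ("5##13 ~ 5##14", "ASCS to application server"),
    ("33##, 38##, 48##", "CPIC and RFC"),
    ("22", "SSH"),
    ("123", "time synchronization"),
]
PLANNED_SOURCE = ipaddress.ip_network("10.10.0.0/24")  # reference subnet from Table 1

def expand(template, instance):
    """Turn one Table 1 port template into a list of (low, high) port ranges."""
    if not re.fullmatch(r"\d{2}", instance):
        raise ValueError("SAP instance number must be two digits, 00-99")
    ranges = []
    for part in template.replace("##", instance).split(","):
        bounds = [int(p) for p in part.split("~")]
        ranges.append((bounds[0], bounds[-1]))
    return ranges

def planned_ports(instance):
    """Set of every TCP port Table 1 opens for the given instance number."""
    ports = set()
    for template, _ in TABLE1_INBOUND:
        for low, high in expand(template, instance):
            ports.update(range(low, high + 1))
    return ports

def audit(rules, instance):
    """Return findings for inbound TCP rules that go beyond the Table 1 plan."""
    allowed = planned_ports(instance)
    findings = []
    for cidr, low, high in rules:
        if not ipaddress.ip_network(cidr).subnet_of(PLANNED_SOURCE):
            findings.append((cidr, low, high, "source outside planned subnet"))
        extra = set(range(low, high + 1)) - allowed
        if extra:
            findings.append((cidr, low, high, f"{len(extra)} unplanned port(s)"))
    return findings

# Constructed sample rules (source CIDR, low port, high port), not from a real deployment.
SAMPLE_RULES = [("10.10.0.0/24", 3200, 3200), ("0.0.0.0/0", 22, 22), ("10.10.0.0/24", 3300, 3399)]
```

Calling `audit(SAMPLE_RULES, "00")` reports the SSH rule open to 0.0.0.0/0 and the 3300-3399 range, which covers 99 ports that Table 1 does not plan for instance 00.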