Technology Blogs by SAP
showkath_naseem
Product and Topic Expert

When managing SAP HANA Cloud, network security is a critical responsibility for administrators. To keep your data and applications secure, SAP HANA Cloud offers flexible IP allowlisting options that let you control which IP addresses can access your instance. Currently, HANA Cloud supports three configurations for network access:

  1. Allow access only from Business Technology Platform (BTP) — the default setting.
  2. Allow access from all IP addresses — open access.
  3. Allow access only from specific, trusted IP addresses — customized access.


Why IP Allowlisting Matters

In a secure HANA Cloud environment, controlling who can connect to your instance is essential. Allowlisting IP addresses adds a layer of protection by limiting network access to only those addresses you deem trusted. This is especially important in production environments, where even minor security oversights can result in unintended exposure or unauthorized access.

For HANA Cloud admins, it’s recommended to use the most restrictive allowlisting option possible for their needs. Let’s explore the IP allowlisting options available and when to use each one.


1. Allow Only BTP IP Addresses

This option restricts access to IP addresses associated with Cloud Foundry within the same BTP region. When selected, only applications and tools within the SAP Business Technology Platform (BTP) Cloud Foundry environment in the same region as your HANA Cloud instance can connect.

  • Use Case: This option is ideal for instances that exclusively interact with BTP applications or tools. For example, a HANA instance in the EU10 region will only accept connections from Cloud Foundry IPs in EU10.

  • Limitation: Tools or applications located in different regions (e.g., a tool in US10 trying to connect to EU10) will not be able to access the instance. This restriction ensures a high degree of security by preventing external access from other BTP regions.

  • Recommendation: This is the default setting and is suited for applications tightly bound to a specific regional environment within BTP.


2. Allow All IP Addresses

This option opens access to the HANA Cloud instance from any IP address, effectively allowing worldwide connectivity.

  • Use Case: Use this setting only for instances requiring global access, such as development or testing environments where multiple teams across regions may need connectivity.

  • Limitation: This is the least secure option, as it does not restrict access based on IP addresses, which can expose your instance to unwanted traffic or attacks.

  • Recommendation: It’s generally recommended to avoid this option in production environments due to the high security risk. Only use it if absolutely necessary for unrestricted access, such as in short-term or non-critical environments.


3. Allow Specific IP Addresses and IP Ranges

This option allows you to specify trusted IP addresses or IP ranges (using CIDR notation) that can access your HANA Cloud instance. With this setup, only applications or users from these allowed addresses, as well as the default Cloud Foundry IPs in your region, can connect.

  • Use Case: This option is highly recommended, especially for production environments where you want to tightly control access and ensure that only known IPs can connect. For example, you might specify the IP range 192.168.1.0/24 to permit only addresses within this private range.

  • Flexibility: You can define multiple IP ranges to accommodate dynamic or changing IPs within a subnet. If Jenkins nodes or other services have dynamic IPs, consider using ranges like 172.17.0.0/24 to cover IPs that might vary across this subnet.

IP ranges are defined by CIDR (Classless Inter-Domain Routing) notation, which uses a suffix (like /24, /32, etc.) to determine how many IP addresses are included in a range. Here’s a brief overview of some common options and where you can learn more.

Common CIDR Notations and Their Ranges

  • /32: Single IP address (e.g., 192.168.1.1/32 includes only 192.168.1.1).
  • /31: Two IP addresses (typically used for point-to-point links).
  • /30: Four IP addresses (often used for very small networks).
  • /29: Eight IP addresses, e.g., 192.168.1.0 to 192.168.1.7.
  • /28: Sixteen IP addresses, e.g., 192.168.1.0 to 192.168.1.15.
  • /27: Thirty-two IP addresses, e.g., 192.168.1.0 to 192.168.1.31.
  • /26: Sixty-four IP addresses, e.g., 192.168.1.0 to 192.168.1.63.
  • /25: 128 IP addresses, e.g., 192.168.1.0 to 192.168.1.127.
  • /24: 256 IP addresses, covering a whole class C subnet, e.g., 192.168.1.0 to 192.168.1.255.
  • /16: 65,536 IP addresses (a full class B network), e.g., 192.168.0.0 to 192.168.255.255.
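To make the CIDR table above and the option 3 allowlist decision concrete, here is an added example (not code from the blog post or from SAP) that uses Python's standard `ipaddress` module to expand a CIDR block into its address range, check whether a connecting client address falls inside a constructed sample allowlist, and flag entries that silently turn option 3 back into "Allow all IP addresses". The allowlist entries and client addresses are constructed sample values, not real HANA Cloud or BTP addresses.

```python
import ipaddress
from typing import Iterable

# Constructed sample allowlist in the style of option 3 (specific IPs and ranges).
# These are illustrative values only, not real HANA Cloud or BTP NAT addresses.
SAMPLE_ALLOWLIST = [
    "192.168.1.0/24",   # the subnet used as the example in the blog post
    "172.17.0.0/24",    # Jenkins subnet whose node IPs vary
    "203.0.113.7/32",   # one fixed admin workstation (RFC 5737 test address)
]

def cidr_range(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, number of addresses) for a CIDR block.

    strict=False accepts a host address such as 192.168.1.1/32, or an unaligned
    base like 192.168.1.5/24, instead of raising ValueError.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def is_allowed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Model the allowlist check: the source address must fall inside at least one entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)

def audit_allowlist(allowlist: Iterable[str], max_size: int = 256) -> list[str]:
    """Flag entries that weaken the allowlist: a /0 block (equivalent to
    "Allow all IP addresses") or any range larger than max_size addresses."""
    findings = []
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address; same as 'Allow all IP addresses'")
        elif net.num_addresses > max_size:
            findings.append(f"{entry}: {net.num_addresses} addresses exceeds the {max_size}-address limit")
    return findings

if __name__ == "__main__":
    for cidr in ("192.168.1.1/32", "192.168.1.0/29", "192.168.1.0/24", "192.168.0.0/16"):
        print(cidr, "->", cidr_range(cidr))
    for ip in ("192.168.1.200", "172.17.0.42", "198.51.100.9"):
        print(ip, "allowed" if is_allowed(ip, SAMPLE_ALLOWLIST) else "denied")
    # A review of the sample list plus two overly broad entries an admin might paste in by mistake.
    print(audit_allowlist(SAMPLE_ALLOWLIST + ["0.0.0.0/0", "10.0.0.0/8"]))
```

Running the audit against a proposed allowlist before saving it in the instance settings catches the /0 and oversized ranges that the UI accepts without complaint.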

Where to Learn More

  1. Online CIDR Calculators:
    • Websites like CIDR.xyz or IP Calculator let you input any CIDR notation and show the full range of IPs it includes.
  2. Documentation and Tutorials:

  • Additional Configuration for Multi-Region Access: If you need to connect from different BTP regions, be sure to add the necessary NAT IP addresses for those regions to your allowlist.

  • Recommendation: This is the best practice for production environments, as it provides the highest level of control over network access.


Implementing User Group-Specific Connect Restrictions for IP Range Control

In SAP HANA Cloud, connect restrictions provide an additional layer of security by enabling administrators to apply tailored security policies for different user groups, enhancing overall network protection. These policies allow administrators to specify access conditions based on user roles, such as limiting administrator access to a particular IP range or granting technical users access only to specific applications.

These connect restrictions are enforced during the user authentication process. If a user group has connect restrictions in place, only members who meet these predefined access conditions will be able to connect. This ensures that access is not only role-based but also tightly controlled based on trusted networks and applications, reducing the risk of unauthorized access.

Reference: sap-hana-cloud-sap-hana-database-security-guide

Summary of Recommendations for HANA Cloud Admins

SAP HANA Cloud provides flexible and secure network options for controlling instance access:

  1. Use "Allow only BTP IP addresses" for single-region setups where only Cloud Foundry applications need access.
  2. Avoid "Allow all IP addresses" in production due to its open access policy, which can expose your instance to risk.
  3. "Allow specific IP addresses and IP ranges" is recommended for production environments, where security is essential. Use CIDR notation (like 192.168.1.0/24) to define trusted IP ranges efficiently.

By implementing strict IP allowlisting, HANA Cloud admins can secure their environments while maintaining flexibility in development, testing, and production scenarios. In any setup, remember that IP allowlisting alone is one part of your security toolkit—continue to monitor and manage access as part of a comprehensive security strategy.

 

Additional References:

sap-hana-cloud-network-and-security 

hana-cloud-domains-and-ip-ranges 

 

Thank you for reading this blog post. If you have found it beneficial in your learning journey, please consider giving it a ‘Like’, ‘Share’ it with your friends and followers, and ‘Follow’ me for more content like this. Your support means a lot to me!
If you encounter any problems, have feedback, or need help, feel free to leave a comment or contact the SAP Community for assistance.
https://www.linkedin.com/in/showkath/
2 Comments
Cocquerel
Active Contributor

I would also mention that it is possible to add IP address restrictions at user group level (see https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/connec... )

yannmiquel
Participant

Would it be possible to add the BTP IPs of another region? For instance, when we have HANA in eu11 and SAC in eu10, we have to maintain the IPs manually...