
Add restriction when logging in to SAP Public Cloud

JastinC1
Explorer
0 Likes
236

Are there ways in restricting access to SAP Public Cloud using VPN or through IP Address?

Client would like to make sure that their users can access SAP Public Cloud using their company network.

dawid90
Contributor
0 Likes

Dear @JastinC1,

In Public Cloud you generally can’t put the system behind your own VPN the way you would with an IaaS/private landscape. SAP manages the environment and network edge, so you don’t get a customer-controlled network firewall/VPN termination in front of the tenant.

More details from SAP Community:

https://community.sap.com/t5/enterprise-resource-planning-q-a/how-to-setup-vpn-in-sap-s-4hana-cloud-...

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-conditional-auth...

IP-based restriction directly in SAP Cloud Identity Services (IAS) using Risk-Based / Conditional Authentication. IAS supports policies that can use IP ranges as conditions for allow/deny or step-up.

SAP Community guidance for Public Cloud calls out using IP-range risk-based authentication for this kind of restriction.

More details below:

https://community.sap.com/t5/enterprise-resource-planning-q-a/ip-listing-restriction-in-sap-s-4-hana...

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/what-is-identity-authentic...

https://community.sap.com/t5/technology-blog-posts-by-sap/how-to-define-risk-based-authentication-ru...

Important practical information:

  • You must use the public IP address seen on the internet (corporate NAT/VPN egress), not internal RFC1918 ranges like 10.x.x.x.
  • If you have proxies, make sure you allowlist the actual egress IPs users will appear from.

More details below:

https://community.sap.com/t5/technology-q-a/risk-based-authentication-in-sap-cis/qaq-p/13700362

https://me.sap.com/notes/0003469077

Summary:

If the requirement is that users must be on the company network, implement:

  • Corporate IdP Conditional Access (preferred, centralized) or
  • IAS Risk-Based/Conditional Authentication with an IP allowlist + default deny, and require VPN for offsite users so their egress IP matches the allowed range

Best Regards,

Dawid
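The following is an added example, not code from the answer above or from SAP. It models the policy logic the answer describes (ordered IP-range rules with allow/deny/step-up actions and a default deny) so that an administrator can sanity-check an allowlist before entering it into IAS: every range must be a public egress address, never an RFC1918 or other non-routable range, because IAS only ever sees the address the corporate NAT, proxy or VPN concentrator presents to the internet. The ranges used (203.0.113.0/24, 198.51.100.17, 192.0.2.0/24) are constructed documentation addresses standing in for real corporate egress; the rule format and action names are assumptions for this simulation and are not the IAS configuration API.

```python
import ipaddress

# Ranges that can never be the source address IAS sees from the internet, so an
# allowlist entry inside them is a configuration error rather than a policy:
# RFC1918, carrier-grade NAT, loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]

ACTIONS = ("allow", "deny", "two-factor")  # assumed action vocabulary for this model


def is_routable(cidr):
    """True if the range could plausibly be a public egress address seen by IAS."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        bad.version == net.version and net.subnet_of(bad) for bad in NON_ROUTABLE
    )


def validate_rules(rules):
    """Turn (cidr, action) pairs into (network, action), rejecting internal
    ranges and unknown actions before anything reaches the identity provider."""
    parsed = []
    for cidr, action in rules:
        if not is_routable(cidr):
            raise ValueError(f"{cidr}: internal range, IAS only sees the public egress address")
        if action not in ACTIONS:
            raise ValueError(f"{cidr}: unknown action {action!r}")
        parsed.append((ipaddress.ip_network(cidr, strict=False), action))
    return parsed


def evaluate(source_ip, rules, default="deny"):
    """First matching rule wins; an address matching no rule gets the default,
    which is 'deny' so that off-network users are blocked unless they come in
    through the VPN egress."""
    ip = ipaddress.ip_address(source_ip)
    for net, action in rules:
        if ip in net:
            return action
    return default


# Constructed rule set (documentation addresses as stand-ins for real egress IPs).
RULES = validate_rules([
    ("203.0.113.0/24", "allow"),      # head-office NAT egress
    ("198.51.100.17/32", "allow"),    # VPN concentrator egress
    ("192.0.2.0/24", "two-factor"),   # partner network: step-up instead of plain allow
])


if __name__ == "__main__":
    # Constructed sample logins as IAS would see them (public source address only).
    for ip in ("203.0.113.42", "198.51.100.17", "192.0.2.9", "8.8.8.8"):
        print(f"{ip:>16} -> {evaluate(ip, RULES)}")
    # A 10.x.x.x entry is caught at validation time, not silently ignored at login.
    print("10.0.0.0/8 routable:", is_routable("10.0.0.0/8"))
```

Run it once with the real egress addresses substituted in before touching the IAS risk-based authentication rules: a rule that passes `validate_rules` but still yields `deny` for a known on-network test login usually means the users are leaving through a proxy or secondary NAT whose egress address was not in the list.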