
SAP CPI IP Ranges for Cloud Foundry Environment

SinhaSouvik
Active Participant

Hi Experts,

Our customer is not using Cloud Connector, so we need to enable the firewall by whitelisting SAP CPI IPs to connect to other on-premise systems or by setting a never-expiring password in the SuccessFactors application.

Our CPI instances are in Cloud Foundry Environment.

I found out the help documents for Region specific IPs. Please find the document link below.

https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/f344a57233d34199b2123b9620d0bb41.html

As we know, for NEO identifying IP ranges is clear-cut. But in Cloud Foundry there are two sections for identifying IPs, NAT IPs and LB IPs.

Our tenants are in the eu10 region. To avoid unnecessary whitelisting of IPs, could you please confirm the points below.

  • To set a never-expiring password in SuccessFactors, which IPs need to be whitelisted under "Password and Login policy settings": LB IPs, NAT IPs or both?
  • For connecting to on-premise systems, which IPs need to be whitelisted: LB IPs, NAT IPs or both?
  • What is the significance of cf-eu10-002 and cf-eu10-003 under the NAT IPs and LB IPs sections?

Please find the help doc screenshot as well for reference.

Regards,

Souvik

Update 2025:

  1. IP address allowlist for Cloud Integration: https://me.sap.com/notes/0002808441
  2. API Management IP allow listing: https://me.sap.com/notes/0003355225
  3. You want to receive notification about connectivity IP Address changes in regions from SAP Business Technology Platform: https://me.sap.com/notes/0003286695


Accepted Solutions (0)

Answers (2)

D_Olderdissen
Product and Topic Expert

Hi Souvik,

well, I haven't configured this one myself. I would read the table as saying that you need to whitelist all NAT IPs (egress = outgoing) in the firewall.

Hyperscalers tend to think in availability zones. The way I read the table is that our EU10 is in one availability zone and the services we deploy can be in any of the three data centers cf-eu10-001..003. As you never know what component is currently residing in what specific DC (hyperscaler trademark), you simply will need to enable them all.

The standing recommendation for that reason is to use the Cloud Connector. It is "free", it is proven, used by many other customers, and you can nail it down much more tightly than you can with those lame IP addresses. Did your customer google IP spoofing once? 😉

It might make sense to look into an mTLS setup for those outbound calls. That would make things a lot more secure than riding this old-school IP filtering.

What I don't get is where this SuccessFactors thing you mention comes from. Isn't OIDC or SAML Bearer Assertion one way to go?

Just my two cents.

Cheers,
Dirk
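As an added example (not code from the thread or from SAP), the following Python sketch applies Dirk's reading: merge the NAT (egress) ranges of all three cf-eu10 data centers into one allowlist, render firewall rules from it, and check the source addresses in firewall log lines against it. All CIDRs and log lines below are constructed placeholders (RFC 5737 documentation prefixes); the real ranges come from the SAP help page or SAP note linked in the question.

```python
import ipaddress

# Constructed placeholder table, NOT SAP's real cf-eu10 addresses. Fill it from
# the NAT / LB sections of the SAP help page or SAP note for your region.
IP_TABLE = {
    "cf-eu10-001": {"NAT": ["192.0.2.0/28"],  "LB": ["198.51.100.0/28"]},
    "cf-eu10-002": {"NAT": ["192.0.2.16/28"], "LB": ["198.51.100.16/28"]},
    "cf-eu10-003": {"NAT": ["192.0.2.32/28"], "LB": ["198.51.100.32/28"]},
}


def egress_allowlist(table, kind="NAT"):
    """Merge one kind of range (NAT = egress) across every data center of the region.

    A tenant's workload may run in any DC, so an on-premise firewall that must
    accept calls coming from CPI needs the NAT ranges of all DCs, not just one.
    Adjacent networks are collapsed so the rule set stays as small as possible."""
    nets = [ipaddress.ip_network(cidr) for dc in table.values() for cidr in dc[kind]]
    return list(ipaddress.collapse_addresses(nets))


def firewall_rules(allowlist, dst_host, dst_port=443):
    """Render one iptables-style accept rule per collapsed network (syntax is illustrative)."""
    return [f"-A INPUT -s {net} -d {dst_host} -p tcp --dport {dst_port} -j ACCEPT"
            for net in allowlist]


def unexpected_sources(allowlist, log_lines):
    """Return source IPs from 'src=<ip> ...' log lines that are outside the allowlist.

    Anything not inside a NAT (egress) range did not come from a CPI worker in
    this region and deserves a look, whatever it claims to be."""
    flagged = []
    for line in log_lines:
        src = ipaddress.ip_address(line.split("src=")[1].split()[0])
        if not any(src in net for net in allowlist):
            flagged.append(str(src))
    return flagged


# Constructed sample log lines: one CPI NAT address, one address from the LB
# section (not an egress source), and one unrelated address.
SAMPLE_LOG = [
    "src=192.0.2.5 dst=10.0.0.7 proto=tcp dport=443 action=accept",
    "src=198.51.100.3 dst=10.0.0.7 proto=tcp dport=443 action=accept",
    "src=203.0.113.9 dst=10.0.0.7 proto=tcp dport=443 action=accept",
]

if __name__ == "__main__":
    nat = egress_allowlist(IP_TABLE)
    print("\n".join(firewall_rules(nat, "10.0.0.7")))
    print("outside NAT allowlist:", unexpected_sources(nat, SAMPLE_LOG))
```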

Subit
Product and Topic Expert
To allow SCC to connect to BTP, it needs to have access to the hosts listed in the Network section of the Prerequisites according to your region, i.e., the IP allow-listing mechanism (firewall, proxy, etc.) on the Cloud Connector server should allow outbound (to BTP) traffic towards the hosts / IP addresses listed in the document. The port number is 443. There is no need to open a port in the firewall for inbound (from BTP) requests.
SinhaSouvik
Active Participant
  1. IP address allowlist for Cloud Integration: https://me.sap.com/notes/0002808441
  2. API Management IP allow listing: https://me.sap.com/notes/0003355225
  3. You want to receive notification about connectivity IP Address changes in regions from SAP Business Technology Platform: https://me.sap.com/notes/0003286695