Technology Blogs by SAP
Vitaliy-R
Developer Advocate

"Dance like nobody is watching.
Secure like everyone is."


 

When you create a new instance of SAP HANA Cloud, a free trial instance for example, the system suggests "Deny all IP addresses (except SAP Cloud Platform)" by default.

But if you are like me and need to connect to your instance from clients, like Python code in Jupyter or local DBeaver IDE, then you need to allow external access to your instance: at least from your computer at the beginning. Allowing access from all IP addresses sounds tempting, but it is not the right path.

You may find an external IP address of your laptop, which other systems on the Internet see, using numerous services, like http://checkip.dyndns.org/ or https://whatismyipaddress.com/. My favorite is https://ifconfig.co/ip, especially for the fact that it can be used with command-line tools, as we will use later.

The IPv4 address shown is the address your Internet provider uses on its gateway to the public Internet.



Change allowed IP addresses from the command line


But then I switch to a corporate VPN and that changes my laptop's external IP address as seen in https://ifconfig.co/ip. Or I deploy a VM in a cloud that hosts a client who needs to connect to my SAP HANA Cloud instance. Or I travel to an event, where I need to present something (ok, this is purely hypothetical under the current circumstances...) In cases like these, my client programs cannot connect to my SAP HANA Cloud instance anymore as their IP addresses are not on the list.

For the sake of time, I might not want to go to the SAP Cloud Platform website and click through the UI to the place where I can add a new IP address. Or I might not even be able to run a web browser from a VM in a cloud.

Changing allowed IP addresses from the command line is a convenient way to do it in such cases.

Step 1. Find the IP address


Notes: I am using macOS here. You might need to adjust some commands when running them on different operating systems, but the approach should be the same.

I have CloudFoundry CLI cf version 7 already installed. Please note this version is not fully compatible with version 6.

To display the external IP of a machine I use curl or wget (e.g. Jupyter Docker images have only wget pre-installed) running on that machine:
curl ifconfig.co/ip

or
wget -qO- ifconfig.co/ip

Here is an example of both commands returning IP addresses before and after switching to a VPN on my laptop. I use both just for demo purposes; pick whichever you prefer and have available.


To illustrate: hdbsql can connect to the database at first, but once I switched to the VPN and my external IP address changed to 193.16.xxx.xxx, the connection is refused with the error message -10709: Connection failed (RTE:[89008] Socket closed by peer.

Step 2. Update the SAP HANA Cloud service


I have already logged in to the region/subaccount/space where my SAP HANA Cloud trial instance has been deployed and started, with:
cf login -a https://api.cf.eu10.hana.ondemand.com

The name of my instance is vital-hc-hana, which I can see either in the web UI or by running the command
cf s | grep "hana "


Now that I have the second IP address that needs to be enabled too, I can run the update-service command of the Cloud Foundry CLI program cf. We need to pass an array of IP addresses as the value of the whitelistIPs key in the payload {"data":{"whitelistIPs":[<IP addresses>]}}, given with the -c option to change the service definition.
cf update-service vital-hc-hana \
-c '{"data":{"whitelistIPs":["128.127.12.xxx", "193.16.224.xxx/24"]}}'

As a VPN address is usually selected from a range of addresses in a subnet, I am using the CIDR notation /24 for it in the command to match not just the current address, but also the IP addresses assigned in the future when I log in to the same VPN region.


Please note that the database instance is not available for a few minutes while the service instance is updated.
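
Steps 1 and 2 can be scripted so that whatever the IP lookup service returns is validated before it reaches the allow list. This is an added example, not code from the original post: the function names, the MIN_PREFIX policy (no range wider than /16), the `apply` argument and the script name are assumptions. The entries to keep are passed as arguments, in the same way the command above lists both addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, MIN_PREFIX and
# the script name in the usage line are assumptions.
MIN_PREFIX=${MIN_PREFIX:-16}   # assumed policy: refuse ranges wider than /16

# Succeeds only for dotted IPv4 with an optional /prefix in MIN_PREFIX..32.
valid_entry() {
  local ip="${1%%/*}" prefix="" o n=0
  case $1 in */*) prefix="${1#*/}"; [ -n "$prefix" ] || return 1 ;; esac
  # Digits and dots only; no empty or zero-padded octets.
  case $ip in ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;; esac
  local IFS=.
  for o in $ip; do
    n=$((n + 1))
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ] || return 1
  [ -z "$prefix" ] && return 0
  case $prefix in *[!0-9]*|???*|0?*) return 1 ;; esac
  [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ]
}

# Print {"data":{"whitelistIPs":[...]}}; drops duplicates, aborts on a bad entry.
build_payload() {
  local e list="" seen=" "
  for e in "$@"; do
    valid_entry "$e" || { echo "rejected entry: $e" >&2; return 1; }
    case $seen in *" $e "*) continue ;; esac
    seen="$seen$e "
    list="${list:+$list,}\"$e\""
  done
  [ -n "$list" ] || return 1
  printf '{"data":{"whitelistIPs":[%s]}}\n' "$list"
}

# Look up this machine's external IP over HTTPS and add it to the kept entries.
main() {
  local instance="$1" me payload; shift
  me=$(curl -fsS --max-time 10 https://ifconfig.co/ip) || return 1
  payload=$(build_payload "$@" "$me") || return 1
  echo "cf update-service $instance -c '$payload'"
  cf update-service "$instance" -c "$payload"
}

# Usage: sh allow_ip.sh apply <instance> [entries to keep...]
if [ "${1:-}" = "apply" ]; then shift; main "$@"; fi
```

With MIN_PREFIX at its assumed default, a /24 VPN range like the one above is accepted, while 0.0.0.0/0 or an HTML error page returned by the lookup service is rejected before cf is called.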

Step 3. Connect to the db instance



The goal is achieved and we can connect to the SAP HANA Cloud instance from a client on a machine with another IP address!

But that's not the end. If you are like me, then you should have a lot of questions in your head about what has just happened, how it worked, and what this notation was. All are good questions, and we will get geekier and dig into them in the next post.




Enjoy your weekend!
-Vitaliy (aka @Sygyzmundovych)