
SAP CPI IP Ranges for Cloud Foundry Environment

sinhasouvik
Participant

Hi Experts,

Our customer is not using Cloud Connector, so we need to enable the firewall by whitelisting SAP CPI IPs to connect to other on-premise systems or setting a never-expiring password in the SuccessFactors application.

Our CPI instances are in Cloud Foundry Environment.

I found out the help documents for Region specific IPs. Please find the document link below.

https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/f344a57233d34199b2123b9620d0bb41.html

As we know, for NEO identifying IP ranges is straightforward. But in Cloud Foundry there are two sections for identifying IPs, NAT IPs and LB IPs.

Our tenants are in the eu10 region. To avoid unnecessary whitelisting of IPs, could you please confirm the points below.

  • To set a never-expiring password in SuccessFactors, which IPs need to be whitelisted under "Password and Login policy settings": LB IPs, NAT IPs, or both?
  • For connecting to on-premise systems, which IPs need to be whitelisted: LB IPs, NAT IPs, or both?
  • What is the significance of cf-eu10-002 and cf-eu10-003 under the NAT IPs and LB IPs sections?

Please find the help doc screenshot as well for reference.

Regards,

Souvik

Accepted Solutions (0)

Answers (1)

D_Olderdissen
Advisor

Hi Souvik,

Well, I haven't configured this one myself. I would read the table as saying that you need to whitelist all NAT IPs (egress = outgoing) in the firewall.

Hyperscalers tend to think in availability zones. The way I read the table is that our EU10 is in one availability zone and the services we deploy can be in any of the three data centers CF-eu10-001..003. As you never know what component is currently residing in which specific DC (hyperscaler trademark), you will simply need to enable them all.

The standing recommendation for that reason is to use the Cloud Connector. It is "free", it is proven, used by many other customers, and you can nail it down much more nicely than you can with those lame IP addresses. Did your customer google ip-spoofing once? 😉

It might make sense to look into an mTLS setup for those outbound calls. That would make things a lot more secure than riding this old-school IP filtering.

What I don't get is where this SuccessFactors thing you mention comes from. Isn't OIDC or SAML Bearer Assertion one way to go?

Just my two cents.

Cheers,
Dirk