SAP Knowledge Base Article - Public

3456052 - FAQ: About IP Addresses used in SAP Datasphere

Symptom

  • You have questions or require clarifications on the IP Allowlist topic in SAP Datasphere.
  • This is about the external SAP Datasphere IP address information required for adding them to an IP allowlist.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental. 

Environment

SAP Datasphere 

Resolution

For more information, see Obtain SAP Datasphere IP addresses For Allowlisting in Remote Systems | SAP Help Portal.

In SAP Datasphere, there are 3 groups of IP addresses relevant to allowlisting requirements:

  1. Replication/Data Flow NAT and LB IP (egress/ingress)

    • This is the egress and ingress IP used by Datasphere Replication Flows and Data Flows.
    • This IP can be found in the "About" popup.
    • To allow SAP Datasphere to access a protected remote system when using the corresponding connection with data flows or replication flows, the Replication/Data Flow NAT IP (egress) must be added to the allowlist in the remote system.
    • If you use SAP Datasphere with SAP Cloud Connector to access On-Premise data and the firewall blocks outbound traffic, allowlist the appropriate Replication/Data Flow LB IP (ingress) in the firewall rules.
          
  2. Outbound (from Datasphere) IP Addresses of Datasphere's HANA Cloud Database instance

    • This is the outbound IP address of the SAP Datasphere's HANA Cloud Database instance. 
    • These are used in the following 2 scenarios:
      • If connecting a REST remote source to the HANA Cloud instance through SDI (for example, OData Adapter), then the REST remote source is accessed using one of the NAT / egress IPs.
      • If connecting a remote source using SDA to the HANA Cloud instance, then the connection uses the NAT / egress IP in case the Cloud Connector is not used in the scenario.
    • This IP can be found under "SAP HANA Cloud NAT IP (egress)" in the "About" popup.
          
  3. Load Balancer IP Addresses of Datasphere's HANA Cloud Database    

    • These are the SAP Load Balancer (LB) IP addresses for incoming requests (ingress) to the Datasphere's HANA Cloud Database.
    • They are required for any connection established to SAP HANA Cloud including the Data Provisioning Agent and the SAP Cloud Connector.
    • Most connections to SAP Datasphere are through the LB/ingress IPs, with the exception of the 2 scenarios with NAT IPs explained above.
    • These IPs are NOT listed in the "About" popup but can be found in the SAP HANA Cloud Administration Guide Domains and IP Ranges.
      
  4. For connections using SAP Cloud Connector  

    • Add the Cloud Connector IP address in SAP Datasphere (System -> Configuration -> IP Allowlist -> Trusted Cloud Connector IPs).
    • If you are using egress firewalling, add the following domains (wildcard) to the firewall/proxy allowlist in your On-Premise network (where SCC is installed):
      • *.hanacloud.ondemand.com
      • *.k8s-hana.ondemand.com
    • Refer to Set up Cloud Connector in SAP Datasphere and Prerequisites -> Network for more details.
      

Q: Can we know the Kubernetes endpoint of SAP Datasphere in advance before Datasphere provisioning?

A: No. SAP Datasphere does not expose Kubernetes endpoints in advance. If you need this information for network allowlisting, there is no need to identify individual endpoints manually. The recommended approach is to follow the official guidance and allowlist the wildcard domains:

  • *.hanacloud.ondemand.com

  • *.k8s-hana.ondemand.com

Allowlisting *.k8s-hana.ondemand.com automatically covers all Kubernetes-related subdomains used by Datasphere.

However, some customers prefer to allowlist only specific endpoints instead of using the wildcard domain. In such cases, you can refer to the Replication/Data Flow NAT and LB IPs (egress/ingress) provided in the About section. Please note that this information becomes available only after the Datasphere tenant has been provisioned.
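The following is an added example, not SAP code, of how a proxy-side matcher could evaluate the two wildcard entries named in the Cloud Connector step and in this answer. The function names are hypothetical, the hostnames are constructed, and it assumes that `*.` matches one or more DNS labels, which varies by firewall or proxy product.

```python
# Added example: hostname matcher for the two wildcard entries on this page.
ALLOWLIST = ("*.hanacloud.ondemand.com", "*.k8s-hana.ondemand.com")


def normalize(host: str) -> str:
    """Lower-case and drop one trailing root dot so comparisons are canonical."""
    host = host.strip().lower()
    return host[:-1] if host.endswith(".") else host


def matches(host: str, pattern: str) -> bool:
    """Return True if host is covered by pattern.

    Assumption: '*.' stands for one or more DNS labels; some products
    match exactly one label instead.
    """
    host, pattern = normalize(host), normalize(pattern)
    if not host or any(not label for label in host.split(".")):
        return False  # reject empty hosts and empty labels such as 'a..b'
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # '.hanacloud.ondemand.com', leading dot kept
    # Keeping the leading dot forces a label boundary, so a name that merely
    # ends in the same characters (or the bare domain itself) does not match.
    return host.endswith(suffix)


def is_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    return any(matches(host, p) for p in allowlist)


# Constructed hostnames, not real tenant endpoints.
SAMPLES = [
    "example-tenant.region-x.hanacloud.ondemand.com",  # covered
    "API.Example.K8S-HANA.ondemand.com.",              # covered after normalizing
    "hanacloud.ondemand.com",                          # bare domain, not covered
    "lookalikehanacloud.ondemand.com",                 # no label boundary
    "hanacloud.ondemand.com.example.net",              # allowlisted name is not the suffix
]


def audit(samples=SAMPLES) -> dict:
    """Map each sample hostname to the allow/deny decision."""
    return {h: is_allowed(h) for h in samples}


if __name__ == "__main__":
    for host, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {host}")
```

Run the same sample names through the actual firewall or proxy rule to confirm it makes the same decisions, especially for the three names that must be denied.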

See Also

  • Both NAT IP and LB IP information can be checked in SAP HANA Cloud Administration Guide Domains and IP Ranges.

         

Keywords

Datasphere, IP Address, IP Addresses, outbound, whitelist, allow list, firewall, network, router, device , KBA , DS-DI-CON , Connections , CA-DI-EMB , Data Intelligence Embedded in Data Warehouse Cloud , How To

Product

SAP Datasphere all versions
