Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists IP addresses and domains for Azure Databricks services and assets.
You may need this information if your Azure Databricks workspace is deployed to your own virtual network (VNet) and you use custom routes, also known as user-defined routes (UDR), to manage network traffic using a virtual appliance or firewall.
See User-defined route settings for Azure Databricks.
Databricks strongly recommends that you use the Azure Databricks service tag instead of specific IP addresses. Azure service tags represent a group of IP address prefixes from a given Azure service. The Azure Databricks service tag represents IP addresses for the required outbound connections to the Azure Databricks control plane, the secure cluster connectivity (SCC), and the Azure Databricks web application. Azure Databricks manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. This helps to prevent service outages due to IP changes and removes the need to periodically look up these IPs and update them.
Azure Databricks control plane addresses
The IP addresses you use to route network traffic depend on whether or not your Azure Databricks workspace uses secure cluster connectivity (SCC):
- Secure cluster connectivity enabled: use the SCC relay value and the Control Plane IPs, including default storage and webapp values for the workspace region. These values are in the Inbound to Azure Databricks control plane section.
- Secure cluster connectivity disabled : use the Control plane services, including default storage and webapp values for the workspace region from the Inbound to Azure Databricks control plane section and the Control Plane NAT values for the workspace region in the Outbound IPs from Azure Databricks control plane section.
Most regions have multiple IP address ranges for the control plane IPs, Webapp, and NAT. This is because those regions contain more infrastructure services than others. Your workspace will be assigned to infrastructure services at one IP address for the control plane NAT and one for the Webapp during workspace creation. Your workspace will not be accessible by the infrastructure services at the other IP addresses, because data and secrets are not shared between infrastructure services within a region. There are therefore no security issues with having multiple IP addresses specified in your network security groups.
Inbound to Azure Databricks control plane
Note
Databricks will deploy new components for our control plane service to improve security and zone support availability. To ensure uninterrupted service, you must add the new IPs by July 7th, 2025. Add new IPs for the following regions:
- China East 2
- China East 3
- China North 2
- China North 3
Warning
Always allowlist the provided domain names (FQDNs) for secure cluster connectivity (SCC) relay endpoints, rather than individual IP addresses. IP addresses behind these domains change periodically due to infrastructure updates and multi-availability zone deployments. Customers who allowlist specific IP addresses may experience service disruptions when infrastructure changes occur. If you must use IP addresses, implement automated DNS resolution and regularly update your firewall rules.
| Azure Databricks Region | Service | Public IP or domain name |
|---|---|---|
| China East 2 | Control Plane IPs, including default storage and webapp | 163.228.200.0/26, 52.130.1.64/29, 52.130.2.232/29 |
| SCC relay | tunnel.chinaeast2.databricks.azure.cn | |
| China East 3 | Control Plane IPs, including default storage and webapp | 163.228.32.0/26, 52.131.144.32/29, 52.130.1.64/32 |
| SCC relay | tunnel.chinaeast2.databricks.azure.cn | |
| China North 2 | Control Plane IPs, including default storage and webapp | 139.217.120.0/26, 52.130.16.112/29 |
| SCC relay | tunnel.chinanorth2.databricks.azure.cn | |
| China North 3 | Control Plane IPs, including default storage and webapp | 52.131.16.33/32, 52.131.16.35/32, 52.130.224.0/27, 52.131.16.32/29, 52.130.16.113/32 |
| SCC relay | tunnel.chinanorth3c2.databricks.azure.cn, tunnel.chinanorth2.databricks.azure.cn |
DBFS root storage IP address
To get IP addresses for DBFS root storage:
Go to the workspace instance in Azure portal.
Click the workspace's managed resource group name.
In the list of resources, find a storage account with the name in the format
dbstorage************and copy it.Get the endpoint domains, using the storage account name that you copied:
- Domain
<storage-account-name>.blob.core.chinacloudapi.cn. For example,dbstorage9875b57ac95c.blob.core.chinacloudapi.cn. - Domain
<storage-account-name>.dfs.core.chinacloudapi.cn. For example,dbstorage9875b57ac95c.dfs.core.chinacloudapi.cn.
- Domain
Look up the IP addresses for these domain names.
Create two UDRs to these IP addresses so that the UDRs route the traffic to the Azure Storage service.
Metastore, artifact Blob storage, system tables storage, log Blob storage, and Event Hubs endpoint IP addresses
To get the workspace-level Hive metastore, artifact Blob storage, system tables storage, log Blob storage, and Event Hubs IP addresses, you must use their domain names, provided in the following table, to look up the IP addresses.
| Azure Databricks Workspace Region | Service | FQDN | Port | Protocol |
|---|---|---|---|---|
| China East 2 | Metastore | consolidated-chinaeast2-prod-metastore-0.mysql.database.chinacloudapi.cn | 3306 | TCP |
| Artifact Blob storage primary | dbartifactsprodcne2.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Artifact Blob storage secondary | dbartifactsprodcnn2.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Log Blob storage | dblogprodchinaeast2.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Event Hubs endpoint | prod-chinaeast2-observabilityeventhubs.servicebus.chinacloudapi.cn | 9093 | TCP | |
| China East 3 | Metastore | consolidated-chinaeast3-prod-metastore-0.mysql.database.chinacloudapi.cn | 3306 | TCP |
| Artifact Blob storage primary | dbartifactsprodcne3.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Artifact Blob storage secondary | dbartifactsprodcne3.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Log Blob storage | dblogprodchinaeast3.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Event Hubs endpoint | prod-chinaeast2-observabilityeventhubs.servicebus.chinacloudapi.cn | 9093 | TCP | |
| China North 2 | Metastore | consolidated-chinanorth2-prod-metastore-0.mysql.database.chinacloudapi.cn | 3306 | TCP |
| Artifact Blob storage primary | dbartifactsprodcnn2.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Artifact Blob storage secondary | dbartifactsprodcnn2.blob.core.chinacloudapi.cn (identical to primary) | 443 | HTTPS | |
| Log Blob storage | dblogprodchinanorth2.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Event Hubs endpoint | prod-chinanorth2-observabilityeventhubs.servicebus.chinacloudapi.cn | 9093 | TCP | |
| China North 3 | Metastore | consolidated-chinanorth3-prod-metastore-0.mysql.database.chinacloudapi.cn consolidated-chinanorth3c2-prod-metastore-0.mysql.database.chinacloudapi.cn |
3306 | TCP |
| Artifact Blob storage primary | dbartifactsprodcnn3.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Artifact Blob storage secondary | dbartifactsprodcnn3.blob.core.chinacloudapi.cn (identical to primary) | 443 | HTTPS | |
| Log Blob storage | dblogprodchinanorth3.blob.core.chinacloudapi.cn | 443 | HTTPS | |
| Event Hubs endpoint | prod-chinanorth2-observabilityeventhubs.servicebus.chinacloudapi.cn prod-chinanorth3c2-observabilityEventHubs.servicebus.chinacloudapi.cn |
9093 | TCP |
Reserved IP ranges for Databricks internal use
Databricks reserves certain IP ranges for internal applications to avoid potential IP conflicts. Customers should avoid using these ranges in their network configurations:
- 127.187.216.0/24
- 192.168.216.0/24
- 198.18.216.0/24
These reserved IP ranges apply to all types of workspaces and all cluster types, including classic and serverless clusters, as well as Databricks Container Service clusters.
Databricks Container Service clusters
For Databricks Container Service (DCS) clusters, you should also avoid using the default Docker network range:
- 172.17.0.0/16
By reserving these IP ranges for Databricks internal use and avoiding the default Docker network range for DCS clusters, you can help prevent potential IP conflicts and ensure the smooth operation of your Databricks environment.