Starting on 30 May 2024, Azure Databricks will begin using new control plane service components. This will affect the egress and ingress IP addresses that the Azure Databricks control plane uses. If you use a firewall or proxy appliance to restrict user access to the Azure Databricks control plane, and/or to control outbound access to your resources, you will need to update your access rules to include the new IP addresses. Otherwise, user access to the Azure Databricks control plane, including the web app, may be blocked, and the control plane's access to your resources may be blocked.
Please have the admin in your organization responsible for network security for the Azure Databricks platform review the information below.
What's changing
To support infrastructure improvements, Azure Databricks is deploying new components for our control plane service. These changes will improve multi-zonal availability and routing infrastructure for our web app and control plane.
Beginning on 30 May 2024, this means that:
- We will update the ingress Azure Databricks Control Plane Public IPs and associated Azure Service Tags. These are the IP addresses listed for each region under “Control Plane IPs, including webapp”.
- We will update the egress Azure Databricks Control Plane Public IPs and associated Azure Service Tags. These are the IP addresses listed for each region under the Service “Control Plane NAT”.
Action required
- If you have access rules on your firewall or gateway appliance to restrict access to Azure Databricks Control Plane ingress IPs, you will need to update the rules to include the new IP addresses for your region. See link in resources.
- Note that if you use Azure Service Tags in your Azure Firewall, we will update the existing service tags to include the new IP addresses and no action is required with regard to the first item above. If you are using Azure Firewall but not leveraging service tags today, we recommend you migrate to using service tags if possible. See link in resources.
- If you have access rules in any resource firewall or proxy that restrict access from Azure Databricks Control Plane egress IPs, you will need to update the rules to include the new “Control Plane NAT” IP addresses. See link in resources.
Resources
- The list of all Azure Databricks control plane ingress IP addresses that must be included in your user/service access policies can be found here, under “Control Plane IPs, including webapp” for your region(s)
- The list of all Azure Databricks control plane egress IP addresses that must be included in your resource firewall policies can be found here, under “Control Plane NAT” for your region(s)
- More information on using Azure Service Tags can be found here
If you have any questions or require additional support, please comment below or open a support ticket with Azure Databricks.
Thank you,
Azure Databricks
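
One way to run the rule check asked for under "Action required", as an added example that is not from Azure Databricks: it reads a file shaped like the Azure Service Tags JSON download and lists the published prefixes that the current allowlist does not fully cover. The sample JSON, the allowlist and all addresses are constructed (documentation ranges), and the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample shaped like the Azure Service Tags JSON download
# (values[].name, values[].properties.addressPrefixes). The prefixes are
# documentation ranges, not real Azure Databricks addresses.
SERVICE_TAGS_JSON = """
{"values": [
  {"name": "AzureDatabricks",
   "properties": {"addressPrefixes": [
     "192.0.2.0/28", "198.51.100.16/28", "203.0.113.64/26", "2001:db8:10::/48"]}},
  {"name": "Storage",
   "properties": {"addressPrefixes": ["192.0.2.128/25"]}}
]}
"""

# Constructed current allowlist, as exported from a firewall or proxy.
CURRENT_ALLOWLIST = ["192.0.2.0/24", "198.51.100.16/29", "203.0.113.64/26"]


def tag_prefixes(doc, tag_name):
    """Return the address prefixes published for one service tag."""
    for entry in doc["values"]:
        if entry["name"].lower() == tag_name.lower():
            prefixes = entry["properties"]["addressPrefixes"]
            return [ipaddress.ip_network(p) for p in prefixes]
    raise KeyError(f"service tag {tag_name!r} not present in file")


def uncovered(required, allowlist):
    """Return required prefixes not fully contained in any single allowlist entry."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for net in required:
        # Compare within the same IP version only; subnet_of() rejects a mix.
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            missing.append(str(net))
    return missing


def check(tag_name="AzureDatabricks"):
    """Run the comparison on the embedded sample data."""
    required = tag_prefixes(json.loads(SERVICE_TAGS_JSON), tag_name)
    return uncovered(required, CURRENT_ALLOWLIST)


if __name__ == "__main__":
    for prefix in check():
        print("not covered by current rules:", prefix)
```

A prefix that is covered only by several adjacent rules taken together is still reported as missing, so the output errs toward flagging rules for review.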