https://community.databricks.com/t5/data-engineering/databricks-workspace-unknow-ip-access/m-p/153058#M53922 <P>Azure monitor log showing unknow ip authentication requests to Databricks workspace .</P><P>&nbsp;</P><P>-- When searched ip below url, result showing its from <STRONG>AZURE CLOUD : &lt;Region&gt; </STRONG>(the region is same as workspace)</P><P><A href="https://azureipranges.azurewebsites.net/SearchFor" target="_blank" rel="noopener">https://azureipranges.azurewebsites.net/SearchFor</A></P><P>&nbsp;</P><P>-- But Not present IN IP below docs</P><P>&nbsp; --&gt; Not directly present in azure ip ranges:</P><P><A href="https://www.microsoft.com/en-us/download/details.aspx?id=56519" target="_blank" rel="noopener">Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center</A></P><P>--&gt;Control plane ip ranges:</P><P><A href="https://learn.microsoft.com/en-us/azure/databricks/resources/ip-domain-region" target="_blank" rel="noopener">IP addresses and domains for Azure Databricks services and assets - Azure Databricks | Microsoft Learn</A></P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; - How can we identify which resource is associated with this IP address?</P><UL><LI>Which specific Azure Databricks resource is this IP attempting to access (e.g., cluster, table, Unity Catalog, etc.)?</LI><LI>How can we determine whether this access request is legitimate or suspicious?</LI><LI>Could you provide a step-by-step process to validate and confirm these details?</LI></UL><P>&nbsp;</P> Thu, 02 Apr 2026 14:43:47 GMT ittzzmalind 2026-04-02T14:43:47Z https://community.databricks.com/t5/data-engineering/databricks-workspace-unknow-ip-access/m-p/153058#M53922 <P>Azure monitor log showing unknow ip authentication requests to Databricks workspace .</P><P>&nbsp;</P><P>-- When searched ip below url, result showing its from <STRONG>AZURE CLOUD : &lt;Region&gt; </STRONG>(the region is same as workspace)</P><P><A href="https://azureipranges.azurewebsites.net/SearchFor" target="_blank" rel="noopener">https://azureipranges.azurewebsites.net/SearchFor</A></P><P>&nbsp;</P><P>-- But Not present IN IP below docs</P><P>&nbsp; --&gt; Not directly present in azure ip ranges:</P><P><A href="https://www.microsoft.com/en-us/download/details.aspx?id=56519" target="_blank" rel="noopener">Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center</A></P><P>--&gt;Control plane ip ranges:</P><P><A href="https://learn.microsoft.com/en-us/azure/databricks/resources/ip-domain-region" target="_blank" rel="noopener">IP addresses and domains for Azure Databricks services and assets - Azure Databricks | Microsoft Learn</A></P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; - How can we identify which resource is associated with this IP address?</P><UL><LI>Which specific Azure Databricks resource is this IP attempting to access (e.g., cluster, table, Unity Catalog, etc.)?</LI><LI>How can we determine whether this access request is legitimate or suspicious?</LI><LI>Could you provide a step-by-step process to validate and confirm these details?</LI></UL><P>&nbsp;</P> Thu, 02 Apr 2026 14:43:47 GMT https://community.databricks.com/t5/data-engineering/databricks-workspace-unknow-ip-access/m-p/153058#M53922 ittzzmalind 2026-04-02T14:43:47Z https://community.databricks.com/t5/data-engineering/databricks-workspace-unknow-ip-access/m-p/153075#M53928 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/223614">@ittzzmalind</a>,</P> <P>Because the IP is in the same Azure region but not listed in the Azure Databricks control plane ranges, it’s very likely not a Databricks owned control plane IP. It’s typically either a<SPAN>&nbsp;</SPAN><SPAN>user or service</SPAN><SPAN> coming from another Azure resource (VPN, VM, VDI, NAT gateway, firewall, etc.), or a</SPAN><SPAN>&nbsp;</SPAN><SPAN>3rd-party/SaaS or other tenant</SPAN><SPAN> hosted in Azure.</SPAN></P> <P>You generally can’t map an IP directly to "this Databricks cluster/table/UC object" from IP lists alone. Instead, you need to correlate identity + audit logs... Would recommend the below steps unless you have already checked it out..</P> <P>Check Microsoft Entra ID --&gt; Sign-in logs filtered by that IP and the Azure Databricks application. This shows which user/service principal is authenticating, from what device/location, and whether sign-ins are succeeding or failing.</P> <P>Use Databricks audit logs (system tables like system.access.audit or exported audit logs in Log Analytics) and filter on that IP. From fields like service_name, action_name, request_uri, clusterId / sqlWarehouseId / UC object names, you can see whether it’s accessing clusters, jobs, Unity Catalog, tables, etc. It is easy to query the system tables. Let me know if you want a simple query to get this from system tables.</P> <P>Compare identity vs. expected users/service principals,&nbsp;IP vs. your known NAT/firewall/VPN IPs, and actions vs. what that identity should normally be doing (and when).</P> <P>If it’s an unknown identity from an unknown Azure IP doing unusual or failing actions, treat it as suspicious and consider blocking it via context-based ingress controls, workspace IP access lists, or your firewall, and rotate any involved credentials.</P> <P class="p1"><FONT size="2" color="#FF6600"><STRONG><I>If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.</I></STRONG></FONT><I></I></P> Thu, 02 Apr 2026 16:09:53 GMT https://community.databricks.com/t5/data-engineering/databricks-workspace-unknow-ip-access/m-p/153075#M53928 Ashwin_DSA 2026-04-02T16:09:53Z