MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Metastore, artifact Blob storage, log Blob storage, DBFS root Blob storage, and Event Hub endpoint IPs can change over time. #57831

Closed pnarsi closed 1 year ago

pnarsi commented 4 years ago

The warning box on this page warns that the IP addresses of five of the services that we need to add to the Routing Table with a next hop of "Internet" can change over time.

How frequently will these IP addresses change? In theory, can they change several times within the same day, or are we talking about infrequent changes to the IP addresses, potentially once every few months?

Furthermore, the Databricks team, in a blog article, talks about an alternative solution where we use an Azure Firewall on a peered VNET with service endpoints to whitelist the specific FQDNs of these five service dependencies. The advantage of this is that we don't need to worry about changing IP addresses (at the cost of spinning up an Azure Firewall). Is this alternative setup suggested by Databricks something that Microsoft officially endorses?

Databricks blog entry on this topic: https://databricks.com/blog/2020/03/27/data-exfiltration-protection-with-azure-databricks.html



shashishailaj commented 4 years ago

@pnarsi Thank you for your feedback. We will investigate this and update the thread.

MartinJaffer-MSFT commented 4 years ago

While it is possible for the IPs to change 'several times within the same day', the changes on average are closer to the 'every few months' timescale than the 'several times within the same day' timescale. @pnarsi I will ask the author whether the approach is officially endorsed.

MartinJaffer-MSFT commented 4 years ago

@mamccrea can you please help me determine whether the solution hosted on the Databricks website is officially endorsed by Microsoft?

mikelor commented 4 years ago

Just wanted to add that we're experiencing a similar issue. It also looks like the doc was updated recently to add more artifact storage hostnames for the WestUS2 region.

I see two options:

  1. Implement the alternative solution as described on the Databricks blog (adds cost & complexity).
  2. Add UDR routes for all storage ranges in regions used, based on the Azure IP Range document, https://www.microsoft.com/en-us/download/details.aspx?id=56519 (which also changes over time).

Of course, my preferred option would be for MS to implement something that makes it all transparent to me.
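
The second option in the comment above stays correct only if the route table is re-checked whenever the range document changes. The following drift check is an added example, not part of the original thread and not Microsoft's or Databricks' code; the sample JSON is constructed in the layout of the Service Tags download using documentation prefixes, and `tag_prefixes`, `route_drift` and the list-of-CIDR-strings route input are hypothetical names.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure Service Tags JSON download.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real Azure ranges.
SAMPLE = json.loads("""
{"changeNumber": 2, "cloud": "Public", "values": [
  {"name": "Storage.WestUS2", "properties": {
     "region": "westus2", "systemService": "AzureStorage",
     "addressPrefixes": ["192.0.2.0/25", "198.51.100.0/24", "2001:db8::/48"]}},
  {"name": "EventHub.WestUS2", "properties": {
     "region": "westus2", "systemService": "AzureEventHub",
     "addressPrefixes": ["203.0.113.0/26"]}}
]}
""")


def tag_prefixes(doc, tag_names, version=4):
    """Return the published prefixes (one IP version) for the named service tags."""
    wanted = {name.lower() for name in tag_names}
    nets = set()
    for entry in doc["values"]:
        if entry["name"].lower() not in wanted:
            continue
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == version:
                nets.add(net)
    return nets


def route_drift(doc, tag_names, current_routes):
    """Compare UDR prefixes (hypothetical input: list of CIDR strings) with the
    published ranges. Returns (missing, stale) as sorted lists of CIDR strings:
    missing = published prefix not covered by any route,
    stale   = route that overlaps no published prefix."""
    published = tag_prefixes(doc, tag_names)
    routes = {ipaddress.ip_network(r, strict=False) for r in current_routes}
    routes = {r for r in routes if r.version == 4}
    missing = [p for p in published if not any(p.subnet_of(r) for r in routes)]
    stale = [r for r in routes if not any(r.overlaps(p) for p in published)]
    return sorted(map(str, missing)), sorted(map(str, stale))


if __name__ == "__main__":
    missing, stale = route_drift(SAMPLE, ["Storage.WestUS2"],
                                 ["192.0.2.0/24", "10.9.0.0/16"])
    print("add routes for:", missing)
    print("review/remove :", stale)
```

A stale entry still sends traffic to the "Internet" next hop for a range that is no longer published under that tag, so it is worth reviewing as well as the missing ones.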

mamccrea commented 4 years ago

reassign:mssaperla

kateglee-db commented 1 year ago

Thanks for your dedication to our documentation. Unfortunately, we have been unable to address your issue and apologize for the delayed response. We are closing this issue, but if you feel that it's still a concern, please let us know directly at doc-feedback@databricks.com.

please-close

prmerger-automator[bot] commented 1 year ago

Invalid command: '#please-close'. Only Microsoft employees can use this command.

JasonWHowell commented 1 year ago

please-close