HDInsight management IP addresses
This article lists the IP addresses used by Azure HDInsight health and management services. If you use network security groups (NSGs) or user-defined routes (UDRs), you may need to add some of these IP addresses to the allow list for inbound network traffic.
In most cases, you can now use service tags in network security groups instead of adding IP addresses by hand. IP addresses will not be published for new Azure regions; those regions will only have published service tags, and the static management IP addresses listed here will eventually be deprecated.
If you use NSGs or UDRs to control inbound traffic to your HDInsight cluster, you must ensure that the cluster can still communicate with the Azure health and management services it depends on. Some of the IP addresses for these services are region-specific, and some apply to all Azure regions. If you aren't using custom DNS, you also need to allow traffic from the Azure DNS service.
If you need IP addresses for a region not listed here, use the Service Tag Discovery API to look up the service tag for your region. If you are unable to use the API, download the service tag JSON file and search it for your region.
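The service tag JSON file is a flat list of tag entries, each carrying a name (such as `HDInsight.CanadaCentral`) and its address prefixes. The following script is an added example, not code from the original article or from Microsoft: it looks up the prefixes behind a tag, lists the tags published for one system service, and checks whether a given source IP falls inside a tag. The embedded `SAMPLE_SERVICE_TAGS` document mirrors the file's layout but its prefixes are constructed placeholders, not Microsoft's published ranges.

```python
"""Read an Azure service-tag JSON file and answer "which prefixes does this tag cover?"
and "is this IP inside the tag?".

Added example, not part of the original article. SAMPLE_SERVICE_TAGS is a constructed
stand-in for the downloaded ServiceTags_Public_<date>.json file: the structure
(top-level "values", each entry with "name" and "properties.addressPrefixes") matches the
real file, the prefixes are placeholders.
"""
import ipaddress
import json

SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "HDInsight",
            "id": "HDInsight",
            "properties": {
                "region": "",
                "systemService": "HDInsight",
                "addressPrefixes": ["203.0.113.0/26", "198.51.100.128/25"],
            },
        },
        {
            "name": "HDInsight.CanadaCentral",
            "id": "HDInsight.CanadaCentral",
            "properties": {
                "region": "canadacentral",
                "systemService": "HDInsight",
                "addressPrefixes": ["203.0.113.0/28", "2001:db8:10::/48"],
            },
        },
        {
            "name": "AzureCloud.CanadaCentral",
            "id": "AzureCloud.CanadaCentral",
            "properties": {
                "region": "canadacentral",
                "systemService": "AzureCloud",
                "addressPrefixes": ["192.0.2.0/24"],
            },
        },
    ],
})


def prefixes_for_tag(service_tags_json, tag_name):
    """Return the address prefixes of one service tag as ip_network objects.

    The comparison is case-insensitive because the file writes 'HDInsight.CanadaCentral'
    while CLI output and NSG rules often carry the lower-case form.
    """
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"].lower() == tag_name.lower():
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} is not present in this file")


def tags_for_service(service_tags_json, system_service="HDInsight"):
    """List every tag name published for a system service (global tag plus regional ones)."""
    doc = json.loads(service_tags_json)
    return [
        entry["name"]
        for entry in doc["values"]
        if entry["properties"].get("systemService", "").lower() == system_service.lower()
    ]


def covered_by_tag(service_tags_json, tag_name, ip):
    """True if ip lies inside any prefix of the tag (IPv4/IPv6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes_for_tag(service_tags_json, tag_name))


if __name__ == "__main__":
    # Typical use: confirm that a source IP seen in flow logs belongs to the regional tag
    # before adding it, or the tag, to an NSG allow rule.
    print(tags_for_service(SAMPLE_SERVICE_TAGS))
    print(covered_by_tag(SAMPLE_SERVICE_TAGS, "hdinsight.canadacentral", "203.0.113.5"))
```

In practice, replace `SAMPLE_SERVICE_TAGS` with the contents of the downloaded file and use the regional tag name for your cluster's region; the global `HDInsight` tag is a superset of the regional ones and is the safer choice when a region is not listed.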
The following sections discuss the specific IP addresses that must be allowed.
Azure DNS service
If you're using the Azure-provided DNS service, allow access from 168.63.129.16 on port 53. This is the fixed virtual public IP address that Azure uses for DNS and other platform services in every region. For more information, see the Name resolution for VMs and Role instances document. If you're using custom DNS, skip this step.
Health and management services: All regions
Allow traffic from the following IP addresses for Azure HDInsight health and management services, which apply to all Azure regions:
| Source IP address | Destination | Direction |
|---|---|---|
Health and management services: Specific regions
Allow traffic from the IP addresses listed for the Azure HDInsight health and management services in the specific Azure region where your resources are located:
If the Azure region you are using is not listed, use the service tag feature for network security groups instead.
| Country | Region | Allowed source IP addresses | Allowed destination | Direction |
|---|---|---|---|---|
| Canada | Canada Central | 18.104.22.168, 22.214.171.124 | *:443 | Inbound |
| China | China North 2 | 126.96.36.199, 188.8.131.52 | *:443 | Inbound |
| China | China East 2 | 184.108.40.206, 220.127.116.11 | *:443 | Inbound |
| United Kingdom | UK West | 18.104.22.168, 22.214.171.124 | *:443 | Inbound |
| United States | Central US | 126.96.36.199, 188.8.131.52 | *:443 | Inbound |
| United States | North Central US | 184.108.40.206, 220.127.116.11 | *:443 | Inbound |
| United States | West Central US | 18.104.22.168, 22.214.171.124 | *:443 | Inbound |
| United States | West US 2 | 126.96.36.199, 188.8.131.52 | *:443 | Inbound |
For information on the IP addresses to use for Azure Government, see the Azure Government Intelligence + Analytics document.
For more information, see Control network traffic.
If you're using user-defined routes (UDRs), add a route for the IP addresses above with the next hop type set to Internet, so that the cluster's return traffic to the health and management services leaves the virtual network directly instead of following your default route's next hop.
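NSG rules are evaluated by ascending priority with the platform's default rules last, and a route table picks the longest matching prefix, so a blanket "deny Internet" rule or a 0.0.0.0/0 route to an appliance can silently cut off the management services unless a more specific allow rule and route come first. The script below is an added example, not code from the original article or from Microsoft; it models both evaluations and reports which management IPs would be blocked. The rule and route dictionaries use the camelCase property names of `az network nsg rule list -o json` and `az network route-table route list -o json`, but every value, and the service-tag expansion table, is constructed for this example.

```python
"""Check an NSG rule set and a route table against the paths HDInsight management
traffic needs: inbound TCP 443 from the management IPs, Azure DNS on port 53, and a
return route whose next hop is Internet.

Added example, not part of the original article. All rules, routes and tag prefixes
below are constructed; only the property names and the platform default rules
(priorities 65000/65001/65500) follow Azure's real conventions.
"""
import ipaddress

# Constructed service-tag expansion (placeholders, not Microsoft's published ranges).
# "Internet" is approximated as the whole IPv4 space for this example.
TAG_PREFIXES = {
    "HDInsight": ["203.0.113.0/26"],
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# Platform default inbound rules, always evaluated after the custom rules.
# (The destination side of the rules is ignored in this model.)
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed custom rules: DNS and management allowed, then a blanket deny that sits
# before the platform defaults.
SAMPLE_RULES = [
    {"name": "AllowAzureDns", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "168.63.129.16", "destinationPortRange": "53"},
    {"name": "AllowHDInsightMgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["HDInsight"], "destinationPortRanges": ["443"]},
    {"name": "DenyInternet", "priority": 400, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
]

# Constructed UDR: everything to a firewall appliance, except the management prefix.
SAMPLE_ROUTES = [
    {"name": "default-to-firewall", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance"},
    {"name": "hdinsight-mgmt-direct", "addressPrefix": "203.0.113.0/26", "nextHopType": "Internet"},
]


def _prefix_matches(prefix, ip):
    """True if an NSG source prefix ('*', a service tag, a single IP or a CIDR) covers ip."""
    if prefix == "*":
        return True
    if prefix in TAG_PREFIXES:
        return any(ip in ipaddress.ip_network(p) for p in TAG_PREFIXES[prefix])
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    """True if an NSG port range ('*', '443' or '1024-65535') covers port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def nsg_decision(rules, src_ip, dst_port, protocol):
    """Return (access, rule name) for an inbound flow: first match by ascending priority."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", protocol):
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
        ports = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
        if any(_prefix_matches(s, ip) for s in sources) and any(_port_matches(p, dst_port) for p in ports):
            return rule["access"], rule["name"]
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


def effective_next_hop(routes, dst_ip):
    """Longest-prefix match over the UDR; Azure's system route 0.0.0.0/0 -> Internet is the fallback."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_hop = -1, "Internet"
    for route in routes:
        net = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if ip in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, route["nextHopType"]
    return best_hop


def management_path_problems(rules, routes, mgmt_ips):
    """Map each blocked management IP to its reasons (NSG deny on 443, non-Internet return route)."""
    problems = {}
    for ip in mgmt_ips:
        reasons = []
        access, name = nsg_decision(rules, ip, 443, "Tcp")
        if access != "Allow":
            reasons.append(f"NSG: {name} denies TCP 443 from {ip}")
        hop = effective_next_hop(routes, ip)
        if hop != "Internet":
            reasons.append(f"UDR: return traffic to {ip} goes to {hop}, not Internet")
        if reasons:
            problems[ip] = reasons
    return problems


if __name__ == "__main__":
    # 198.51.100.7 stands in for a management IP that was never added to the tag or the route.
    print(management_path_problems(SAMPLE_RULES, SAMPLE_ROUTES, ["203.0.113.9", "198.51.100.7"]))
```

To run this against a real cluster, feed it the subnet's effective NSG rules and the route table attached to that subnet, and put the prefixes of the regional HDInsight tag (or the IPs from the tables above) into `TAG_PREFIXES`; any IP that comes back in the result will fail health reporting and cluster management.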