HDInsight management IP addresses

Important

Use the service tag feature for network security groups. New regions will only be added for service tags and the static IP addresses will eventually be deprecated.

If you use network security groups (NSGs) or user defined routes (UDRs) to control inbound traffic to your HDInsight cluster, you must ensure that your cluster can communicate with critical Azure health and management services. Some of the IP addresses for these services are region specific, and some of them apply to all Azure regions. You may also need to allow traffic from the Azure DNS service if you aren't using custom DNS.

The following sections discuss the specific IP addresses that must be allowed.

Azure DNS service

If you are using the Azure-provided DNS service, allow access from 168.63.129.16 on port 53. For more information, see the Name resolution for VMs and Role instances document. If you are using custom DNS, skip this step.

Health and management services: All regions

Allow traffic from the following IP addresses for Azure HDInsight health and management services which apply to all Azure regions:

Source IP address Destination Direction
168.61.49.99 *:443 Inbound
23.99.5.239 *:443 Inbound
168.61.48.131 *:443 Inbound
138.91.141.162 *:443 Inbound

Health and management services: Specific regions

Allow traffic from the IP addresses listed for the Azure HDInsight health and management services in the specific Azure region where your resources are located:

Important

If the Azure region you are using is not listed, then use the service tag feature for network security groups.

Country Region Allowed Source IP addresses Allowed Destination Direction
Asia East Asia 23.102.235.122
52.175.38.134
*:443 Inbound
  Southeast Asia 13.76.245.160
13.76.136.249
*:443 Inbound
Australia Australia East 104.210.84.115
13.75.152.195
*:443 Inbound
  Australia Southeast 13.77.2.56
13.77.2.94
*:443 Inbound
Brazil Brazil South 191.235.84.104
191.235.87.113
*:443 Inbound
Canada Canada East 52.229.127.96
52.229.123.172
*:443 Inbound
  Canada Central 52.228.37.66
52.228.45.222
*: 443 Inbound
China China North 42.159.96.170
139.217.2.219

42.159.198.178
42.159.234.157
*:443 Inbound
  China East 42.159.198.178
42.159.234.157

42.159.96.170
139.217.2.219
*:443 Inbound
  China North 2 40.73.37.141
40.73.38.172
*:443 Inbound
  China East 2 139.217.227.106
139.217.228.187
*:443 Inbound
Europe North Europe 52.164.210.96
13.74.153.132
*:443 Inbound
  West Europe 52.166.243.90
52.174.36.244
*:443 Inbound
France France Central 20.188.39.64
40.89.157.135
*:443 Inbound
Germany Germany Central 51.4.146.68
51.4.146.80
*:443 Inbound
  Germany Northeast 51.5.150.132
51.5.144.101
*:443 Inbound
India Central India 52.172.153.209
52.172.152.49
*:443 Inbound
  South India 104.211.223.67
104.211.216.210
*:443 Inbound
Japan Japan East 13.78.125.90
13.78.89.60
*:443 Inbound
  Japan West 40.74.125.69
138.91.29.150
*:443 Inbound
Korea Korea Central 52.231.39.142
52.231.36.209
*:443 Inbound
  Korea South 52.231.203.16
52.231.205.214
*:443 Inbound
United Kingdom UK West 51.141.13.110
51.141.7.20
*:443 Inbound
  UK South 51.140.47.39
51.140.52.16
*:443 Inbound
United States Central US 13.89.171.122
13.89.171.124
*:443 Inbound
  East US 13.82.225.233
40.71.175.99
*:443 Inbound
  North Central US 157.56.8.38
157.55.213.99
*:443 Inbound
  West Central US 52.161.23.15
52.161.10.167
*:443 Inbound
  West US 13.64.254.98
23.101.196.19
*:443 Inbound
  West US 2 52.175.211.210
52.175.222.222
*:443 Inbound

For information on the IP addresses to use for Azure Government, see the Azure Government Intelligence + Analytics document.

For more information, see the Controlling network traffic section.

If you are using user-defined routes (UDRs), you should specify a route and allow outbound traffic from the VNET to the above IPs with the next hop set to "Internet".

Next steps