IP addresses and domains for Databricks services and assets

This article lists IP addresses and domains for Databricks services and assets.

You may need the following information if:

You create your Databricks workspaces in your own VPC, a feature known as customer-managed VPC.

See Configure a customer-managed VPC.
You use AWS PrivateLink within your Databricks network environment.

See Enable private connectivity using AWS PrivateLink.

Databricks control plane addresses

The following tables list the IP addresses or domain names the Databricks control plane uses for each supported region. Port 443 is used for all addresses except for the SCC relay for PrivateLink, which uses Port 6666.

Inbound IPs to Databricks control plane

Databricks Region	Service	Public IP or domain name
`ap-northeast-1`	Control plane services, including webapp	tokyo.cloud.databricks.com, 35.72.28.0/28
	SCC relay	tunnel.ap-northeast-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ap-northeast-1.cloud.databricks.com
`ap-northeast-2`	Control plane services, including webapp	seoul.cloud.databricks.com, 3.38.156.176/28
	SCC relay	tunnel.ap-northeast-2.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ap-northeast-2.cloud.databricks.com
`ap-south-1`	Control plane services, including webapp	mumbai.cloud.databricks.com, 65.0.37.64/28
	SCC relay	tunnel.ap-south-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ap-south-1.cloud.databricks.com
`ap-southeast-1`	Control plane services, including webapp	singapore.cloud.databricks.com, 13.214.1.96/28
	SCC relay	tunnel.ap-southeast-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ap-southeast-1.cloud.databricks.com
`ap-southeast-2`	Control plane services, including webapp	sydney.cloud.databricks.com, 3.26.4.0/28
	SCC relay	tunnel.ap-southeast-2.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ap-southeast-2.cloud.databricks.com
`ca-central-1`	Control plane services, including webapp	canada.cloud.databricks.com, 3.96.84.208/28
	SCC relay	tunnel.ca-central-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.ca-central-1.cloud.databricks.com
`eu-central-1`	Control plane services, including webapp	frankfurt.cloud.databricks.com, 18.159.44.32/28
	SCC relay	tunnel.eu-central-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.eu-central-1.cloud.databricks.com
`eu-west-1`	Control plane services, including webapp	ireland.cloud.databricks.com, 3.250.244.112/28
	SCC relay	tunnel.eu-west-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.eu-west-1.cloud.databricks.com
`eu-west-2`	Control plane services, including webapp	london.cloud.databricks.com, 18.134.65.240/28
	SCC relay	tunnel.eu-west-2.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.eu-west-2.cloud.databricks.com
`eu-west-3`	Control plane services, including webapp	paris.cloud.databricks.com, 13.39.141.128/28
	SCC relay	tunnel.eu-west-3.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.eu-west-3.cloud.databricks.com
`sa-east-1`	Control plane services, including webapp	saopaulo.cloud.databricks.com, 15.229.120.16/28
	SCC relay	tunnel.sa-east-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.sa-east-1.cloud.databricks.com
`us-east-1`	Control plane services, including webapp	nvirginia.cloud.databricks.com, 3.237.73.224/28
	SCC relay	tunnel.us-east-1.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.us-east-1.cloud.databricks.com
`us-east-2`	Control plane services, including webapp	ohio.cloud.databricks.com, 3.128.237.208/28
	SCC relay	tunnel.us-east-2.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.us-east-2.cloud.databricks.com
`us-gov-west-1`	Control plane services, including webapp	pendleton.cloud.databricks.us, 3.30.186.128/28
	SCC relay	tunnel.us-gov-west-1.cloud.databricks.us
	SCC relay for PrivateLink	tunnel.privatelink.us-gov-west-1.cloud.databricks.us
`us-gov-west-1` (DoD)	Control plane services, including webapp	pendleton-dod.cloud.databricks.mil
	SCC relay	tunnel.us-gov-west-1dod.cloud.databricks.mil
	SCC relay for PrivateLink	tunnel.privatelink.us-gov-west-1dod.cloud.databricks.mil
`us-west-1`	Control plane services, including webapp	oregon.cloud.databricks.com, 44.234.192.32/28
	SCC relay	tunnel.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.cloud.databricks.com
`us-west-2`	Control plane services, including webapp	oregon.cloud.databricks.com, 44.234.192.32/28
	SCC relay	tunnel.cloud.databricks.com
	SCC relay for PrivateLink	tunnel.privatelink.cloud.databricks.com

Outbound IPs from Databricks control plane

The following table list the outbound IP addresses or domain names the Databricks control plane uses for each supported region. Port 443 is used for all addresses except for the SCC relay for PrivateLink, which uses Port 6666.

Databricks Region	Service	Public IP or domain name
`ap-northeast-1`	Control plane NAT IPs	35.72.28.0/28, 18.177.16.95
	VPC ID	`vpc-082c211a3fdc5876e`, `vpc-0a9dd2f9a99283178`
`ap-northeast-2`	Control plane NAT IPs	3.38.156.176/28, 54.180.50.119
	VPC ID	`vpc-04e703ba94a49a3ac`, `vpc-097fd29f3acba52e8`
`ap-south-1`	Control plane NAT IPs	65.0.37.64/28, 13.232.248.161
	VPC ID	`vpc-042818d612f90f994`, `vpc-0a0c6fbd8a2890714`
`ap-southeast-1`	Control plane NAT IPs	13.214.1.96/28, 13.213.212.4
	VPC ID	vpc-01dcc0ded03337911`,` vpc-0e0baa0188c149eae`
`ap-southeast-2`	Control plane NAT IPs	3.26.4.0/28, 13.237.96.217
	VPC ID	`vpc-0c2c00de7182adc20`, `vpc-0a5b21c86d3fc89fa`
`ca-central-1`	Control plane NAT IPs	3.96.84.208/28, 35.183.59.105
	VPC ID	`vpc-0a2b384708459134f`, `vpc-09e67f3a27be71c9c`
`eu-central-1`	Control plane NAT IPs	18.159.44.32/28, 18.159.32.64
	VPC ID	`vpc-0fac49d340642f67b`, `vpc-0b6768aacb36c9425`
`eu-west-1`	Control plane NAT IPs	3.250.244.112/28, 46.137.47.49
	VPC ID	`vpc-0e362545addfa9470`, `vpc-0004e2691850f29b3`
`eu-west-2`	Control plane NAT IPs	18.134.65.240/28,3.10.112.150
	VPC ID	`vpc-07eb6b6a2cb9e77eb`, `vpc-0f0a9d76e15ca7eff`
`eu-west-3`	Control plane NAT IPs	13.39.141.128/28, 15.236.174.74
	VPC ID	`vpc-0b6f443f7cefdcda2`, `vpc-01ed1436ea79be8f4`
`sa-east-1`	Control plane NAT IPs	15.229.120.16/28, 177.71.254.47
	VPC ID	`vpc-0b13bcae0aa721cbc`, `vpc-0717a4601f05c79d9`
`us-east-1`	Control plane NAT IPs	3.237.73.224/28, 54.156.226.103
	VPC ID	`vpc-0e8e0ec90d0f40c06`, `vpc-08fd12c62a6e0b1df`
`us-east-2`	Control plane NAT IPs	3.128.237.208/28, 18.221.200.169
	VPC ID	`vpc-0865fc77cf45f52b7`, `vpc-0ea50fe31af7760e4`
`us-gov-west-1`	Control plane NAT IPs	3.30.186.128/28, 3.30.245.130
	VPC ID	`vpc-0ab77b8381fdd5416`, `vpc-0b394a016af6d42ab`
`us-west-1`	Control plane NAT IPs	44.234.192.32/28, 52.27.216.188
	VPC ID	N/A
`us-west-2`	Control plane NAT IPs	44.234.192.32/28, 52.27.216.188
	VPC ID	`vpc-dc8086b9`, `vpc-0c51983cc62e5ce0b`

Addresses for artifact storage, log storage, system tables, and shared datasets buckets

Databricks Region	Service	Public IP or domain name
`ap-northeast-1`	Artifact storage bucket	`databricks-prod-artifacts-ap-northeast-1`
	Log storage bucket	`databricks-prod-storage-tokyo`
	System tables bucket	`system-tables-prod-ap-northeast-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-tokyo`
`ap-northeast-2`	Artifact storage bucket	`databricks-prod-artifacts-ap-northeast-2`
	Log storage bucket	`databricks-prod-storage-seoul`
	System tables bucket	`system-tables-prod-ap-northeast-2-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-seoul`
`ap-south-1`	Artifact storage bucket	`databricks-prod-artifacts-ap-south-1`
	Log storage bucket	`databricks-prod-storage-mumbai`
	System tables bucket	`system-tables-prod-ap-south-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-mumbai`
`ap-southeast-1`	Artifact storage bucket	`databricks-prod-artifacts-ap-southeast-1`
	Log storage bucket	`databricks-prod-storage-singapore`
	System tables bucket	`system-tables-prod-ap-southeast-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-singapore`
`ap-southeast-2`	Artifact storage bucket	`databricks-prod-artifacts-ap-southeast-2`
	Log storage bucket	`databricks-prod-storage-sydney`
	System tables bucket	`system-tables-prod-ap-southeast-2-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-sydney`
`ca-central-1`	Artifact storage bucket	`databricks-prod-artifacts-ca-central-1`
	Log storage bucket	`databricks-prod-storage-montreal`
	System tables bucket	`system-tables-prod-ca-central-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-montreal`
`eu-central-1`	Artifact storage bucket	`databricks-prod-artifacts-eu-central-1`
	Log storage bucket	`databricks-prod-storage-frankfurt`
	System tables bucket	`system-tables-prod-eu-central-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-frankfurt`
`eu-west-1`	Artifact storage bucket	`databricks-prod-artifacts-eu-west-1`
	Log storage bucket	`databricks-prod-storage-ireland`
	System tables bucket	`system-tables-prod-eu-west-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-ireland`
`eu-west-2`	Artifact storage bucket	`databricks-prod-artifacts-eu-west-2`
	Log storage bucket	`databricks-prod-storage-london`
	System tables bucket	`system-tables-prod-eu-west-2-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-london`
`eu-west-3`	Artifact storage bucket	`databricks-prod-artifacts-eu-west-3`
	Log storage bucket	`databricks-prod-storage-paris`
	System tables bucket	`system-tables-prod-eu-west-3-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-paris`
`sa-east-1`	Artifact storage bucket	`databricks-prod-artifacts-sa-east-1`
	Log storage bucket	`databricks-prod-storage-saopaulo`
	System tables bucket	`system-tables-prod-sa-east-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-saopaulo`
`us-east-1`	Artifact storage bucket	`databricks-prod-artifacts-us-east-1`
	Log storage bucket	`databricks-prod-storage-virginia`
	System tables bucket	`system-tables-prod-us-east-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-virginia`
`us-east-2`	Artifact storage bucket	`databricks-prod-artifacts-us-east-2`
	Log storage bucket	`databricks-prod-storage-ohio`
	System tables bucket	`system-tables-prod-us-east-2-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-ohio`
`us-gov-west-1`	Artifact storage bucket	`databricks-prod-artifacts-us-gov-west-1`
	Log storage bucket	`databricks-prod-storage-pendleton`
	System tables bucket	N/A
	Shared datasets bucket	`databricks-datasets-pendleton`
`us-gov-west-1` (DoD)	Artifact storage bucket	`databricks-prod-artifacts-us-gov-west-1`
	Log storage bucket	`databricks-prod-storage-pendleton-dod`
	System tables bucket	N/A
	Shared datasets bucket	`databricks-datasets-pendleton`
`us-west-1`	Artifact storage bucket	`databricks-prod-artifacts-us-west-2`
	Log storage bucket	`databricks-prod-storage-oregon`
	System tables bucket	`system-tables-prod-us-west-1-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-oregon`
`us-west-2`	Artifact storage bucket	`databricks-prod-artifacts-us-west-2`, `databricks-update-oregon`
	Log storage bucket	`databricks-prod-storage-oregon`
	System tables bucket	`system-tables-prod-us-west-2-uc-metastore-bucket`
	Shared datasets bucket	`databricks-datasets-oregon`

S3 addresses

To add the global S3 bucket service to a route or allow list, use the following address and port, regardless of region: s3.amazonaws.com:443

For regional S3 buckets, AWS provides an address and port for a regional endpoint (s3.<region-name>.amazonaws.com:443). Databricks recommends that you use a VPC endpoint instead. Databricks uses VPC IDs for accessing S3 buckets in the same region as the Databricks control plane, and NAT IPs for accessing S3 buckets in different regions from the control plane. See (Recommended) Configure regional endpoints.

STS addresses

To add the global STS (AWS Security Token Service) to a route or allow list, use the following address and port, regardless of region: sts.amazonaws.com:443

For regional STS, AWS provides an address and port for a regional endpoint (sts.<region-name>.amazonaws.com:443), but Databricks recommends that you use a VPC endpoint instead. See (Recommended) Configure regional endpoints.

Kinesis addresses

For the Kinesis service, AWS provides addresses and ports for regional endpoints as shown in the table below. However, Databricks recommends that you use a VPC endpoint instead. See (Recommended) Configure regional endpoints.

VPC region	Address	Port
`us-west-1`	kinesis-fips.us-west-2.amazonaws.com	443
All other regions	kinesis.<region-name>.amazonaws.com	443

RDS addresses for legacy Hive metastore

To add the Amazon RDS services used by Databricks to a route or allow list, use the following addresses.

VPC region	Address	Port
`ap-northeast-1`	mddx5a4bpbpm05.cfrfsun7mryq.ap-northeast-1.rds.amazonaws.com	3306
`ap-northeast-2`	md1915a81ruxky5.cfomhrbro6gt.ap-northeast-2.rds.amazonaws.com	3306
`ap-south-1`	mdjanpojt83v6j.c5jml0fhgver.ap-south-1.rds.amazonaws.com	3306
`ap-southeast-1`	md1n4trqmokgnhr.csnrqwqko4ho.ap-southeast-1.rds.amazonaws.com	3306
`ap-southeast-2`	mdnrak3rme5y1c.c5f38tyb1fdu.ap-southeast-2.rds.amazonaws.com	3306
`ca-central-1`	md1w81rjeh9i4n5.co1tih5pqdrl.ca-central-1.rds.amazonaws.com	3306
`eu-central-1`	mdv2llxgl8lou0.ceptxxgorjrc.eu-central-1.rds.amazonaws.com	3306
`eu-west-1`	md15cf9e1wmjgny.cxg30ia2wqgj.eu-west-1.rds.amazonaws.com	3306
`eu-west-2`	mdio2468d9025m.c6fvhwk6cqca.eu-west-2.rds.amazonaws.com	3306
`eu-west-3`	metastorerds-dbconsolidationmetastore-asda4em2u6eg.c2ybp3dss6ua.eu-west-3.rds.amazonaws.com	3306
`sa-east-1`	metastorerds-dbconsolidationmetastore-fqekf3pck8yw.cog1aduyg4im.sa-east-1.rds.amazonaws.com	3306
`us-east-1`	mdb7sywh50xhpr.chkweekm4xjq.us-east-1.rds.amazonaws.com	3306
`us-east-2`	md7wf1g369xf22.cluz8hwxjhb6.us-east-2.rds.amazonaws.com	3306
`us-gov-west-1`	metastorerds-dbconsolidationmetastore-a62zjvlsjzzp.c40ji7ukhesx.us-gov-west-1.rds.amazonaws.com	3306
`us-west-1`	mdzsbtnvk0rnce.c13weuwubexq.us-west-1.rds.amazonaws.com	3306
`us-west-2`	mdpartyyphlhsp.caj77bnxuhme.us-west-2.rds.amazonaws.com	3306

PrivateLink VPC endpoint services

To configure your workspace to use AWS PrivateLink, use the following table to determine your region’s VPC endpoint service domains. You can use any availability zone in your region.

The endpoint service identified as Workspace (including REST API) is used for both the front-end connection (user-to-workspace for web application and REST APIs) and the back-end connection (to connect to REST APIs). If you are implementing both front-end and back-end connections, use this same workspace VPC endpoint service for both use cases.

For more information, see Enable private connectivity using AWS PrivateLink.

Region	Create VPC endpoints to these regional VPC endpoint services
`ap-northeast-1`	Workspace (including REST API): `com.amazonaws.vpce.ap-northeast-1.vpce-svc-02691fd610d24fd64` Secure cluster connectivity relay: `com.amazonaws.vpce.ap-northeast-1.vpce-svc-02aa633bda3edbec0`
`ap-northeast-2`	Workspace (including REST API): `com.amazonaws.vpce.ap-northeast-2.vpce-svc-0babb9bde64f34d7e` Secure cluster connectivity relay: `com.amazonaws.vpce.ap-northeast-2.vpce-svc-0dc0e98a5800db5c4`
`ap-south-1`	Workspace (including REST API): `com.amazonaws.vpce.ap-south-1.vpce-svc-0dbfe5d9ee18d6411` Secure cluster connectivity relay: `com.amazonaws.vpce.ap-south-1.vpce-svc-03fd4d9b61414f3de`
`ap-southeast-1`	Workspace (including REST API): `com.amazonaws.vpce.ap-southeast-1.vpce-svc-02535b257fc253ff4` Secure cluster connectivity relay: `com.amazonaws.vpce.ap-southeast-1.vpce-svc-0557367c6fc1a0c5c`
`ap-southeast-2`	Workspace (including REST API): `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b87155ddd6954974` Secure cluster connectivity relay: `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b4a72e8f825495f6`
`ca-central-1`	Workspace (including REST API): `com.amazonaws.vpce.ca-central-1.vpce-svc-0205f197ec0e28d65` Secure cluster connectivity relay: `com.amazonaws.vpce.ca-central-1.vpce-svc-0c4e25bdbcbfbb684`
`eu-central-1`	Workspace (including REST API): `com.amazonaws.vpce.eu-central-1.vpce-svc-081f78503812597f7` Secure cluster connectivity relay: `com.amazonaws.vpce.eu-central-1.vpce-svc-08e5dfca9572c85c4`
`eu-west-1`	Workspace (including REST API): `com.amazonaws.vpce.eu-west-1.vpce-svc-0da6ebf1461278016` Secure cluster connectivity relay: `com.amazonaws.vpce.eu-west-1.vpce-svc-09b4eb2bc775f4e8c`
`eu-west-2`	Workspace (including REST API): `com.amazonaws.vpce.eu-west-2.vpce-svc-01148c7cdc1d1326c` Secure cluster connectivity relay: `com.amazonaws.vpce.eu-west-2.vpce-svc-05279412bf5353a45`
`eu-west-3`	Workspace (including REST API): `com.amazonaws.vpce.eu-west-3.vpce-svc-008b9368d1d011f37` Secure cluster connectivity relay: `com.amazonaws.vpce.eu-west-3.vpce-svc-005b039dd0b5f857d`
`sa-east-1`	Workspace (including REST API): `com.amazonaws.vpce.sa-east-1.vpce-svc-0bafcea8cdfe11b66` Secure cluster connectivity relay: `com.amazonaws.vpce.sa-east-1.vpce-svc-0e61564963be1b43f`
`us-east-1`	Workspace (including REST API): `com.amazonaws.vpce.us-east-1.vpce-svc-09143d1e626de2f04` Secure cluster connectivity relay: `com.amazonaws.vpce.us-east-1.vpce-svc-00018a8c3ff62ffdf`
`us-east-2`	Workspace (including REST API): `com.amazonaws.vpce.us-east-2.vpce-svc-041dc2b4d7796b8d3` Secure cluster connectivity relay: `com.amazonaws.vpce.us-east-2.vpce-svc-090a8fab0d73e39a6`
`us-gov-west-1`	Workspace (including REST API): `com.amazonaws.vpce.us-gov-west-1.vpce-svc-0f25e28401cbc9418` Secure cluster connectivity relay: `com.amazonaws.vpce.us-gov-west-1.vpce-svc-05f27abef1a1a3faa`
`us-gov-west-1` (DoD)	Workspace (including REST API): `com.amazonaws.vpce.us-gov-west-1.vpce-svc-05c210a2feea23ad7` Secure cluster connectivity relay: `com.amazonaws.vpce.us-gov-west-1.vpce-svc-08fddf710780b2a54`
`us-west-1`	PrivateLink connectivity is not supported for this region.
`us-west-2`	Workspace (including REST API): `com.amazonaws.vpce.us-west-2.vpce-svc-0129f463fcfbc46c5` Secure cluster connectivity relay: `com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb`

Databricks control plane addresses​

Inbound IPs to Databricks control plane​

Outbound IPs from Databricks control plane​

Addresses for artifact storage, log storage, system tables, and shared datasets buckets​

S3 addresses​

STS addresses​

Kinesis addresses​

RDS addresses for legacy Hive metastore​

PrivateLink VPC endpoint services​