How to find Microsoft Purview Autoresolved IR Public IP

Question

How to find Microsoft Purview Autoresolved IR Public IP

Chan Ratiyaponpun 0

I'm trying to use Microsoft Purview's Autoresolved Integration Runtime (IR) to connect to and scan AWS Redshift.

To do this, I need to allow the IP address of the Autoresolved IR in the inbound rules of the Redshift security group on AWS.

I came across this Microsoft article: [https://learn.microsoft.com/en-us/answers/questions/630319/how-can-i-find-my-purviews-public-ip-address(maybe](https://learn.microsoft.com/en-us/answers/questions/630319/how-can-i-find-my-purviews-public-ip-address(maybe)

It suggests using IP ranges from specific service tags.

So I tried allowing the following IP ranges of these service tags in my Redshift security group:

DataFactory.{region}

AzureConnectors.{region}

MicrosoftPurviewPolicyDistribution

However, Purview still can't connect to Redshift using this configuration.

Note: If I temporarily allow all IP addresses, Purview can successfully connect to Redshift. So the issue seems to be that I'm not using the correct public IP(s) for the Autoresolved IR.

My question is:

How can I find the actual public IP addresses used by Microsoft Purview’s Autoresolved IR when it connects to AWS Redshift?

Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-13T09:49:44.08+00:00
Hi @Chan Ratiyaponpun

The issue you’re facing is because Microsoft Purview’s Autoresolved Integration Runtime (IR) uses dynamic public IP addresses managed by Microsoft, which are specific to your Azure region and regularly updated. While Azure service tags like DataFactory.{region} or AzureConnectors.{region} are useful within Azure, AWS security groups do not recognize or support these service tags directly.

This is why your Redshift connection fails unless you temporarily allow all IPs.

You can fix this:

Download Microsoft’s official Azure IP ranges JSON file here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

Open the file and search for the entries matching your Azure region’s service tags, such as:

DataFactory.<your-region>

AzureConnectors.<your-region>

Extract the listed IP ranges (CIDR blocks) under these tags.

Add those IP ranges to your AWS Redshift security group inbound rules on port 5439.

This will allow your Redshift cluster to accept traffic only from the actual public IPs used by Purview’s Autoresolved IR.
Microsoft updates these IP ranges weekly, so please review and update your AWS whitelist regularly. Alternatively, for more predictable IP control, you can deploy a Self-Hosted Integration Runtime within a VNet that has static outbound IPs and whitelist those instead.

kindly refer this:
https://learn.microsoft.com/en-us/azure/purview/network-overview

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

https://learn.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime
Could you please share your Azure region? I can help extract the exact IP ranges for you if you’d like.

I hope this helps! Please let us know how it goes.

If you found this useful, consider upvoting the comment so it can help others in the community too.
Chan Ratiyaponpun 0 Reputation points

2025-06-14T14:09:50.9266667+00:00

Hi @Anonymous @Krupal Bandari ,

Thank you kindly for the instructions.

However, I’ve already followed these steps you mentioned:

Downloaded Microsoft’s official Azure IP ranges JSON file from: https://www.microsoft.com/en-us/download/details.aspx?id=56519 Searched the file for service tags matching my Azure region, such as: DataFactory.<your-region> AzureConnectors.<your-region> Extracted the listed IP ranges (CIDR blocks) under these tags. Added those CIDR ranges to my AWS Redshift security group inbound rules (port 5439).

As I mentioned in my main thread, I included all CIDR ranges for both DataFactory.<your-region> and AzureConnectors.<your-region>, but Purview still can't connect to Redshift.

It seems the Auto-Resolved Integration Runtime (AutoResolve IR) used by Purview does not fall under these service tags.

I also tried MicrosoftPurviewPolicyDistribution, but it didn't work either.

That’s why I opened this thread — to ask:

What are the actual IP addresses or CIDR ranges used by Purview's AutoResolve IR when connecting to Redshift?
Chan Ratiyaponpun 0 Reputation points

2025-06-14T14:10:28.03+00:00

FYI, my region is south east asia
Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-16T01:40:41.4666667+00:00

Hi @Chan Ratiyaponpun Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-13T09:49:44.08+00:00

Hi @Chan Ratiyaponpun

The issue you’re facing is because Microsoft Purview’s Autoresolved Integration Runtime (IR) uses dynamic public IP addresses managed by Microsoft, which are specific to your Azure region and regularly updated. While Azure service tags like DataFactory.{region} or AzureConnectors.{region} are useful within Azure, AWS security groups do not recognize or support these service tags directly.

This is why your Redshift connection fails unless you temporarily allow all IPs.

You can fix this:

Download Microsoft’s official Azure IP ranges JSON file here: https://www.microsoft.com/en-us/download/details.aspx?id=56519

Open the file and search for the entries matching your Azure region’s service tags, such as:

DataFactory.<your-region>

AzureConnectors.<your-region>

Extract the listed IP ranges (CIDR blocks) under these tags.

Add those IP ranges to your AWS Redshift security group inbound rules on port 5439.

This will allow your Redshift cluster to accept traffic only from the actual public IPs used by Purview’s Autoresolved IR.
Microsoft updates these IP ranges weekly, so please review and update your AWS whitelist regularly. Alternatively, for more predictable IP control, you can deploy a Self-Hosted Integration Runtime within a VNet that has static outbound IPs and whitelist those instead.

kindly refer this:
https://learn.microsoft.com/en-us/azure/purview/network-overview

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

https://learn.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime
Could you please share your Azure region? I can help extract the exact IP ranges for you if you’d like.

I hope this helps! Please let us know how it goes.

If you found this useful, consider upvoting the comment so it can help others in the community too.
Chan Ratiyaponpun 0 Reputation points

2025-06-14T14:09:50.9266667+00:00

Hi @Anonymous @Krupal Bandari ,

Thank you kindly for the instructions.

However, I’ve already followed these steps you mentioned:

Downloaded Microsoft’s official Azure IP ranges JSON file from: https://www.microsoft.com/en-us/download/details.aspx?id=56519 Searched the file for service tags matching my Azure region, such as: DataFactory.<your-region> AzureConnectors.<your-region> Extracted the listed IP ranges (CIDR blocks) under these tags. Added those CIDR ranges to my AWS Redshift security group inbound rules (port 5439).

As I mentioned in my main thread, I included all CIDR ranges for both DataFactory.<your-region> and AzureConnectors.<your-region>, but Purview still can't connect to Redshift.

It seems the Auto-Resolved Integration Runtime (AutoResolve IR) used by Purview does not fall under these service tags.

I also tried MicrosoftPurviewPolicyDistribution, but it didn't work either.

That’s why I opened this thread — to ask:

What are the actual IP addresses or CIDR ranges used by Purview's AutoResolve IR when connecting to Redshift?
Chan Ratiyaponpun 0 Reputation points

2025-06-14T14:10:28.03+00:00

FYI, my region is south east asia
Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-16T01:40:41.4666667+00:00

Hi @Chan Ratiyaponpun Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Hi @Chan Ratiyaponpun
Thank you for confirming the steps and sharing your Azure region (Southeast Asia) .

You're absolutely right: currently, Microsoft Purview’s AutoResolve Integration Runtime (IR) does not fall under service tags like DataFactory, AzureConnectors, or MicrosoftPurviewPolicyDistribution. These tags do not cover all outbound traffic used by Purview when connecting to external sources like AWS Redshift.

To securely connect Purview to Redshift without allowing all IPs, the recommended approach is to:

Deploy a Self-Hosted Integration Runtime (SHIR)
Host it in your own Azure Virtual Network (in Southeast Asia).
Route outbound traffic through a NAT Gateway or assign a static public IP.
Add that public IP to your AWS Redshift security group (port 5439).
This gives you predictable IP control, which is not possible with AutoResolve IR since it's managed and shared across Microsoft tenants.

Further Information:

Microsoft does not publish a dedicated IP list for Purview AutoResolve IR.
If you still prefer to use IP whitelisting with AutoResolve IR, you could extract all CIDRs from the Azure IP Ranges JSON for the Southeast Asia region, but this list can change weekly and may still not fully resolve the issue.

References:

https://learn.microsoft.com/en-us/purview/legacy/concept-best-practices-network
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

If this is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Let me know if you have any further Queries.

Share via

How to find Microsoft Purview Autoresolved IR Public IP

1 answer

Your answer