What causes NETWORK_CHECK_CONTROL_PLANE_FAILURE?

Firewall or security group rules block outbound HTTPS (port 443) from the cluster subnet to Databricks control plane endpoints. A VPC or VNet route change removed the path from the cluster subnet to the internet or Databricks private endpoints. DNS resolution fails for Databricks control plane FQDNs from within the cluster subnet. A proxy configuration on the cluster nodes is blocking or misconfiguring control plane traffic. A Databricks Private Link (VPC endpoint) was removed or misconfigured

How do I fix NETWORK_CHECK_CONTROL_PLANE_FAILURE?

Check outbound security group rules — clusters must be able to reach Databricks control plane endpoints on port 443. Verify that DNS resolves Databricks control plane hostnames from within the subnet. Check VPC/VNet routing tables for routes to the internet gateway or private endpoint. Review recent changes to firewall rules, NAT gateways, or Private Link configuration. Consult the Databricks documentation for the required network endpoints specific to your cloud and region

High severitycluster

Power BI Refresh Error:
NETWORK_CHECK_CONTROL_PLANE_FAILURE

What does this error mean?

A Databricks cluster failed a network connectivity check to the Databricks control plane before or during startup. The cluster cannot communicate with the control plane and was terminated.

Common causes

1Firewall or security group rules block outbound HTTPS (port 443) from the cluster subnet to Databricks control plane endpoints
2A VPC or VNet route change removed the path from the cluster subnet to the internet or Databricks private endpoints
3DNS resolution fails for Databricks control plane FQDNs from within the cluster subnet
4A proxy configuration on the cluster nodes is blocking or misconfiguring control plane traffic
5A Databricks Private Link (VPC endpoint) was removed or misconfigured

How to fix it

1Check outbound security group rules — clusters must be able to reach Databricks control plane endpoints on port 443
2Verify that DNS resolves Databricks control plane hostnames from within the subnet
3Check VPC/VNet routing tables for routes to the internet gateway or private endpoint
4Review recent changes to firewall rules, NAT gateways, or Private Link configuration
5Consult the Databricks documentation for the required network endpoints specific to your cloud and region

Frequently asked questions

What ports does Databricks require outbound?

Primarily port 443 (HTTPS) to Databricks control plane endpoints. For some cloud providers, port 3306 (metastore) and 8443 (future use) may also be required. Consult the Databricks networking documentation for the full list.

Can this be caused by a security group change I did not make?

Yes — automated compliance tools, Infrastructure as Code drift, or a cloud security posture management (CSPM) tool may have modified security groups without a manual change.