Manage private access settings

This article discusses how to create private access settings objects, which are required for enabling AWS PrivateLink. This article does not contain all the information necessary to configure PrivateLink for your workspace. For all requirements and steps, including the requirements for registering VPC endpoints and creating network configuration objects, see Enable AWS PrivateLink.

What is a private access settings object?

A private access settings object is a Databricks object that describes a workspace’s PrivateLink connectivity. Create a new private access settings object just for this workspace, or re-use and share an existing private access settings object among multiple workspaces, provided that they are all in the same AWS region.

This object serves several purposes:

  • It expresses your intent to use AWS PrivateLink with your workspace.

  • It controls your settings for the front-end use case of AWS PrivateLink for public network access.

  • It controls which VPC endpoints are permitted to access your workspace.

Create a private access settings object using the account console or the Account API. You will reference it in the set of fields when you create a workspace. You can update a workspace to point to a different private access settings object, but to use PrivateLink you must attach a private access settings object to the workspace during workspace creation.

Create a private access settings object

Note

These instructions show you how to create the private access object from the Cloud resources page in the account console before you create a new workspace. You can also create the private access settings in a similar way as part of the flow of creating a new workspace, by choosing Add a new private access object from the picker instead of choosing an existing object. See Manually create a workspace (existing Databricks accounts).

  1. In the account console, click Cloud resources.

  2. In the horizontal tabs, click Network.

  3. In the vertical tabs, click Private access settings.

  4. Click Add private access settings.

  5. Enter a name for your new private access settings object.

  6. For the region, be sure to match the region of your workspace. The region is not validated when you create this object; it is validated only during the actual creation of the workspace, and workspace deployment will fail if it does not match.

  7. Set the Public access enabled field, which configures public access to the front-end connection (the web application and REST APIs) for your workspace.

    • If set to False (the default), the front-end connection can be accessed only using PrivateLink connectivity and not from the public internet. When public access is disabled, the Configure IP access lists for workspaces feature is unsupported.

    • If set to True, the front-end connection can be accessed either from PrivateLink connectivity or from the public internet. Any IP access lists limit only connections from the public internet, not traffic through the PrivateLink connection.

  8. Set the Private Access Level field to the value that best represents which VPC endpoints to allow for your workspace.

    • Set to Account to limit connections to those VPC endpoints that are registered in your Databricks account.

    • Set to Endpoint to limit connections to an explicit set of VPC endpoints, which you can enter in a field that appears. It lets you select VPC endpoint registrations that you’ve already created. Be sure to include your front-end VPC endpoint registration if you created one.

  9. Click Add.
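
The field rules in steps 6 to 8 can be checked before a request is sent through the Account API. The following pre-flight check is an added example, not Databricks code: the function names are hypothetical, the payload field names and route follow the Account API's private access settings request as understood here and should be confirmed against the API reference, and the sample values are constructed.

```python
import json

# Account API route for private access settings (confirm against the API reference).
PAS_PATH = "/api/2.0/accounts/{account_id}/private-access-settings"


def build_pas_request(name, region, workspace_region, public_access_enabled=False,
                      private_access_level="ACCOUNT", allowed_vpc_endpoint_ids=(),
                      uses_ip_access_lists=False):
    """Return (payload, findings); findings are (severity, message) tuples."""
    findings = []
    level = private_access_level.upper()
    endpoints = list(allowed_vpc_endpoint_ids)
    # The region is validated only at workspace creation, so compare it now.
    if region != workspace_region:
        findings.append(("error", f"region {region} does not match "
                                  f"workspace region {workspace_region}"))
    if level == "ANY":
        findings.append(("error", "private access level ANY is deprecated"))
    elif level not in ("ACCOUNT", "ENDPOINT"):
        findings.append(("error", f"unknown private access level {level}"))
    # ENDPOINT is an explicit allow list, so it needs entries.
    if level == "ENDPOINT" and not endpoints:
        findings.append(("error", "ENDPOINT level requires at least one "
                                  "VPC endpoint registration"))
    if not public_access_enabled and uses_ip_access_lists:
        findings.append(("error", "IP access lists are unsupported when "
                                  "public access is disabled"))
    if public_access_enabled:
        findings.append(("warning", "front end reachable from the public internet; "
                                    "IP access lists do not filter PrivateLink traffic"))
    payload = {"private_access_settings_name": name, "region": region,
               "public_access_enabled": public_access_enabled,
               "private_access_level": level}
    if level == "ENDPOINT":
        payload["allowed_vpc_endpoint_ids"] = endpoints
    return payload, findings


def errors(findings):
    """Messages that should block the request."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    # Constructed sample: wrong region and an empty ENDPOINT allow list.
    payload, findings = build_pas_request("pas-example", "us-east-1", "us-west-2",
                                          private_access_level="Endpoint")
    print("POST", PAS_PATH)
    print(json.dumps(payload, indent=2))
    for sev, msg in findings:
        print(f"[{sev}] {msg}")
```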

Update a private access settings object

To update fields on a private access object:

  1. In the account console, click Cloud resources.

  2. In the horizontal tabs, click Network.

  3. In the vertical tabs, click Private access settings.

  4. On the row for the configuration, click the kebab menu (vertical ellipsis) on the right, and select Update.

  5. Change any fields. For guidance on specific fields, see Create a private access settings object.

    Note

    The private access level ANY is deprecated. If the object previously had this value and you use the account console to update any fields of the private access settings, you must change the private access level to a non-deprecated value. To make changes to other fields without changing the ANY private access level at this time, use the Account API. See AWS PrivateLink private access level ANY is deprecated.

  6. Click Update private access setting.

Delete a private access settings object

A private access settings object cannot be edited after creation. If the configuration has incorrect data or if you no longer need it for any workspaces, delete it:

  1. In the account console, click Cloud resources.

  2. Click Network.

  3. In the vertical tabs, click Private access settings.

  4. On the row for the configuration, click the kebab menu (vertical ellipsis) on the right, and select Delete.

  5. In the confirmation dialog, click Confirm Delete.