Unity Catalog connections
A connection is a securable object in Unity Catalog that stores the endpoint and credentials needed to access an external system. It lives directly under the metastore in the Unity Catalog object hierarchy. A connection bundles together:
- The endpoint or URL of the external system
- Authentication credentials
- Configuration parameters
- Owner and metadata
Connections are distinct from storage credentials (for cloud object storage) and service credentials (for non-storage cloud services).
Connection types
Managed ingestion connections
Fully managed, serverless ingestion from SaaS apps and databases into Delta tables. Two categories: SaaS connectors (direct API) and database connectors (CDC). Some database types overlap with federation. The same connection can serve both, depending on how it is consumed.
See Connect to managed ingestion sources and Managed connectors in Lakeflow Connect.
Query federation connections
Read-only queries against external databases without moving data, using foreign catalogs that mirror the external database structure. Queries are pushed down to the external database using JDBC.
See What is query federation? and Manage connections for Lakehouse Federation.
Catalog federation connections
Connect external catalogs (a Hive Metastore, AWS Glue, or Snowflake Horizon Catalog) to Databricks. Unity Catalog crawls the external catalog metadata and auto-populates a foreign catalog, querying data directly in the source file storage.
See What is catalog federation?.
JDBC connections
Read and write access to external databases using JDBC drivers through the Spark Data Source API or Remote Query SQL API.
See JDBC connection.
HTTP connections
Communication with external HTTP services through a Databricks-managed proxy. Powers external REST APIs, MCP integrations, and AI agent tools.
See Connect to external HTTP services and Use external MCP servers.
How to choose a connection type
Type | Use case | Read | Write | Governance level |
|---|---|---|---|---|
Managed ingestion | Ingest data from SaaS apps or databases into Delta tables | Ingests to Delta | N/A | Connection-level |
Query federation | Query an external database in place without copying data | Yes | No | Table-level |
Catalog federation | Connect external catalogs to query data directly in source file storage | Yes | No | Table-level |
JDBC | Read and write to an external database with a specific JDBC driver | Yes | Yes | Connection-level |
HTTP | Connect to external HTTP APIs, MCP servers, or agent tools | N/A | N/A | Connection-level |
Create a connection
You can create connections using:
- SQL:
CREATE CONNECTION connection_name TYPE connection_type OPTIONS (...) - Catalog Explorer UI: Catalog > Create > Create a connection
- REST API or Databricks CLI
The SQL CREATE CONNECTION statement supports the following TYPE values: DATABRICKS, HTTP, MYSQL, POSTGRESQL, REDSHIFT, SNOWFLAKE, SQLDW, SQLSERVER. SaaS ingestion types (such as Salesforce, HubSpot, and Jira) can only be created using the UI or APIs.
See CREATE CONNECTION in the SQL reference.
Security: connections versus egress control
Security for outbound connectivity operates in multiple layers:
Unity Catalog connections govern credentials and connection configuration (URL, host, port, options). They provide a secure, governed way to store and share authentication details and connection settings for external systems without embedding secrets in code.
Network policies govern network access. They control both outbound connectivity from Databricks compute to external endpoints and inbound connectivity from external sources to your workspace. Unity Catalog connections do not enforce network restrictions. To manage allowed traffic in either direction, configure network rules.