
OpenSharing recipient firewall configuration for SecureConnect

Preview

This feature is in Public Preview.

This page describes how Databricks recipients access shares from a provider who has enabled OpenSharing SecureConnect.

If your provider has enabled SecureConnect and you have an egress firewall, you must allowlist Databricks inbound IP addresses to access SecureConnect. You allowlist IPs for the provider's cloud and region, regardless of the cloud you are on.

Important

Databricks recipients on classic compute and open recipients must allowlist Databricks inbound IP addresses.

Databricks recipients on serverless compute do not need to configure their egress firewall to access SecureConnect. Databricks routes serverless traffic to SecureConnect internally.

For an overview of SecureConnect and provider-side setup, see Share data behind a firewall with SecureConnect.

Allowlist Databricks inbound IPs

Select the cloud your provider is on, then allowlist the listed Databricks inbound IP addresses for the provider's region.

For an AWS provider, allowlist the Databricks inbound IP addresses for "Default storage, OpenSharing SecureConnect, Zerobus Ingestion, and Lakebase (Autoscaling Beta)" corresponding to the provider's region.

See IP addresses and domains for Databricks services and assets.
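The following Python sketch is an added example, not Databricks code: it checks whether an egress firewall's allow rules fully cover the Databricks inbound ranges for the provider's cloud and region, and skips the check for serverless recipients. The function names, the `PROVIDER_REGION` key, and all CIDR values are assumptions (the ranges are constructed documentation addresses); replace them with the values published for the provider's region.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges, NOT real Databricks IPs.
# Keyed by the PROVIDER's cloud and region, not the recipient's.
REQUIRED_BY_PROVIDER_REGION = {
    ("aws", "PROVIDER_REGION"): ["203.0.113.0/25", "198.51.100.16/28"],
}


def needs_allowlist(compute):
    """Classic-compute and open recipients must allowlist; serverless need not."""
    if compute not in {"classic", "open", "serverless"}:
        raise ValueError(f"unknown recipient type: {compute!r}")
    return compute != "serverless"


def missing_ranges(provider_cloud, provider_region, egress_allow_cidrs,
                   compute="classic"):
    """Return the required CIDRs that the egress allow rules do not fully cover."""
    if not needs_allowlist(compute):
        return []
    required = REQUIRED_BY_PROVIDER_REGION[(provider_cloud, provider_region)]
    rules = [ipaddress.ip_network(c) for c in egress_allow_cidrs]

    # Merge adjacent/overlapping rules per IP version, so that two /26 rules
    # are recognised as covering one required /25.
    allowed = []
    for version in (4, 6):
        allowed += ipaddress.collapse_addresses(
            r for r in rules if r.version == version)

    gaps = []
    for cidr in required:
        net = ipaddress.ip_network(cidr)
        covered = any(a.version == net.version and net.subnet_of(a)
                      for a in allowed)
        if not covered:
            gaps.append(cidr)
    return gaps


if __name__ == "__main__":
    # Constructed firewall rules: the second half of the /25 is missing.
    rules = ["203.0.113.0/26", "198.51.100.16/28"]
    for gap in missing_ranges("aws", "PROVIDER_REGION", rules):
        print("egress rule missing for", gap)
```

A non-empty result means part of a required range is still blocked, so connections to SecureConnect can fail depending on which address is reached.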

Limitations

The following limitations apply to Databricks recipients accessing SecureConnect-enabled shares:

  • mTLS is not enabled for recipients using classic compute.
  • mTLS is not enabled for OIDC recipients.
  • Serverless Databricks recipients using a Databricks-to-Open credential in the same region as the provider are not supported.