Configure domain name firewall rules
If your corporate firewall blocks traffic based on domain names, you must allow HTTPS and WebSocket traffic to Databricks domain names to ensure access to Databricks resources. You can choose between two options, one more permissive but easier to configure, the other specific to your workspace domains.
Option 1: Allow traffic to *.cloud.databricks.com
Update your firewall rules to allow HTTPS and WebSocket traffic to *.cloud.databricks.com. This is more permissive than option 2, but it saves you the effort of updating firewall rules for each Databricks workspace in your account.
Option 2: Allow traffic to your Databricks workspaces and account console only
If you choose to configure firewall rules for each workspace in your account, you must:
- Identify your workspace domains.
  Your Databricks workspace uses two domain names. The first is the one that you use to log in, such as yourcompany.cloud.databricks.com if you have a vanity domain name, or dbc-<random-string>.cloud.databricks.com if you do not.
  To find the second domain, log in to the first domain. After you log in, you should see https://<first-domain>/?o=<workspace-id> in your browser address bar, where <workspace-id> is a string of digits.
  Note: Some workspace types do not display a workspace ID in the logged-in URL. If you do not see a ?o= followed by a string of digits in the URL, contact your Databricks account team to get your workspace ID.
  The second domain has the format dbc-dp-<workspace-id>.cloud.databricks.com. For example, if the workspace ID is 123456, your second domain is dbc-dp-123456.cloud.databricks.com.
- If you need to access the account console from that network, also allow traffic to accounts.cloud.databricks.com.
- Update your firewall rules.
  Update your firewall rules to allow HTTPS and WebSocket traffic to the two domains identified in step 1.
Allow traffic to CDN domains for UI assets
The Databricks UI loads static assets, like CSS, JavaScript, and images, from Content Delivery Network (CDN) domains. Selectively blocking asset types, like allowing JavaScript but blocking CSS or font files, can break the UI.
To keep the UI working, allow all asset types from CDN domains.
- https://ui-assets.cloud.databricks.com/ - Databricks UI assets
- https://*.cloud.databricksusercontent.com - Notebook assets
Firewall configuration recommendations
- Apply the same rules across all listed CDN domains.
- Avoid selective filtering of CSS, JavaScript, images, or font files.
- Allow HTTPS (port 443) to all CDN domains.
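The Option 2 domain derivation and the CDN domains above can be scripted. The following is an added example, not Databricks code: it builds the per-workspace allowlist from a logged-in URL and checks hostnames against it. The function names and the wildcard semantics ("*." matches one or more leading labels) are assumptions; confirm how your own firewall interprets wildcard entries.

```python
from urllib.parse import urlsplit, parse_qs

SUFFIX = ".cloud.databricks.com"
ACCOUNT_CONSOLE = "accounts.cloud.databricks.com"
# CDN domains listed on this page (UI assets, notebook assets)
CDN_PATTERNS = ["ui-assets.cloud.databricks.com", "*.cloud.databricksusercontent.com"]


def workspace_allowlist(logged_in_url, account_console=False):
    """Host patterns to allow for one workspace (Option 2) plus the CDN domains."""
    parts = urlsplit(logged_in_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(SUFFIX):
        raise ValueError(f"not a Databricks workspace URL: {logged_in_url!r}")
    ids = parse_qs(parts.query).get("o", [])
    if len(ids) != 1 or not (ids[0].isascii() and ids[0].isdigit()):
        # Some workspace types show no ?o=<digits>; the ID then has to come
        # from the Databricks account team, so refuse to guess.
        raise ValueError("no workspace ID in URL")
    hosts = [host, f"dbc-dp-{ids[0]}{SUFFIX}"]
    if account_console:
        hosts.append(ACCOUNT_CONSOLE)
    return hosts + CDN_PATTERNS


def is_allowed(hostname, patterns):
    """Exact match, or '*.suffix' matching any name that ends in '.suffix'."""
    name = hostname.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            dotted = pattern[1:]  # keep the leading dot so 'xcloud...' cannot match
            if name.endswith(dotted) and len(name) > len(dotted):
                return True
        elif name == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed input, using the example workspace ID from the page
    rules = workspace_allowlist(
        "https://yourcompany.cloud.databricks.com/?o=123456", account_console=True
    )
    for probe in ("dbc-dp-123456.cloud.databricks.com",
                  "dbc-dp-999.cloud.databricks.com",
                  "evilcloud.databricksusercontent.com"):
        print(probe, "allow" if is_allowed(probe, rules) else "deny")
```

Running the same check against proxy or firewall deny logs shows which blocked hostnames belong to the workspace and which fall outside the Option 2 rules.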