
Managed security

Managed security is the baseline network architecture. It deploys Databricks into your own VPC with secure cluster connectivity (SCC) enabled by default on classic compute. You can optionally add classic PrivateLink for private control-plane connectivity.

note

Unlike Hardened connectivity and Isolated environment, Managed security doesn't require the Databricks Enterprise plan. Enabling the optional classic compute plane PrivateLink is the only part of this configuration that requires that tier.

Databricks tests the platform with annual third-party penetration tests and a public bug bounty program. See the Databricks Security Addendum.

This configuration has:

  • Secure by default: Databricks enables SCC, encryption in transit, and authenticated workspace access by default.
  • Optional private control-plane connectivity: Add classic compute plane PrivateLink to route classic compute traffic to the Databricks control plane over a private network. Requires the Databricks Enterprise plan.
  • Customer-managed network: Deploy into your own VPC for control over IP ranges, routing, and security groups.
  • Serverless compute: Use serverless SQL warehouses and serverless compute for notebooks and jobs.

Use this configuration when:

  • Getting started with Databricks for the first time.
  • Running non-regulated workloads without strict network isolation requirements.
  • Preferring operational simplicity over customized network controls.
  • Using serverless compute as the primary compute option.

Required components

Inbound

Workspace access uses standard identity and authentication. For an additional baseline control, configure a context-based ingress policy to restrict workspace and API access by request context: the source network (for example, corporate VPN egress ranges or office IP ranges) and the identity making the request. This adds defense in depth without requiring private connectivity.

See Context-based ingress control.

Outbound

Data access is governed by Unity Catalog. See What is Unity Catalog?. For an additional baseline control, you can optionally deploy an external firewall to inspect classic compute egress.

External firewall (optional)

Route classic compute egress through an external firewall for inspection, logging, and policy enforcement. Required in Isolated environment; optional here.

Options include AWS Network Firewall (managed service, integrated with AWS routing) or a third-party appliance such as Palo Alto integrated with Gateway Load Balancer.

warning

Databricks control plane and SCC relay connections use TLS with certificate pinning. Do not enable TLS inspection (decrypt and re-encrypt) on traffic between your clusters and the Databricks control plane. Doing so causes cluster failures. See IP addresses and domains for Databricks services and assets for required endpoints.
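The warning above leaves a practitioner with a concrete question: how do you enforce an egress allowlist on a firewall without decrypting the pinned TLS sessions? The usual answer with AWS Network Firewall is a stateful domain-list rule group that matches on the TLS SNI and HTTP Host header, which are visible without decryption, combined with a firewall policy whose stateful default action drops everything the allowlist did not pass. The Python below is an added example, not code from this page or from Databricks: it emits those two objects in the shape accepted by `aws network-firewall create-rule-group` and `create-firewall-policy`, generates Suricata `pass` rules for non-HTTP ports that a domain list cannot see, and checks that no TLS inspection configuration is attached to the policy. The domain names, ARN, and port list are placeholders (assumptions); take the real values from the linked endpoint list and the customer-managed VPC requirements for your region.

```python
import json

# Constructed placeholder allowlist (assumption). Replace with the endpoints from
# "IP addresses and domains for Databricks services and assets" for your region,
# plus your own data sources and package repositories. A leading dot matches the
# domain and all of its subdomains in Network Firewall domain lists.
ALLOWED_DOMAINS = [
    "example-workspace.cloud.databricks.com",
    "tunnel.example-region.cloud.databricks.com",
    ".amazonaws.com",
]

# Non-HTTP TCP ports that a domain list never sees and that would otherwise be
# dropped by the strict default action. Assumed here; confirm the required ports
# in "Configure a customer-managed VPC".
EXTRA_TCP_PORTS = [3306, 6666]


def egress_allowlist_rule_group(name, domains, capacity=100):
    """Stateful domain-list rule group: allow only the listed names as seen in the
    TLS SNI or HTTP Host header. Nothing is decrypted, so certificate pinning on
    the cluster-to-control-plane connection keeps working."""
    for d in domains:
        if "*" in d or "/" in d:  # Network Firewall takes names, not globs or URLs
            raise ValueError(f"unsupported domain entry: {d!r}")
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            }
        },
    }


def suricata_pass_rules(ports, first_sid=1000001):
    """Explicit pass rules for non-HTTP ports, one Suricata rule per port."""
    return "\n".join(
        f'pass tcp $HOME_NET any -> $EXTERNAL_NET {port} (msg:"allow tcp/{port}"; '
        f"sid:{first_sid + i}; rev:1;)"
        for i, port in enumerate(ports)
    )


def firewall_policy(name, stateful_rule_group_arns):
    """Policy that sends all traffic to the stateful engine and drops whatever no
    stateful rule explicitly passed (strict rule order, drop_strict default)."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
            "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
            "StatefulRuleGroupReferences": [
                {"ResourceArn": arn, "Priority": i + 1}
                for i, arn in enumerate(stateful_rule_group_arns)
            ],
        },
    }


def policy_avoids_tls_inspection(policy):
    """True when the policy carries no TLS inspection configuration, i.e. it will
    not decrypt and re-encrypt traffic between clusters and the control plane."""
    return "TLSInspectionConfigurationArn" not in policy["FirewallPolicy"]


if __name__ == "__main__":
    # Hypothetical ARN used only to show the policy shape.
    arn = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/databricks-egress"
    print(json.dumps(egress_allowlist_rule_group("databricks-egress", ALLOWED_DOMAINS), indent=2))
    print(suricata_pass_rules(EXTRA_TCP_PORTS))
    policy = firewall_policy("databricks-egress-policy", [arn])
    print(json.dumps(policy, indent=2))
    print("no TLS inspection attached:", policy_avoids_tls_inspection(policy))
```

The domain list governs only HTTP and TLS flows it can classify; with `aws:drop_strict` as the default, any other required flow (the metastore port, the SCC relay port when you use PrivateLink, DNS if it crosses the firewall) needs its own pass rule or it is silently dropped and shows up as a cluster start failure. Run `policy_avoids_tls_inspection` as a pre-deployment check in whatever pipeline creates the policy.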

Classic compute

If you use classic compute, Managed security applies the following controls by default:

Secure Cluster Connectivity

Eliminates public IP addresses on cluster nodes. Enabled by default with no additional configuration required.

See Classic compute plane networking.

Customer-managed VPC

Deploy Databricks into your own virtual network for control over IP address ranges, routing, and security groups. Required for classic PrivateLink.

See Configure a customer-managed VPC.
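SCC removes public IPs from cluster nodes and a customer-managed VPC gives you the routing and security groups, but the two only deliver the intended posture if the VPC you supply is configured to match: no subnet auto-assigning public addresses, and a workspace security group whose only inbound rule is the self-reference cluster nodes need, with internet egress limited to the expected TCP ports. The Python below is an added audit script, not code from this page or from Databricks. It runs over constructed input (hypothetical IDs) in the shape of `aws ec2 describe-subnets` and `aws ec2 describe-security-groups` output, with one subnet and one inbound rule deliberately wrong. The default egress port set is an assumption taken from the customer-managed VPC requirements; confirm it against that page before treating a finding as authoritative.

```python
import ipaddress

# Constructed sample input (hypothetical IDs), trimmed to the fields the checks
# use. subnet-0bbb and the SSH rule are the deliberate mistakes.
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.0.0/22", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.4.0/22", "MapPublicIpOnLaunch": True},
]

SECURITY_GROUP = {
    "GroupId": "sg-0123",
    "IpPermissions": [  # inbound
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 6666, "ToPort": 6666,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

# Assumed egress baseline for classic compute: TCP ports that may be open to
# 0.0.0.0/0. Verify against "Configure a customer-managed VPC"; everything else
# should stay inside the security group itself.
DEFAULT_EGRESS_PORTS = {443, 2443, 3306, 6666, *range(8443, 8452)}


def _world_cidrs(perm):
    """Return the 0.0.0.0/0 and ::/0 ranges referenced by one rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def _references_self(perm, group_id):
    return any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", []))


def _describe(perm):
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    return f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_subnets(subnets):
    """Subnets that hand out public IPs at launch undo what SCC is there for."""
    return sorted(s["SubnetId"] for s in subnets if s.get("MapPublicIpOnLaunch"))


def audit_security_group(sg, egress_ports=DEFAULT_EGRESS_PORTS):
    """Return a list of findings; an empty list means the group matches the baseline."""
    gid = sg["GroupId"]
    inbound, outbound = sg["IpPermissions"], sg["IpPermissionsEgress"]
    findings = []

    # With SCC nothing should reach the nodes from outside: inbound is only the
    # self-reference that lets cluster nodes talk to each other.
    for perm in inbound:
        for cidr in _world_cidrs(perm):
            findings.append(f"inbound from {cidr} ({_describe(perm)})")
    if not any(_references_self(p, gid) and p["IpProtocol"] == "-1" for p in inbound):
        findings.append("missing inbound all-traffic rule from the group itself")

    # Outbound to the internet only on the expected TCP ports; intra-cluster
    # traffic is covered by the self-reference.
    if not any(_references_self(p, gid) and p["IpProtocol"] == "-1" for p in outbound):
        findings.append("missing outbound all-traffic rule to the group itself")
    for perm in outbound:
        if not _world_cidrs(perm):
            continue
        ports = set(range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1))
        if perm["IpProtocol"] != "tcp" or not ports <= egress_ports:
            findings.append(f"unexpected egress to the internet ({_describe(perm)})")
    return findings


if __name__ == "__main__":
    print("subnets auto-assigning public IPs:", audit_subnets(SUBNETS))
    for finding in audit_security_group(SECURITY_GROUP):
        print("finding:", finding)
```

Feed it the real JSON from the two `describe-*` calls for the subnets and security group you registered with the workspace; a non-empty result is worth fixing before enabling PrivateLink or moving to a higher tier, since both build on the same VPC.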

The following control is optional:

Classic compute plane PrivateLink (optional)

Provides private connectivity between your VPC and the Databricks control plane. REST API and SCC relay traffic between clusters and the control plane stays private instead of using the public internet. Requires the Databricks Enterprise plan and is not enabled by default.

See Configure classic private connectivity to Databricks.

For non-networking security controls including encryption, see Security and compliance.

Upgrade paths

    • Hardened connectivity: If you require IP-based workspace access controls, serverless egress controls, VPC endpoints for cloud service access, or an optional external firewall for egress inspection.
    • Isolated environment: If you require private workspace access (over VPN or inbound PrivateLink) and a required external firewall for end-to-end network isolation.