Managed security
Managed security is the baseline network architecture. It deploys Databricks into your own VPC, uses backend Private Link for control-plane connectivity, and enables secure cluster connectivity (SCC) by default on classic compute.
Databricks tests the platform with annual third-party penetration tests and a public bug bounty program. See the Databricks Security Addendum.
This configuration provides:
- Secure by default: Databricks enables SCC, encryption in transit, and authenticated workspace access by default.
- Private control-plane connectivity: Classic compute traffic to the Databricks control plane flows over classic Private Link.
- Customer-managed network: Deploy into your own VPC for control over IP ranges, routing, and security groups.
- Serverless compute: Use serverless SQL warehouses and serverless compute for notebooks and jobs.
Use this configuration when:
- You are getting started with Databricks for the first time.
- You run non-regulated workloads without strict network isolation requirements.
- You prefer operational simplicity over customized network controls.
- You use serverless compute as the primary compute option.
Required components
Inbound
Workspace access uses standard identity and authentication. For an additional baseline control, configure a context-based ingress policy that restricts workspace and API access based on request context, such as the source network (corporate VPNs, office IP ranges) and the identity making the request. This adds defense in depth without requiring private connectivity.
See Context-based ingress control.
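Before applying an ingress policy built from office and VPN ranges, it is worth linting the allow list: a typo that widens a prefix, an overlapping entry, or a catch-all range silently turns the control into a no-op. The following is an added example, not Databricks code and not a call to the Databricks API; it works on a constructed allow list (documentation TEST-NET ranges) and shows both the lint and the resulting allow/deny decision for a given source address.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed allow list for illustration. The real policy is configured in
# the Databricks account console or API, which this example does not call.
ORG_NETWORKS: Dict[str, List[str]] = {
    "corporate-vpn": ["203.0.113.0/24"],     # TEST-NET-3, constructed
    "office-hq": ["198.51.100.0/25"],        # TEST-NET-2, constructed
}

# Anything broader than this is almost certainly a mistake in an office/VPN
# allow list (assumed threshold; tune it to your organization's address plan).
MIN_PREFIXLEN_V4 = 16


def lint_allow_list(networks: Dict[str, List[str]]) -> List[str]:
    """Return findings for an allow list; an empty list means no problems found."""
    findings: List[str] = []
    seen: List[tuple] = []
    for label, cidrs in networks.items():
        for cidr in cidrs:
            try:
                # strict=True rejects entries with host bits set (e.g. 10.1.2.3/8),
                # which usually indicate a typo that widened the intended range.
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                findings.append(f"{label}: {cidr} is not a valid CIDR ({exc})")
                continue
            if net.prefixlen == 0:
                findings.append(f"{label}: {cidr} allows every source address (policy becomes a no-op)")
            elif net.version == 4 and net.prefixlen < MIN_PREFIXLEN_V4:
                findings.append(f"{label}: {cidr} is broader than /{MIN_PREFIXLEN_V4}")
            for other_label, other in seen:
                if net.overlaps(other):
                    findings.append(f"{label}: {cidr} overlaps {other_label} {other}")
            seen.append((label, net))
    return findings


def source_allowed(ip: str, networks: Dict[str, List[str]]) -> Optional[str]:
    """Return the label of the first entry containing ip, or None if the address is not allowed."""
    addr = ipaddress.ip_address(ip)
    for label, cidrs in networks.items():
        for cidr in cidrs:
            if addr in ipaddress.ip_network(cidr, strict=False):
                return label
    return None


if __name__ == "__main__":
    for finding in lint_allow_list(ORG_NETWORKS):
        print("finding:", finding)
    for probe in ("203.0.113.7", "192.0.2.1"):
        print(probe, "->", source_allowed(probe, ORG_NETWORKS) or "denied")
```

The lint is meant to run in CI against the file that feeds your policy, so a widened prefix is caught in review rather than discovered when an attacker's source address happens to fall inside it.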
Outbound
Data access is governed by Unity Catalog. See What is Unity Catalog? For an additional baseline control, you can optionally deploy an external firewall to inspect classic compute egress.
External firewall (optional)
Route classic compute egress through an external firewall for inspection, logging, and policy enforcement. This is required in the Isolated environment configuration and optional here.
Options include AWS Network Firewall (managed service, integrated with AWS routing) or a third-party appliance such as Palo Alto integrated with Gateway Load Balancer.
Databricks control plane and SCC relay connections use TLS with certificate pinning. Do not enable TLS inspection (decrypt and re-encrypt) on traffic between your clusters and the Databricks control plane: the pinned certificate check rejects the firewall's re-signed certificate, and clusters fail to start or lose connectivity. See IP addresses and domains for Databricks services and assets for the required endpoints.
Classic compute
If you use classic compute, the following controls apply by default:
Secure Cluster Connectivity
Eliminates public IP addresses on cluster nodes. Enabled by default with no additional configuration required.
Customer-managed VPC
Deploy Databricks into your own virtual network for control over IP address ranges, routing, and security groups. Required for classic Private Link.
Classic compute plane Private Link
Provides private connectivity between your VPC and the Databricks control plane. REST API and SCC relay traffic between clusters and the control plane stays private.
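The classic compute controls above (SCC with no public IPs, a customer-managed VPC, and optional egress through an external firewall that must not TLS-inspect control-plane traffic) are all things you can verify from the VPC configuration rather than discover from a failed cluster launch. The following is an added example, not Databricks code: it runs a posture check over a constructed, simplified model of subnets, route tables and a firewall policy. The data classes are not the EC2 or Network Firewall API shapes, and the control-plane hostnames are placeholders; a real check would fill the model from the cloud API and take the hostnames from the IP addresses and domains page.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, simplified model of the relevant VPC objects (NOT the boto3
# response shape). Route targets use their AWS id prefixes: igw-, nat-, vpce-.
@dataclass
class RouteTable:
    rtb_id: str
    routes: Dict[str, str]            # destination CIDR -> target id

@dataclass
class Subnet:
    subnet_id: str
    cidr: str
    map_public_ip_on_launch: bool     # True means nodes would get public IPs
    route_table: RouteTable

@dataclass
class FirewallPolicy:
    # Hostname patterns whose traffic the firewall decrypts (its TLS inspection
    # scope), modelled as simple globs: "*" or "*.suffix" or an exact host.
    tls_inspection_hosts: List[str] = field(default_factory=list)

# Placeholder control-plane / SCC relay hostnames (assumed, not authoritative).
CONTROL_PLANE_HOSTS = ["<workspace-url>", "tunnel.<region>.cloud.databricks.com"]


def host_matches(pattern: str, host: str) -> bool:
    """Minimal glob matcher for the modelled TLS inspection scope."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def check_cluster_subnet(subnet: Subnet, require_firewall: bool) -> List[str]:
    """Findings for one classic-compute subnet; empty means it matches the intended posture."""
    findings: List[str] = []
    # SCC removes public IPs from cluster nodes; a subnet that auto-assigns them
    # contradicts that intent even if SCC is on.
    if subnet.map_public_ip_on_launch:
        findings.append(f"{subnet.subnet_id}: auto-assigns public IPs")
    default = subnet.route_table.routes.get("0.0.0.0/0")
    if default is None:
        findings.append(f"{subnet.subnet_id}: no default route, clusters have no egress path")
    elif default.startswith("igw-"):
        findings.append(f"{subnet.subnet_id}: default route goes directly to an internet gateway")
    elif require_firewall and not default.startswith("vpce-"):
        findings.append(f"{subnet.subnet_id}: default route bypasses the firewall endpoint ({default})")
    return findings


def check_tls_inspection(policy: FirewallPolicy) -> List[str]:
    """Flag inspection scopes that would decrypt pinned control-plane or SCC relay traffic."""
    findings: List[str] = []
    for pattern in policy.tls_inspection_hosts:
        for host in CONTROL_PLANE_HOSTS:
            if host_matches(pattern, host):
                findings.append(f"TLS inspection pattern {pattern!r} covers control-plane host {host!r}")
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the checks over constructed sample data: one compliant subnet, one not."""
    firewall_rtb = RouteTable("rtb-fw", {"10.0.0.0/16": "local", "0.0.0.0/0": "vpce-nfw-endpoint"})
    public_rtb = RouteTable("rtb-pub", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-main"})
    good = Subnet("subnet-private-a", "10.0.1.0/24", False, firewall_rtb)
    bad = Subnet("subnet-public-b", "10.0.2.0/24", True, public_rtb)
    policy = FirewallPolicy(tls_inspection_hosts=["*.cloud.databricks.com"])
    return {
        "good": check_cluster_subnet(good, require_firewall=True),
        "bad": check_cluster_subnet(bad, require_firewall=True),
        "tls": check_tls_inspection(policy),
    }


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        print(name, findings or "ok")
```

The TLS check is the one most worth keeping even without a firewall: a later change that adds a broad inspection scope for "all outbound HTTPS" is exactly the kind of edit that breaks the pinned control-plane connection described above.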
For non-networking security controls including encryption, see Security and compliance.
Upgrade paths
- Hardened connectivity: if you require IP-based workspace access controls, serverless egress controls, VPC endpoints for cloud service access, or an optional external firewall for egress inspection.
- Isolated environment: if you require private workspace access (over VPN or inbound Private Link) and a required external firewall for end-to-end network isolation.