Serverless compute firewall configuration

Preview

This feature is in Public Preview.

Databricks serverless compute connects to your cloud resources through managed network infrastructure. If your cloud resources are protected by firewalls, you must allow traffic from serverless compute. The configuration method depends on the type of resource:

  • Amazon S3 buckets in your workspace's region: Use VPCE OrgPath condition keys in your S3 bucket policies.
  • Other resources: Allowlist serverless outbound IP addresses published by Databricks.

Important

Starting in mid-February 2026, Databricks publishes serverless outbound IPs in JSON format on a public endpoint, which is the supported method for retrieving these IPs. See guidance below.

If you use stable IPs from the Public Preview or copied them from a network connectivity configuration (NCC) in the account console, you must migrate to the new method before May 25, 2026. After May 25, 2026, legacy IP lists will be decommissioned and incomplete migrations might result in workload disruptions.

Considerations

  • DynamoDB allowlisting is in Private Preview. Contact your Databricks account team for access.
  • Firewall rules that restrict access to serverless compute also affect connectivity from classic compute resources. Update your resource access rules to allowlist the IPs used by classic compute connections as well.
  • Allow time for firewall rule propagation before testing connectivity from serverless compute.

S3 bucket access using VPCE OrgPath

Serverless compute communicates with Amazon S3 buckets in the same region as your workspace through a VPC endpoint (VPCE). You can restrict S3 bucket access to only Databricks serverless compute by adding a condition to your S3 bucket policy that uses the aws:VpceOrgPaths condition key.

VPCE OrgPath value

Use the following OrgPath value in your S3 bucket policy condition:

    o-g29axo4oyt/r-gu8r/ou-gu8r-g4va1rkr/ou-gu8r-hvyilq7g/*
Note

The VPC Org Path contains only Databricks Serverless VPCs. It does not include all Databricks-managed VPCs. Because S3 endpoints only allow regional ingress, access remains restricted to Serverless VPCs within the same AWS region as your bucket.
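An S3 bucket policy that applies this OrgPath condition, added here as an illustration and not taken from Databricks documentation. It denies every request that does not arrive through a Databricks Serverless VPC endpoint, except requests from a classic-compute VPC and from a break-glass administrator role; the bucket name, the VPC ID and the role ARN are placeholders you must replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessDatabricksServerlessOrExempt",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:VpceOrgPaths": "o-g29axo4oyt/r-gu8r/ou-gu8r-g4va1rkr/ou-gu8r-hvyilq7g/*"
        },
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-PLACEHOLDER-CLASSIC-COMPUTE"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/PLACEHOLDER-BreakGlassAdmin"
        }
      }
    }
  ]
}
```

The three conditions are ANDed, so the Deny fires only for requests that match none of the exemptions; for the Not operators a request that lacks the key, such as one made from the public internet, counts as a match and is denied. Try the policy on a non-production bucket first, because an explicit Deny on Principal * also binds your own account's users and roles.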

Outbound IP addresses for other resources

For resources other than Amazon S3 or Amazon DynamoDB in the same region, serverless compute uses regional outbound IP addresses to reach your resources. You must allowlist the CIDR blocks published by Databricks.

Retrieve the outbound IP ranges

Databricks publishes serverless outbound IP addresses in JSON format at a URL shared with you upon enrollment in this preview.

Databricks might update outbound IPs once every two weeks. Updated IPs become active two weeks after publication. Databricks might add new regions at any time, and new region IPs become active immediately. To track changes, save successive versions of the JSON file, and compare the timestampSeconds value between the current and previously saved versions.