Manage private access settings
This article explains how to create private access settings objects, which are required to enable private connectivity using PrivateLink.
To enable PrivateLink on your workspace, see Enable private connectivity using AWS PrivateLink.
What is a private access settings object?
A private access settings object is a Databricks object that describes a workspace’s PrivateLink connectivity. Create a new private access settings object just for this workspace, or re-use and share an existing private access settings object among multiple workspaces in the same region.
A private access settings object:
- Expresses your intent to use PrivateLink with your workspace.
- Controls your settings for the front-end use case of PrivateLink for public network access.
- Controls which VPC endpoints are permitted to access your workspace.
Create a private access settings object using the account console or the Private Access Settings API. You reference the private access settings object when you create a workspace. You can update a workspace to point to a different private access settings object, but to use PrivateLink you must attach a private access settings object to the workspace during workspace creation.
Create a private access settings object
- As an account admin, go to the account console.
- In the sidebar, click Cloud Resources.
- Click Network.
- In the sidebar, click Private access settings.
- Click Add private access settings.
- Enter a name for your new private access settings object.
- Select a region matching the region of your workspace.
- Set the Public access enabled field, which configures public access to the front-end connection (the web application and REST APIs) for your workspace.
  - If set to False (the default), the front-end connection can be accessed only using PrivateLink connectivity and not from the public internet. When public access is disabled, the IP access lists are not supported on the workspace.
  - If set to True, the front-end connection can be accessed either from PrivateLink connectivity or from the public internet. Any IP access lists only limit connections from the public internet but not traffic through the PrivateLink connection.
- Select a Private Access Level that represents which VPC endpoints to allow for your workspace.
  - Set to Account to limit connections to those VPC endpoints that are registered in your Databricks account.
  - Set to Endpoint to limit connections to an explicit set of VPC endpoints, which you can enter in a field that appears. It lets you select VPC endpoint registrations that you’ve already created. Be sure to include your front-end VPC endpoint registration if you created one.
- Click Add private access setting.
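The same choices expressed as a request body for the Private Access Settings API, as an added example that is not part of the original article or Databricks' own code. The JSON field names and the upper-case level values are assumptions to check against the API reference, and the object name, region and VPC endpoint registration ID are constructed placeholders.

```python
"""Review and build a private access settings request body (added example)."""

VALID_LEVELS = {"ACCOUNT", "ENDPOINT"}  # ANY is deprecated per the article


def build_private_access_settings(name, region, public_access_enabled=False,
                                  private_access_level="ACCOUNT",
                                  allowed_vpc_endpoint_ids=None):
    """Return (body, notes). Field names are assumed; nothing is sent."""
    level = private_access_level.upper()
    endpoints = list(allowed_vpc_endpoint_ids or [])
    if not name or not region:
        raise ValueError("name and region are required")
    if level == "ANY":
        raise ValueError("level ANY is deprecated; use ACCOUNT or ENDPOINT")
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown private access level: {private_access_level!r}")
    if level == "ENDPOINT" and not endpoints:
        raise ValueError("ENDPOINT needs explicit VPC endpoint registrations")

    body = {
        "private_access_settings_name": name,
        "region": region,
        "public_access_enabled": bool(public_access_enabled),
        "private_access_level": level,
    }
    if level == "ENDPOINT":
        body["allowed_vpc_endpoint_ids"] = endpoints

    # Notes restate the article's consequences of the public access choice.
    if body["public_access_enabled"]:
        notes = ["front-end reachable from PrivateLink and the public internet",
                 "IP access lists limit only public internet connections"]
    else:
        notes = ["front-end reachable only over PrivateLink",
                 "IP access lists are not supported on the workspace"]
    return body, notes


if __name__ == "__main__":
    import json
    body, notes = build_private_access_settings(
        "pas-example", "us-east-1", private_access_level="ENDPOINT",
        # Constructed placeholder for a VPC endpoint registration ID.
        allowed_vpc_endpoint_ids=["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(body, indent=2))
    print("\n".join(notes))
```

Running the review before submitting the body catches the deprecated level and an Endpoint level with no registrations, and the notes make the public access consequence explicit for whoever approves the change.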
Update a private access settings object
To update fields on a private access object:
- In the account console, click Cloud resources.
- Click Network.
- In the sidebar, click Private access settings.
- On the row for the configuration, click the kebab menu on the right, and select Update.
- Change any fields. For guidance on specific fields, see Create a private access settings object.
- Click Update private access setting.
The private access level ANY is deprecated. If the object previously had this value and you use the account console to update the private access settings for any fields, you must change the private access level to another value.
Delete a private access settings object
Private access settings objects cannot be edited after creation. If the configuration has incorrect data or if you no longer need it for any workspaces, delete it:
- In the account console, click Cloud resources.
- Click Network.
- Click Private access settings.
- On the row for the configuration, click the kebab menu on the right, and select Delete.
- In the confirmation dialog, click Ok.