Configure domain name firewall rules

If your corporate firewall blocks traffic based on domain names, you must allow HTTPS and WebSocket traffic to Databricks domain names to ensure access to Databricks resources. You can choose between two options, one more permissive but easier to configure, the other specific to your workspace domains.

Option 1: Allow traffic to *

Update your firewall rules to allow HTTPS and WebSocket traffic to * This is more permissive than option 2, but it saves you the effort of updating firewall rules for each Databricks workspace in your account.

Option 2: Allow traffic to your Databricks workspaces and account console only

If you choose to configure firewall rules for each workspace in your account, you must:

  1. Identify your workspace domains.

    Your Databricks workspace uses two domain names. The first is the one that you use to log in, such as if you have a vanity domain name, or dbc-<random-string> if you do not.

    To find the second domain, log in to the first domain. After you log in, you should see https://<first-domain>/?o=<workspace-id> in your browser address bar, where <workspace-id> is a string of digits.


    Some workspace types do not display a workspace ID in the logged-in URL. If you do not see a ?o= followed by a string of digits in the URL, contact your Databricks account team to get your workspace ID.

    The second domain has the format dbc-dp-<workspace-id> For example, if the workspace ID is 123456, your second domain is

  2. If you will need to access account console use from that network, also allow traffic to:

  3. Update your firewall rules.

    Update your firewall rules to allow HTTPS and WebSocket traffic to the two domains identified in step 1.