Secure cluster connectivity

Secure cluster connectivity means that customer VPCs in the classic compute plane have no open ports and classic compute resources have no public IP addresses.

  • At a network level, each cluster initiates a connection to the control plane secure cluster connectivity relay during cluster creation. The cluster establishes this connection using port 443 (HTTPS) and uses a different IP address than is used for the Web application and REST API.

  • When the control plane logically starts new Databricks Runtime jobs or performs other cluster administration tasks, these requests are sent to the cluster through this tunnel.

  • The compute plane (the VPC) has no open ports, and classic compute plane resources have no public IP addresses.


  • Easy network administration, with no need to configure ports on security groups or to configure network peering.

  • With enhanced security and simple network administration, information security teams can expedite approval of Databricks as a PaaS provider.


Although the serverless compute plane does not use the secure cluster connectivity relay for the classic compute plane, serverless SQL warehouses do not have public IP addresses.

Secure cluster connectivity

Use secure cluster connectivity

To use secure cluster connectivity for a workspace, create a new workspace. You cannot add secure cluster connectivity to an existing workspace.