Configure IP access lists for workspaces

This article describes how to configure IP access lists for Databricks workspaces. It covers the most common tasks, using the Databricks CLI. You can also use the IP Access Lists API.

Requirements

  • IP access lists support only Internet Protocol version 4 (IPv4) addresses.

Check if your workspace has the IP access list feature enabled

To check if your workspace has the IP access list feature enabled:

databricks workspace-conf get-status enableIpAccessLists

Enable or disable the IP access list feature for a workspace

In a JSON request body, specify enableIpAccessLists as true (enabled) or false (disabled).

databricks workspace-conf set-status --json '{
  "enableIpAccessLists": "true"
}'

Add an IP access list

When the IP access lists feature is enabled and there are no allow lists or block lists for the workspace, all IP addresses are allowed. Adding IP addresses to the allow list blocks all IP addresses that are not on the list. Review the changes carefully to avoid unintended access restrictions.

In the JSON request body, specify:

  • label — Label for this list.

  • list_type — Either ALLOW (allow list) or BLOCK (block list; addresses on it are excluded even if they are also in an allow list).

  • ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.

For example, to add an allow list:

databricks ip-access-lists create --json '{
  "label": "office",
  "list_type": "ALLOW",
  "ip_addresses": [
    "1.1.1.1",
    "2.2.2.2/21"
  ]
}'

To add a block list, do the same thing but with list_type set to BLOCK.
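A pre-flight check for the lockout risk described above, added here as an example (it is not part of the Databricks documentation or CLI): it evaluates a client IP against a proposed set of lists using the rules this article states, and flags entries that are not IPv4 or whose CIDR has host bits set. The function names, the sample address 203.0.113.10, and the treatment of disabled lists as ignored (and of a workspace with only block lists as open to every other address) are assumptions.

```python
import ipaddress

def validate_entries(entries):
    """Return (networks, problems) for a proposed ip_addresses array."""
    networks, problems = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an IP address or CIDR range")
            continue
        if net.version != 4:  # the page's requirement: IPv4 only
            problems.append(f"{entry}: only IPv4 is supported")
            continue
        # Host bits set (as in 2.2.2.2/21): report the range actually covered.
        if "/" in entry and str(net) != entry:
            problems.append(f"{entry}: normalizes to {net}")
        networks.append(net)
    return networks, problems

def _enabled(lst):
    # Assumption: a disabled list is ignored. Accepts true/false or "true"/"false".
    return str(lst.get("enabled", True)).lower() == "true"

def is_allowed(client_ip, lists):
    """BLOCK wins over ALLOW; once any ALLOW list exists, unlisted IPs are denied."""
    ip = ipaddress.ip_address(client_ip)
    active = [lst for lst in lists if _enabled(lst)]

    def hit(list_type):
        return any(ip in net
                   for lst in active if lst["list_type"] == list_type
                   for net in validate_entries(lst["ip_addresses"])[0])

    if hit("BLOCK"):
        return False
    has_allow = any(lst["list_type"] == "ALLOW" for lst in active)
    return hit("ALLOW") if has_allow else True

# The page's example list; MY_IP is a constructed sample address.
OFFICE = {"label": "office", "list_type": "ALLOW",
          "ip_addresses": ["1.1.1.1", "2.2.2.2/21"]}
MY_IP = "203.0.113.10"

if __name__ == "__main__":
    print(validate_entries(OFFICE["ip_addresses"])[1])
    print("locked out" if not is_allowed(MY_IP, [OFFICE]) else "still allowed")
```

Run it with the address you administer the workspace from in place of MY_IP before creating the first allow list.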

List IP access lists

databricks ip-access-lists list

Update an IP access list

In the JSON request body, specify at least one of the following values to update:

  • label — Label for this list.

  • list_type — Either ALLOW (allow list) or BLOCK (block list; addresses on it are excluded even if they are also in an allow list).

  • ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.

  • enabled — Specifies whether this list is enabled. Pass true or false.

The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

For example, to disable a list:

databricks ip-access-lists update --list-id "<list-id>" --json '{
  "enabled": "false"
}'

Replace an IP access list

For example, to replace a list:

databricks ip-access-lists replace --list-id "<list-id>" --json '{
  "label": "office",
  "list_type": "ALLOW",
  "ip_addresses": [
    "1.1.1.1",
    "2.2.2.2/21"
  ],
  "enabled": "false"
}'

Delete an IP access list

To delete an IP access list:

databricks ip-access-lists delete --list-id "<list-id>"