This guide introduces IP access lists for the Databricks account and workspaces.
This feature requires the Enterprise pricing tier.
By default, users can connect to Databricks from any computer or IP address. IP access lists enable you to restrict access to your Databricks account and workspaces based on a user’s IP address. For example, you can configure IP access lists to allow users to connect only through existing corporate networks with a secure perimeter. If the internal VPN network is authorized, users who are remote or traveling can use the VPN to connect to the corporate network. If a user attempts to connect to Databricks from an insecure network, like from a coffee shop, access is blocked.
There are two IP access list features:
IP access lists for the account console: Account admins can configure IP access lists for the account console to allow users to connect to the account console UI and account-level REST APIs only through a set of approved IP addresses. Account admins can use an account console UI or a REST API to configure allowed and blocked IP addresses and subnets. See Configure IP access lists for the account console.
IP access lists for workspaces: Workspace admins can configure IP access lists for Databricks workspaces to allow users to connect to the workspace or workspace-level APIs only through a set of approved IP addresses. Workspace admins use a REST API to configure allowed and blocked IP addresses and subnets. See Configure IP access lists for workspaces.
If you use PrivateLink, IP access lists apply only to requests over the internet (public IP addresses). Private IP addresses from PrivateLink traffic cannot be blocked by IP access lists. To block specific private IP addresses from PrivateLink traffic, use AWS Network Firewall. If you want to restrict the PrivateLink connection to a set of registered PrivateLink endpoints, change your workspace’s private access settings object to use the ENDPOINT access level. See Enable AWS PrivateLink.
The IP access lists feature allows you to configure allow lists and block lists for the Databricks account console and workspaces:
Allow lists contain the set of IP addresses on the public internet that are allowed access. Allow multiple IP addresses explicitly or as entire subnets (for example
Block lists contain the IP addresses or subnets to block, even if they are included in the allow list. You might use this feature if an allowed IP address range includes a smaller range of infrastructure IP addresses that in practice are outside the actual secure network perimeter.
When a connection is attempted:
First, all block lists are checked. If the connection IP address matches any block list, the connection is rejected.
If the connection was not rejected by block lists, the IP address is compared with the allow lists. If there is at least one allow list, the connection is allowed only if the IP address matches an allow list. If there are no allow lists, all IP addresses are allowed.
If the feature is disabled, all access is allowed to your account or workspace.
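The evaluation order above, as an added Python simulation (not Databricks' own code): the list object's fields are named after the REST API's label, list_type, ip_addresses and enabled attributes (an assumption about field naming, not a guarantee), and the sample configuration is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpAccessList:
    """One access list; field names are assumed to mirror the REST API object."""
    label: str
    list_type: str       # "ALLOW" or "BLOCK"
    ip_addresses: list   # plain addresses or CIDR subnets, as strings
    enabled: bool = True


def _matches(ip, entries):
    """True if ip falls inside any plain address or CIDR subnet in entries."""
    for entry in entries:
        # strict=False lets a host address such as "203.0.113.7" act as a /32
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def evaluate_access(client_ip, access_lists, feature_enabled=True):
    """Apply the documented order: block lists first, then allow lists.
    Returns (allowed, reason)."""
    if not feature_enabled:
        return True, "feature disabled: all access allowed"
    ip = ipaddress.ip_address(client_ip)
    active = [lst for lst in access_lists if lst.enabled]
    for bl in (lst for lst in active if lst.list_type == "BLOCK"):
        if _matches(ip, bl.ip_addresses):
            return False, f"rejected by block list '{bl.label}'"
    allow_lists = [lst for lst in active if lst.list_type == "ALLOW"]
    if not allow_lists:
        return True, "no allow lists configured: all IPs allowed"
    for al in allow_lists:
        if _matches(ip, al.ip_addresses):
            return True, f"permitted by allow list '{al.label}'"
    return False, "not in any allow list"


# Constructed sample configuration: the corporate range is allowed, but a
# smaller block of infrastructure addresses inside it is explicitly blocked.
SAMPLE_LISTS = [
    IpAccessList("corp-network", "ALLOW", ["10.0.0.0/8", "203.0.113.7"]),
    IpAccessList("infra-vlan", "BLOCK", ["10.1.2.0/24"]),
    IpAccessList("old-vpn", "ALLOW", ["198.51.100.0/24"], enabled=False),
]

if __name__ == "__main__":
    for ip in ("10.3.3.3", "10.1.2.5", "203.0.113.7", "198.51.100.9", "2001:db8::1"):
        print(ip, evaluate_access(ip, SAMPLE_LISTS))
```

Note that the disabled "old-vpn" list is ignored entirely, so 198.51.100.9 is denied even though it appears in that list.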
For all allow lists and block lists combined, the account console supports a maximum of 1000 IP/CIDR values, where one CIDR counts as a single value.
Changes to IP access lists can take a few minutes to take effect.