IP access lists for the account console
Preview
This feature is in Public Preview.
Enterprises that use cloud SaaS applications need to restrict access to their own employees. Authentication helps to prove user identity, but that does not enforce network location of the users. Accessing a cloud service from an unsecured network can pose security risks to an enterprise, especially when the user may have authorized access to sensitive or personal data. Enterprise network perimeters apply security policies and limit access to external services (for example, firewalls, proxies, DLP, and logging), so access beyond these controls are assumed to be untrusted.
Suppose a hospital IT admin accesses the Databricks account console from a laptop. If the employee walks from the office to a coffee shop with the laptop, the hospital can block connections to the Databricks account console even though they have correct credentials.
You can configure Databricks so that the account owner and account admins connect to the account console only through existing corporate networks with a secure perimeter. IP access lists for the account console lets you define a set of approved IP addresses. All incoming access to the web application and REST APIs requires the user connect from an authorized IP address.
If the internal VPN network is authorized, employees who are remote or traveling could use the VPN to connect to the corporate network, which in turn enables access to the account console. Account admins must manage IP access lists separately for the account console and for individual workspaces. For IP access lists on workspaces, see IP access lists for workspaces.
Account admins can disable IP access lists for account console using an account console setting. There is no API to disable multiple IP access lists in one request as this setting does, but you can use the API to disable each individual IP access list for the account console in separate API requests.
Note
Databricks support for AWS PrivateLink affects only user access to the workspace, not account admin access to the account console.
Requirements
This feature requires the Enterprise pricing tier.
IP access lists support only Internet Protocol version 4 (IPv4) addresses.
Flexible configuration
The IP access lists feature is flexible:
Your account admins the set of IP addresses on the public Internet that are allowed access. This is known as the allow list. Allow multiple IP addresses explicitly or as entire subnets (for example
216.58.195.78/28).Your account admins can optionally specify IP addresses or subnets to block even if they are included in the allow list. This is known as the block list. You might use this feature if an allowed IP address range includes a smaller range of infrastructure IP addresses that in practice are outside the actual secure network perimeter.
Your account admins can use either the account console UI or a REST API to update the allow lists and block lists.
Feature details
The Accounts IP Access List feature enables Databricks account admins to configure IP allow lists and block lists for the account console. If the feature is disabled, all access is allowed to your account in the account console. There is support for allow lists (inclusion) and block lists (exclusion).
When a connection is attempted:
First all block lists are checked. If the connection IP address matches any block list, the connection is rejected.
If the connection was not rejected by block lists, the IP address is compared with the allow lists. If there is at least one allow list for the account console, the connection is allowed only if the IP address matches an allow list. If there are no allow lists for the account console, all IP addresses are allowed.
For all allow lists and block lists combined, the account console supports a maximum of 1000 IP/CIDR values, where one CIDR counts as a single value.
After changes to the IP access list feature, it can take a few minutes for changes to take effect.
Use the account console UI
As an account admin, go to the account console.
In the sidebar, click Settings.
On the Security tab, click IP Access List.
By default, new IP access lists for the account console take effect within a few minutes. Account admins can disable or re-enable IP access lists for account console by clicking the Enabled button. Disabling the feature means that all existing allow lists or block lists are ignored and all IP addresses can access your account in the account console. Disabling it does not affect IP access lists for workspaces.
Add an IP access list
As an account admin, go to the account console.
In the sidebar, click Settings.
In the Security tab, click IP Access List.
Click Add rule.
Choose whether to make an ALLOW or BLOCK list.
In the label field, add a human-readable label.
Add one or more IP addresses or CIDR IP ranges, with commas separating them.
Click Add rule.
Delete an IP access list
As an account admin, go to the account console.
In the sidebar, click Settings.
In the Security tab, click IP Access List.
To the right of a rule, click the three vertical dot icon (kebab menu) and click Delete.
Confirm deletion in the confirmation popup that appears.
Use the API
This article discusses the most common tasks you can perform with the API. For the complete REST API reference, see the API Reference section on IP access list for account console.
To learn about authenticating to an account-level Databricks API like this one, see How to use the Account API.
The base path for the endpoints described in this article is https://<account-domain>/api/2.0, where <account-domain> is accounts.cloud.databricks.com.
Add an IP access list
To add an IP access list, call the Add an IP access list API (POST /accounts/<account-id>/ip-access-lists).
In the JSON request body, specify:
label— Label for this list.list_type— EitherALLOW(allow list) orBLOCK(a block list, which means exclude even if in allow list).ip_addresses— A JSON array of IP addresses and CIDR ranges, as String values.
The response is a copy of the object that you passed in, but with some additional fields, most importantly the list_id field. You may want to save that value so you can update or delete the list later. If you do not save it, you are still able to get the ID later by querying the full set of IP access lists with a GET request to the /accounts/<account-id>/ip-access-lists endpoint.
For example, to add an allow list:
curl -X POST -n \
https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists
-d '{
"label": "office",
"list_type": "ALLOW",
"ip_addresses": [
"1.1.1.1",
"2.2.2.2/21"
]
}'
Example response:
{
"ip_access_list": {
"list_id": "<list-id>",
"label": "office",
"ip_addresses": [
"1.1.1.1",
"2.2.2.2/21"
],
"address_count": 2,
"list_type": "ALLOW",
"created_at": 1578423494457,
"created_by": 6476783916686816,
"updated_at": 1578423494457,
"updated_by": 6476783916686816,
"enabled": true
}
}
To add a block list, do the same thing but with list_type set to BLOCK.
Update an IP access list
To update an IP access list:
Call the
List all IP access listsAPI (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to update.Call the
Update an IP access listAPI (PATCH /accounts/<account-id>/ip-access-lists/<list-id>).
In the JSON request body, specify at least one of the following values to update:
label— Label for this list.list_type— EitherALLOW(allow list) orBLOCK(block list, which means exclude even if in allow list).ip_addresses— A JSON array of IP addresses and CIDR ranges, as String values.enabled— Specifies whether this list is enabled. Passtrueorfalse.
The response is a copy of the object that you passed in with additional fields for the ID and modification dates.
For example, to disable a list:
curl -X PATCH -n \
https:/<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>
-d '{ "enabled": "false" }'
Replace an IP access list
To replace an IP access list:
Call the
List all IP access listsAPI (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to replace.Call the
Replace an IP access listAPI (PUT /accounts/<account-id>/ip-access-lists/<list-id>).
In the JSON request body, specify:
label— Label for this list.list_type— EitherALLOW(allow list) orBLOCK(block list, which means exclude even if in allow list).ip_addresses— A JSON array of IP addresses and CIDR ranges, as String values.enabled— Specifies whether this list is enabled. Passtrueorfalse.
The response is a copy of the object that you passed in with additional fields for the ID and modification dates.
For example, to replace the contents of the specified list with the following values:
curl -X PUT -n \
https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>
-d '{
"label": "office",
"list_type": "ALLOW",
"ip_addresses": [
"1.1.1.1",
"2.2.2.2/21"
],
"enabled": "false"
}'
Delete an IP access list
To delete an IP access list:
Call the
List all IP access listsAPI (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to delete.Call the
Delete an IP access listAPI (DELETE /accounts/<account-id>/ip-access-lists/<list-id>).
For example:
curl -X DELETE -n \
https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>