IP access lists for the account console

Preview

This feature is in Public Preview.

Enterprises that use cloud SaaS applications need to restrict access to their own employees. Authentication helps to prove user identity, but that does not enforce network location of the users. Accessing a cloud service from an unsecured network can pose security risks to an enterprise, especially when the user may have authorized access to sensitive or personal data. Enterprise network perimeters apply security policies and limit access to external services (for example, firewalls, proxies, DLP, and logging), so access beyond these controls are assumed to be untrusted.

Suppose a hospital IT admin accesses the Databricks account console from a laptop. If the employee walks from the office to a coffee shop with the laptop, the hospital can block connections to the Databricks account console even though they have correct credentials.

You can configure Databricks so that the account owner and account admins connect to the account console only through existing corporate networks with a secure perimeter. IP access lists for the account console lets you define a set of approved IP addresses. All incoming access to the web application and REST APIs requires the user connect from an authorized IP address.

If the internal VPN network is authorized, employees who are remote or traveling could use the VPN to connect to the corporate network, which in turn enables access to the account console. Account admins must manage IP access lists separately for the account console and for individual workspaces. For IP access lists on workspaces, see IP access lists for workspaces.

IP access lists for account console overview diagram

Account admins can disable IP access lists for account console using an account console setting. There is no API to disable multiple IP access lists in one request as this setting does, but you can use the API to disable each individual IP access list for the account console in separate API requests.

Note

Databricks support for AWS PrivateLink affects only user access to the workspace, not account admin access to the account console.

Requirements

This feature requires the Enterprise pricing tier.

  • IP access lists support only Internet Protocol version 4 (IPv4) addresses.

Flexible configuration

The IP access lists feature is flexible:

  • Your account admins the set of IP addresses on the public Internet that are allowed access. This is known as the allow list. Allow multiple IP addresses explicitly or as entire subnets (for example 216.58.195.78/28).

  • Your account admins can optionally specify IP addresses or subnets to block even if they are included in the allow list. This is known as the block list. You might use this feature if an allowed IP address range includes a smaller range of infrastructure IP addresses that in practice are outside the actual secure network perimeter.

  • Your account admins can use either the account console UI or a REST API to update the allow lists and block lists.

Feature details

The Accounts IP Access List feature enables Databricks account admins to configure IP allow lists and block lists for the account console. If the feature is disabled, all access is allowed to your account in the account console. There is support for allow lists (inclusion) and block lists (exclusion).

When a connection is attempted:

  1. First all block lists are checked. If the connection IP address matches any block list, the connection is rejected.

  2. If the connection was not rejected by block lists, the IP address is compared with the allow lists. If there is at least one allow list for the account console, the connection is allowed only if the IP address matches an allow list. If there are no allow lists for the account console, all IP addresses are allowed.

For all allow lists and block lists combined, the account console supports a maximum of 1000 IP/CIDR values, where one CIDR counts as a single value.

After changes to the IP access list feature, it can take a few minutes for changes to take effect.

IP access list for account console logic flow diagram

Use the account console UI

  1. As an account admin, go to the account console.

  2. In the sidebar, click Settings.

  3. On the Security tab, click IP Access List.

    IP access lists for account console main settings

By default, new IP access lists for the account console take effect within a few minutes. Account admins can disable or re-enable IP access lists for account console by clicking the Enabled button. Disabling the feature means that all existing allow lists or block lists are ignored and all IP addresses can access your account in the account console. Disabling it does not affect IP access lists for workspaces.

Add an IP access list

  1. As an account admin, go to the account console.

  2. In the sidebar, click Settings.

  3. In the Security tab, click IP Access List.

  4. Click Add rule.

    Add an IP access lists for account console
  5. Choose whether to make an ALLOW or BLOCK list.

  6. In the label field, add a human-readable label.

  7. Add one or more IP addresses or CIDR IP ranges, with commas separating them.

  8. Click Add rule.

Delete an IP access list

  1. As an account admin, go to the account console.

  2. In the sidebar, click Settings.

  3. In the Security tab, click IP Access List.

  4. To the right of a rule, click the three vertical dot icon (kebab menu) and click Delete.

  5. Confirm deletion in the confirmation popup that appears.

Disable an IP access list

  1. As an account admin, go to the account console.

  2. In the sidebar, click Settings.

  3. In the Security tab, click IP Access List.

  4. In the Status column, click the Enabled button to toggle between enabled and disabled.

Update an IP access list

  1. As an account admin, go to the account console.

  2. In the sidebar, click Settings.

  3. In the Security tab, click IP Access List.

  4. To the right of a rule, click the three vertical dot icon (kebab menu) and click Update.

  5. Update any fields.

  6. Click Update rule.

Use the API

This article discusses the most common tasks you can perform with the API. For the complete REST API reference, see the API Reference section on IP access list for account console.

To learn about authenticating to an account-level Databricks API like this one, see How to use the Account API.

The base path for the endpoints described in this article is https://<account-domain>/api/2.0, where <account-domain> is accounts.cloud.databricks.com.

Add an IP access list

To add an IP access list, call the Add an IP access list API (POST /accounts/<account-id>/ip-access-lists).

In the JSON request body, specify:

  • label — Label for this list.

  • list_type — Either ALLOW (allow list) or BLOCK (a block list, which means exclude even if in allow list).

  • ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.

The response is a copy of the object that you passed in, but with some additional fields, most importantly the list_id field. You may want to save that value so you can update or delete the list later. If you do not save it, you are still able to get the ID later by querying the full set of IP access lists with a GET request to the /accounts/<account-id>/ip-access-lists endpoint.

For example, to add an allow list:

curl -X POST -n \
  https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists
  -d '{
    "label": "office",
    "list_type": "ALLOW",
    "ip_addresses": [
        "1.1.1.1",
        "2.2.2.2/21"
      ]
    }'

Example response:

{
  "ip_access_list": {
    "list_id": "<list-id>",
    "label": "office",
    "ip_addresses": [
        "1.1.1.1",
        "2.2.2.2/21"
    ],
    "address_count": 2,
    "list_type": "ALLOW",
    "created_at": 1578423494457,
    "created_by": 6476783916686816,
    "updated_at": 1578423494457,
    "updated_by": 6476783916686816,
    "enabled": true
  }
}

To add a block list, do the same thing but with list_type set to BLOCK.

Update an IP access list

To update an IP access list:

  1. Call the List all IP access lists API (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to update.

  2. Call the Update an IP access list API (PATCH /accounts/<account-id>/ip-access-lists/<list-id>).

In the JSON request body, specify at least one of the following values to update:

  • label — Label for this list.

  • list_type — Either ALLOW (allow list) or BLOCK (block list, which means exclude even if in allow list).

  • ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.

  • enabled — Specifies whether this list is enabled. Pass true or false.

The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

For example, to disable a list:

curl -X PATCH -n \
  https:/<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>
  -d '{ "enabled": "false" }'

Replace an IP access list

To replace an IP access list:

  1. Call the List all IP access lists API (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to replace.

  2. Call the Replace an IP access list API (PUT /accounts/<account-id>/ip-access-lists/<list-id>).

In the JSON request body, specify:

  • label — Label for this list.

  • list_type — Either ALLOW (allow list) or BLOCK (block list, which means exclude even if in allow list).

  • ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.

  • enabled — Specifies whether this list is enabled. Pass true or false.

The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

For example, to replace the contents of the specified list with the following values:

curl -X PUT -n \
  https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>
  -d '{
    "label": "office",
    "list_type": "ALLOW",
    "ip_addresses": [
        "1.1.1.1",
        "2.2.2.2/21"
      ],
    "enabled": "false"
    }'

Delete an IP access list

To delete an IP access list:

  1. Call the List all IP access lists API (GET /accounts/<account-id>/ip-access-lists), and find the ID of the list you want to delete.

  2. Call the Delete an IP access list API (DELETE /accounts/<account-id>/ip-access-lists/<list-id>).

For example:

curl -X DELETE -n \
  https://<account-domain>/api/2.0/preview/accounts/<account-id>/ip-access-lists/<list-id>