Configure IP access lists for workspaces

This article describes how to configure IP access lists for Databricks workspaces. This article discusses the most common tasks you can perform using the Databricks CLI.

You can also use the IP Access Lists API.

Requirements

This feature requires the Enterprise pricing tier.

IP access lists support only Internet Protocol version 4 (IPv4) addresses.

Any public IPs that the compute plane uses to access the control plane must either be added to an allow list or you must configure back-end PrivateLink. Otherwise, classic compute resources cannot launch.

For example, when you configure a customer-managed VPC, subnets must have outbound access to the public network using a NAT gateway or a similar approach. Those public IPs must be present in an allow list. See Subnets. Alternatively, if you use a Databricks-managed VPC and you configure the managed NAT gateway to access public IPs, those IPs must be present in an allow list. For more information, see the Databricks Community post.

Check if your workspace has the IP access list feature enabled

To check if your workspace has the IP access list feature enabled:

Bash

databricks workspace-conf get-status enableIpAccessLists

Enable or disable the IP access list feature for a workspace

In a JSON request body, specify enableIpAccessLists as true (enabled) or false (disabled).

Bash
databricks workspace-conf set-status --json '{
  "enableIpAccessLists": "true"
}'

Add an IP access list

When the IP access lists feature is enabled and there are no allow lists or block lists for the workspace, all IP addresses are allowed. Adding IP addresses to the allow list blocks all IP addresses that are not on the list. Review the changes carefully to avoid unintended access restrictions.

Any public IPs that the compute plane uses to access the control plane should be added to an allow list.

IP access lists have a label, which is a name for the list, and a list type. The list type is either ALLOW (allow list) or BLOCK (a block list, which means exclude even if in allow list).

For example, to add an allow list:

Bash
databricks ip-access-lists create --json '{
  "label": "office",
  "list_type": "ALLOW",
  "ip_addresses": [
    "1.1.1.0/24",
    "2.2.2.2/32"
  ]
}'

List IP access lists

Bash

databricks ip-access-lists list

Update an IP access list

Specify at least one of the following values to update:

label — Label for this list.
list_type — Either ALLOW (allow list) or BLOCK (block list, which means exclude even if in allow list).
ip_addresses — A JSON array of IP addresses and CIDR ranges, as String values.
enabled — Specifies whether this list is enabled. Pass true or false.

The response is a copy of the object that you passed in with additional fields for the ID and modification dates.

For example, to disable a list:

Bash
databricks  ip-access-lists update <list-id> --json '{
  "enabled": false
}'

Delete an IP access list

To delete an IP access:

Bash
databricks  ip-access-lists delete <list-id>

Requirements​

Check if your workspace has the IP access list feature enabled​

Enable or disable the IP access list feature for a workspace​

Add an IP access list​

List IP access lists​

Update an IP access list​

Delete an IP access list​