IP access lists

Enterprises that use cloud SaaS applications need to restrict access to their own employees. Authentication helps to prove user identity, but it does not enforce the network location of the users. Accessing a cloud service from an unsecured network can pose security risks to an enterprise, especially when the user may have authorized access to sensitive or personal data. Enterprise network perimeters apply security policies and limit access to external services (for example, firewalls, proxies, DLP, and logging), so access beyond these controls is assumed to be untrusted.

For example, suppose a hospital employee accesses a Databricks resource. If they walk from the office to a coffee shop, the hospital can block connections to the Databricks resource even if they have correct credentials.

There are two IP access list features:

  • IP access lists for workspaces: Configure Databricks workspaces so that users connect to the service only through existing corporate networks with a secure perimeter and a set of approved IP addresses. Workspace admins must use REST APIs to configure allowed and blocked IP addresses and subnets. See IP access lists for workspaces.

  • IP access lists for the account console (Public Preview): Configure the Databricks account console so that account owners and account admins connect to the account console UI and account-level REST APIs such as the Account API only through existing corporate networks with a secure perimeter and a set of approved IP addresses. Account owners and account admins can use an account console UI or a REST API to configure allowed and blocked IP addresses and subnets. See IP access lists for the account console.

Flexible configuration

  • Admins control the set of IP addresses on the public Internet that are allowed access. This is known as the allow list. Allow multiple IP addresses explicitly or as entire subnets using CIDR notation (for example 216.58.195.78/28).

  • Admins can optionally specify IP addresses or subnets to block even if they are included in the allow list. This is known as the block list. You might use this feature if an allowed IP address range includes a smaller range of infrastructure IP addresses that in practice are outside the actual secure network perimeter.
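The evaluation the two lists imply, as an added example that is not Databricks code and makes no call to the Databricks APIs: a connection passes only if its source address matches an allow-list entry and no block-list entry, so a block entry carved out of a larger allowed subnet wins. The sample lists are constructed; treating an empty allow list as "no restriction" is an assumption of this example, not something the page states.

```python
import ipaddress

# Constructed sample lists in the shape the page describes: an allow list of
# addresses and CIDR subnets, and a block list that overrides the allow list.
ALLOW_LIST = ["203.0.113.0/24", "198.51.100.10"]
BLOCK_LIST = ["203.0.113.128/25"]   # infrastructure range inside the allowed /24


def normalize(entry):
    """Parse an allow/block entry into a network object.

    strict=False accepts entries with host bits set (such as the page's
    216.58.195.78/28) and normalises them to the containing network, which
    is what the entry effectively covers.
    """
    return ipaddress.ip_network(entry, strict=False)


def check_access(client_ip, allow_list, block_list):
    """Return (allowed, reason) for client_ip.

    Block entries are evaluated first: an address inside a blocked range is
    rejected even if it also sits inside an allowed range. An empty allow list
    is treated as 'no restriction' (assumption for this example).
    """
    ip = ipaddress.ip_address(client_ip)
    # A network of the other IP version never matches, so mixed lists are safe.
    for entry in block_list:
        net = normalize(entry)
        if ip in net:
            return False, f"blocked by {net}"
    if not allow_list:
        return True, "no allow list configured"
    for entry in allow_list:
        net = normalize(entry)
        if ip in net:
            return True, f"allowed by {net}"
    return False, "not in any allow-list entry"


def is_allowed(client_ip, allow_list=ALLOW_LIST, block_list=BLOCK_LIST):
    """Convenience wrapper returning only the decision."""
    return check_access(client_ip, allow_list, block_list)[0]


if __name__ == "__main__":
    for probe in ("203.0.113.5", "203.0.113.200", "198.51.100.10", "192.0.2.1"):
        print(probe, check_access(probe, ALLOW_LIST, BLOCK_LIST))
```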