Skip to main content

Serverless compute firewall configuration

Databricks serverless compute connects to your cloud resources through managed network infrastructure. If firewalls protect your cloud resources, you must allow traffic from serverless compute. The configuration method depends on the type of resource:

  • Amazon S3 buckets in your workspace's region: Use VPCE OrgPath condition keys in your S3 bucket policies.
note

If you require dedicated, private connectivity to your resources, use an outbound Private Link connection to reach your resource instead of allowlisting IP addresses. See Configure private connectivity to resources in your VPC.

Configure S3 bucket access using VPCE OrgPath

Serverless compute communicates with Amazon S3 buckets in the same region as your workspace through a VPC endpoint (VPCE). You can restrict S3 bucket access to only Databricks serverless compute by adding a condition to your S3 bucket policy that uses the aws:VpceOrgPaths condition key.

Databricks serverless OrgPath

o-g29axo4oyt/r-gu8r/ou-gu8r-g4va1rkr/ou-gu8r-hvyilq7g/
note

The VPCE OrgPath contains Databricks serverless VPCs. Each VPC has an S3 gateway endpoint. Gateway endpoints are only available in the region where they are created.

Configure access to other resources using outbound IP addresses

important

Starting in mid-February 2026, Databricks publishes outbound IPs in JSON format on a public endpoint, which is the supported method for retrieving these IPs.

If you use stable IPs from the Public Preview or copied them from a network connectivity configuration (NCC) in the account console, you must migrate to the new method before May 25, 2026. After May 25, 2026, legacy IP lists will be decommissioned, and incomplete migrations might result in workload disruptions.

For resources other than Amazon S3 or Amazon DynamoDB in the same region as your workspace, serverless compute uses public IP addresses to reach your resources.

To allow serverless to access resources with firewalls, you must add the CIDR blocks published by Databricks to your allowlist. For more information about published outbound IP addresses, see Outbound IPs for serverless compute firewall preview.

Find the outbound IP addresses for your environment

  1. Download ip-ranges.json.
  2. Filter the JSON to the entries that apply to your workspace. Keep only entries where:
    • service is Databricks
    • type is outbound
    • region matches your workspace region
    • platform matches aws
  3. Allowlist the ipv4Prefixes (CIDR blocks) from the matching entries in your resource firewall.

Automate updates to keep your allowlist current

You must automate updates to your allowlist. Databricks changes these IPs over time, so a static, one-time copy eventually breaks serverless connectivity. Updates publish as often as once every 30 days, new IPs become active as soon as 60 days after publication, and new regions are added periodically. To keep your allowlist current:

  1. Fetch ip-ranges.json on a schedule (for example, every 30 days).
  2. Compare its timestampSeconds field against your saved copy to detect changes.
  3. If it changed, check whether the IPs for your platform and region changed.
  4. Update your firewall allowlist with any new IPs.
  5. Save the file for the next comparison.

Considerations

Review the following considerations before you configure a firewall for serverless compute:

  • Configuring a firewall also affects connectivity from classic compute resources. You must also update your resource access rules to allow the IPs for connections from classic compute resources.
  • Allow time for firewall rule propagation before testing connectivity from serverless compute.
  • DynamoDB allowlisting is in Private Preview. Contact your Databricks account team for access.

Next steps