OpenSharing recipient firewall configuration for SecureConnect
This feature is in Public Preview.
This page describes how Databricks recipients access shares from a provider who has enabled OpenSharing SecureConnect.
If your provider has enabled SecureConnect and you have an egress firewall, you must allowlist Databricks inbound IP addresses to access SecureConnect. The addresses to allowlist are those for the provider's cloud and region, regardless of which cloud your own workspace is on.
Databricks recipients on classic compute and open recipients must allowlist Databricks inbound IP addresses.
Databricks recipients on serverless compute do not need to configure their egress firewall to access SecureConnect. Databricks routes serverless traffic to SecureConnect internally.
Allowlist Databricks inbound IPs
Select the cloud your provider is on, then allowlist the listed Databricks inbound IP addresses for the provider's region.
- AWS provider: allowlist the Databricks inbound IP addresses listed under "Default storage, OpenSharing SecureConnect, Zerobus Ingestion, and Lakebase (Autoscaling Beta)" for the provider's region. See IP addresses and domains for Databricks services and assets.
- Azure provider: allowlist the Databricks inbound IP addresses listed under "Control Plane IPs, including default storage and webapp" for the provider's region. See IP addresses and domains for Databricks services and assets.
- GCP provider: allowlist the Databricks inbound IP addresses listed under "Control Plane services, including default storage and webapp" for the provider's region. See IP addresses and domains for Databricks services and assets.
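As an added example that is not part of the Databricks documentation, the following Python checks whether a recipient's existing egress allowlist fully covers the inbound ranges required for the provider's cloud and region, and reports any gaps. The CIDR values, the recipient type labels and the cloud/region keys are constructed placeholders; the real ranges must be taken from the IP addresses and domains page for the provider's cloud and region.

```python
"""Check an egress firewall allowlist against the Databricks inbound ranges a
recipient needs for the PROVIDER's cloud and region (never the recipient's).
All CIDRs below are constructed placeholders, not real Databricks addresses."""
import ipaddress

# Constructed sample table keyed by (provider cloud, provider region).
DATABRICKS_INBOUND = {
    ("aws", "us-east-1"): ["203.0.113.0/24", "198.51.100.0/25"],
    ("azure", "eastus"): ["192.0.2.0/26", "192.0.2.64/26"],
}


def required_ranges(recipient, provider_cloud, provider_region):
    """Ranges the recipient must allowlist. Serverless Databricks recipients
    need none, because serverless traffic reaches SecureConnect internally;
    classic-compute and open recipients need the provider-region ranges."""
    if recipient == "databricks-serverless":
        return []
    if recipient not in ("databricks-classic", "open"):
        raise ValueError(f"unknown recipient type: {recipient}")
    key = (provider_cloud.lower(), provider_region.lower())
    if key not in DATABRICKS_INBOUND:
        raise KeyError(f"no inbound ranges recorded for {key}")
    return list(DATABRICKS_INBOUND[key])


def uncovered_ranges(required, allowed):
    """Return the required CIDRs not fully covered by the firewall's allowed
    CIDRs. Allowed rules are collapsed per IP version first, so a /24 that is
    covered by two adjacent /25 rules counts as covered, and IPv4/IPv6 rules
    never get compared against each other."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    collapsed = []
    for version in (4, 6):
        collapsed += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    missing = []
    for r in required:
        need = ipaddress.ip_network(r, strict=False)
        if not any(need.version == a.version and need.subnet_of(a)
                   for a in collapsed):
            missing.append(str(need))
    return missing


if __name__ == "__main__":
    # Constructed allowlist: covers one AWS range via two /25 rules, misses the other.
    fw = ["203.0.113.0/25", "203.0.113.128/25", "2001:db8::/32"]
    print(uncovered_ranges(required_ranges("open", "AWS", "us-east-1"), fw))
```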
Limitations
The following limitations apply to Databricks recipients accessing SecureConnect-enabled shares:
- mTLS is not enabled for recipients using classic compute.
- mTLS is not enabled for OIDC recipients.
- Serverless Databricks recipients using a Databricks-to-Open credential in the same region as the provider are not supported.