Configure networking for Databricks Apps
Databricks Apps supports fine-grained network control to help you secure and manage how your app communicates with the internet and internal resources. You can configure both ingress (incoming) and egress (outgoing) traffic rules using a combination of IP access lists, front-end private connectivity, and network policies.
Network architecture
Databricks deploys apps on the serverless compute plane, where they receive traffic directly. This is similar to other route-optimized services like Model Serving and Vector Search.
The connection process operates as follows:
- Initial user requests to a Databricks app initiate OAuth authentication with the control plane to validate the session and authorize access to the app.
- Upon successful authentication, all subsequent requests are routed directly to the serverless compute plane without traversing the control plane.
Network security policies configured for the serverless compute plane apply to Databricks Apps traffic. This includes IP access lists and front-end private connectivity configurations.
Ingress controls
Use the following features to limit access to your Databricks workspace and apps from the public internet.
- IP access lists: Restrict workspace and app access to known and trusted IP ranges by enabling IP access lists at the workspace level. Only traffic from the configured IP ranges is allowed. For details, see Configure IP access lists for workspaces.
- Front-end private connectivity: Route ingress traffic through your own VPC interface endpoint instead of the public internet. You must configure conditional DNS forwarding for the `databricksapps.com` domain so that your app's hostname resolves through your private connection. Otherwise, DNS queries for your app's domain might resolve to public IP addresses instead of the private endpoint, and user traffic silently falls back to the public path. For setup instructions, see Configure private connectivity to Databricks.
Egress controls
To control outbound traffic from your app, apply network policies to the workspace hosting the app.
Network policies
Use network policies to enforce egress restrictions on Databricks apps and other serverless workloads. This is useful when you need to meet organizational or compliance requirements for controlling outbound connectivity.
Network policies are only available on the Premium tier.
Apply a network policy if your app:
- Must limit access to a specific set of approved external domains
- Needs to prevent accidental data exfiltration
- Must comply with security or compliance standards that restrict outbound internet traffic
Best practices for configuring network policies
Follow these guidelines to avoid unintended disruptions and ensure that your apps can access required resources:
- Allow only required destinations. Add fully qualified domain names (FQDNs) for public or private resources that your app needs.
- Include package repositories as needed. If your app installs public Python or Node.js packages, you might need to allow domains such as `pypi.org` for Python or `registry.npmjs.org` for Node. Your application might require additional or different domains depending on your specific dependencies. Without these repositories, app builds that rely on `requirements.txt` or `package.json` might fail.
- Use dry-run mode to validate your network policy. This mode simulates policy enforcement and logs what would be denied without blocking traffic.
- Review denied connection attempts using the `system.access.outbound_network` table. This helps you identify domains that you might need to allow. See Check denial logs.
- Add any required external domains, such as trusted APIs or Google Cloud Storage buckets not registered in Unity Catalog.
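The guidelines above describe a loop: start in dry-run mode, read the denial log, promote the destinations you recognise to the allow list, and only then enforce. The following is an added example that is not Databricks code; it runs that loop offline against constructed log rows. Everything about external formats is an assumption and labelled as such in the code: the log column names (`access_type`, `dest_url`), the `access_type` values (`DROP`, `DRY_RUN_DENIAL`), and the policy field names and enum values used in `build_policy()`. Check each against the current account network-policy API reference before submitting anything.

```python
# Added example, not Databricks code: dry-run -> review denials -> allow loop.
#
# ASSUMPTIONS: the log column names (access_type, dest_url), the access_type
# values (DROP, DRY_RUN_DENIAL) and the policy field names / enum values in
# build_policy() are this example's reading of system.access.outbound_network
# and the account network-policy API. Verify them against the API reference.
from collections import Counter
from urllib.parse import urlsplit

DENIAL_TYPES = {"DROP", "DRY_RUN_DENIAL"}   # assumed access_type values

# Hosts the package managers contact. pypi.org and registry.npmjs.org come
# from the guidelines; files.pythonhosted.org is added here because pip
# downloads the package files themselves from that host.
PACKAGE_REPO_HOSTS = {
    "python": {"pypi.org", "files.pythonhosted.org"},
    "node": {"registry.npmjs.org"},
}

# Constructed sample rows shaped like system.access.outbound_network output.
SAMPLE_DENIALS = [
    {"event_time": "2025-01-10T09:00:01Z", "access_type": "DRY_RUN_DENIAL",
     "dest_url": "https://pypi.org/simple/requests/"},
    {"event_time": "2025-01-10T09:00:02Z", "access_type": "DRY_RUN_DENIAL",
     "dest_url": "https://files.pythonhosted.org/packages/aa/bb/requests.whl"},
    {"event_time": "2025-01-10T09:00:03Z", "access_type": "DRY_RUN_DENIAL",
     "dest_url": "files.pythonhosted.org:443"},
    {"event_time": "2025-01-10T09:01:00Z", "access_type": "DRY_RUN_DENIAL",
     "dest_url": "https://api.example-partner.com/v1/quotes"},
    {"event_time": "2025-01-10T09:02:00Z", "access_type": "DROP",
     "dest_url": "http://169.254.169.254/computeMetadata/v1/"},
]


def host_of(dest):
    """Extract a lower-cased host from a URL or a bare host[:port] string."""
    parts = urlsplit(dest if "//" in dest else "//" + dest)
    return (parts.hostname or "").lower()


def denied_hosts(rows):
    """Count denied connection attempts per destination host."""
    counts = Counter()
    for row in rows:
        if row.get("access_type") in DENIAL_TYPES:
            host = host_of(row.get("dest_url", ""))
            if host:
                counts[host] += 1
    return counts


def review_denials(rows, approved):
    """Split denied hosts into (approved -> add to allow list, unknown -> investigate).

    Only hosts a human has explicitly approved are promoted. Everything else,
    including raw IP destinations such as the sample metadata-service row,
    stays denied, so the review step cannot degrade into "allow whatever
    the app was seen talking to".
    """
    approved = {h.lower() for h in approved}
    counts = denied_hosts(rows)
    to_allow = {h: n for h, n in counts.items() if h in approved}
    to_investigate = {h: n for h, n in counts.items() if h not in approved}
    return to_allow, to_investigate


def build_policy(allowed_hosts, runtimes=("python",), dry_run=True):
    """Build an egress policy body that allows only named FQDNs.

    Starts in dry-run by default so the first rollout only logs. Field names
    and enum values are ASSUMED (see header comment).
    """
    hosts = set(allowed_hosts)
    for runtime in runtimes:
        hosts |= PACKAGE_REPO_HOSTS[runtime]
    return {
        "egress": {
            "network_access": {
                "restriction_mode": "RESTRICTED_ACCESS",
                "allowed_internet_destinations": [
                    {"destination": h, "internet_destination_type": "DNS_NAME"}
                    for h in sorted(hosts)
                ],
                "policy_enforcement": {
                    "enforcement_mode": "DRY_RUN" if dry_run else "ENFORCED",
                },
            }
        }
    }


if __name__ == "__main__":
    allow, investigate = review_denials(SAMPLE_DENIALS, ["api.example-partner.com"])
    print("add to allow list:", allow)
    print("investigate:      ", investigate)
    print(build_policy(allow, runtimes=("python",), dry_run=True))
```

The design point is the `approved` argument: the denial log tells you what the app tried to reach, not what it should reach, so the script refuses to promote a host nobody named. Run with `dry_run=True` first, re-read the log until `to_investigate` is empty or explained, then rebuild with `dry_run=False`.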
Encryption and traffic routing
Databricks Apps uses dedicated routing paths and multiple encryption layers to secure network communications and protect data.
Traffic routing
Traffic between the Databricks control plane, compute plane, other Databricks resources, and cloud services travels over the cloud provider's global network and doesn't traverse the public internet.
Traffic between users and `databricksapps.com` might traverse the public internet depending on the user's network location. To avoid public internet routing, configure front-end private connectivity.
Encryption in transit
All network communications to and from apps are encrypted:
- User traffic: Communication between users and `databricksapps.com` uses Transport Layer Security (TLS) 1.3 encryption.
- Control plane traffic: Communication between the Databricks control plane and compute plane uses mutual TLS (mTLS) for management operations including app creation, updates, and deletion.
Encryption at rest
Databricks Apps encrypts stored data using the following methods:
- Application code: Databricks stores app code in workspace files and uses the same encryption as notebooks and other workspace files.
- Compute storage: Apps use ephemeral host operating system disks encrypted with AES-256 and the cloud provider's default encryption implementation.