Configure networking for Databricks Apps

Databricks Apps supports fine-grained network control to help you secure and manage how your app communicates with the internet and internal resources. You can configure both ingress (incoming) and egress (outgoing) traffic rules using a combination of IP access controls, front-end private connectivity, and network policies.

Ingress controls

Use the following features to limit access to your Databricks workspace and apps from the public internet.

  • IP access lists – Restrict workspace and app access to known and trusted IP ranges by enabling IP access lists at the workspace level. Only traffic from the configured IP ranges is allowed. For details, see Configure IP access lists for workspaces.
  • Front-end private connectivity – Route ingress traffic through your own VPC interface endpoint instead of the public internet. This setup provides private connectivity to apps running in the workspace. For details, see Configure private connectivity to Databricks.

Egress controls

To control outbound traffic from your app, apply network policies to the workspace hosting the app.

Network policies

Use network policies to enforce egress restrictions on Databricks apps and other serverless workloads. This is useful when you need to meet organizational or compliance requirements for controlling outbound connectivity.

note

Network policies are only available on the Premium tier.

Apply a network policy if your app:

  • Must limit access to a specific set of approved external domains
  • Needs to prevent accidental data exfiltration
  • Must comply with security or compliance standards that restrict outbound internet traffic

Best practices for configuring network policies

Follow these guidelines to avoid unintended disruptions and ensure that your apps can access required resources:

  • Allow only required destinations. Add fully qualified domain names (FQDNs) for public or private resources that your app needs.
  • Include package repositories as needed. If your app installs public Python or Node.js packages, you might need to allow domains such as pypi.org for Python, or registry.npmjs.org for Node. Your application might require additional or different domains depending on your specific dependencies. Without these repositories, app builds that rely on requirements.txt or package.json might fail.
  • Use dry-run mode to validate your network policy. This mode simulates policy enforcement without blocking traffic.
  • Review denied connection attempts using the system.access.outbound_network table. This helps you identify domains that you might need to allow. See Check denial logs.
  • Add any required external domains, such as trusted APIs or GCP storage accounts not registered in Unity Catalog.
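The review loop described in the guidelines above (dry-run the policy, check denial records, then allow only what the app needs), as an added example that is not Databricks documentation code. The row field names (access_type, dest_fqdn), the access_type values, and every hostname are constructed stand-ins for what a query over system.access.outbound_network would return; adjust them to the real schema.

```python
from collections import Counter

# access_type values that mean the policy blocked (or would block) the connection;
# DRY_RUN_DENY stands for what dry-run mode reports (assumed names).
DENIAL_TYPES = {"DENY", "DRY_RUN_DENY"}

# Constructed sample rows standing in for a dry-run query result.
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01T10:00:01Z", "access_type": "DRY_RUN_DENY", "dest_fqdn": "pypi.org"},
    {"event_time": "2024-05-01T10:00:02Z", "access_type": "DRY_RUN_DENY", "dest_fqdn": "files.pythonhosted.org"},
    {"event_time": "2024-05-01T10:00:03Z", "access_type": "DRY_RUN_DENY", "dest_fqdn": "pypi.org"},
    {"event_time": "2024-05-01T10:00:04Z", "access_type": "DRY_RUN_DENY", "dest_fqdn": "api.partner.example"},
    {"event_time": "2024-05-01T10:00:05Z", "access_type": "DRY_RUN_DENY", "dest_fqdn": "paste.example.net"},
    {"event_time": "2024-05-01T10:00:06Z", "access_type": "ALLOW", "dest_fqdn": "storage.googleapis.com"},
]

# Hosts the app owners documented as required (constructed).
DOCUMENTED_DEPENDENCIES = {"pypi.org", "files.pythonhosted.org", "api.partner.example"}
# Hosts already present in the network policy allowlist (constructed).
CURRENT_ALLOWLIST = {"api.partner.example", "storage.googleapis.com"}


def denied_destinations(events):
    """Count denial records per destination FQDN, ignoring allowed traffic."""
    return Counter(e["dest_fqdn"].lower() for e in events if e["access_type"] in DENIAL_TYPES)


def plan_allowlist_update(events, documented, allowlist):
    """Sort denied destinations into buckets for the policy owner.

    add:         documented dependencies missing from the allowlist
    investigate: destinations nobody documented; a possible exfiltration path
                 or an undocumented dependency, so do not allow them blindly
    drift:       destinations denied although the allowlist contains them,
                 meaning the deployed policy differs from the intended one
    """
    counts = denied_destinations(events)
    add = sorted(h for h in counts if h in documented and h not in allowlist)
    investigate = sorted(h for h in counts if h not in documented and h not in allowlist)
    drift = sorted(h for h in counts if h in allowlist)
    return {"add": add, "investigate": investigate, "drift": drift, "counts": dict(counts)}


if __name__ == "__main__":
    plan = plan_allowlist_update(SAMPLE_EVENTS, DOCUMENTED_DEPENDENCIES, CURRENT_ALLOWLIST)
    for bucket in ("add", "investigate", "drift"):
        print(f"{bucket}: {plan[bucket]}")
```

Run it against the real query output once the dry-run period has covered a full app build and typical usage, otherwise the "add" bucket will be incomplete.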