Skip to main content

OpenSharing recipient firewall configuration for SecureConnect

Preview

This feature is in Public Preview.

This page describes how Databricks recipients access shares from a provider who has enabled OpenSharing SecureConnect.

If your provider has enabled SecureConnect and you have an egress firewall, you must allow outbound connections to Databricks IP addresses to access SecureConnect. Allowlist the IP addresses for the provider's cloud and region, regardless of the cloud you are on.

important

Databricks recipients on classic compute and open recipients must allow outbound connections to Databricks IP addresses in their egress firewall. SecureConnect does not initiate inbound connections to the recipient's network.

Databricks recipients on serverless compute do not need to configure their egress firewall to access SecureConnect. Databricks routes serverless traffic to SecureConnect internally.

Allowlist Databricks IPs in your egress firewall

Select the cloud your provider is on, then add the listed Databricks IP addresses to your egress firewall's outbound allowlist for the provider's region.

For an AWS provider, allowlist the Databricks IP addresses for "Default storage, OpenSharing SecureConnect, Zerobus Ingestion, and Lakebase (Autoscaling Beta)" corresponding to the provider's region.

See IP addresses and domains for Databricks services and assets.

Limitations

The following limitations apply to Databricks recipients accessing SecureConnect-enabled shares:

  • mTLS is not enabled for recipients using classic compute.
  • mTLS is not enabled for OIDC recipients.
  • Serverless Databricks recipients using a Databricks-to-Open credential in the same region as the provider are not supported.