
Update workspace network configuration

Preview

This feature is in Public Preview.

Update or reconfigure an existing workspace for Private Service Connect

This page provides step-by-step instructions for updating the network configuration of an existing Databricks workspace to use Private Service Connect, change an existing workspace's front-end or back-end Private Service Connect settings, or modify its underlying network configuration, like expanding a subnet's IP range.

Why update your network configuration?

Updating your workspace network configuration provides the following enhanced security and connectivity capabilities:

  • Enhanced security: Use Private Service Connect to establish private connections between your VPC and Databricks services.
  • Flexible networking: Modify subnet IP ranges and network configurations to meet your organization's requirements.
  • Service integration: Connect your workspace to other Google Cloud services using private endpoints.
  • Custom connectivity: Configure front-end and back-end Private Service Connect settings for your specific use case.

Before you begin

  • To prevent disruption and ensure a safe update, terminate all running clusters and jobs in the workspace. You can restart them after the update is complete.

Change the subnet for an existing workspace

To change the IP range used by your workspace, you must create a new subnet with the desired range and then update your network configuration to use it.

Step 1: Create cloud resources

Create the necessary cloud resources in your Google Cloud project and Databricks account:

  1. Create a new subnet: Create a subnet in your VPC with the new CIDR range you intend to use in your Google Cloud project.
  2. Create a network configuration object: Create the network configuration object against the subnet in your Databricks account. See Step 2: Create a subnet.

Step 2: Update the workspace using the API

Update the workspace using the Databricks Accounts REST API:

  1. Authentication: Authenticate to the Accounts API. See Authorizing access to Databricks resources. On Google Cloud, you can also use Authentication with Google ID tokens.

  2. Execute the REST API:

    • Endpoint: PATCH /api/2.0/accounts/{account_id}/workspaces/{workspace_id}
    • Path Parameters:
      • account_id (required, uuid)
      • workspace_id (required, int64)
    • Query Parameters:
      • update_mask (required, string)
  3. Request example:

    HTTP
    PATCH /api/2.0/accounts/{account_id}/workspaces/{workspace_id}?update_mask=network_id
    Content-Type: application/json

    {
      "network_id": "fd0cc5bc-683c-47e9-b15e-144d7744a496"
    }
  4. Response example:

    JSON
    {
      "workspace_id": 3389895405782117,
      "workspace_name": "jessie-example-ws",
      "creation_time": 1722542958272,
      "deployment_name": "3389895405782117.7",
      "workspace_status": "RUNNING",
      "account_id": "2e0b6f3b-e1dc-43ea-93f5-7d55b9d7b780",
      "workspace_status_message": "Workspace is running.",
      "network_id": "fd0cc5bc-683c-47e9-b15e-144d7744a496",
      "pricing_tier": "ENTERPRISE",
      "location": "us-east4",
      "cloud": "gcp",
      "identity_federation_info": {
        "enable_identity_federation": true
      },
      "gke_config": {
        "connectivity_type": "PRIVATE_NODE_PUBLIC_MASTER",
        "master_ip_range": "10.103.0.0/28"
      },
      "cloud_resource_container": {
        "gcp": {
          "project_id": "databricks-dev-entd-shared"
        }
      }
    }

Step 3: Configure the firewall

Update your firewall's ingress rules to reflect the new CIDR range. Check that the Databricks ingress rule source is updated to reflect the new CIDR range. For details, see Limit network egress for your workspace using a firewall.

Step 4: Restart clusters and jobs

After the workspace update is complete, restart your clusters and jobs in the workspace.

Migrate a non-Private Service Connect workspace or change the Private Service Connect configuration of an existing workspace

Complete these steps if you are migrating a non-Private Service Connect workspace or changing the Private Service Connect configuration of an existing one.

Note

Confirm that your account is enabled for Private Service Connect. If it's not, contact your Databricks account team to enable it for your specific account, project, and region.

Step 1: Create or update cloud resources

  1. Create or update the necessary cloud resources:
    1. VPC endpoints: See Step 3: Create VPC endpoints.
    2. Private access settings: See Create private access settings.
    3. Network configuration: See Step 6: Create a network configuration.

You need the IDs for these resources in Step 2.

Step 2: Update the workspace using the API

To apply the changes, send a PATCH request to the Accounts API.

  • Authentication: Authenticate to the Accounts API. See Authorizing access to Databricks resources. On Google Cloud, you can also use Authentication with Google ID tokens.
  • Endpoint: PATCH /api/2.0/accounts/{account_id}/workspaces/{workspace_id}
  • Query Parameter: You must include the update_mask query parameter to specify which fields to update.
    • Example: update_mask=network_id,private_access_settings_id
  • Request Body: Include the new network_id and/or private_access_settings_id in the JSON body.

The following example request applies changes to a workspace's network configuration and private access settings:

HTTP
PATCH /api/2.0/accounts/{account_id}/workspaces/{workspace_id}?update_mask=network_id,private_access_settings_id
Content-Type: application/json

{
  "network_id": "fd0cc5bc-683c-47e9-b15e-244d7744a496",
  "private_access_settings_id": "3b3bbcb5-46bd-4b03-944e-97eb44ed7991"
}

Response example:

JSON
{
  "workspace_id": 3389895405782117,
  "workspace_name": "jessie-example-ws",
  "creation_time": 1722542958272,
  "deployment_name": "3389895405782117.7",
  "workspace_status": "RUNNING",
  "account_id": "2e0b6f3b-e1dc-43ea-93f5-7d55b9d7b780",
  "workspace_status_message": "Workspace is running.",
  "network_id": "fd0cc5bc-683c-47e9-b15e-144d7744a496",
  "pricing_tier": "ENTERPRISE",
  "private_access_settings_id": "3b3bbcb5-46bd-4b03-944e-97eb44ed7991",
  "location": "us-east4",
  "cloud": "gcp",
  "identity_federation_info": {
    "enable_identity_federation": true
  },
  "gke_config": {
    "connectivity_type": "PRIVATE_NODE_PUBLIC_MASTER",
    "master_ip_range": "10.103.0.0/28"
  },
  "cloud_resource_container": {
    "gcp": {
      "project_id": "databricks-dev-entd-shared"
    }
  }
}
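
The PATCH call from both "Update the workspace using the API" steps, as an added Python example that is not Databricks' own code: it derives update_mask from the request body so the two cannot disagree, rejects fields this page does not cover, and compares the response against what was requested. Assumptions: the host name, the bearer token, the UUID-shaped IDs and the helper names `build_workspace_patch` and `unapplied_fields` are illustrative, and the sample IDs are constructed.

```python
import json
import uuid
from urllib.parse import urlencode
from urllib.request import Request

# Fields this page shows being patched; anything else is rejected here.
ALLOWED_FIELDS = ("network_id", "private_access_settings_id")


def build_workspace_patch(host, account_id, workspace_id, token, changes):
    """Build (but do not send) the PATCH request for a workspace update.

    update_mask is derived from the body, so the two can never disagree.
    """
    unknown = sorted(set(changes) - set(ALLOWED_FIELDS))
    if unknown or not changes:
        raise ValueError(f"empty change set or unsupported fields: {unknown}")
    uuid.UUID(account_id)              # path parameter is documented as a uuid
    for value in changes.values():
        uuid.UUID(value)               # assumption: IDs are UUID-shaped, as on this page
    fields = [f for f in ALLOWED_FIELDS if f in changes]
    query = urlencode({"update_mask": ",".join(fields)}, safe=",")
    url = (f"https://{host}/api/2.0/accounts/{account_id}"
           f"/workspaces/{int(workspace_id)}?{query}")
    body = json.dumps({f: changes[f] for f in fields}).encode()
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}  # token obtained beforehand
    return Request(url, data=body, headers=headers, method="PATCH")


def unapplied_fields(changes, response):
    """Return requested fields whose value in the API response differs."""
    return [f for f in ALLOWED_FIELDS
            if f in changes and response.get(f) != changes[f]]


# Constructed sample values, not real resource IDs.
SAMPLE_ACCOUNT = "11111111-1111-4111-8111-111111111111"
SAMPLE_CHANGES = {
    "private_access_settings_id": "33333333-3333-4333-8333-333333333333",
    "network_id": "22222222-2222-4222-8222-222222222222",
}

if __name__ == "__main__":
    req = build_workspace_patch("accounts.example.invalid", SAMPLE_ACCOUNT,
                                1234567890123456, "<token>", SAMPLE_CHANGES)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned request to `urllib.request.urlopen`, then run `unapplied_fields` on the decoded JSON response before restarting clusters.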

Step 3: Configure DNS (optional)

This step is required if the workspace is a Private Service Connect workspace after the update. To allow users to access the new workspace URL, you must configure DNS. See Step 9: Configure DNS.

Step 4: Configure the firewall (optional)

This step is required if you updated the workspace with a network configuration object that uses a different CIDR range.

Update your firewall's ingress rules to allow traffic from the new subnet CIDR ranges. Verify that the Databricks ingress rule source is updated to reflect the new CIDR range. For details, see Limit network egress for your workspace using a firewall.
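
The ingress-source verification described in both firewall steps, as an added Python example that is not part of the original page: it sorts ingress rules into those that already cover the new subnet range, those still tied only to the old range, and those open to any source. Assumptions: rules are dictionaries shaped like Google Cloud firewall resources (`name`, `direction`, `sourceRanges`, `disabled`), and the rule names and CIDR ranges are constructed.

```python
import ipaddress


def audit_ingress_sources(rules, old_cidr, new_cidr):
    """Classify enabled ingress rules against the old and new subnet ranges."""
    old = ipaddress.ip_network(old_cidr)
    new = ipaddress.ip_network(new_cidr)
    result = {"covers_new": [], "stale": [], "any_source": []}
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        # subnet_of() raises TypeError across IP versions, so filter first.
        sources = [s for s in sources if s.version == new.version]
        if any(s.prefixlen == 0 for s in sources):
            # Matches everything, so it does not reflect the new range.
            result["any_source"].append(rule["name"])
        elif any(new.subnet_of(s) for s in sources):
            result["covers_new"].append(rule["name"])
        elif any(s.overlaps(old) for s in sources):
            # Still references the old range and nothing for the new one.
            result["stale"].append(rule["name"])
    return result


# Constructed sample rules, not taken from a real project.
SAMPLE_RULES = [
    {"name": "databricks-ingress-old", "direction": "INGRESS",
     "sourceRanges": ["10.10.0.0/24"]},
    {"name": "databricks-ingress-new", "direction": "INGRESS",
     "sourceRanges": ["10.20.0.0/22"]},
    {"name": "allow-all", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"]},
    {"name": "egress-default", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    report = audit_ingress_sources(SAMPLE_RULES, "10.10.0.0/24", "10.20.0.0/22")
    for category, names in report.items():
        print(f"{category}: {names}")
```

An empty `covers_new` list means no rule has been updated for the new range yet; entries under `stale` are candidates to update or remove once the old subnet is retired.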

Step 5: Restart clusters and jobs

After the workspace update is complete and any necessary DNS or firewall changes are configured, you can restart your clusters and jobs.