
Users to Databricks networking

This guide introduces features to customize network access between users and their Databricks workspaces.

Why customize networking from users to Databricks?

By default, users and applications can connect to Databricks from any IP address. Users might access critical data sources using Databricks. If a user's credentials are compromised through phishing or a similar attack, securing network access dramatically reduces the risk of an account takeover. Configurations like private connectivity, IP access lists, and firewalls help keep critical data secure.

You can also configure authentication and access control features to protect your users' credentials. See Authentication and access control.

note

Users to Databricks secure networking features require the Premium plan.

Private connectivity

Between Databricks users and the control plane, Private Service Connect provides strong controls that limit the source for inbound requests. If your organization routes traffic through a GCP environment, you can use Private Service Connect to ensure the communication between users and the Databricks control plane does not traverse public IP addresses. See Configure private connectivity to Databricks.

Context-based ingress control

Context-based ingress control provides account-level policies that combine identity, request type, and network source to determine who can reach your workspace. Ingress policies allow you to:

  • Allow or deny access to Workspace UI, APIs, or Lakebase compute.
  • Apply rules to all users, all service principals, or specific selected identities.
  • Grant or block access from all public IPs or from specific IP ranges.
  • Run in dry-run mode to log denials without blocking traffic, or in enforced mode to actively block untrusted requests.

Each account includes a default ingress policy that applies to all eligible workspaces. Workspace IP access lists are still supported, but they are evaluated only after the account ingress policy allows a request. For more information, see Context-based ingress control.

IP access lists

Authentication proves user identity, but it does not enforce the network location of the users. Accessing a cloud service from an unsecured network poses security risks, especially when the user may have authorized access to sensitive or personal data. Using IP access lists, you can configure Databricks workspaces so that users connect to the service only through existing networks with a secure perimeter.

Admins can specify the IP addresses that are allowed access to Databricks. You can also specify IP addresses or subnets to block. For details, see Manage IP access lists.
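The two-stage order described above (the account ingress policy is evaluated first, and workspace IP access lists only after it allows the request), as an added Python model that is not Databricks code. The rule fields, mode names, identities and addresses are constructed for illustration, and the model assumes a workspace block entry takes precedence over an allow entry.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the evaluation order on this page: account ingress
# policy first, workspace IP access lists second. Field and mode names are
# assumptions for illustration, not Databricks API names.

@dataclass
class IngressRule:
    effect: str                 # "ALLOW" or "DENY"
    request_types: frozenset    # any of "WORKSPACE_UI", "API", "LAKEBASE"
    identities: frozenset       # "ALL_USERS", "ALL_SERVICE_PRINCIPALS" or named identities
    sources: tuple = ()         # CIDRs; an empty tuple matches any public IP

    def matches(self, identity, kind, request_type, ip):
        scope = "ALL_USERS" if kind == "USER" else "ALL_SERVICE_PRINCIPALS"
        if request_type not in self.request_types:
            return False
        if scope not in self.identities and identity not in self.identities:
            return False
        return not self.sources or any(ip in ip_network(c) for c in self.sources)

@dataclass
class AccountIngressPolicy:
    rules: list
    mode: str = "ENFORCED"      # "DRY_RUN" logs the denial but lets the request continue
    log: list = field(default_factory=list)

def evaluate(policy, allow_cidrs, block_cidrs, identity, kind, request_type, source):
    """Return the verdict for one request, tagged with the stage that decided it."""
    ip = ip_address(source)
    # Stage 1: account ingress policy; first matching rule wins, no match means allow.
    for rule in policy.rules:
        if rule.matches(identity, kind, request_type, ip):
            if rule.effect == "DENY":
                policy.log.append(f"{policy.mode}: {identity} {request_type} from {source} denied")
                if policy.mode == "ENFORCED":
                    return "DENY:account_policy"
            break
    # Stage 2: workspace IP access lists, reached only after the policy lets the request through.
    if any(ip in ip_network(c) for c in block_cidrs):
        return "DENY:workspace_block_list"
    if allow_cidrs and not any(ip in ip_network(c) for c in allow_cidrs):
        return "DENY:workspace_allow_list"
    return "ALLOW"

def demo():
    # Constructed policy: users may reach the UI and APIs from the office range; everything else is denied.
    policy = AccountIngressPolicy(rules=[
        IngressRule("ALLOW", frozenset({"WORKSPACE_UI", "API"}), frozenset({"ALL_USERS"}), ("203.0.113.0/24",)),
        IngressRule("DENY", frozenset({"WORKSPACE_UI", "API", "LAKEBASE"}), frozenset({"ALL_USERS", "ALL_SERVICE_PRINCIPALS"})),
    ])
    allow, block = ["203.0.113.0/24"], ["203.0.113.99/32"]   # workspace lists: one host in the range is blocked
    return [evaluate(policy, allow, block, "alice@example.com", "USER", "WORKSPACE_UI", src)
            for src in ("203.0.113.10", "198.51.100.7", "203.0.113.99")]
```

`demo()` returns `["ALLOW", "DENY:account_policy", "DENY:workspace_block_list"]`: the second request never reaches the workspace lists, and the third is admitted by the policy but stopped by the workspace block list.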

You can also use Private Service Connect to block all public internet access to a Databricks workspace.

Firewall rules

Many organizations use firewalls to block traffic based on domain names. You must allowlist Databricks domain names to ensure access to Databricks resources. For more information, see Configure domain name firewall rules.

Databricks also performs host header validation to ensure requests use authorized Databricks domains like .gcp.databricks.com. Requests using domains outside of the Databricks network will be blocked. This security measure protects against potential HTTP host header attacks.