Serverless compute firewall configuration
This feature is in Public Preview.
Databricks serverless compute connects to your cloud resources through managed network infrastructure. If firewalls protect your cloud resources, you must allow traffic from serverless compute. The configuration method depends on the type of resource:
- Google Cloud resources: Use serverless project numbers with VPC Service Controls (VPC-SC).
- Other resources: Allowlist the outbound IP addresses published by Databricks.
Configure access using serverless project numbers
This feature is in Private Preview. To join this preview, contact your Databricks account team.
Google Cloud VPC Service Controls (VPC-SC) are used to define service perimeters that create a security boundary around Google Cloud resources. Serverless project numbers enable you to create VPC-SCs between the Databricks serverless compute plane and your Google Cloud resources, such as GCS buckets. A VPC-SC ensures that only Databricks serverless SQL compute projects can access your resources. For more information, contact your Databricks account team.
Serverless project numbers are only supported from SQL warehouses. They are not supported from other compute resources in the serverless compute plane.
Configure access to other resources using outbound IP addresses
Starting in mid-February 2026, Databricks publishes outbound IPs in JSON format on a public endpoint, which is the supported method for retrieving these IPs.
If you use stable IPs from the Public Preview or copied them from a network connectivity configuration (NCC) in the account console, you must migrate to the new method before May 25, 2026. After May 25, 2026, legacy IP lists will be decommissioned, and incomplete migrations might result in workload disruptions.
For resources other than Google Cloud resources, serverless compute uses public IP addresses to reach your resources.
To allow serverless to access resources with firewalls, you must add the CIDR blocks published by Databricks to your allowlist. For more information about published outbound IP addresses, see Outbound IPs for serverless compute firewall preview.
Find the outbound IP addresses for your environment
- Download ip-ranges.json.
- Filter the JSON to the entries that apply to your workspace. Keep only entries where:
  - service is Databricks
  - type is outbound
  - region matches your workspace region
  - platform matches gcp
- Allowlist the ipv4Prefixes (CIDR blocks) from the matching entries in your resource firewall.
Automate updates to keep your allowlist current
You must automate updates to your allowlist. Databricks changes these IPs over time, so a static, one-time copy eventually breaks serverless connectivity. Updates publish as often as once every 30 days, new IPs become active as soon as 60 days after publication, and new regions are added periodically. To keep your allowlist current:
- Fetch ip-ranges.json on a schedule (for example, every 30 days).
- Compare its timestampSeconds field against your saved copy to detect changes.
- If it changed, check whether the IPs for your platform and region changed.
- Update your firewall allowlist with any new IPs.
- Save the file for the next comparison.
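The filter from "Find the outbound IP addresses for your environment" and the comparison steps above, as an added Python example that is not Databricks code. It works on two already-downloaded copies of ip-ranges.json. Assumptions: the sample documents are constructed, and the top-level `prefixes` key, the `inbound` type value and the function names do not come from this page.

```python
import ipaddress

# Constructed sample data (documentation IP ranges). The top-level "prefixes"
# key is an assumption; the per-entry field names are the ones listed above.
def _entry(type_, platform, region, cidrs):
    return {"service": "Databricks", "type": type_, "platform": platform,
            "region": region, "ipv4Prefixes": cidrs}

SAVED = {"timestampSeconds": 1700000000, "prefixes": [
    _entry("outbound", "gcp", "us-central1", ["192.0.2.0/28", "192.0.2.16/28"]),
    _entry("inbound", "gcp", "us-central1", ["198.51.100.0/28"]),
]}
FETCHED = {"timestampSeconds": 1702592000, "prefixes": [
    _entry("outbound", "gcp", "us-central1", ["192.0.2.16/28", "203.0.113.0/28"]),
    _entry("outbound", "aws", "us-east-1", ["198.51.100.64/28"]),
    _entry("inbound", "gcp", "us-central1", ["198.51.100.0/28"]),
]}

def outbound_cidrs(doc, region, platform="gcp"):
    """Validated IPv4 networks from entries matching all four filter fields."""
    nets = set()
    for e in doc.get("prefixes", []):
        if (e.get("service"), e.get("type"), e.get("platform"), e.get("region")) \
                == ("Databricks", "outbound", platform, region):
            # strict=True rejects malformed CIDRs and ones with host bits set
            nets.update(ipaddress.ip_network(c, strict=True)
                        for c in e.get("ipv4Prefixes", []))
    return nets

def plan_update(saved, fetched, region, platform="gcp"):
    """Compare timestampSeconds, then the filtered prefixes, and return a plan."""
    plan = {"changed": False, "add": [], "stale": []}
    if fetched["timestampSeconds"] == saved["timestampSeconds"]:
        return plan  # file not republished since the saved copy
    old = outbound_cidrs(saved, region, platform)
    new = outbound_cidrs(fetched, region, platform)
    if not new:
        # A wrong region/platform filter or a truncated file must not be
        # treated as "remove everything".
        raise ValueError(f"no outbound prefixes for {platform}/{region}")
    plan["changed"] = old != new
    plan["add"] = sorted(str(n) for n in new - old)
    # Reported only; this example never removes rules automatically.
    plan["stale"] = sorted(str(n) for n in old - new)
    return plan

if __name__ == "__main__":
    print(plan_update(SAVED, FETCHED, "us-central1"))
```

Apply the `add` list to the resource firewall, then save the fetched file as the new baseline only after the update succeeds.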
Considerations
Review the following considerations before you configure a firewall for serverless compute:
- Configuring a firewall also affects connectivity from classic compute resources. You must also update your resource access rules to allow the IPs for connections from classic compute resources.
- Allow time for firewall rule propagation before testing connectivity from serverless compute.