Serverless compute firewall configuration

Preview

This feature is in Public Preview.

Databricks serverless compute connects to your cloud resources through managed network infrastructure. If firewalls protect your cloud resources, you must allow traffic from serverless compute. The configuration method depends on the type of resource:

Configure access using serverless project numbers

Preview

This feature is in Private Preview. To join this preview, contact your Databricks account team.

Google Cloud VPC Service Controls (VPC-SC) are used to define service perimeters that create a security boundary around Google Cloud resources. Serverless project numbers enable you to create VPC-SCs between the Databricks serverless compute plane and your Google Cloud resources, such as GCS buckets. A VPC-SC ensures that only Databricks serverless SQL compute projects can access your resources. For more information, contact your Databricks account team.

Serverless project numbers are only supported from SQL warehouses. They are not supported from other compute resources in the serverless compute plane.

Configure access to other resources using outbound IP addresses

Important

Starting in mid-February 2026, Databricks publishes outbound IPs in JSON format on a public endpoint, which is the supported method for retrieving these IPs.

If you use stable IPs from the Public Preview or copied them from a network connectivity configuration (NCC) in the account console, you must migrate to the new method before May 25, 2026. After May 25, 2026, legacy IP lists will be decommissioned, and incomplete migrations might result in workload disruptions.

For resources other than Google Cloud resources, serverless compute uses public IP addresses to reach your resources.

To allow serverless compute to access resources protected by firewalls, you must add the CIDR blocks published by Databricks to your allowlist. For more information about published outbound IP addresses, see Outbound IPs for serverless compute firewall preview.

Find the outbound IP addresses for your environment

  1. Download ip-ranges.json.
  2. Filter the JSON to the entries that apply to your workspace. Keep only entries where:
    • service is Databricks
    • type is outbound
    • region matches your workspace region
    • platform matches gcp
  3. Allowlist the ipv4Prefixes (CIDR blocks) from the matching entries in your resource firewall.

Automate updates to keep your allowlist current

You must automate updates to your allowlist. Databricks changes these IPs over time, so a static, one-time copy eventually breaks serverless connectivity. Updates publish as often as once every 30 days, new IPs become active as soon as 60 days after publication, and new regions are added periodically. To keep your allowlist current:

  1. Fetch ip-ranges.json on a schedule (for example, every 30 days).
  2. Compare its timestampSeconds field against your saved copy to detect changes.
  3. If it changed, check whether the IPs for your platform and region changed.
  4. Update your firewall allowlist with any new IPs.
  5. Save the file for the next comparison.
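The filter and comparison steps above, sketched as an added example (not Databricks code) that runs on two constructed copies of the file instead of fetching it. Assumptions: entries sit under a top-level `prefixes` list, region strings look like `us-central1`, and the `MIN_PREFIX_LEN` guard against overly broad ranges is a local safeguard that the page does not specify.

```python
import ipaddress
import json

# Constructed sample documents (documentation-range IPs, not real Databricks data).
# Assumption: entries live under a top-level "prefixes" list.
SAVED = json.loads("""{"timestampSeconds": 1767225600, "prefixes": [
  {"service": "Databricks", "type": "outbound", "platform": "gcp",
   "region": "us-central1", "ipv4Prefixes": ["192.0.2.0/28"]}]}""")
FETCHED = json.loads("""{"timestampSeconds": 1769817600, "prefixes": [
  {"service": "Databricks", "type": "outbound", "platform": "gcp",
   "region": "us-central1", "ipv4Prefixes": ["192.0.2.0/28", "198.51.100.0/27"]},
  {"service": "Databricks", "type": "outbound", "platform": "gcp",
   "region": "europe-west1", "ipv4Prefixes": ["203.0.113.0/28"]},
  {"service": "Databricks", "type": "inbound", "platform": "gcp",
   "region": "us-central1", "ipv4Prefixes": ["203.0.113.64/28"]},
  {"service": "Databricks", "type": "outbound", "platform": "aws",
   "region": "us-central1", "ipv4Prefixes": ["203.0.113.128/28"]}]}""")

MIN_PREFIX_LEN = 16  # assumed local guard: refuse to allowlist anything broader


def outbound_cidrs(doc, region, platform="gcp", entries_key="prefixes"):
    """Filter steps 2-3: return the validated IPv4 CIDRs to allowlist."""
    cidrs = set()
    for entry in doc.get(entries_key, []):
        if (entry.get("service"), entry.get("type")) != ("Databricks", "outbound"):
            continue
        if entry.get("region") != region or entry.get("platform") != platform:
            continue
        for raw in entry.get("ipv4Prefixes", []):
            net = ipaddress.IPv4Network(raw, strict=True)  # raises on malformed input
            if net.prefixlen < MIN_PREFIX_LEN:
                raise ValueError(f"refusing overly broad prefix {net}")
            cidrs.add(str(net))
    return cidrs


def plan_update(saved, fetched, region):
    """Update steps 2-4: return (added, removed) CIDRs for this region."""
    if fetched["timestampSeconds"] == saved["timestampSeconds"]:
        return [], []  # file unchanged since the saved copy
    old, new = outbound_cidrs(saved, region), outbound_cidrs(fetched, region)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = plan_update(SAVED, FETCHED, "us-central1")
    print("add to allowlist:", added, "| no longer published:", removed)
```

Validating each prefix before it reaches the firewall means a malformed or unexpectedly broad entry stops the job instead of widening the allowlist.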

Considerations

Review the following considerations before you configure a firewall for serverless compute:

  • Configuring a firewall also affects connectivity from classic compute resources. You must also update your resource access rules to allow the IPs for connections from classic compute resources.
  • Allow time for firewall rule propagation before testing connectivity from serverless compute.