Users to Databricks networking
This guide introduces features to customize network access between users and their Databricks workspaces.
Why customize networking from users to Databricks?
By default, users and applications can connect to Databricks from any IP address. Users might access critical data sources using Databricks. In the case a user’s credentials are compromised through phishing or a similar attack, securing network access dramatically reduces the risk of an account takeover. Configurations like private connectivity, IP access lists, and firewalls helps to keep your critical data secure.
You can also configure authentication and access control features to protect your user’s credentials, see Authentication and access control.
Note
Users to Databricks secure networking features require the Enterprise plan.
Private connectivity
Between Databricks users and the control plane, PrivateLink provides strong controls that limit the source for inbound requests. If your organization routes traffic through an AWS environment, you can use PrivateLink to ensure the communication between users and the Databricks control plane does not traverse public IP addresses. See Configure private connectivity to Databricks.
IP access lists
Authentication proves user identity, but it does not enforce the network location of the users. Accessing a cloud service from an unsecured network poses security risks, especially when the user may have authorized access to sensitive or personal data. Using IP access lists, you can configure Databricks workspaces so that users connect to the service only through existing networks with a secure perimeter.
Admins can specify the IP addresses that are allowed access to Databricks. You can also specify IP addresses or subnets to block. For details, see Manage IP access lists.
You can also use PrivateLink to block all public internet access to a Databricks workspace.
Firewall rules
Many organizations use firewall to block traffic based on domain names. You must allow list Databricks domain names to ensure access to Databricks resources. For more information, see Configure domain name firewall rules.
Databricks also performs host header validation for both public and private connections to ensure that requests originate from the intended host. This protects against potential HTTP host header attacks.