Users to Azure Databricks networking

This guide introduces features to customize network access between users and their Azure Databricks workspaces.

Why customize networking from users to Azure Databricks?

By default, users and applications can connect to Azure Databricks from any IP address. Users might access critical data sources using Azure Databricks. If a user's credentials are compromised through phishing or a similar attack, securing network access dramatically reduces the risk of an account takeover. Configurations like private connectivity, IP access lists, and firewalls help keep your critical data secure.

You can also configure authentication and access control features to protect your users' credentials. See Authentication and access control.

Note

Users to Azure Databricks secure networking features require the Premium plan.

Private connectivity

Between Azure Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If your organization routes traffic through an Azure environment, you can use Private Link to ensure the communication between users and the Databricks control plane does not traverse public IP addresses. See Configure private connectivity to Azure Databricks.

IP access lists

Authentication proves user identity, but it does not enforce the network location of the users. Accessing a cloud service from an unsecured network poses security risks, especially when the user may have authorized access to sensitive or personal data. Using IP access lists, you can configure Azure Databricks workspaces so that users connect to the service only through existing networks with a secure perimeter.

Admins can specify the IP addresses that are allowed access to Azure Databricks. You can also specify IP addresses or subnets to block. For details, see Manage IP access lists.

You can also use Private Link to block all public internet access to an Azure Databricks workspace.
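
Before enabling the allow and block lists described above, it helps to check that the planned entries do not lock out the addresses that must keep access. The following is an added example, not Databricks code. It assumes the evaluation order given in the IP access list documentation (block lists are checked first; when any allow list exists, only matching addresses are admitted). The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def _networks(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(source_ip, allow_entries, block_entries):
    """Return (allowed, reason) for one source address.

    Assumed evaluation order: block entries first; then, if any allow
    entry exists, the address must match one; with no allow entries,
    everything that is not blocked is admitted.
    """
    ip = ipaddress.ip_address(source_ip)
    for net in _networks(block_entries):
        if ip in net:
            return False, f"blocked by {net}"
    allow = _networks(allow_entries)
    if not allow:
        return True, "no allow list configured"
    for net in allow:
        if ip in net:
            return True, f"allowed by {net}"
    return False, "not in any allow list"

def preflight(must_reach, allow_entries, block_entries):
    """List the addresses in must_reach that the planned lists would lock out."""
    locked_out = []
    for ip in must_reach:
        allowed, reason = is_allowed(ip, allow_entries, block_entries)
        if not allowed:
            locked_out.append((ip, reason))
    return locked_out

# Constructed sample data using documentation address ranges (RFC 5737).
PLANNED_ALLOW = ["203.0.113.0/24", "198.51.100.17"]
PLANNED_BLOCK = ["203.0.113.64/26"]
ADMIN_EGRESS = ["203.0.113.10", "203.0.113.70", "198.51.100.17", "192.0.2.5"]

if __name__ == "__main__":
    for ip, reason in preflight(ADMIN_EGRESS, PLANNED_ALLOW, PLANNED_BLOCK):
        print(f"{ip}: would lose access ({reason})")
```

Running the check against the real egress addresses of admins, VPN gateways, and automation hosts before applying a change shows which of them an overlapping block range or a missing allow entry would cut off.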

Firewall rules

Many organizations use firewalls to block traffic based on domain names. You must add Azure Databricks domain names to the allow list to ensure access to Azure Databricks resources. For more information, see Configure domain name firewall rules.

Azure Databricks also performs host header validation for both public and private connections to ensure that requests originate from the intended host. This protects against potential HTTP host header attacks.