Private Link for Lakebase Autoscaling

Configuring Private Link for Lakebase Autoscaling keeps all traffic off the public internet. The endpoints you need depend on how your applications connect to Lakebase:

  • Inbound Private Link is required. It covers Azure Databricks REST API calls and workspace traffic.
  • Inbound Private Link for performance-intensive services (Service Direct Private Link, port 5432) is required when your applications connect to Lakebase from outside the Azure Databricks workspace using a Postgres client (such as psql, a Postgres driver, or an ORM) and a regional connection string. Connection strings without a region, such as those from Lakebase Provisioned instances, don't require this endpoint and remain accessible over the standard inbound Private Link. Applications connecting from within the Azure Databricks workspace, such as Azure Databricks Apps or Feature Store connectors, don't require this endpoint. In-product UI pages (the SQL Editor, Tables editor, Query Stats, and Active queries) work over the existing front-end Private Link and don't require this endpoint. If your applications connect only through the Data API, you don't need this endpoint.

Lakebase Autoscaling routes these two traffic types through separate network paths, each with its own endpoint. Postgres client connections use a dedicated high-performance regional ingress with a hostname in the form *.database.<region>.cloud.databricks.com.

Private Link endpoints

Endpoint Traffic type Port Notes
Inbound Private Link Azure Databricks REST API and workspace connectivity 443 Standard Azure Databricks workspace-level Private Link.
Inbound Private Link for performance-intensive services Postgres database connections 5432 Covers the high-performance regional ingress used by Lakebase Autoscaling. Required for Postgres clients, drivers, and tools connecting to the database from outside the Azure Databricks workspace using a regional connection string.

Troubleshoot Private Link connectivity

If the Tables editor or SQL Editor in the Lakebase App displays a "Failed to fetch" or "Unknown error" message and your workspace uses Private Link, confirm that inbound Private Link (workspace-level, port 443) is correctly configured. The in-product UI pages work over the existing front-end Private Link and do not require inbound Private Link for performance-intensive services.

If Postgres clients connecting from outside the workspace fail to connect, confirm that inbound Private Link for performance-intensive services is configured. See Configure inbound Private Link for performance-intensive services.

Additional resources