Migrate to serverless routing for HTTP connections

Azure Databricks is moving HTTP connection routing from the control plane to the serverless compute plane, which improves network security and enables Private Link for private connectivity. On April 30, 2026, all workspaces will be automatically migrated.

If your workspace was created before March 2026 and your external services use IP-based firewall rules, you must either migrate to Private Link or update your allowlists to use serverless outbound IPs to avoid connectivity failures.

If you are unsure whether your workspace uses control plane or serverless routing, contact your Azure Databricks account team.

Before you begin

• Identify all external services that your HTTP connections access.
• Verify that you have access to update firewall rules or IP allowlists for those services.
• Review the network security options in Secure your network connectivity to external services.

Migrate to Private Link (recommended)

For complete tenant isolation, Azure Databricks recommends configuring Private Link instead of IP allowlists. With Private Link, traffic between Azure Databricks and your service travels over a private connection, and only your workspace can reach the service.

To set up Private Link:

1. Contact your Azure Databricks account team to enable serverless routing for your workspace.
2. Follow the instructions in Private Link (recommended).

Update IP allowlists

If Private Link is not an option for your environment, update your IP allowlists to use serverless outbound IPs instead of control plane IPs:

1. Get the serverless outbound IPs. See Outbound IPs for serverless compute firewall preview.
2. Update your firewall rules. Add the serverless outbound IPs to the IP allowlists of each external service that your HTTP connections access.
3. Reach out to your Azure Databricks account team to enable serverless routing for your workspace.
4. Verify that your HTTP connections can reach each external service with the updated allowlists.