Managed security

Managed security is the baseline network architecture. It deploys Azure Databricks into your own VNet, with backend Private Link for control-plane connectivity and secure cluster connectivity (SCC) enabled by default on classic compute.

Azure Databricks tests the platform with annual third-party penetration tests and a public bug bounty program. See the Databricks Security Addendum.

This configuration has:

  • Secure by default: Azure Databricks enables SCC, encryption in transit, and authenticated workspace access by default.
  • Private control-plane connectivity: Classic compute traffic to the Azure Databricks control plane flows over classic Private Link.
  • Customer-managed network: Deploy into your own VNet for control over IP ranges, routing, and security groups.
  • Serverless compute: Use serverless SQL warehouses and serverless compute for notebooks and jobs.

Use this configuration when:

  • Getting started with Azure Databricks for the first time.
  • Running non-regulated workloads without strict network isolation requirements.
  • Preferring operational simplicity over customized network controls.
  • Using serverless compute as the primary compute option.

Required components

Inbound

Workspace access uses standard identity and authentication. For an additional baseline control, configure a context-based ingress policy that restricts workspace and API access to your organization's networks, such as corporate VPNs and office IP ranges, and to specific identities. This adds defense in depth without requiring private connectivity.

See Context-based ingress control.

Outbound

Data access is governed by Unity Catalog. See What is Unity Catalog?. For an additional baseline control, you can optionally deploy an external firewall to inspect classic compute egress.

External firewall (optional)

Route classic compute egress through an external firewall for inspection, logging, and policy enforcement. This is required in the Isolated environment configuration and optional here.

Options include Azure Firewall or a third-party network virtual appliance (NVA).

Warning

Azure Databricks control plane and SCC relay connections use TLS with certificate pinning. Do not enable TLS inspection (decrypt and re-encrypt) on traffic between your clusters and the Azure Databricks control plane. Doing so causes cluster failures. See IP addresses and domains for Azure Databricks services and assets for required endpoints.
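The warning above is easy to violate with a broad "inspect all HTTPS" rule. The following added example (not from the Azure Databricks documentation) audits an Azure Firewall Premium policy rule collection group, as exported with `az network firewall policy rule-collection-group show`, and flags every application rule that both terminates TLS (`terminateTLS` set to true) and matches a control-plane or SCC relay FQDN, including wildcard targets. Property names follow the firewall policy ARM schema; the FQDNs, addresses and rule names are constructed placeholders, not the real endpoints, which come from the "IP addresses and domains" page.

```python
"""Audit an Azure Firewall policy for TLS inspection of pinned Databricks endpoints.

Added example: finds application rules whose terminateTLS flag would make the
firewall decrypt control-plane or SCC relay traffic, which breaks certificate
pinning and therefore cluster startup. Endpoint names here are placeholders.
"""
import json
from fnmatch import fnmatch

# Constructed placeholders standing in for the real control-plane and SCC relay
# hosts. A real audit loads these from the published endpoint list.
PINNED_ENDPOINTS = [
    "control-plane.example.invalid",  # placeholder: workspace / REST API host
    "scc-relay.example.invalid",      # placeholder: SCC relay host
]

# Constructed sample export: one filter collection with a correct pass-through
# rule, a wildcard rule that decrypts everything, and an unrelated network rule.
SAMPLE_RULE_COLLECTION_GROUP = json.dumps({
    "name": "databricks-egress",
    "properties": {
        "priority": 100,
        "ruleCollections": [
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "allow-databricks",
                "priority": 100,
                "action": {"type": "Allow"},
                "rules": [
                    {   # Correct: HTTPS passes through without decryption.
                        "ruleType": "ApplicationRule",
                        "name": "scc-relay",
                        "protocols": [{"protocolType": "Https", "port": 443}],
                        "sourceAddresses": ["10.10.0.0/16"],
                        "targetFqdns": ["scc-relay.example.invalid"],
                        "terminateTLS": False,
                    },
                    {   # Wrong: wildcard target plus TLS termination covers the pinned hosts.
                        "ruleType": "ApplicationRule",
                        "name": "inspect-all-https",
                        "protocols": [{"protocolType": "Https", "port": 443}],
                        "sourceAddresses": ["10.10.0.0/16"],
                        "targetFqdns": ["*.example.invalid"],
                        "terminateTLS": True,
                    },
                    {   # Network rules never terminate TLS; the audit skips them.
                        "ruleType": "NetworkRule",
                        "name": "metastore",
                        "ipProtocols": ["TCP"],
                        "sourceAddresses": ["10.10.0.0/16"],
                        "destinationAddresses": ["203.0.113.10"],
                        "destinationPorts": ["3306"],
                    },
                ],
            }
        ],
    },
})


def _matches(target: str, fqdn: str) -> bool:
    """Match an application-rule target (exact name or leading wildcard) to an FQDN."""
    return fnmatch(fqdn.lower(), target.lower())


def find_tls_inspection_conflicts(group: dict, pinned: list[str]) -> list[dict]:
    """Return one finding per application rule that would decrypt a pinned endpoint."""
    findings = []
    for collection in group.get("properties", {}).get("ruleCollections", []):
        for rule in collection.get("rules", []):
            if rule.get("ruleType") != "ApplicationRule" or not rule.get("terminateTLS"):
                continue
            hit = sorted({f for t in rule.get("targetFqdns", []) for f in pinned if _matches(t, f)})
            if hit:
                findings.append({"collection": collection.get("name"),
                                 "rule": rule.get("name"), "endpoints": hit})
    return findings


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample export."""
    return find_tls_inspection_conflicts(json.loads(SAMPLE_RULE_COLLECTION_GROUP), PINNED_ENDPOINTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['collection']}/{f['rule']} terminates TLS for pinned endpoints: "
              + ", ".join(f["endpoints"]))
```

The fix for a flagged rule is to place a dedicated pass-through rule for the Databricks endpoints at a higher priority than the inspection rule, or to exclude those FQDNs from the wildcard target, so the firewall still logs and filters by destination without decrypting the pinned connections.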

Classic compute

If you use classic compute, the following controls apply by default:

Secure Cluster Connectivity

Eliminates public IP addresses on cluster nodes. Enabled by default with no additional configuration required.

See Enable secure cluster connectivity.

VNet injection

Deploy Azure Databricks into your own virtual network for control over IP address ranges, routing, and network security groups. Required for classic Private Link.

See Deploy Azure Databricks in your Azure virtual network (VNet injection).

Classic compute plane Private Link

Provides private connectivity between your VNet and the Azure Databricks control plane. REST API and SCC relay traffic between clusters and the control plane stays private.

See Configure classic compute plane private connectivity to Azure Databricks.
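The three classic-compute controls above each leave a footprint on the workspace resource itself, so they can be verified from an ARM export rather than assumed. The following added example (not from the Azure Databricks documentation) reads the JSON returned by `az databricks workspace show` or `az resource show` for a Microsoft.Databricks/workspaces resource and reports which controls are present. Property names follow the workspace ARM schema as I know it; the workspace names, subscription ID, VNet ID and subnet names are constructed sample values. Note that `requiredNsgRules` is only the workspace-side indicator of backend Private Link; the private endpoint resource in your VNet must exist as well.

```python
"""Check an Azure Databricks workspace resource against the managed security baseline.

Added example: maps the three classic-compute controls onto workspace properties.

  secure cluster connectivity -> properties.parameters.enableNoPublicIp.value
  VNet injection              -> properties.parameters.customVirtualNetworkId.value
                                 plus customPublicSubnetName / customPrivateSubnetName
  backend Private Link        -> properties.requiredNsgRules == "NoAzureDatabricksRules"
"""
import json

# Constructed sample: a workspace with all three controls in place.
SAMPLE_BASELINE = json.dumps({
    "name": "dbw-analytics",
    "type": "Microsoft.Databricks/workspaces",
    "sku": {"name": "premium"},
    "properties": {
        "publicNetworkAccess": "Enabled",
        "requiredNsgRules": "NoAzureDatabricksRules",
        "parameters": {
            "enableNoPublicIp": {"type": "Bool", "value": True},
            "customVirtualNetworkId": {"type": "String", "value":
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-net/providers/Microsoft.Network/virtualNetworks/vnet-dbw"},
            "customPublicSubnetName": {"type": "String", "value": "snet-dbw-public"},
            "customPrivateSubnetName": {"type": "String", "value": "snet-dbw-private"},
        },
    },
})

# Constructed sample: a workspace created from an old template, still on a
# Databricks-managed VNet with public IPs on cluster nodes and no Private Link.
SAMPLE_LEGACY = json.dumps({
    "name": "dbw-legacy",
    "type": "Microsoft.Databricks/workspaces",
    "sku": {"name": "premium"},
    "properties": {
        "publicNetworkAccess": "Enabled",
        "requiredNsgRules": "AllRules",
        "parameters": {
            "enableNoPublicIp": {"type": "Bool", "value": False},
        },
    },
})


def _param(props: dict, name: str):
    """Read a workspace creation parameter value; None if it was never set."""
    return props.get("parameters", {}).get(name, {}).get("value")


def check_workspace(resource: dict) -> dict:
    """Evaluate one workspace resource and list the baseline controls it lacks."""
    props = resource.get("properties", {})
    controls = {
        # An absent enableNoPublicIp is reported as a gap so you confirm it
        # explicitly instead of relying on the API default.
        "secure cluster connectivity": _param(props, "enableNoPublicIp") is True,
        "VNet injection": all(_param(props, k) for k in (
            "customVirtualNetworkId", "customPublicSubnetName", "customPrivateSubnetName")),
        "backend Private Link": props.get("requiredNsgRules") == "NoAzureDatabricksRules",
    }
    return {
        "workspace": resource.get("name"),
        "controls": controls,
        "gaps": [name for name, ok in controls.items() if not ok],
        # Informational: "Disabled" means inbound access only over Private Link,
        # which belongs to the Isolated environment configuration, not this one.
        "public_network_access": props.get("publicNetworkAccess"),
    }


def check_samples() -> dict:
    """Run the check over both constructed samples, keyed by sample name."""
    return {name: check_workspace(json.loads(doc))
            for name, doc in (("baseline", SAMPLE_BASELINE), ("legacy", SAMPLE_LEGACY))}


if __name__ == "__main__":
    for result in check_samples().values():
        status = "OK" if not result["gaps"] else "missing: " + ", ".join(result["gaps"])
        print(f"{result['workspace']}: {status}")
```

To run it against a real workspace, replace the constructed samples with the output of `az resource show --ids <workspace-resource-id>` and feed the parsed JSON to `check_workspace`.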

For non-networking security controls including encryption, see Security and compliance.

Upgrade paths

  • Hardened connectivity: Upgrade if you require IP-based workspace access controls, serverless egress controls, VPC endpoints for cloud service access, or an optional external firewall for egress inspection.
  • Isolated environment: Upgrade if you require private workspace access (over VPN or inbound Private Link) and a required external firewall for end-to-end network isolation.