Configure inbound Private Link for account-level resources

Important

Inbound Private Link for account-level resources is in Beta.

This page shows how to configure Private Link for inbound connectivity to account-level resources on the Azure Databricks platform (for example, the account console and account-level Genie). This private connection allows external clients and users to access Azure Databricks account-level resources without traversing the public internet.

Requirements

  • Your Azure Databricks account must be on the Premium tier.
  • You must be a Azure Databricks account admin to register private endpoints.
  • You must have Network Contributor or equivalent permissions in Azure to create private endpoints.

Step 1: Create a private endpoint

This step creates a private endpoint in the Azure portal that connects to your Azure Databricks account-level resources.

Prepare VNet and subnet

  1. Prepare a VNet and subnet to host the private endpoint. You can create a new VNet or reuse an existing one (such as your workspace VNet).
  2. Verify that Private endpoint network policy is Disabled in your subnet. This is the default setting. See Manage network policies for private endpoints for details.
  3. If you reuse an existing workspace VNet, you must use or create a different subnet from the one used by the workspace.
  4. If the VNet hosting the private endpoint differs from the VNet sending traffic, configure VNet peering or connectivity. See Verify VNet connectivity.

Deploy a private endpoint

  1. In the Azure portal, search for Private endpoints in Microsoft Marketplace and select Create.
  2. Enter a name and network interface name, and set the region to match your workspace VNet region.
  3. Click Next: Resource.
  4. Select Connect to an Azure resource by resource ID or alias.
  5. In the Resource ID or alias field, enter the Private Link Service resource ID for general_access services for your region. See Private Link Service Resource IDs for performance-intensive services and general access for the list of resource IDs.
  6. In the Target sub-resource field, enter general_access.
  7. Click Next: Virtual Network.
  8. Select the virtual network and subnet you prepared in the Prepare VNet and subnet section.
  9. Click Next: DNS.
  10. Leave Integrate with private DNS zone set to No. You configure DNS manually in a later step.
  11. Click Next: Tags.
  12. Click Next: Review + create.
  13. Review the configuration and click Create to deploy the private endpoint.
  14. After the deployment completes, record these values:
    • Private endpoint name: The name of your private endpoint.
    • Resource GUID: Go to the private endpoint resource, click JSON view, and find the value in properties.resourceGuid. This is required in Step 2.
    • Private IP address: In JSON view, find the IP address in properties.customDnsConfigs[0].ipAddresses[0]. This is required in Step 4.

Note

After deployment, the private endpoint connection state shows as Pending. This is expected. The endpoint remains in Pending state until you complete Step 2 (Register your private endpoint).

Step 2: Register your private endpoint

After you create your private endpoint in the Azure portal, register it with Azure Databricks.

  1. Go to the Azure Databricks account console.
  2. In the sidebar, click Security > Networking > Endpoints > Register endpoint.
  3. Enter a descriptive name for your private endpoint registration.
  4. Select the region that matches the region of the Azure private endpoint you're registering.
  5. Paste the Resource GUID in the Azure private endpoint resource GUID field.
  6. Click Register new private endpoint.

Step 3: Allowlist your private endpoint to account-level resources with context-based ingress

After you register your general access private endpoint, configure a private access policy for your account-level resources using context-based ingress. See Context-based ingress control for more details.

  1. In the account console, click Security in the sidebar.
  2. Click Context-based ingress & egress control in the sidebar.
  3. Under Account level policy, click account-policy.
  4. Under Private Network Access, define your private access policy. By default, no registered endpoints are allowed.
    • To allowlist specific registered endpoints while denying all other endpoints, add an allow rule.
      1. Select the identities and account-level destinations you want to allow access to (by default, all identities and destinations are allowed).
      2. Then select Source type = Selected private endpoints, and select the general access private endpoint(s) you registered. A general access endpoint in any region can serve any account-level resource.
      3. Click Confirm.
      4. You can also add deny rules in your policy, which define exceptions to your allow rules.
    • To allowlist all registered endpoints, check Allow access from all private endpoints. By default, this option only includes the first 200 registered private endpoints. If your policy requires more than 200 endpoints, contact your account team for an increase.
  5. Test your ingress policy in Dry run mode first, before switching it to Enforced.
  6. Save your network policy. Context-based ingress policy updates take under 10 minutes to take effect.

Tip

There is only one network policy shared across all account-level resources. To configure different policies for different account-level resources, add multiple allow rules to different destinations.

Step 4: Configure DNS

After your private endpoint is registered and allowlisted, configure DNS so account-level traffic routes through the private endpoint using your custom domain (<your-custom-account-name>.azuredatabricks.net). If you don't want to use your custom domain to access account-level resources, you can also use accounts.azuredatabricks.net.

  1. Create an Azure private DNS zone:
    • Named <your-custom-account-name>.azuredatabricks.net to use your custom domain.
    • Or named accounts.azuredatabricks.net if you don't want to use your custom domain.
  2. For new zones, see Create an Azure private DNS zone using the Azure portal.
  3. Link the private DNS zone to the VNet hosting your private endpoint. See Link the virtual network.

Create a DNS A record

  1. Go to your new private DNS zone.
  2. Select the Recordsets tab under DNS Management.
  3. Click Add to add a record set.
  4. Configure the A record:
    • Name: *
    • Type: A
    • IP address: The private IP address from your private endpoint (recorded in Step 1).
  5. Click OK to save the record.

Verify DNS resolution

From a machine in your VNet, or from a workspace job attached to your private DNS zone, confirm that DNS queries resolve to the private endpoint IP:

nslookup <your-custom-account-name>.azuredatabricks.net

Or use dig:

dig <your-custom-account-name>.azuredatabricks.net

Both commands return the private IP address of your private endpoint.

Verify VNet connectivity

If the VNet generating traffic differs from the VNet hosting the private endpoint, configure VNet peering or connectivity between them. See Azure Private Endpoint DNS Integration Scenarios for detailed guidance.

Step 5: Disable public access (optional)

Completing Private Link setup doesn't automatically block public internet access to your account-level resources. Public and private access are independent settings. To enforce private-only connectivity, disable public network access with account IP access lists. See Configure IP access lists for the account console.

Next steps