This article describes how to configure IP access lists for Azure Databricks workspaces. It covers the most common tasks you can perform with the Databricks CLI. You can also use the IP Access Lists API.
IP access lists support only Internet Protocol version 4 (IPv4) addresses.
If you enable secure cluster connectivity on a workspace, you must either add any public IPs that the compute plane uses to access the control plane to an allow list or configure back-end Private Link. Otherwise, classic compute resources cannot launch.
For example, if you enable secure cluster connectivity on a workspace that uses VNet Injection, Databricks recommends that your workspace has a stable egress public IP. That public IP and any others must be present in an allow list. See Egress IP addresses when using secure cluster connectivity. Alternatively, if you use an Azure Databricks-managed VNet and you configure the managed NAT gateway to access public IPs, those IPs must be present in an allow list. For more information, see the Databricks Community post.
Check if your workspace has the IP access list feature enabled
To check if your workspace has the IP access list feature enabled:
When the IP access lists feature is enabled and there are no allow lists or block lists for the workspace, all IP addresses are allowed. Adding IP addresses to the allow list blocks all IP addresses that are not on the list. Be sure to add any public IPs that the compute plane uses to access the control plane to an allow list. Review the changes carefully to avoid unintended access restrictions.
IP access lists have a label, which is a name for the list, and a list type. The list type is either ALLOW (an allow list) or BLOCK (a block list, which excludes an address even if it is in an allow list).
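The following added example (not part of the original article or of any Databricks tooling) models the allow/block evaluation described above, so you can check a proposed set of lists against the IPs that must keep access before you apply it. The dictionary shape, the helper names `is_allowed` and `locked_out`, and the sample addresses are assumptions made for illustration. So is the handling of a workspace that has block lists but no allow list, which this article does not spell out.

```python
import ipaddress


def _matches(addr, access_lists, list_type):
    """True if addr falls inside any entry of any list of the given type."""
    return any(
        addr in ipaddress.IPv4Network(entry, strict=False)
        for acl in access_lists
        if acl["list_type"] == list_type
        for entry in acl["ip_addresses"]
    )


def is_allowed(ip, access_lists):
    """Evaluate one source IP against a set of ALLOW and BLOCK lists."""
    # IP access lists are IPv4 only; an IPv6 string raises AddressValueError.
    addr = ipaddress.IPv4Address(ip)
    # BLOCK wins even when the address is also on an allow list.
    if _matches(addr, access_lists, "BLOCK"):
        return False
    has_allow = any(acl["list_type"] == "ALLOW" for acl in access_lists)
    # No lists at all: everything is allowed. Once any allow list exists,
    # every address that is not on one is rejected.
    # Assumption: with block lists only, unblocked addresses stay allowed.
    return _matches(addr, access_lists, "ALLOW") if has_allow else True


def locked_out(required_ips, proposed_lists):
    """Return the required IPs that the proposed lists would reject."""
    return [ip for ip in required_ips if not is_allowed(ip, proposed_lists)]


# Constructed sample data using documentation-reserved address ranges.
PROPOSED = [
    {"label": "office", "list_type": "ALLOW", "ip_addresses": ["192.0.2.0/24"]},
    {"label": "nat-egress", "list_type": "ALLOW", "ip_addresses": ["198.51.100.10"]},
    {"label": "quarantine", "list_type": "BLOCK", "ip_addresses": ["192.0.2.66"]},
]
# Hypothetical compute plane egress IPs plus one admin workstation.
REQUIRED = ["198.51.100.10", "198.51.100.11", "192.0.2.66"]

if __name__ == "__main__":
    for ip in locked_out(REQUIRED, PROPOSED):
        print(f"{ip} would lose access under the proposed lists")
```

Here the second egress IP is missing from every allow list and the admin workstation sits inside an allowed range but is overridden by the block list, so both are reported.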