This page describes how to configure Azure Network Security Perimeter (NSP) to control access from serverless compute to your Azure resources using the Azure portal.
Overview of network security perimeter for Azure resources
Azure network security perimeter (NSP) is an Azure-native feature that creates a logical isolation boundary for your PaaS resources. By associating resources like storage accounts or databases with an NSP, you can centrally manage network access using a simplified rule set. This replaces the need to manually manage complex lists of individual IP addresses or subnet IDs.
NSP supports access from serverless SQL warehouses, jobs, notebooks, Lakeflow Spark Declarative Pipelines, and model serving endpoints.
Key benefits
Using NSP for Azure Databricks serverless outbound traffic improves your security posture while significantly reducing operational overhead:
| Benefit | Description |
|---|---|
| Cost savings | Traffic sent over service endpoints stays on the Azure backbone and incurs no data processing charges. |
| Simplified management | Use the AzureDatabricksServerless service tag to manage access globally. To restrict access to serverless compute in a specific Azure region, append the region name to the service tag, for example, AzureDatabricksServerless.EastUS2. For the complete list of supported Azure regions, see Azure Databricks regions. |
| Centralized access control | Manage security policies across multiple resource types—including storage, key vaults, and databases—within a single NSP profile. |
Expanded service support
Securely connect serverless compute to a broad range of Azure services:
- Data & Analytics: Azure Storage (including ADLS Gen2), Azure SQL Database, Synapse Analytics, Cosmos DB, and MariaDB
- Security & Apps: Key Vault, App Service, and Cognitive Services
- Messaging & DevOps: Event Hubs, Service Bus, and Container Registry
Requirements
- You must be an Azure Databricks account admin.
- You must have Contributor or Owner permissions on the Azure resource you want to configure.
- You must have permission to create network security perimeter resources in your Azure subscription.
- Your Azure Databricks workspace and Azure resources should be in the same Azure region for optimal performance and to avoid cross-region data transfer charges.
Step 1: Create a network security perimeter and note the Profile ID
Sign in to the Azure portal.
In the search box at the top, type Network security perimeters and select it from the results.
Click + Create.
On the Basics tab, enter the following information:
- Subscription: Select your Azure subscription.
- Resource group: Select an existing resource group or create a new one.
- Name: Enter a name for your NSP (for example, databricks-nsp).
- Region: Select the region for your NSP. This should match your Azure Databricks workspace region and the region of your Azure resources.
- Profile name: Enter a profile name (for example, databricks-profile).
Click Review + create, then Create.
Once the NSP is created, navigate to it in the Azure portal.
In the left sidebar, go to Settings > Profiles.
Create or select your profile (for example, databricks-profile).
Copy the Resource ID for the profile. You'll need this ID if you plan to associate resources programmatically.
Tip
Save the Profile ID in a secure location. You'll need it later if you want to associate resources using the Azure CLI or API instead of the Azure Portal.
Step 2: Associate your resource with NSP in Transition mode
You must associate each Azure resource that you want to access from Azure Databricks serverless compute with your NSP profile. This example shows how to associate an Azure Storage account, but the same steps apply to other Azure resources.
- Navigate to your network security perimeter in the Azure portal.
- In the left sidebar, go to Resources under Settings.
- Click + Add > Associate resources with an existing profile.
- Select the profile you created in Step 1 (for example, databricks-profile).
- Click Associate.
- In the resource selection pane, filter by resource type. For example, to associate an Azure Data Lake Storage Gen2 account, filter by Microsoft.Storage/storageAccounts.
- Select your resource(s) from the list.
- Click Associate at the bottom of the pane.
Verify Transition mode:
- In the NSP, go to Settings > Resources (or Associated resources).
- Locate your storage account in the list.
- Verify that the Access Mode column shows Transition. This is the default mode.
Note
Transition mode evaluates NSP rules first. If no NSP rule matches the incoming request, the system falls back to the resource's existing firewall rules. This allows you to test your NSP configuration without disrupting existing access patterns.
Step 3: Add an inbound access rule for Azure Databricks serverless compute
You must create an inbound access rule in your NSP profile to allow traffic from Azure Databricks serverless compute to your Azure resources.
- Navigate to your network security perimeter in the Azure portal.
- In the left sidebar, go to Settings > Profiles.
- Select your profile (for example, databricks-profile).
- Under Settings, click Inbound access rules.
- Click + Add.
- Configure the rule:
  - Rule name: Enter a descriptive name (for example, allow-databricks-serverless).
  - Source Type: Select Service Tag.
  - Allowed Sources: Select AzureDatabricksServerless.
- Click Add.
Tip
The AzureDatabricksServerless service tag automatically covers all Azure Databricks serverless compute IP ranges across all Azure regions. You don't need to manually manage IP addresses or update rules when Azure Databricks adds new IP ranges.
Step 4: Verify the configuration
After configuring your NSP, verify that Azure Databricks serverless compute can access your Azure resource and monitor NSP activity.
Test access from serverless compute
Navigate to your Azure resource in the Azure portal.
Go to Security + networking > Networking.
Verify that the resource shows an association with your network security perimeter.
Verify that the status shows Transition mode.
View the inbound rules associated with your profile to confirm that the AzureDatabricksServerless rule is listed.
In your Azure Databricks workspace, run a test query to confirm that serverless compute can access your resource. For example, to test access to an ADLS Gen2 storage account:

```sql
SELECT * FROM delta.`abfss://container@storageaccount.dfs.core.windows.net/path/to/data` LIMIT 10;
```

If the query succeeds, your NSP configuration is working correctly.
Monitor NSP activity
To monitor which access attempts are being allowed or denied by NSP rules:
- Navigate to your Azure resource in the Azure portal.
- Go to Monitoring > Diagnostic settings.
- Click + Add diagnostic setting.
- Select the log categories you want to monitor. For Azure Storage accounts, select:
- StorageRead
- StorageWrite
- Choose a destination:
- Log Analytics workspace (recommended for querying and analysis)
- Storage account (for long-term archival)
- Event Hub (for streaming to external systems)
- Click Save.
Tip
Diagnostic logs show which access attempts are matched by NSP rules versus resource firewall rules. This helps you validate your configuration before moving to Enforced mode. In Transition mode, the logs indicate whether each request was allowed by an NSP rule or fell back to the resource firewall.
Switch to Enforced mode (optional)
After thoroughly testing your NSP configuration in Transition mode and confirming that all expected access patterns work correctly, you can optionally switch to Enforced mode for stricter security.
- Navigate to your network security perimeter in the Azure portal.
- Go to Settings > Resources.
- Select your resource from the list.
- Change the Access Mode from Transition to Enforced.
- Click Save.
Warning
Enforced mode strictly enforces NSP rules only. Access attempts that don't match an NSP rule will be denied, even if the resource's firewall rules would allow them. Only switch to Enforced mode after confirming that all necessary access patterns work correctly in Transition mode. Review your diagnostic logs to ensure no legitimate traffic is being blocked.
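Before switching, the requests that currently reach the resource only through the firewall fallback are the ones that will start failing. The following Python script, an added example that is not part of the Azure or Databricks documentation, sorts exported log records by that distinction; the record layout and the category names are assumptions about your export, so map them to the fields your diagnostic setting actually emits.

```python
"""Review NSP access logs before switching an association to Enforced mode.

Added example; not code from the Azure or Azure Databricks documentation.
Record shape is an assumption: one JSON record per line, a ``category`` named
like ``...PerimeterRulesAllowed`` / ``...ResourceRulesAllowed`` / ``...Denied``,
and a ``properties`` object with ``sourceIpAddress`` and ``matchedRule``.
"""
import json
from collections import Counter

# Constructed sample export (JSON Lines); addresses are from documentation ranges.
SAMPLE_EXPORT = """\
{"category": "NspPublicInboundPerimeterRulesAllowed", "properties": {"sourceIpAddress": "192.0.2.10", "matchedRule": "allow-databricks-serverless"}}
{"category": "NspPublicInboundResourceRulesAllowed", "properties": {"sourceIpAddress": "198.51.100.7", "matchedRule": "storage-firewall-ip-rule"}}
{"category": "NspPublicInboundResourceRulesDenied", "properties": {"sourceIpAddress": "203.0.113.9", "matchedRule": ""}}
"""

def classify(record):
    """Map one Transition-mode record to what Enforced mode would do with it."""
    category = record.get("category", "")
    if category.endswith("Denied"):
        return "already-denied"       # blocked today, still blocked after the switch
    if "PerimeterRules" in category:
        return "allowed-by-nsp"       # matched an NSP rule; keeps working
    if "ResourceRules" in category:
        return "fallback"             # allowed only by the resource firewall
    return "other"                    # private or intra-perimeter traffic, etc.

def enforced_mode_impact(jsonl):
    """Count verdicts and list the requests Enforced mode would start denying."""
    counts = Counter()
    fallback = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict = classify(record)
        counts[verdict] += 1
        if verdict == "fallback":
            props = record.get("properties", {})
            fallback.append((props.get("sourceIpAddress"), props.get("matchedRule")))
    return {"counts": dict(counts), "fallback": fallback, "ready": not fallback}

if __name__ == "__main__":
    report = enforced_mode_impact(SAMPLE_EXPORT)
    for source, rule in report["fallback"]:
        print(f"would be denied in Enforced mode: {source} (currently allowed by {rule})")
    print("ready for Enforced mode" if report["ready"] else "add NSP rules for the sources above first")
```

Each source listed as fallback needs an NSP inbound rule (or a deliberate decision to cut it off) before you change the access mode.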
Next steps
- Configure subnet-based firewall rules: If you prefer to use Network Connectivity Configurations (NCCs) with subnet-based rules instead of NSP, see Configure a firewall for serverless compute access.
- Configure private endpoints: For private connectivity to Azure resources without public endpoints, see Configure private connectivity to Azure resources.
- Manage network policies: Implement network policies to provide additional security controls and access restrictions for your serverless compute environments. See What is serverless egress control?.
- Understand data transfer costs: Learn about the costs associated with moving data into and out of serverless environments. See Understand Databricks serverless networking costs.