הערה
הגישה לדף זה מחייבת הרשאה. באפשרותך לנסות להיכנס או לשנות מדריכי כתובות.
הגישה לדף זה מחייבת הרשאה. באפשרותך לנסות לשנות מדריכי כתובות.
Azure Databricks is moving HTTP connection routing from the control plane to the serverless compute plane, which improves network security and enables Private Link for private connectivity. On April 30, 2026, all workspaces will be automatically migrated.
If your workspace was created before March 2026 and your external services use IP-based firewall rules, you must either migrate to Private Link or update your allowlists to use serverless outbound IPs to avoid connectivity failures.
If you are unsure whether your workspace uses control plane or serverless routing, contact your Azure Databricks account team.
Before you begin
- Verify that you have access to update firewall rules or IP allowlists for those services.
- Review the network security options in Secure your network connectivity to external services.
Identify your HTTP connections
Before updating firewall rules, identify all UC HTTP connections and their destination URLs. A metastore admin should run the following in each affected workspace, either in a Azure Databricks notebook or locally with the Azure Databricks SDK:
from databricks.sdk import WorkspaceClient
import pandas as pd
w = WorkspaceClient()
http_connections = [
{"Name": c.name, "Destination URL": c.url, "Owner": c.owner}
for c in w.connections.list()
if c.connection_type and c.connection_type.value == "HTTP"
]
if not http_connections:
print("No HTTP connections found in this workspace.")
else:
display(pd.DataFrame(http_connections))
Each destination URL represents an external service whose firewall rules may need to be updated to allow serverless compute outbound IPs instead of control plane IPs. This script must be run per workspace by a metastore admin to ensure all connections are visible regardless of per-object permissions.
Migrate to Private Link (recommended)
For complete tenant isolation, Azure Databricks recommends configuring Private Link instead of IP allowlists. With Private Link, traffic between Azure Databricks and your service travels over a private connection, and only your workspace can reach the service.
To set up Private Link:
- Contact your Azure Databricks account team to enable serverless routing for your workspace.
- Follow the instructions in Private Link (recommended).
Update IP allowlists
If Private Link is not an option for your environment, update your IP allowlists to use serverless outbound IPs instead of control plane IPs:
- Get the serverless outbound IPs. See Outbound IPs for serverless compute firewall preview.
- Update your firewall rules. Add the serverless outbound IPs to the IP allowlists of each external service that your HTTP connections access.
- Reach out to your Azure Databricks account team to enable serverless routing for your workspace.
- Verify that your HTTP connections can reach each external service with the updated allowlists.