Configure networking for Databricks Apps

Databricks Apps supports fine-grained network control to help you secure and manage how your app communicates with the internet and internal resources. You can configure both ingress (incoming) and egress (outgoing) traffic rules using a combination of IP access lists, front-end private connectivity, and network policies.

Network architecture

Databricks deploys apps on the serverless compute plane, where they receive traffic directly. This is similar to other route-optimized services like Model Serving and Vector Search.

The connection process operates as follows:

  1. Initial user requests to a Databricks app initiate OAuth authentication with the control plane to validate the session and authorize access to the app.
  2. Upon successful authentication, all subsequent requests are routed directly to the serverless compute plane without traversing the control plane.

Network security policies configured for the serverless compute plane apply to Databricks Apps traffic. This includes IP access lists and front-end private connectivity configurations.

Ingress controls

Use the following features to limit access to your Databricks workspace and apps from the public internet.

  • IP access lists: Restrict workspace and app access to known and trusted IP ranges by enabling IP access lists at the workspace level. Only traffic from the configured IP ranges is allowed. For details, see Configure IP access lists for workspaces.
  • Front-end private connectivity: Route ingress traffic through your own VPC interface endpoint instead of the public internet. This setup provides private connectivity to apps running in the workspace. For details, see Configure private connectivity to Databricks.
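The following is an added illustration, not Databricks code, of how an IP access list decision can be modelled and checked before it is turned on. The list structure (ALLOW and BLOCK lists of CIDR ranges), the precedence used here (an enabled BLOCK match wins, otherwise the address must fall within an enabled ALLOW list, and no enabled ALLOW list means no restriction) and the sample addresses are assumptions of this example; consult the IP access list documentation for the exact semantics of your workspace.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IpAccessList:
    """One access list: a labelled set of CIDR ranges of type ALLOW or BLOCK."""
    label: str
    list_type: str          # "ALLOW" or "BLOCK"
    cidrs: List[str]
    enabled: bool = True
    networks: list = field(init=False, repr=False)

    def __post_init__(self):
        if self.list_type not in ("ALLOW", "BLOCK"):
            raise ValueError(f"unknown list type {self.list_type!r}")
        # strict=False accepts host bits set in a prefix, e.g. 203.0.113.7/24
        self.networks = [ipaddress.ip_network(c, strict=False) for c in self.cidrs]

    def contains(self, ip) -> bool:
        # A v4 address is never "in" a v6 network and vice versa; ipaddress handles that.
        return any(ip in net for net in self.networks)


def evaluate(client_ip: str, access_lists: List[IpAccessList]) -> Tuple[str, Optional[str]]:
    """Return ("ALLOW" | "BLOCK", label of the list that decided it, or None).

    Assumed precedence for this example: any enabled BLOCK match wins; otherwise the
    address must fall in at least one enabled ALLOW list; if no ALLOW list is enabled
    at all, nothing is restricted.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        # Fail closed on anything that is not a valid address.
        return "BLOCK", "unparseable-address"
    for lst in access_lists:
        if lst.enabled and lst.list_type == "BLOCK" and lst.contains(ip):
            return "BLOCK", lst.label
    allow_lists = [lst for lst in access_lists if lst.enabled and lst.list_type == "ALLOW"]
    if not allow_lists:
        return "ALLOW", None
    for lst in allow_lists:
        if lst.contains(ip):
            return "ALLOW", lst.label
    return "BLOCK", None


def lockout_check(admin_ips: List[str], access_lists: List[IpAccessList]) -> List[str]:
    """Return the administrator addresses these lists would lock out.

    Run this before enabling the lists, so the people who have to repair a
    misconfiguration can still reach the workspace afterwards.
    """
    return [ip for ip in admin_ips if evaluate(ip, access_lists)[0] == "BLOCK"]


# Constructed sample lists using documentation address ranges (not a real workspace).
SAMPLE_LISTS = [
    IpAccessList("corp-offices", "ALLOW", ["203.0.113.0/24", "198.51.100.10/32"]),
    IpAccessList("vpn-ipv6", "ALLOW", ["2001:db8:abcd::/48"]),
    IpAccessList("compromised-host", "BLOCK", ["203.0.113.7/32"]),
    IpAccessList("old-office", "ALLOW", ["192.0.2.0/24"], enabled=False),
]

if __name__ == "__main__":
    for addr in ["203.0.113.5", "203.0.113.7", "192.0.2.44", "2001:db8:abcd::1"]:
        print(addr, "->", evaluate(addr, SAMPLE_LISTS))
    print("would be locked out:", lockout_check(["203.0.113.5", "192.0.2.44"], SAMPLE_LISTS))
```

The `lockout_check` step is the one worth keeping in a change procedure: a block entry that overlaps an allow range, or a disabled allow list that administrators still rely on, is easy to miss by reading the CIDRs alone.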

Egress controls

To control outbound traffic from your app, create a network connectivity configuration (NCC) and apply network policies to the workspace hosting the app.

Network connectivity configurations

Use a network connectivity configuration to assign stable egress IPs and control how your app connects to external services. NCCs provide fixed public IP addresses that you can add to external system allowlists to securely permit Databricks traffic.

To restrict egress to private destinations such as an S3 bucket or a network load balancer (NLB), configure PrivateLink connections as part of your NCC setup.

Network policies

Use network policies to enforce egress restrictions on Databricks apps and other serverless workloads. This is useful when you need to meet organizational or compliance requirements for controlling outbound connectivity.

Note: Network policies are only available on the Enterprise tier.

Apply a network policy if your app:

  • Must limit access to a specific set of approved external domains
  • Needs to prevent accidental data exfiltration
  • Must comply with security or compliance standards that restrict outbound internet traffic

Best practices for configuring network policies

Follow these guidelines to avoid unintended disruptions and ensure that your apps can access required resources:

  • Allow only required destinations. Add fully qualified domain names (FQDNs) for public or private resources that your app needs.
  • Include package repositories as needed. If your app installs public Python or Node.js packages, you might need to allow domains such as pypi.org for Python, or registry.npmjs.org for Node. Your application might require additional or different domains depending on your specific dependencies. Without these repositories, app builds that rely on requirements.txt or package.json might fail.
  • Use dry-run mode to validate your network policy. This mode simulates policy enforcement without blocking traffic.
  • Review denied connection attempts using the system.access.outbound_network table. This helps you identify domains that you might need to allow. See Check denial logs.
  • Add any required external domains, such as trusted APIs or AWS service endpoints like S3 or STS.
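The guidelines above describe an allow-only FQDN policy, a dry-run phase, and a review of denied attempts. The following added example, which is not Databricks code and does not query the real `system.access.outbound_network` table, models that workflow over constructed outbound-connection records: it evaluates each destination against the allow list, records what an enforced policy would have blocked without blocking anything in dry-run mode, and summarizes the denied destinations so you can decide which to add. The `dry_run` flag, the record fields, the `*.example.com` wildcard convention and the sample destinations are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NetworkPolicy:
    name: str
    allowed_fqdns: List[str]
    dry_run: bool = True   # assumed flag: simulate enforcement, log verdicts, block nothing


@dataclass
class OutboundAttempt:
    """A constructed outbound-connection record (fields are this example's own)."""
    event_time: str
    dest_fqdn: str
    dest_port: int


@dataclass
class Decision:
    attempt: OutboundAttempt
    verdict: str      # "ALLOW" or "DENY"
    action: str       # "passed", "logged" (dry run) or "blocked" (enforced)
    matched: str = "" # allow-list entry that covered the destination, if any


def match_fqdn(dest: str, allowed_fqdns: List[str]) -> str:
    """Return the allow-list entry that covers dest, or "" if none.

    Matching is case-insensitive and exact, except that an entry written as
    "*.example.com" (a convention of this example only) covers subdomains of
    example.com but not example.com itself.
    """
    dest = dest.lower().rstrip(".")
    for entry in allowed_fqdns:
        e = entry.lower().rstrip(".")
        if e.startswith("*."):
            if dest.endswith(e[1:]):      # ".example.com" suffix, so "evilexample.com" does not match
                return entry
        elif dest == e:
            return entry
    return ""


def apply_policy(policy: NetworkPolicy, attempts: List[OutboundAttempt]) -> List[Decision]:
    """Evaluate every attempt; in dry-run mode denials are recorded, not enforced."""
    decisions = []
    for a in attempts:
        matched = match_fqdn(a.dest_fqdn, policy.allowed_fqdns)
        if matched:
            decisions.append(Decision(a, "ALLOW", "passed", matched))
        else:
            decisions.append(Decision(a, "DENY", "logged" if policy.dry_run else "blocked"))
    return decisions


def denied_summary(decisions: List[Decision]) -> List[Tuple[str, int]]:
    """Denied destinations with attempt counts, most frequent first: the review list."""
    counts = Counter(d.attempt.dest_fqdn for d in decisions if d.verdict == "DENY")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample policy and traffic (not from a real workspace).
SAMPLE_POLICY = NetworkPolicy(
    name="apps-restricted-egress",
    allowed_fqdns=["pypi.org", "registry.npmjs.org", "*.amazonaws.com"],
    dry_run=True,
)

SAMPLE_ATTEMPTS = [
    OutboundAttempt("2024-05-01T10:00:01Z", "pypi.org", 443),
    OutboundAttempt("2024-05-01T10:00:02Z", "files.pythonhosted.org", 443),  # pip's download host
    OutboundAttempt("2024-05-01T10:00:05Z", "registry.npmjs.org", 443),
    OutboundAttempt("2024-05-01T10:00:09Z", "s3.us-east-1.amazonaws.com", 443),
    OutboundAttempt("2024-05-01T10:01:00Z", "api.partner.example", 443),
    OutboundAttempt("2024-05-01T10:02:00Z", "paste.unexpected.example", 443),
    OutboundAttempt("2024-05-01T10:02:30Z", "paste.unexpected.example", 443),
]

if __name__ == "__main__":
    for d in apply_policy(SAMPLE_POLICY, SAMPLE_ATTEMPTS):
        print(d.attempt.dest_fqdn, d.verdict, d.action, d.matched)
    print("review before enforcing:", denied_summary(apply_policy(SAMPLE_POLICY, SAMPLE_ATTEMPTS)))
```

The summary is the point of the dry run: in this sample, allowing `pypi.org` alone still leaves the pip download host denied, which is exactly the kind of build-breaking gap the denial log surfaces, while a destination nobody recognizes should stay denied and be investigated rather than added.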

Encryption and traffic routing

Databricks Apps uses dedicated routing paths and multiple encryption layers to secure network communications and protect data.

Traffic routing

Traffic between the Databricks control plane, compute plane, other Databricks resources, and cloud services travels over the cloud provider's global network and doesn't traverse the public internet.

Traffic between users and databricksapps.com might traverse the public internet depending on the user's network location. To avoid public internet routing, configure front-end private connectivity.

Encryption in transit

All network communications to and from apps are encrypted:

  • User traffic: Communication between users and databricksapps.com uses Transport Layer Security (TLS) 1.3 encryption.
  • Control plane traffic: Communication between the Databricks control plane and compute plane uses mutual TLS (mTLS) for management operations including app creation, updates, and deletion.

Encryption at rest

Databricks Apps encrypts stored data using the following methods:

  • Application code: Databricks stores app code in workspace files and uses the same encryption as notebooks and other workspace files.
  • Compute storage: Apps use ephemeral host operating system disks encrypted with AES-256 and the cloud provider's default encryption implementation.