Configure private connectivity to Azure Databricks
This article describes private connectivity between users and their Databricks workspaces. For information on how to configure private connectivity from the control plane to the classic compute plane, see Classic compute plane networking.
For information on how to configure private connectivity from the the serverless compute plane to Azure storage, see Configure private connectivity from serverless compute.
Private connectivity to Azure Databricks overview
Azure Private Link provides private connectivity from Azure VNets and on-premises networks to Azure services without exposing the traffic to the public network. Azure Databricks supports using Private Link to allow users and applications to connect to Azure Databricks over a VNet interface endpoint. The endpoint is known as an Azure private endpoint and the target of the endpoint is the Azure Databricks control plane. This private endpoint has the sub-resource type databricks_ui_api
and there is one for each workspace.
The network traffic for a Private Link connection between a transit VNet and the workspace control plane traverses over the Microsoft backbone network.
Private connectivity to Azure Databricks is supported when connecting to the web application, REST API, Databricks Connect API, JDBC/ODBC, and Power BI integrations.
You can optionally mandate private connectivity for the workspace, which means Azure Databricks rejects any connections over the public network. You must configure private connectivity from users to Azure Databricks (front-end) and from the control plane to the compute plane (back-end) in order to mandate private connectivity for a workspace.
You can enable Private Link while creating a workspace or on an existing workspace. To enable private connectivity to Azure Databricks, see Enable Azure Private Link back-end and front-end connections.
Single sign-on with private connectivity
To support private connections to Azure Databricks for clients that have no public internet connectivity, you must add a browser authentication private endpoint to support single sign-on login callbacks to the Azure Databricks from Microsoft Entra ID. A browser authentication private endpoint is a private connection with sub-resource type browser_authentication
. There is one browser authentication private endpoint per region, rather than per workspace.
Note
If you allow connections from your network to the public internet, a browser authentication private endpoint is not required. However, Databricks recommends using a browser authentication private endpoint.
Enable private connectivity to Azure Databricks
To enable private connectivity to Azure Databricks, see Enable Azure Private Link back-end and front-end connections.