This guide introduces features to customize network access between the Databricks control plane and the compute plane.
To learn more about the control plane and the compute plane, see Databricks architecture overview.
The features in this section focus on establishing and securing the connection between the Databricks control plane and compute plane. This connection is labeled as 2 in the diagram below:
All new workspaces are created with secure cluster connectivity by default. When secure cluster connectivity is enabled, customer virtual networks have no open ports and Databricks Runtime cluster nodes have no public IP addresses. This simplifies network administration by removing the need to configure ports on security groups or network peering. To learn more about deploying a workspace with secure cluster connectivity, see Secure cluster connectivity.
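The two properties secure cluster connectivity relies on (no public IPs on cluster nodes, no ingress open to the internet) are easy to verify from the Google Cloud side. The audit below is an added example, not Databricks code or part of this guide: its inputs are assumed to be shaped like the GCE `instances.list` and `firewalls.list` REST responses, and the sample records are constructed for illustration.

```python
"""Audit a compute-plane VPC for the secure cluster connectivity invariants:
cluster nodes carry no external (NAT) IP, and no enabled INGRESS allow rule
is reachable from the internet. Added example; input dicts are assumed to
mirror the GCE instances.list / firewalls.list JSON shape."""
from typing import Dict, List

# Source ranges that mean "anyone on the internet".
INTERNET_RANGES = {"0.0.0.0/0", "::/0"}


def nodes_with_public_ip(instances: List[Dict]) -> List[str]:
    """Names of instances with an external IP on any network interface."""
    flagged = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if any(ac.get("natIP") for ac in nic.get("accessConfigs", [])):
                flagged.append(inst["name"])
                break
    return flagged


def open_ingress_rules(firewalls: List[Dict]) -> List[str]:
    """Names of enabled INGRESS rules that allow traffic from the internet."""
    flagged = []
    for fw in firewalls:
        if fw.get("direction", "INGRESS") != "INGRESS" or fw.get("disabled"):
            continue
        if not fw.get("allowed"):  # deny-only rules are not an exposure
            continue
        if INTERNET_RANGES & set(fw.get("sourceRanges", [])):
            flagged.append(fw["name"])
    return flagged


def audit(instances: List[Dict], firewalls: List[Dict]) -> Dict[str, List[str]]:
    """Collect both classes of finding; empty lists mean the VPC is compliant."""
    return {
        "public_ip_nodes": nodes_with_public_ip(instances),
        "open_ingress_rules": open_ingress_rules(firewalls),
    }


# Constructed sample data (not from a real project): one compliant node, one
# legacy node with a NAT IP, one internal rule, one rule open to the world.
SAMPLE_INSTANCES = [
    {"name": "driver-a", "networkInterfaces": [{"networkIP": "10.0.1.5", "accessConfigs": []}]},
    {"name": "legacy-b", "networkInterfaces": [{"networkIP": "10.0.1.6", "accessConfigs": [{"natIP": "203.0.113.7"}]}]},
]
SAMPLE_FIREWALLS = [
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_INSTANCES, SAMPLE_FIREWALLS))
```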
A Google Cloud Virtual Private Cloud (VPC) lets you provision a logically isolated section of Google Cloud where you can launch GCP resources in a virtual network. The VPC is the network location for your Databricks clusters. By default, Databricks creates and manages a VPC for the Databricks workspace.
You can instead provide your own VPC to host your Databricks clusters, enabling you to maintain more control of your own GCP account and limit outgoing connections. To take advantage of a customer-managed VPC, you must specify a VPC when you first create the Databricks workspace. You can share VPCs across workspaces, but you cannot share subnets across workspaces. For more information, see Configure a customer-managed VPC.
Google Private Service Connect (PSC) provides private connectivity from Google Cloud VPCs to Google Cloud services without exposing the traffic to the public network. This enables private connectivity from Databricks compute in a customer-managed VPC to a Databricks workspace’s core services.
For more information, see Enable Private Service Connect for your workspace.