Configure domain name firewall rules

If your corporate firewall blocks traffic based on domain names, you must allow HTTPS and WebSocket traffic to Databricks domain names to ensure access to Databricks resources. You can choose between two options, one more permissive but easier to configure, the other specific to your workspace domains.

To limit egress from clusters and other compute resources in the compute plane using a firewall, see Limit network egress for your workspace using a firewall.

Option 1: Allow traffic to *.gcp.databricks.com

Update your firewall rules to allow HTTPS and WebSocket traffic to *.gcp.databricks.com. This is more permissive than option 2, but it saves you the effort of updating firewall rules for each Databricks workspace in your account.

Option 2: Allow traffic to your Databricks workspaces and account console only

If you choose to configure firewall rules for each workspace in your account, you must:

  1. Identify your workspace domains. Your Databricks workspace domain name includes your workspace ID as well as a subdomain that is the last digit of your workspace ID:

    <workspace-ID>.<last-digit-of-workspace-ID>.gcp.databricks.com

    For example:

    12345678990.0.gcp.databricks.com

    To get the URL from a workspace you are using, use the browser URL.

    You can also get the workspace URL from the account console.

  2. If you will need to access the account console from that network, also allow traffic to:

    accounts.gcp.databricks.com

  3. Update your firewall rules. Allow HTTPS and WebSocket traffic to the domains you identified in the previous steps.
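
The following Python sketch is an added example, not Databricks code. It builds the Option 2 domain list from workspace IDs using the pattern in step 1 and compares how a host is treated under each option. The function names are hypothetical, the second workspace ID and the look-alike host are constructed sample values, and the wildcard is assumed to match subdomains at any depth, as Option 1 implies for workspace hosts.

```python
import re

BASE = "gcp.databricks.com"
ACCOUNT_CONSOLE = "accounts." + BASE

def workspace_domain(workspace_id):
    """Build <workspace-ID>.<last-digit-of-workspace-ID>.gcp.databricks.com."""
    wid = str(workspace_id).strip()
    if not re.fullmatch(r"[0-9]+", wid):  # assumption: IDs are decimal digits
        raise ValueError(f"unexpected workspace ID: {workspace_id!r}")
    return f"{wid}.{wid[-1]}.{BASE}"

def option2_allowlist(workspace_ids, include_account_console=True):
    """Exact-match domain list for Option 2."""
    domains = {workspace_domain(w) for w in workspace_ids}
    if include_account_console:
        domains.add(ACCOUNT_CONSOLE)
    return sorted(domains)

def _normalize(host):
    # Compare case-insensitively and ignore a trailing root dot.
    return host.strip().rstrip(".").lower()

def allowed_option1(host):
    """Option 1: *.gcp.databricks.com, matched on a label boundary."""
    return _normalize(host).endswith("." + BASE)

def allowed_option2(host, allowlist):
    """Option 2: only the listed workspace and account console hosts."""
    return _normalize(host) in allowlist

if __name__ == "__main__":
    rules = option2_allowlist(["12345678990"])  # ID from the example above
    print("\n".join(rules))
    for host in (
        "12345678990.0.gcp.databricks.com",
        "9876543217.7.gcp.databricks.com",   # constructed: a workspace not in the list
        "gcp.databricks.com.example.net",    # constructed: look-alike suffix
    ):
        print(host, allowed_option1(host), allowed_option2(host, rules))
```

The look-alike host is rejected under both options because the wildcard is matched with a leading dot on a label boundary rather than as a bare substring or suffix.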