By default, a Databricks workspace exposes its sign-in page to any IP address on the internet. In enterprise environments, requirements like "only allow access from the corporate VPN" or "restrict access to specific office IPs" come up constantly. IP Access Lists is the feature that controls which IP address ranges can reach a workspace, using CIDR notation.
This article walks through how IP Access Lists work, the differences between Allow Lists and Block Lists, REST API configuration steps, CIDR notation basics, and when to use VPN or Private Link instead.
IP Access Lists are a workspace-level network access control. When enabled, every request to the workspace (UI sign-in, REST API calls, JDBC/ODBC connections) is checked against the source IP address. Requests from IPs that are not permitted are rejected with 403 Forbidden.
There are two kinds of IP Access Lists, each with a different role.
| Type | Role | Typical use case |
|---|---|---|
| Allow List | Only allows access from specified CIDRs | Permitting corporate VPN or office IPs |
| Block List | Explicitly denies access from specified CIDRs | Excluding specific subnets within an Allow List |
The evaluation order is Block List → Allow List. If a request matches the Block List, it is denied even if it also matches the Allow List. When at least one Allow List is defined, any IP that does not match any Allow List is implicitly denied.
IP Access Lists configuration uses CIDR (Classless Inter-Domain Routing) notation. Here is a quick refresher for data engineers who are not network-management specialists.
| CIDR notation | IP address range | Address count | Example use |
|---|---|---|---|
| 203.0.113.10/32 | Only 203.0.113.10 | 1 | An individual's global IP |
| 10.0.0.0/24 | 10.0.0.0 to 10.0.0.255 | 256 | An office subnet |
| 10.0.0.0/16 | 10.0.0.0 to 10.0.255.255 | 65,536 | An entire corporate network |
| 0.0.0.0/0 | Every IPv4 address | All IPs | Denies everything when added to a Block List |
The number after the slash is the network prefix length. A larger value means a smaller range. /32 represents a single IP address, while /0 covers every IP address.
When IP Access Lists are enabled, requests are processed in the following order.
If there are zero Allow Lists and only Block Lists, then every IP not on a Block List is permitted. In practice, however, the recommended pattern is to make Allow Lists the primary control and use Block Lists for exception exclusions.
You can configure IP Access Lists from the UI, but for IaC management and automation you use the REST API. The example below creates an Allow List with curl.
# Create an Allow List (corporate VPN CIDRs)
curl -X POST \
"https://<workspace-url>/api/2.0/ip-access-lists" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"label": "Corporate VPN",
"list_type": "ALLOW",
"ip_addresses": [
"10.0.0.0/16",
"172.16.0.0/12"
]
}'To add a Block List, change list_type to "BLOCK".
# Add a Block List (exclude a specific subnet)
curl -X POST \
"https://<workspace-url>/api/2.0/ip-access-lists" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"label": "Exclude Guest Network",
"list_type": "BLOCK",
"ip_addresses": [
"10.0.99.0/24"
]
}'Enabling or disabling the IP Access Lists feature itself is done through the workspace configuration API.
# Enable the IP Access List feature
curl -X PATCH \
"https://<workspace-url>/api/2.0/workspace-conf" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"enableIpAccessLists": "true"
}'Databricks offers several network security features, and they are easy to mix up on the exam. Here is a comparison of what each one protects and how it behaves.
| Approach | Traffic path | Protection scope | Setup cost | Cloud dependency |
|---|---|---|---|---|
| IP Access List | Over the internet (source IP restriction) | Workspace UI and API | Low (configuration only) | None (works on all clouds) |
| VPN + IP Access List | Through a VPN, then a fixed IP, then the internet | Workspace UI and API | Medium (requires a VPN platform) | Depends on the VPN product |
| Private Link | Cloud backbone (does not traverse the internet) | Control plane and data plane | High (requires VNet/VPC configuration) | AWS/Azure specific |
| VNet Injection | Launches clusters inside the customer VNet | Data plane (cluster traffic) | High (requires network design) | AWS/Azure specific |
IP Access List is the simplest to roll out and takes effect immediately. However, since traffic still flows over the internet, you need Private Link when the requirement is that data must never traverse any external network. Many organizations start with IP Access List and migrate to Private Link as compliance requirements tighten — a phased approach.
To manage IP Access Lists as IaC, use the databricks_ip_access_list resource from the Databricks Terraform Provider.
resource "databricks_ip_access_list" "corporate_vpn" {
label = "Corporate VPN"
list_type = "ALLOW"
ip_addresses = [
"10.0.0.0/16",
"172.16.0.0/12",
]
}
resource "databricks_ip_access_list" "guest_block" {
label = "Block Guest Network"
list_type = "BLOCK"
ip_addresses = [
"10.0.99.0/24",
]
}
resource "databricks_workspace_conf" "ip_access" {
custom_config = {
"enableIpAccessLists" = "true"
}
}Managing with Terraform enforces a review process for IP changes (PR, approve, apply) and naturally leaves an audit trail of who changed which IP and when.
Security & Governance
問題 1
The security team gives you this requirement: restrict access to the Databricks workspace to the corporate VPN only (egress IP: 203.0.113.0/24), but deny access from the guest Wi-Fi (203.0.113.128/25). Which configuration is the best fit?
正解: A
Allowing the entire corporate VPN range and excluding the guest subnet with a Block List matches the requirement exactly. Because the Block List is evaluated before the Allow List, guest Wi-Fi IPs are denied even though they fall inside the Allow List range. Option B is mathematically equivalent if you do the CIDR arithmetic correctly, but designing exclusions purely with Allow Lists hurts readability and is not recommended operationally. Private Link is about changing the network path itself, not IP filtering. Unity Catalog handles data access control, not network control.
Do existing sessions get terminated immediately when IP Access Lists are enabled?
No. Enabling IP Access Lists is a workspace-level configuration change, so it does not immediately invalidate existing authenticated sessions. However, the IP check runs on the next API request or UI action, so any access from an IP not on the allow list will be blocked very quickly. Because there is a real risk of locking yourself out with a misconfiguration, always confirm your own IP or VPN CIDR is in the allow list before enabling. If you do get locked out, you can fix the list from the Account Console (which is not affected by IP Access Lists).
What happens if the same IP appears in both the Allow List and the Block List?
The Block List wins. Databricks IP Access Lists use a deny-first model: the Block List is evaluated first, then the Allow List. So even if you allow a broad CIDR like 10.0.0.0/8, adding 10.0.1.0/24 to the Block List denies access from that subnet. This pattern is useful for configurations like "allow the entire corporate network, but exclude one department's subnet."
How is IP Access List configuration tested on the Databricks certification exams?
It appears in the Security and Governance domain on both Data Engineer Associate and Professional. Typical question patterns include "how to restrict workspace access to a specific network," "access control combined with a VPN," and "how it differs from Private Link." You are rarely asked to write specific REST API endpoint names. The focus is on knowing when to use IP Access List versus Private Link / VNet Injection.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...