Databricks

Protect Your Databricks Workspace with IP Access Lists

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

By default, a Databricks workspace exposes its sign-in page to any IP address on the internet. In enterprise environments, requirements like "only allow access from the corporate VPN" or "restrict access to specific office IPs" come up constantly. IP Access Lists is the feature that controls which IP address ranges can reach a workspace, using CIDR notation.

This article walks through how IP Access Lists work, the differences between Allow Lists and Block Lists, REST API configuration steps, CIDR notation basics, and when to use VPN or Private Link instead.

How IP Access Lists Work

IP Access Lists are a workspace-level network access control. When enabled, every request to the workspace (UI sign-in, REST API calls, JDBC/ODBC connections) is checked against the source IP address. Requests from IPs that are not permitted are rejected with 403 Forbidden.

There are two kinds of IP Access Lists, each with a different role.

TypeRoleTypical use case
Allow ListOnly allows access from specified CIDRsPermitting corporate VPN or office IPs
Block ListExplicitly denies access from specified CIDRsExcluding specific subnets within an Allow List

The evaluation order is Block List Allow List. If a request matches the Block List, it is denied even if it also matches the Allow List. When at least one Allow List is defined, any IP that does not match any Allow List is implicitly denied.

CIDR Notation Basics

IP Access Lists configuration uses CIDR (Classless Inter-Domain Routing) notation. Here is a quick refresher for data engineers who are not network-management specialists.

CIDR notationIP address rangeAddress countExample use
203.0.113.10/32Only 203.0.113.101An individual's global IP
10.0.0.0/2410.0.0.0 to 10.0.0.255256An office subnet
10.0.0.0/1610.0.0.0 to 10.0.255.25565,536An entire corporate network
0.0.0.0/0Every IPv4 addressAll IPsDenies everything when added to a Block List

The number after the slash is the network prefix length. A larger value means a smaller range. /32 represents a single IP address, while /0 covers every IP address.

Allow List vs Block List Evaluation Flow

When IP Access Lists are enabled, requests are processed in the following order.

  1. Capture the source IP address of the request
  2. Match against the Block List: if the IP matches any Block List CIDR reject immediately with 403
  3. Match against the Allow List: if the IP matches any Allow List CIDR permit (continue to normal authentication)
  4. No Allow List match implicit deny (403)

If there are zero Allow Lists and only Block Lists, then every IP not on a Block List is permitted. In practice, however, the recommended pattern is to make Allow Lists the primary control and use Block Lists for exception exclusions.

Configuring IP Access Lists via the REST API

You can configure IP Access Lists from the UI, but for IaC management and automation you use the REST API. The example below creates an Allow List with curl.

# Create an Allow List (corporate VPN CIDRs)
curl -X POST \
  "https://<workspace-url>/api/2.0/ip-access-lists" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "Corporate VPN",
    "list_type": "ALLOW",
    "ip_addresses": [
      "10.0.0.0/16",
      "172.16.0.0/12"
    ]
  }'

To add a Block List, change list_type to "BLOCK".

# Add a Block List (exclude a specific subnet)
curl -X POST \
  "https://<workspace-url>/api/2.0/ip-access-lists" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "Exclude Guest Network",
    "list_type": "BLOCK",
    "ip_addresses": [
      "10.0.99.0/24"
    ]
  }'

Enabling or disabling the IP Access Lists feature itself is done through the workspace configuration API.

# Enable the IP Access List feature
curl -X PATCH \
  "https://<workspace-url>/api/2.0/workspace-conf" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "enableIpAccessLists": "true"
  }'

Comparing VPN, Private Link, and IP Access List

Databricks offers several network security features, and they are easy to mix up on the exam. Here is a comparison of what each one protects and how it behaves.

ApproachTraffic pathProtection scopeSetup costCloud dependency
IP Access ListOver the internet (source IP restriction)Workspace UI and APILow (configuration only)None (works on all clouds)
VPN + IP Access ListThrough a VPN, then a fixed IP, then the internetWorkspace UI and APIMedium (requires a VPN platform)Depends on the VPN product
Private LinkCloud backbone (does not traverse the internet)Control plane and data planeHigh (requires VNet/VPC configuration)AWS/Azure specific
VNet InjectionLaunches clusters inside the customer VNetData plane (cluster traffic)High (requires network design)AWS/Azure specific

IP Access List is the simplest to roll out and takes effect immediately. However, since traffic still flows over the internet, you need Private Link when the requirement is that data must never traverse any external network. Many organizations start with IP Access List and migrate to Private Link as compliance requirements tighten — a phased approach.

Operational Best Practices for IP Access Lists

  • Keep Allow Lists minimal: instead of allowing the whole corporate network (/8 or /16), specify VPN egress IPs (/32) or office subnets (/24) to keep the attack surface small.
  • Do not forget automation pipeline IPs: CI/CD runner IP ranges from services like GitHub Actions or Jenkins must also be in the Allow List, or deployments will fail.
  • Manage with labels: give each list a meaningful label ("Tokyo Office", "CI/CD Runners", etc.) so you can tell later why each list was created.
  • Test before enabling: stick to the order of "create the Allow List first, then enable the feature." Enabling first leads to the classic incident: "empty allow list everyone is blocked."
  • The Account Console is unaffected: even if you are locked out of the workspace, you can fix the lists from the Account Console — keep this escape hatch in mind.

Managing with Terraform

To manage IP Access Lists as IaC, use the databricks_ip_access_list resource from the Databricks Terraform Provider.

resource "databricks_ip_access_list" "corporate_vpn" {
  label    = "Corporate VPN"
  list_type = "ALLOW"
  ip_addresses = [
    "10.0.0.0/16",
    "172.16.0.0/12",
  ]
}

resource "databricks_ip_access_list" "guest_block" {
  label    = "Block Guest Network"
  list_type = "BLOCK"
  ip_addresses = [
    "10.0.99.0/24",
  ]
}

resource "databricks_workspace_conf" "ip_access" {
  custom_config = {
    "enableIpAccessLists" = "true"
  }
}

Managing with Terraform enforces a review process for IP changes (PR, approve, apply) and naturally leaves an audit trail of who changed which IP and when.

Key Points for the Exam

  • "How do I restrict workspace access to specific IPs?" IP Access List
  • "How do I connect to the workspace without traversing the internet?" Private Link (not IP Access List)
  • "Which has priority, Block List or Allow List?" Block List wins
  • "At what level are IP Access Lists scoped?" Workspace level
  • "A CI/CD pipeline got blocked by IP restrictions — what now?" Add the runner IPs to the Allow List

Check Yourself

Security & Governance

問題 1

The security team gives you this requirement: restrict access to the Databricks workspace to the corporate VPN only (egress IP: 203.0.113.0/24), but deny access from the guest Wi-Fi (203.0.113.128/25). Which configuration is the best fit?

  1. Add 203.0.113.0/24 to the Allow List and add 203.0.113.128/25 to the Block List
  2. Only add 203.0.113.0/25 to the Allow List and enable the feature
  3. Configure Private Link and only allow access through the VPN
  4. Define a network policy in Unity Catalog to restrict access to tables

正解: A

Allowing the entire corporate VPN range and excluding the guest subnet with a Block List matches the requirement exactly. Because the Block List is evaluated before the Allow List, guest Wi-Fi IPs are denied even though they fall inside the Allow List range. Option B is mathematically equivalent if you do the CIDR arithmetic correctly, but designing exclusions purely with Allow Lists hurts readability and is not recommended operationally. Private Link is about changing the network path itself, not IP filtering. Unity Catalog handles data access control, not network control.

Frequently Asked Questions

Do existing sessions get terminated immediately when IP Access Lists are enabled?

No. Enabling IP Access Lists is a workspace-level configuration change, so it does not immediately invalidate existing authenticated sessions. However, the IP check runs on the next API request or UI action, so any access from an IP not on the allow list will be blocked very quickly. Because there is a real risk of locking yourself out with a misconfiguration, always confirm your own IP or VPN CIDR is in the allow list before enabling. If you do get locked out, you can fix the list from the Account Console (which is not affected by IP Access Lists).

What happens if the same IP appears in both the Allow List and the Block List?

The Block List wins. Databricks IP Access Lists use a deny-first model: the Block List is evaluated first, then the Allow List. So even if you allow a broad CIDR like 10.0.0.0/8, adding 10.0.1.0/24 to the Block List denies access from that subnet. This pattern is useful for configurations like "allow the entire corporate network, but exclude one department's subnet."

How is IP Access List configuration tested on the Databricks certification exams?

It appears in the Security and Governance domain on both Data Engineer Associate and Professional. Typical question patterns include "how to restrict workspace access to a specific network," "access control combined with a VPN," and "how it differs from Private Link." You are rarely asked to write specific REST API endpoint names. The focus is on knowing when to use IP Access List versus Private Link / VNet Injection.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.