topic Re: Databricks Network Policies in Administration & Architecture

Databricks Network Policies

mohsen-dbx — Thu, 27 Feb 2025 15:27:32 GMT

Hi Databricks community. I have 2 questions that I'd appreciate if you can shed some lights on:

Is the new Network Policies in Databricks account, only applicable to serverless compute or are these workspace-wide policies which apply to all other compute types? The databricks documentation Managing network policies for serverless egress control talks about the serverless egress control but it's not clear if this applies to other computes or not. Also nothing in the network policy menu hints at this being a feature for serverless compute.
Also I have created a new policy and assigned a workspace to this policy. As you can see no domains is allowed and the policy is being enforced to the workspaces (I've redacted them). But I can still run any query from these workspaces to storage accounts. Also I can resolve any domain from notebooks. What am I misconfiguring here?

Re: Databricks Network Policies

mohsen-dbx — Mon, 03 Mar 2025 21:41:22 GMT

@support can you share your thoughts on the above please as no one else have responded.

Re: Databricks Network Policies

Rjdudley — Thu, 06 Mar 2025 13:56:39 GMT

I am not support, just a regular customer like you, but here is what I know:

1. Yes, serverless egress only applies to serverless. There is another upcoming change you'll need to make for your classic compute, announced by Microsoft at Default outbound access in Azure - Azure Virtual Network | Microsoft Learn and mentioned by Databricks in Enable secure cluster connectivity - Azure Databricks | Microsoft Learn.

2. Not sure. If the storage accounts are in Unity Catalog they will be automatically allowed. Likewise, if you're running classic compute this policy won't be applied. How did you try to resolve the domain--just a ping, or call an API?