topic Serverless NCC Private Endpoint ESTABLISHED but traffic routes via eth0 instead of PrivateLink (AWS in Administration & Architecture https://community.databricks.com/t5/administration-architecture/serverless-ncc-private-endpoint-established-but-traffic-routes/m-p/158275#M5301 <P>Hi community,</P><P>I've been trying to connect Databricks Serverless to a SQL Server<BR />running on an EC2 instance using NCC Private Endpoint, but traffic<BR />is not being routed through PrivateLink.</P><P>## Setup<BR />- Databricks Serverless (AWS, us-east-1)<BR />- NCC attached to workspace: ESTABLISHED status<BR />- VPC Endpoint Service: internal NLB (scheme: internal)<BR />forwarding TCP:1433 to EC2 target (Healthy)<BR />- Resource FQDN in NCC rule:<BR />LBdemosql-80fcd74e8ec6b9b0.elb.us-east-1.amazonaws.com<BR />- VPC Endpoint status: ESTABLISHED</P><P>## Evidence<BR />From serverless notebook:</P><P># DNS resolves correctly via PrivateLink<BR />nslookup LBdemosql-80fcd74e8ec6b9b0.elb.us-east-1.amazonaws.com<BR />→ 10.0.0.45, 10.0.0.23 <span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span></P><P># But routing goes via internet gateway, not PrivateLink<BR />ip route get 10.0.0.45<BR />→ 10.0.0.45 via 169.254.1.1 dev eth0 src 192.168.210.11 <span class="lia-unicode-emoji" title=":cross_mark:">❌</span></P><P># TCP connection fails<BR />socket.connect_ex("LBdemosql...", 1433) → 111 (Connection refused)</P><P># Direct connection via EC2 public IP works fine <span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span></P><P>## What I've tried<BR />- Recreated NCC rule multiple times<BR />- Verified NLB target is Healthy<BR />- Verified Security Groups allow traffic<BR />- Verified NACL allows all traffic<BR />- Cross-zone load balancing enabled<BR />- Windows Firewall disabled on EC2<BR />- Allow principals includes Databricks IAM role</P><P>## Questions<BR />1. Is an internal NLB supported as NCC PrivateLink target for<BR />Serverless compute?<BR />2. Does the FQDN need to resolve to a public IP for Serverless<BR />to intercept DNS and route via PrivateLink?<BR />3. Is there any additional configuration needed when the NLB<BR />DNS resolves to private IPs (10.0.0.x)?</P><P>Thanks in advance.</P> Thu, 04 Jun 2026 06:09:34 GMT Javier_Epad 2026-06-04T06:09:34Z Serverless NCC Private Endpoint ESTABLISHED but traffic routes via eth0 instead of PrivateLink (AWS https://community.databricks.com/t5/administration-architecture/serverless-ncc-private-endpoint-established-but-traffic-routes/m-p/158275#M5301 <P>Hi community,</P><P>I've been trying to connect Databricks Serverless to a SQL Server<BR />running on an EC2 instance using NCC Private Endpoint, but traffic<BR />is not being routed through PrivateLink.</P><P>## Setup<BR />- Databricks Serverless (AWS, us-east-1)<BR />- NCC attached to workspace: ESTABLISHED status<BR />- VPC Endpoint Service: internal NLB (scheme: internal)<BR />forwarding TCP:1433 to EC2 target (Healthy)<BR />- Resource FQDN in NCC rule:<BR />LBdemosql-80fcd74e8ec6b9b0.elb.us-east-1.amazonaws.com<BR />- VPC Endpoint status: ESTABLISHED</P><P>## Evidence<BR />From serverless notebook:</P><P># DNS resolves correctly via PrivateLink<BR />nslookup LBdemosql-80fcd74e8ec6b9b0.elb.us-east-1.amazonaws.com<BR />→ 10.0.0.45, 10.0.0.23 <span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span></P><P># But routing goes via internet gateway, not PrivateLink<BR />ip route get 10.0.0.45<BR />→ 10.0.0.45 via 169.254.1.1 dev eth0 src 192.168.210.11 <span class="lia-unicode-emoji" title=":cross_mark:">❌</span></P><P># TCP connection fails<BR />socket.connect_ex("LBdemosql...", 1433) → 111 (Connection refused)</P><P># Direct connection via EC2 public IP works fine <span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span></P><P>## What I've tried<BR />- Recreated NCC rule multiple times<BR />- Verified NLB target is Healthy<BR />- Verified Security Groups allow traffic<BR />- Verified NACL allows all traffic<BR />- Cross-zone load balancing enabled<BR />- Windows Firewall disabled on EC2<BR />- Allow principals includes Databricks IAM role</P><P>## Questions<BR />1. Is an internal NLB supported as NCC PrivateLink target for<BR />Serverless compute?<BR />2. Does the FQDN need to resolve to a public IP for Serverless<BR />to intercept DNS and route via PrivateLink?<BR />3. Is there any additional configuration needed when the NLB<BR />DNS resolves to private IPs (10.0.0.x)?</P><P>Thanks in advance.</P> Thu, 04 Jun 2026 06:09:34 GMT https://community.databricks.com/t5/administration-architecture/serverless-ncc-private-endpoint-established-but-traffic-routes/m-p/158275#M5301 Javier_Epad 2026-06-04T06:09:34Z