
Databricks App in Azure Databricks with private link cluster (no Public IP)

Behwar
New Contributor II

Hello,
I've deployed Azure Databricks with a standard Private Link setup (no public IP). Everything works as expected—I can log in via the private/internal network, create clusters, and manage workloads without any issues.

When I create a Databricks App, it generates a URL like: <name>.azure.databricksapps.com

Since I didn't initially have a Private DNS Zone for azure.databricksapps.com, my system resolved this address to a public IP. To fix this, I:

  • Created a Private DNS Zone for azure.databricksapps.com.
  • Added an A record pointing <name>.azure.databricksapps.com to my Databricks workspace private IP endpoint (same as used in privatelink.azuredatabricks.net for this workspace).

Behavior Before Adding the Private DNS Zone:
nslookup <app-name>.azure.databricksapps.com → Resolved to a public IP.
curl or accessing via a browser resulted in:
{"X-Databricks-Reason-Phrase":"Public access is not allowed for workspace: xyz"}

Behavior After Adding the Private DNS Zone:
nslookup <app-name>.azure.databricksapps.com → Now resolves to the private IP (as expected).
However, curl and browser requests still go through the public IP and return the same error:
{"X-Databricks-Reason-Phrase":"Public access is not allowed for workspace: xyz"}

Is additional configuration needed to ensure Databricks Apps work over Private Link?
Does this feature require a Public IP, or should it work fully within a private network?

2 REPLIES

Alberto_Umana
Databricks Employee

Hello @Behwar,

Did you make sure that your internal DNS is configured to map the web application workspace URL to your front-end VPC endpoint? This involves creating an A-record in your internal DNS that maps the workspace URL directly to the front-end (workspace) VPC endpoint private IP.

I'm using Azure, so instead of a VPC endpoint, I'm working with Azure Private Link. Here's what I checked and did:

  • Verified my Databricks workspace private endpoint under privatelink.azuredatabricks.net.
  • Created a Private DNS Zone for azure.databricksapps.com and mapped <app-name> to the same private IP as my Databricks workspace.
  • Linked my VNet to the Private DNS Zone so all internal resources resolve it correctly.
  • Confirmed that nslookup now returns the private IP, but browser and curl still attempt to route via the public IP.
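
An added diagnostic example, not part of the thread and not Databricks tooling: nslookup queries DNS servers directly, while curl and browsers resolve through the OS resolver and hand name resolution to an HTTPS proxy when one is configured, so this sketch checks both paths for the symptom described above. The host name, address and proxy URL are constructed placeholders, and it assumes the private endpoint IP lies in an RFC 1918 range.

```python
import ipaddress
import os
import socket

# RFC 1918 ranges; assumes the private endpoint IP comes from one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_addresses(addresses):
    """Return (private, public) lists for the given IP address strings."""
    private, public = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if any(ip in net for net in RFC1918) else public).append(addr)
    return private, public

def system_resolve(host, port=443):
    """Resolve through getaddrinfo, the OS resolver path (hosts file, cache, DNS)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def proxy_for(host, env=None):
    """Return the HTTPS proxy a curl-style client would use for host, else None.
    NO_PROXY matching is simplified to exact and domain-suffix entries."""
    env = os.environ if env is None else env
    proxy = env.get("https_proxy") or env.get("HTTPS_PROXY")
    if not proxy:
        return None
    no_proxy = env.get("no_proxy") or env.get("NO_PROXY") or ""
    for entry in (e.strip().lstrip(".") for e in no_proxy.split(",")):
        if entry and (entry == "*" or host == entry or host.endswith("." + entry)):
            return None
    return proxy

def diagnose(host, resolved, env=None):
    """List reasons a request to host may not reach the private endpoint."""
    private, public = split_addresses(resolved)
    findings = []
    if public:
        findings.append(f"OS resolver returned public address(es): {public}")
    proxy = proxy_for(host, env)
    if proxy:
        findings.append(f"proxy {proxy} resolves {host} itself, bypassing local DNS")
    return findings or [f"{host} resolves only to private address(es): {private}"]

if __name__ == "__main__":
    # Constructed sample: hypothetical app host name, address and proxy URL.
    host = "myapp.azure.databricksapps.com"
    for line in diagnose(host, ["10.0.1.5"], {"HTTPS_PROXY": "http://proxy.example.internal:8080"}):
        print(line)
```

On the affected machine, pass `system_resolve(host)` as the `resolved` argument and omit `env` so the real resolver output and environment are checked.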
