Your current setup is a known anti-pattern. By creating a PHZ for cloud.databricks.com, you're shadowing every subdomain under that zone, including accounts, ui-assets, and any future public subdomains Databricks adds.
How it works
Databricks workspace URLs resolve through a CNAME chain:
<workspace>.cloud.databricks.com → <region>.privatelink.cloud.databricks.com
So the PHZ only needs to cover privatelink.cloud.databricks.com with regional A records pointing to your VPC endpoint private IPs. This leaves all public subdomains (accounts, ui-assets, etc.) resolving normally through public DNS.
Recommended Steps
1. Create a new PHZ for privatelink.cloud.databricks.com associated with your VPC
2. Add A records for your region(s), e.g. us-east-1.privatelink.cloud.databricks.com → VPC endpoint private IPs
3. Delete the old cloud.databricks.com PHZ
4. Verify accounts.cloud.databricks.com and ui-assets.cloud.databricks.com resolve publicly again
This eliminates all hardcoded ELB hostnames and is resilient to Databricks infrastructure rotations.
References
- https://docs.databricks.com/aws/en/security/network/classic/privatelink-dns
- https://community.databricks.com/t5/community-articles/configuring-dns-resolution-for-private-databr...
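Added example (not part of the answer above or Databricks' own tooling): a small Python helper that shows why a PHZ for cloud.databricks.com shadows the public subdomains while one for privatelink.cloud.databricks.com does not, and builds the Route 53 change batch for the regional A record from step 2. The endpoint IPs are constructed sample values.

```python
import ipaddress
import json

# Zone the answer recommends covering with a private hosted zone (PHZ).
PRIVATELINK_ZONE = "privatelink.cloud.databricks.com"
# Zone the answer says must not be shadowed.
PUBLIC_ZONE = "cloud.databricks.com"
# Public names that must keep resolving through public DNS (from the answer).
PUBLIC_NAMES = ["accounts.cloud.databricks.com", "ui-assets.cloud.databricks.com"]


def shadowed_by_phz(name: str, zone: str) -> bool:
    """True if a PHZ for `zone` would intercept lookups of `name`.
    A PHZ is authoritative for its apex and every name under it, whether or
    not a record for that name exists, so any such name stops resolving publicly."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def shadowed_public_names(zone: str, names=PUBLIC_NAMES) -> list:
    """Public Databricks names that a PHZ for `zone` would break."""
    return [n for n in names if shadowed_by_phz(n, zone)]


def privatelink_change_batch(region: str, endpoint_ips, ttl: int = 300) -> dict:
    """Route 53 change batch creating <region>.privatelink.cloud.databricks.com
    as an A record, in the JSON shape accepted by
    `aws route53 change-resource-record-sets --change-batch file://...`."""
    ips = [str(ipaddress.IPv4Address(ip)) for ip in endpoint_ips]  # validate inputs
    return {
        "Comment": "Databricks PrivateLink front-end VPC endpoint",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": f"{region}.{PRIVATELINK_ZONE}",
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip} for ip in ips],
            },
        }],
    }


if __name__ == "__main__":
    sample_ips = ["10.0.1.10", "10.0.2.10"]  # constructed, not real endpoint IPs
    print("old PHZ shadows:", shadowed_public_names(PUBLIC_ZONE))
    print("new PHZ shadows:", shadowed_public_names(PRIVATELINK_ZONE))
    print(json.dumps(privatelink_change_batch("us-east-1", sample_ips), indent=2))
```

Write the printed change batch to a file and pass it with `--change-batch` against the new PHZ's hosted zone ID; step 4 of the answer is then just a `dig` of the two public names from inside the VPC.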