Databricks Community

Your current setup is a known anti-pattern. By creating a PHZ for cloud.databricks.com, you're shadowing every subdomain under that zone, including accounts, ui-assets, and any future public subdomains Databricks adds.

How it works

Databricks workspace URLs resolve through a CNAME chain:

<workspace>.cloud.databricks.com → <region>.privatelink.cloud.databricks.com

So the PHZ only needs to cover privatelink.cloud.databricks.com with regional A records pointing to your VPC endpoint private IPs. This leaves all public subdomains (accounts, ui-assets, etc.) resolving normally through public DNS.

Recommended Steps

1. Create a new PHZ for privatelink.cloud.databricks.com associated with your VPC
2. Add A records for your region(s), e.g. us-east-1.privatelink.cloud.databricks.com → VPC endpoint private IPs
3. Delete the old cloud.databricks.com PHZ
4. Verify accounts.cloud.databricks.com and ui-assets.cloud.databricks.com resolve publicly again

This eliminates all hardcoded ELB hostnames and is resilient to Databricks infrastructure rotations.

References
- https://docs.databricks.com/aws/en/security/network/classic/privatelink-dns
- https://community.databricks.com/t5/community-articles/configuring-dns-resolution-for-private-databr...

Thank you for your response. I added a new private hosted zone in Amazon Route 53 for privatelink.cloud.databricks.com, and created an A record for us-east-1.privatelink.cloud.databricks.com pointing to the private endpoint IP.

I had a question regarding split DNS in Tailscale. It is currently configured to forward cloud.databricks.com to 10.104.248.2 (our VPC DNS resolver), as it was for the original private hosted zone. However, when I switch the split DNS domain to privatelink.cloud.databricks.com, it breaks private DNS resolution for workspaces using Private Link and starts returning public IPs instead. Does this mean we should keep the split DNS configuration in Tailscale set to cloud.databricks.com → 10.104.248.2?