
Serverless Access to Public internet

jpm2617
New Contributor II

Hi

I am trying to run notebooks on serverless compute but I cannot access the public internet. I cannot perform a get on google.com getting "[Errno -3] Temporary failure in name resolution". 

I checked my admin console network policies and they all were on the default provided by databricks so I am not sure what I am missing. Could you please provide support? 

Thanks 

4 REPLIES

szymon_dybczak
Esteemed Contributor III

Hi  @jpm2617 ,

Network policies have two primary modes: Full Access (unrestricted outbound internet) and Restricted Access (tightly controlled outbound connections). The default policy is associated with all workspaces that have no explicit network policy assignment. 

The key thing to check is what your default policy's internet access mode is actually set to. "Default provided by Databricks" doesn't automatically mean "Full Access" - if your account admin (or a previous admin) has modified the default policy to restricted mode, public internet will be blocked.

As an account admin, do the following:

  1. Go to the Account Console -> Security -> Networking tab
  2. Under Policies, click Context-based ingress & egress control
  3. Open the default policy (or whichever policy is attached to your workspace)
  4. Click the Egress tab and check the internet access setting
  5. Set it to "Allow access to all destinations" for unrestricted outbound internet access or add domains you want to reach to "Allowed domains"

szymon_dybczak_0-1777477574615.png

 

 

If my answer was helpful, please consider marking it as accepted solution

Hi, 
I cannot find the place that you have in your screenshot, this is what my network tab looks like. 

Thanks,

jpm2617_0-1777479933379.png

 

I can also see that my default_policy attached to my workspace looks like this: 

jpm2617_1-1777480168524.png

 

Louis_Frolio
Databricks Employee

Greetings @jpm2617 , I did some digging and would like to share my thoughts:

@szymon_dybczak nailed the root cause. Your [Errno -3] Temporary failure in name resolution when calling google.com is the classic symptom of a workspace attached to a restricted serverless egress policy, even when the policy is named default_policy and looks like the Databricks default. The name "default" does not guarantee full internet access.

A few clarifications and a clear set of next steps.

  1. You need the Account Console, not the workspace Admin page

The controls live at the account layer, not the workspace one:

Account Console → Security → Networking → Context-based ingress & egress control

If you only see workspace VPC options and no "Context-based ingress & egress control" section, one of two things is happening. You're still in the workspace UI, or you don't have account admin rights. Cluster VPC and secure cluster connectivity settings live in the workspace Network tab, but they're not what you need here.

  2. You need account admin rights to see or edit the policy

Only users with the account admin role (or equivalent) can open the network policy object and change its egress and internet access mode. If the "Context-based ingress & egress control" section is missing entirely, it's one of these:

  • You're not actually in the Account Console
  • Your user is not an account admin
  • Your account or plan does not expose the feature (some lightweight or free setups don't)

If it's the third case, I don't know of a supported way for you to override serverless egress on your own today. You'd need your account team or Databricks Support to confirm what's available on your specific tenant. I can't tell which account type you're on from the screenshot alone, so I won't guess at it.

  3. What to change once you're in the right place

Once you're in the Account Console as an account admin, do this in order:

a. Go to Security → Networking → Context-based ingress & egress control.

b. Open the policy attached to your workspace (you've already identified it as default_policy).

c. On the Egress tab, set Internet access to one of these:

  • "Allow access to all destinations" if you truly want unrestricted outbound internet so google.com and similar resolve.
  • "Allow access only to selected domains" and add the specific domains your serverless compute needs to reach.

d. Restart your serverless compute so the new egress rules apply.

e. Re-run your test GET against https://www.google.com to confirm.

  4. If you don't actually want public internet

Many customers deliberately keep serverless off the public internet and front required services through Private Link or NCC (Network Connectivity Configuration). All traffic stays on private cloud networks, which reduces exposure. Databricks engineering has written about this pattern for exactly this scenario. If that's your real goal, follow those patterns instead of opening full outbound internet.

Takeaway

If you can confirm you're in the Account Console as an account admin and you still don't see "Context-based ingress & egress control," this is almost certainly an account or plan configuration limit. Open a Databricks Support ticket or contact your account team to verify whether serverless egress policy management is enabled for your tenant, and if not, what your options are.

Hope this helps.

Regards, Louis.
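
For the re-test in step e, a per-host check that separates the name-resolution failure from the original question from a later connection failure makes it easier to confirm an "allowed domains" policy one domain at a time. This is an added example, not code from any reply in this thread; `REQUIRED_HOSTS`, `classify_host` and `egress_report` are hypothetical names, and the host list is an assumption to replace with the domains your workload needs.

```python
import socket

# Assumed list: replace with the domains your serverless workload must reach.
REQUIRED_HOSTS = ["www.google.com"]


def classify_host(host, port=443, timeout=5.0,
                  resolve=socket.getaddrinfo,
                  connect=socket.create_connection):
    """Return (status, detail) for one host.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    # Stage 1: DNS. EAI_AGAIN is the code behind
    # "[Errno -3] Temporary failure in name resolution" on Linux.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            return "dns_temporary_failure", str(exc)
        return "dns_error", str(exc)

    # Stage 2: TCP connect to the first resolved address.
    addr = infos[0][4][0]
    try:
        conn = connect((addr, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or timed out
        return "connect_failed", f"{addr}: {exc}"
    conn.close()
    return "ok", addr


def egress_report(hosts=REQUIRED_HOSTS, **kwargs):
    """Classify every host; returns {host: (status, detail)}."""
    return {h: classify_host(h, **kwargs) for h in hosts}


if __name__ == "__main__":
    for host, (status, detail) in egress_report().items():
        print(f"{host:30} {status:22} {detail}")
```

A `dns_temporary_failure` result matches the symptom discussed in this thread; `connect_failed` after a successful lookup points to a different layer than name resolution.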