Administration & Architecture

Workspace deployed via AWS Marketplace.

KrumIT
New Contributor

Workspace deployed via AWS Marketplace.
Internal endpoint 10.53.215.1 exists in VPC but
SSL handshake fails. Cannot connect to metastore.
Workspace URL: dbc-bb08dd2f-f142.cloud.databricks.com
AWS Account: 452456948535
Region: us-east-1

Accepted Solutions

nayan_wylde
Esteemed Contributor II

Databricks endpoints present certificates for hostnames like *.cloud.databricks.com (or *.privatelink.cloud.databricks.com when PrivateLink is enabled). If your client connects to https://10.53.215.1 directly, the TLS ClientHello typically lacks the right SNI hostname, and the server returns a cert that doesn't match the IP → handshake fails.
Fix: Always connect using the workspace URL hostname, not the IP:

dbc-bb08dd2f-f142.cloud.databricks.com (public DNS)
or dbc-bb08dd2f-f142.privatelink.cloud.databricks.com (if private access settings force PrivateLink)

Databricks explicitly recommends allowlisting FQDNs (not IPs) because IPs can change and are not the stable contract for SCC relay / endpoints.


pradeep_singh
Contributor III

Can you try using the hostname for your endpoint instead of the IP address?

Thank You
Pradeep Singh - https://www.linkedin.com/in/dbxdev

balajij8
Contributor III

Databricks TLS validation requires SNI with the correct hostname for certificate verification. Check whether you are connecting to the metastore by IP instead of by hostname. Always use the documented metastore hostname.

Ensure the Databricks Private Link VPC endpoints are configured (*.cloud.databricks.com and metastore) with "Enable Private DNS" checked so hostnames resolve to private IPs and not public ones. Verify the endpoint status is In Service in the AWS VPC Console. Exclude *.cloud.databricks.com from interception if using a proxy/TLS inspection appliance.
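The accepted answer and the reply above both come down to one rule: hostname verification compares the connect target against the certificate's Subject Alternative Names, and a wildcard dNSName such as *.cloud.databricks.com can never satisfy an IP literal like 10.53.215.1 (only an iPAddress SAN could), nor does it cover a name two labels deep such as the privatelink variant. The following is an added example, not code from the thread or from Databricks: it implements that matching logic in plain Python so the failure can be reproduced offline, and shows the remediation of wrapping the socket with `server_hostname` set, which drives both SNI and verification. The SAN lists `PUBLIC_SAN` and `PRIVATELINK_SAN` are constructed from the patterns named in the thread and are assumptions, not the contents of any real Databricks certificate.

```python
import ipaddress
import socket
import ssl
from dataclasses import dataclass, field
from typing import List


@dataclass
class SanList:
    """Subject Alternative Names as a server certificate carries them."""
    dns_names: List[str] = field(default_factory=list)   # dNSName entries
    ip_addrs: List[str] = field(default_factory=list)    # iPAddress entries


# Constructed SAN lists modelled on the hostname patterns named in the thread.
# They are assumptions for illustration, not the contents of a real certificate.
PUBLIC_SAN = SanList(dns_names=["*.cloud.databricks.com"])
PRIVATELINK_SAN = SanList(dns_names=["*.privatelink.cloud.databricks.com"])


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: '*' may only replace the single leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label and covers exactly one label,
    # so "*.cloud.databricks.com" does not cover "x.privatelink.cloud.databricks.com".
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(target: str) -> bool:
    """True when the connect target is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def cert_matches(target: str, san: SanList) -> bool:
    """True if a certificate with these SANs is valid for the connect target."""
    if is_ip_literal(target):
        # An IP literal is only satisfied by an iPAddress SAN; dNSName entries
        # (wildcards included) never match an IP, which is the failure in the thread.
        wanted = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(a) == wanted for a in san.ip_addrs)
    return any(_dns_name_match(p, target) for p in san.dns_names)


def diagnose(target: str, san: SanList) -> str:
    """Explain why hostname verification would pass or fail for this target."""
    if cert_matches(target, san):
        return "ok: certificate covers the target; verification passes"
    if is_ip_literal(target):
        return ("fail: IP literal target, no SNI hostname sent and no iPAddress SAN; "
                "connect by the workspace FQDN instead")
    return "fail: hostname not covered by any dNSName SAN (check PrivateLink vs public name)"


def connect_with_sni(hostname: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """The remediation: server_hostname drives both the SNI extension and verification."""
    ctx = ssl.create_default_context()   # check_hostname=True, verify_mode=CERT_REQUIRED
    raw = socket.create_connection((hostname, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    cases = [
        ("10.53.215.1", PUBLIC_SAN),
        ("dbc-bb08dd2f-f142.cloud.databricks.com", PUBLIC_SAN),
        ("dbc-bb08dd2f-f142.privatelink.cloud.databricks.com", PUBLIC_SAN),
        ("dbc-bb08dd2f-f142.privatelink.cloud.databricks.com", PRIVATELINK_SAN),
    ]
    for target, san in cases:
        print(f"{target:55s} -> {diagnose(target, san)}")
```

Running the block prints the verdict for each target; the first case is the thread's symptom, and the third shows why a PrivateLink hostname needs the *.privatelink.cloud.databricks.com certificate rather than the public one. `connect_with_sni` is the pattern to use once the FQDN resolves correctly; it is deliberately not called here so the example stays offline.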
