AWS Firewall Websocket Settings

crvkumar
New Contributor II

Hello,

Our architecture has a customer-managed VPC which sits behind the AWS Firewall. I followed the Databricks documentation and I created a stateful domain rule group for .cloud.databricks.com, but I am not clear about creating an outbound WebSocket opening to *.cloud.databricks.com.

With just the domain rule group, clusters are not running (the data plane cannot communicate with the control plane).

It would be helpful if anyone can guide me on how to enable outbound Databricks WebSocket communication in AWS Firewall.

2 REPLIES

Kaniz_Fatma
Community Manager

Hi @crvkumar, to enable outbound WebSocket communication for Databricks in your AWS Firewall, you have a couple of options.

Let's explore them:

  1. Option 1: Allow Traffic to *.cloud.databricks.com

  2. Option 2: Allow Traffic to Your Databricks Workspaces and Account Console Only

    • If you prefer a more specific configuration, you can set up firewall rules for each workspace in your account.
    • Here's how:
      • Identify Your Workspace Domains:
        • Your Databricks workspace uses two domain names:
          • The first domain is the one you use to log in (e.g., yourcompany.cloud.databricks.com if you have a vanity domain or dbc-<random-string>.cloud.databricks.com if not).
          • To find the second domain, log in to the first domain. After logging in, check your browser address bar. You should see a URL like https://<first-domain>/?o=<workspace-id>, where <workspace-id> is a string of digits.
          • If you don't see a ?o= followed by a string of digits in the URL, contact your Databricks account team to get your workspace ID. The second domain has the format dbc-dp-<workspace-id>.cloud.databricks.com. For example, if the workspace ID is 123456, your second domain is dbc-dp-123456.cloud.databricks.com.
          • If you need to access the account console from that network, also allow traffic to accounts.cloud.databricks.com.
      • Update Your Firewall Rules:
        • Update your firewall rules to allow HTTPS and WebSocket traffic to the two domains identified in the previous step.
    • This approach provides more granular control but requires additional configuration for each workspac...1.

Remember to adjust your firewall rules based on your specific requirements and security policies. By allowing the necessary traffic, you'll ensure that your Databricks clusters can communicate effectively between the data plane and control plane. 🚀
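The domain-identification and allowlist steps of Option 2 above, as an added example that is not part of the original reply and not Databricks or AWS code: it derives the two workspace domains from the post-login URL and builds a domain-list allowlist in the `RulesSourceList` shape used by AWS Network Firewall stateful rule groups. The function names and sample URLs are assumptions made for illustration, and the example covers only these two steps.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

DATABRICKS_SUFFIX = ".cloud.databricks.com"
ACCOUNT_CONSOLE = "accounts.cloud.databricks.com"


def workspace_domains(post_login_url, include_account_console=False):
    """Return the domains Option 2 lists, given the URL shown after login."""
    parsed = urlparse(post_login_url)
    host = (parsed.hostname or "").lower()
    # Refuse look-alike hosts such as x.cloud.databricks.com.example.net
    if parsed.scheme != "https" or not host.endswith(DATABRICKS_SUFFIX):
        raise ValueError(f"not an https Databricks workspace URL: {post_login_url!r}")
    ids = parse_qs(parsed.query).get("o", [])
    # The workspace ID is a string of digits taken from ?o=<workspace-id>
    if len(ids) != 1 or not re.fullmatch(r"[0-9]+", ids[0]):
        raise ValueError("no ?o=<workspace-id> in the URL; get the ID from "
                         "your Databricks account team")
    domains = [host, f"dbc-dp-{ids[0]}{DATABRICKS_SUFFIX}"]
    if include_account_console:
        domains.append(ACCOUNT_CONSOLE)
    return domains


def domain_allowlist_rule_group(urls, include_account_console=False):
    """Build a stateful domain-list rule source covering every workspace URL."""
    targets = []
    for url in urls:
        for domain in workspace_domains(url, include_account_console):
            if domain not in targets:  # keep order, drop duplicates
                targets.append(domain)
    return {"RulesSource": {"RulesSourceList": {
        "Targets": targets,
        # TLS_SNI matches HTTPS by server name, HTTP_HOST matches the Host header
        "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
        "GeneratedRulesType": "ALLOWLIST",
    }}}


# Constructed sample input: one vanity domain and one default workspace domain
SAMPLE_URLS = [
    "https://yourcompany.cloud.databricks.com/?o=123456",
    "https://dbc-a1b2c3d4-e5f6.cloud.databricks.com/?o=987654#workspace",
]

if __name__ == "__main__":
    print(json.dumps(domain_allowlist_rule_group(SAMPLE_URLS, True), indent=2))
```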


Hello Kaniz,

Thanks for the reply. But this is exactly what is in the Databricks documentation.

Can you elaborate on how to set up firewall rules to allow WebSocket traffic in AWS Firewall? Clearly, creating only a stateful rule group allowing .cloud.databricks.com is not sufficient.

Regards,

Venki.
