Lakebase Discussions
Ask questions, share challenges, and connect with others working on Lakebase. From troubleshooting to best practices, this is where conversations happen.

Lakebase Data API private access with Public Network Access disabled

POCUSER
New Contributor III

We are testing Azure Databricks Lakebase Autoscaling with Public Network Access disabled and standard inbound Private Link enabled.

The workspace UI works privately through VPN, but the Lakebase Data API hostname still resolves to a public IP and returns:

HTTP 403: Public access is not allowed for workspace

According to the docs, Service Direct Private Link is not required when using only the Data API.

Has anyone successfully used Lakebase Data API privately with Public Network Access disabled?

If yes, what DNS or Private Link configuration is required? Should the Data API hostname resolve through the workspace inbound Private Link, or is another private endpoint/DNS setup needed?

Thanks!

Accepted Solutions

stbjelcevic
Databricks Employee

Hi @POCUSER ,

Yes, the Lakebase Data API can be used privately with Public Network Access disabled. Because the Data API is a REST endpoint (Lakebase Data API), it goes through your workspace’s standard inbound (front-end) Private Link, the databricks_ui_api endpoint on port 443, not a dedicated one.

Service Direct Private Link (the port-5432 endpoint for performance-intensive services) is not required for the Data API. The docs state it directly: “If your applications connect only through the Data API, you don’t need this endpoint.” See Private Link for Lakebase Autoscaling and Configure inbound Private Link for performance-intensive services.

So this is a DNS issue, not a missing Private Link. With Public Network Access disabled, your DNS must resolve the Data API hostname to the private IP of your existing inbound private endpoint (the privatelink.azuredatabricks.net zone, databricks_ui_api A record). The 403 is consistent with DNS still resolving the hostname to a public IP instead of your private endpoint. Confirm with nslookup that it returns the private IP. See Configure Inbound Private Link for the DNS verification steps.
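The DNS check suggested in the answer above, as an added example that is not part of the original post and not Databricks code: it resolves a hostname the way an HTTPS client would and reports whether every answer is a private address, optionally comparing against the private endpoint IP you expect. The hostname and all IP addresses used with it are constructed placeholders.

```python
import ipaddress
import socket
import sys

# Constructed placeholder; pass your own Data API hostname on the command line.
SAMPLE_HOST = "dataapi.example.invalid"


def classify(addresses):
    """Split answers into private-range addresses and everything else."""
    private, other = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Loopback and link-local count as "private" in ipaddress, but they
        # can never be a Private Link endpoint, so they go in the other bucket.
        ok = ip.is_private and not (ip.is_loopback or ip.is_link_local)
        (private if ok else other).append(str(ip))
    return private, other


def verdict(addresses, expected=None):
    """Return 'unresolved', 'mixed', 'not-private', 'mismatch' or 'private'."""
    private, other = classify(addresses)
    if not private and not other:
        return "unresolved"
    if private and other:
        return "mixed"  # split-horizon DNS leaking a public answer
    if other:
        return "not-private"  # the case that produces the 403 described above
    if expected is not None and set(private) != {expected}:
        return "mismatch"  # private, but not the endpoint you expected
    return "private"


def check(hostname, expected=None, resolver=socket.getaddrinfo):
    """Resolve hostname for TCP/443 and judge the unique answers."""
    try:
        infos = resolver(hostname, 443, proto=socket.IPPROTO_TCP)
    except OSError:  # socket.gaierror is a subclass: NXDOMAIN, timeout, ...
        infos = []
    addrs = sorted({info[4][0] for info in infos})
    return verdict(addrs, expected), addrs


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_HOST
    want = sys.argv[2] if len(sys.argv) > 2 else None
    result, addrs = check(host, want)
    print(f"{host}: {result} {addrs}")
    sys.exit(0 if result == "private" else 1)
```

Run it from the same network path as the client (for example, over the VPN), since the answer depends on which DNS server that client uses.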
