Background
To improve serverless scalability and expand service endpoint support to additional resources, Azure Databricks will make a change to the identifiers used to firewall storage access from serverless compute.
If you allow-list Azure Databricks serverless subnet IDs in any Azure storage firewalls, action is required. Note that if you disallow public access to your storage accounts and use Azure Private Link to connect from Azure Databricks, no action is required.
As of January 26, 2026, in any tenants where at least one Azure storage account contained Azure Databricks serverless subnet IDs, all subscription owners with at least one Azure Databricks instance have been emailed.
Action
By 27 April 2026, any existing Azure storage account allowlisting Databricks serverless subnet IDs must:
- Be onboarded to a network security perimeter in transition mode.
  - If you are unable to onboard to a network security perimeter, you must file a support ticket to discuss alternatives by 27 February 2026.
- Allowlist the AzureDatabrickServerless service tag in the corresponding network security perimeter firewall(s).
Important callout: If any of the Network Security Perimeter limitations apply to you, remain in transition mode indefinitely to avoid impact to your storage access.
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, please create a support request.
Benefits of NSP
For Azure Databricks serverless outbound traffic, today’s subnet ID feature enables customers to connect over service endpoints to in-region or paired-region Azure storage accounts. This access has no data processing charge and stays on the Azure backbone. The migration to Network Security Perimeter will enable Databricks to add service endpoint support for additional resources in the future, saving significant data processing charges for customers and improving security posture. Once done, this will enable the following resources to use service endpoints:
- Azure Storage (Microsoft.Storage)
- Azure Storage cross-region service endpoints (Microsoft.Storage.Global)
- Azure SQL Database (Microsoft.Sql)
- Azure Synapse Analytics (Microsoft.Sql)
- Azure Database for MariaDB (Microsoft.Sql)
- Azure Cosmos DB (Microsoft.AzureCosmosDB)
- Azure Key Vault (Microsoft.KeyVault)
- Azure Service Bus (Microsoft.ServiceBus)
- Azure Event Hubs (Microsoft.EventHub)
- Azure App Service (Microsoft.Web)
- Azure Cognitive Services (Microsoft.CognitiveServices)
- Azure Container Registry (Microsoft.ContainerRegistry)
Instructions
Please refer to public documentation for step-by-step instructions: https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/serv...
Automation Tools for Migration
If you would like help automating the migration of your storage accounts, we have created a public repo that takes subscriptions as inputs, retrieves the storage accounts configured with Databricks serverless subnet IDs, and creates or updates Network Security Perimeters (NSPs) with the needed policy. Please refer to:
https://github.com/brucenelson6655/nsp-migrate
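For a read-only inventory before changing anything, the added example below (not code from the repo above or from Azure Databricks) flags storage accounts whose firewall still allowlists a serverless subnet ID. It assumes you supply the subnet IDs yourself and feed it the JSON printed by `az storage account list -o json`; the IDs and account names shown are constructed placeholders.

```python
import json

# Constructed placeholder: replace with the serverless subnet IDs you allowlisted.
SERVERLESS_SUBNET_IDS = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
    "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/serverless-1",
}

# Constructed sample shaped like `az storage account list -o json`, trimmed to the fields used.
SAMPLE = json.loads("""
[
 {"name": "stlegacy", "networkRuleSet": {"virtualNetworkRules": [
   {"virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/RG-EXAMPLE/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/serverless-1"}]}},
 {"name": "stprivate", "networkRuleSet": {"virtualNetworkRules": []}},
 {"name": "stother", "networkRuleSet": {"virtualNetworkRules": [
   {"virtualNetworkResourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/app"}]}}
]
""")


def normalize(resource_id):
    # Azure resource IDs are case-insensitive; compare lowercased, without a trailing "/".
    return resource_id.strip().rstrip("/").lower()


def accounts_needing_migration(accounts, serverless_ids):
    """Return {account name: [matching subnet IDs]} for accounts that allowlist a listed subnet."""
    wanted = {normalize(i) for i in serverless_ids}
    findings = {}
    for account in accounts:
        # networkRuleSet or its rule list may be null or absent in the CLI output.
        rules = (account.get("networkRuleSet") or {}).get("virtualNetworkRules") or []
        hits = [r["virtualNetworkResourceId"] for r in rules
                if normalize(r.get("virtualNetworkResourceId", "")) in wanted]
        if hits:
            findings[account["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in accounts_needing_migration(SAMPLE, SERVERLESS_SUBNET_IDS).items():
        print(f"{name}: {len(hits)} serverless subnet rule(s) still allowlisted")
```

Accounts with no matching rule, such as those that only use Private Link, are not reported.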
Helpful Links:
Quickstart - Create a network security perimeter - Azure PowerShell - Azure Private Link | Microsoft...
Quickstart - Create a network security perimeter - Azure CLI - Azure Private Link | Microsoft Learn