Background
To improve serverless scalability and expand service endpoint support to additional resources, Azure Databricks will make a change to the identifiers used to firewall storage access from serverless compute.
If you allow-list Azure Databricks serverless subnet IDs in any Azure storage firewalls, action is required. Note that if you disallow public access to your storage accounts and use Azure Private Link to connect from Azure Databricks, no action is required.
Following a comprehensive review, we have identified additional affected subscriptions. To ensure a unified transition across all impacted customers, the migration deadline has been updated to June 9, 2026.
Required Action
By June 9, 2026, any existing Azure storage account allowlisting Databricks serverless subnet IDs must:
- Be onboarded to a network security perimeter in transition mode
- If you are unable to onboard to a network security perimeter, you must reach out to file a support ticket to discuss alternatives by 30 March 2026.
- In your network security perimeter firewall(s), allowlist AzureDatabricksServerless. Regional scoping is recommended (e.g., AzureDatabricksServerless.EastUS2).
Note: Using the AzureDatabricksServerless service tag allows Azure Databricks serverless compute to communicate with your Azure resources over the Azure backbone. The tag maps to Azure Databricks public IPs that represent service endpoints and NAT IPs.
Important callout: If any of the Network Security Perimeter limitations apply to you, remain in transition mode indefinitely to avoid impact to your storage access.
Additional details, including the benefits of this change, and step-by-step guidance, can be found here.
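To scope the work before the deadline, the following added example (not part of the original announcement or of the migration repo mentioned further down) triages storage accounts by whether their firewall allow-lists a serverless subnet ID. It assumes input shaped like the JSON from `az storage account list`, a list of serverless subnet IDs that you supply, and status labels that are hypothetical; the subnet IDs and account names in it are constructed placeholders.

```python
# Added example: triage storage accounts for the serverless subnet-ID migration.
# Input shape follows `az storage account list -o json`; all values are constructed.
DBX_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "example-serverless-rg/providers/Microsoft.Network/virtualNetworks/"
              "example-vnet/subnets/example-subnet")  # placeholder, not a real ID
OTHER_SUBNET = DBX_SUBNET.replace("example-serverless-rg", "corp-network-rg")

def _acct(name, public_access, subnet_ids):
    """Build one constructed account record with the fields the triage reads."""
    rules = [{"virtualNetworkResourceId": s, "action": "Allow"} for s in subnet_ids]
    return {"name": name, "publicNetworkAccess": public_access,
            "networkRuleSet": {"defaultAction": "Deny", "virtualNetworkRules": rules}}

SAMPLE_ACCOUNTS = [
    _acct("stlakeprod", "Enabled", [DBX_SUBNET.upper(), OTHER_SUBNET]),
    _acct("stprivate", "Disabled", [DBX_SUBNET]),
    _acct("stcorp", "Enabled", [OTHER_SUBNET]),
    {"name": "stopen", "publicNetworkAccess": "Enabled", "networkRuleSet": None},
]

def normalize(resource_id):
    """ARM resource IDs compare case-insensitively; also drop stray slashes/space."""
    return resource_id.strip().rstrip("/").lower()

def triage(accounts, serverless_subnet_ids):
    """Map account name -> status and the allow-listed serverless subnets found."""
    wanted = {normalize(s) for s in serverless_subnet_ids}
    report = {}
    for acct in accounts:
        rules = (acct.get("networkRuleSet") or {}).get("virtualNetworkRules") or []
        hits = sorted({normalize(r.get("virtualNetworkResourceId", "")) for r in rules} & wanted)
        if not hits:
            status = "no_action"               # no serverless subnet ID allow-listed
        elif acct.get("publicNetworkAccess") == "Disabled":
            status = "no_action_private_only"  # public access off; rules not in use
        else:
            status = "migrate_to_nsp"          # onboard to an NSP in transition mode
        report[acct["name"]] = {"status": status, "matched_subnets": hits}
    return report

if __name__ == "__main__":
    for name, result in triage(SAMPLE_ACCOUNTS, [DBX_SUBNET]).items():
        print(f"{name:12} {result['status']:24} {len(result['matched_subnets'])} match(es)")
```

Accounts reported as `migrate_to_nsp` are the ones covered by the Required Action above; matching is case-insensitive so a subnet ID pasted with different casing is still caught.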
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and need technical help, please create a support request.
Benefits of NSP
For Azure Databricks serverless outbound traffic, today’s subnet ID feature enables customers to connect over service endpoints to in-region or paired-region Azure storage accounts. This access has no data processing charge, and stays on the Azure backbone. The migration to Network Security Perimeter will enable Databricks to add additional resource support for service endpoints in the future, saving significant data processing charges for customers, and improving security posture.
Instructions
Please refer to public documentation for step-by-step instructions: https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/serv...
Automation Tools for Migration
If you would like help automating the migration of your storage accounts, we have created a public repo that takes subscriptions as inputs, retrieves the storage accounts configured with Databricks serverless subnet IDs, and creates or updates Network Security Perimeters (NSPs) with the needed policy. Please refer to:
https://github.com/brucenelson6655/nsp-migrate
Helpful Links:
Quickstart - Create a network security perimeter - Azure PowerShell - Azure Private Link | Microsoft...
Quickstart - Create a network security perimeter - Azure CLI - Azure Private Link | Microsoft Learn