https://community.databricks.com/t5/lakebase-discussions/lakebase-data-api-private-access-with-public-network-access/m-p/158092#M107 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/228048">@POCUSER</a>&nbsp;,</P> <P>Yes, the Lakebase Data API can be used privately with Public Network Access disabled. Because the Data API is a REST endpoint (<A href="https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/data-api" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/data-api&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw2ITIfs90A4chvSrnL1S5_R" target="_blank">Lakebase Data API</A>), it goes through your workspace’s standard inbound (front-end) Private Link, the <CODE>databricks_ui_api</CODE> endpoint on port 443, not a dedicated one.</P> <P>Service Direct Private Link (the port-5432 endpoint for performance-intensive services) is <STRONG>not</STRONG> required for the Data API. The docs state it directly: “If your applications connect only through the Data API, you don’t need this endpoint.” See <A href="https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/private-link" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/private-link&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1l11jrHEhpDRrZCHy8LOnl" target="_blank">Private Link for Lakebase Autoscaling</A> and <A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/service-direct-privatelink" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/service-direct-privatelink&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1644ygf3dKACpX6irEYFJQ" target="_blank">Configure inbound Private Link for performance-intensive services</A>.</P> <P>So this is a DNS issue, not a missing Private Link. With Public Network Access disabled, your DNS must resolve the Data API hostname to the <STRONG>private</STRONG> IP of your existing inbound private endpoint (the <CODE><A href="http://privatelink.azuredatabricks.net" data-saferedirecturl="https://www.google.com/url?q=http://privatelink.azuredatabricks.net&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1vv5KfpmJDcMUWdObpeXnZ" target="_blank">privatelink.azuredatabricks.<WBR />net</A></CODE> zone, <CODE>databricks_ui_api</CODE> A record). The 403 is consistent with DNS still resolving the hostname to a public IP instead of your private endpoint. Confirm with <CODE>nslookup</CODE> that it returns the private IP. See <A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/front-end-private-connect" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/front-end-private-connect&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1K6LhCatUaz7IHe4X9z0FA" target="_blank">Configure Inbound Private Link</A> for the DNS verification steps.</P> Mon, 01 Jun 2026 23:48:53 GMT stbjelcevic 2026-06-01T23:48:53Z https://community.databricks.com/t5/lakebase-discussions/lakebase-data-api-private-access-with-public-network-access/m-p/157858#M106 <P>We are testing Azure Databricks Lakebase Autoscaling with Public Network Access disabled and standard inbound Private Link enabled.</P><P>The workspace UI works privately through VPN, but the Lakebase Data API hostname still resolves to a public IP and returns:</P><P>HTTP 403: Public access is not allowed for workspace</P><P>According to the docs, Service Direct Private Link is not required when using only the Data API.</P><P>Has anyone successfully used Lakebase Data API privately with Public Network Access disabled?</P><P>If yes, what DNS or Private Link configuration is required? Should the Data API hostname resolve through the workspace inbound Private Link, or is another private endpoint/DNS setup needed?</P><P>Thanks!</P> Fri, 29 May 2026 07:58:24 GMT https://community.databricks.com/t5/lakebase-discussions/lakebase-data-api-private-access-with-public-network-access/m-p/157858#M106 POCUSER 2026-05-29T07:58:24Z https://community.databricks.com/t5/lakebase-discussions/lakebase-data-api-private-access-with-public-network-access/m-p/158092#M107 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/228048">@POCUSER</a>&nbsp;,</P> <P>Yes, the Lakebase Data API can be used privately with Public Network Access disabled. Because the Data API is a REST endpoint (<A href="https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/data-api" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/data-api&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw2ITIfs90A4chvSrnL1S5_R" target="_blank">Lakebase Data API</A>), it goes through your workspace’s standard inbound (front-end) Private Link, the <CODE>databricks_ui_api</CODE> endpoint on port 443, not a dedicated one.</P> <P>Service Direct Private Link (the port-5432 endpoint for performance-intensive services) is <STRONG>not</STRONG> required for the Data API. The docs state it directly: “If your applications connect only through the Data API, you don’t need this endpoint.” See <A href="https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/private-link" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/oltp/projects/private-link&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1l11jrHEhpDRrZCHy8LOnl" target="_blank">Private Link for Lakebase Autoscaling</A> and <A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/service-direct-privatelink" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/service-direct-privatelink&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1644ygf3dKACpX6irEYFJQ" target="_blank">Configure inbound Private Link for performance-intensive services</A>.</P> <P>So this is a DNS issue, not a missing Private Link. With Public Network Access disabled, your DNS must resolve the Data API hostname to the <STRONG>private</STRONG> IP of your existing inbound private endpoint (the <CODE><A href="http://privatelink.azuredatabricks.net" data-saferedirecturl="https://www.google.com/url?q=http://privatelink.azuredatabricks.net&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1vv5KfpmJDcMUWdObpeXnZ" target="_blank">privatelink.azuredatabricks.<WBR />net</A></CODE> zone, <CODE>databricks_ui_api</CODE> A record). The 403 is consistent with DNS still resolving the hostname to a public IP instead of your private endpoint. Confirm with <CODE>nslookup</CODE> that it returns the private IP. See <A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/front-end-private-connect" data-saferedirecturl="https://www.google.com/url?q=https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/front-end-private-connect&amp;source=gmail&amp;ust=1780444042910000&amp;usg=AOvVaw1K6LhCatUaz7IHe4X9z0FA" target="_blank">Configure Inbound Private Link</A> for the DNS verification steps.</P> Mon, 01 Jun 2026 23:48:53 GMT https://community.databricks.com/t5/lakebase-discussions/lakebase-data-api-private-access-with-public-network-access/m-p/158092#M107 stbjelcevic 2026-06-01T23:48:53Z