Skip to main content

Security & Trust Center

Your data security is our top priority

Serverless egress controls: Outbound network security for your serverless workloads

Databricks offers serverless egress controls on AWS (including GovCloud), Azure and GCP, empowering users to manage and secure outbound network connections for all serverless workloads, including model serving, notebooks, workflow, Delta Live Tables, and SQL warehouses. This new feature gives administrators robust control over outbound access, which is crucial for protecting data and reducing exposure to exfiltration risks.

serverless egress controls

What are serverless egress controls?

Serverless egress controls allow administrators to specify where serverless workloads can connect outside the Databricks environment. By implementing these controls, organizations can define a perimeter around their serverless compute operations, restricting access to only approved destinations. This security measure builds on existing Databricks ingress controls (such as front-end Private Link and IP ACLs) to create a more secure and reliable setup for handling sensitive data.

Benefits of serverless egress control for Databricks users

Enhanced security

By limiting outbound connections to trusted destinations, organizations can reduce the risk of data exfiltration and keep their data in their trusted environment.

Simplified policy management

Administrators can manage egress controls through centralized policies that apply to one, multiple or all workspaces, ensuring consistency and reducing manual configuration.

Default deny posture

With a “deny by default” approach, administrators can ensure that only explicitly permitted destinations are accessible, aligning with industry security best practices.

Unified configuration

Serverless egress controls integrate seamlessly with Unity Catalog, automatically allowing access to defined storage locations and connections, further simplifying network configuration.

Policy evaluation with dry-run mode

Administrators can test egress policies without immediate enforcement. Dry-run mode logs violations for analysis, allowing policy adjustments before full enforcement, which is particularly valuable for production workloads.

Getting started with serverless egress control

Serverless egress controls are now available on Databricks Enterprise Tier (AWS & GCP) and Premium Tier (Azure). To configure egress policies, administrators can access the Network Policies UI in the Databricks account console.

For more details on configuring these policies, please refer to the official Databricks documentation for AWS, GCP and Azure.

Report an issue