TLDR
IP Access list is one of the ways to netowrk-isolate Azure Databricks. It is a list of IP addresses that are allowed to access Azure Databricks. You can use this list to control access to Azure Databricks from specific IP addresses or ranges of IP addresses.
It’s only accessable by using REST API.
Options to control access to Azure Databricks
When it comes to network isolation, you can protect Azure Databricks using 3 ways
- Azure AD conditional access policy (that used to be only way couple of years ago)
- Disable public access and use only private endpoints
- Enable public access then control the acess using IP access list
In this article, I’m going to focus on the last option.
IP Access list
The IP Access List API enables Azure Databricks admins to configure IP allow lists and block lists for a workspace. If the feature is disabled for a workspace, all access is allowed. There is support for allow lists (inclusion) and block lists (exclusion).
Enable IP Access list
Using the workspace REST API, you can enable IP Access list for a workspace. First step is to get the workspace URL. You can get it from the Azure portal or from the browser address bar when you are in the workspace. It’s in the format https://adb-<digits>.<digits>.azuredatabricks.net
Then you need access token to login to the workspace. Azure Databricks supports either the personal access token or Azure AD token. Not all the APIs are accessible by Azure AD token (more secure) but luckily the IP Access list API is accessible by Azure AD token.
You get the Azure AD token by either the az cli or the PowerShell Az module.
$databricks_aad_token = (Get-AzAccessToken -Resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d).Token
The resource GUID is the id of the Databricks application in Azure AD. So it has to be the same for all the tenants.
After that you can use any REST client or SDK to call the API. When testing I prefer to use the vscode extension called REST Client. It’s very handy and easy to use.
First I setup the variables in the request file.
@accessToken=eyJ0eXAiOiJKV1QiLCJhbGci....
@databricksInstanceURL=https://adb-87744261....1.11.azuredatabricks.net
Now query what’s the status of the Access list
/api/2.0/workspace-conf?keys=enableIpAccessLists
Authorization: Bearer
Content-Type: application/json
When not setup, it will return null in the body for the status.
To enable it
PATCH /api/2.0/workspace-conf
Authorization: Bearer
Content-Type: application/json
{
"enableIpAccessLists": "true"
}
Enabling the IP Access list without adding at least one IP to the list is ignored. So you need to add at least one IP to the list before you can use it.
To add an IP to the list
POST /api/2.0/ip-access-lists
Authorization: Bearer
Content-Type: application/json
{
"label": "My favorite coffee shop",
"list_type": "ALLOW",
"ip_addresses":[
"4.204.224.208"
]
}
To make sure the workspace is accessible, the IP address must be the IP that you are calling the API from otherwise, you can’t access the workspace so it will return an error if you try to add an IP that is not the one you are calling the API from.
Using the IP Access list is demoed in the video below.