Here’s a simple line-by-line summary of the Serverless compute plane networking (08/04/2025):
General idea
- Serverless compute runs in a separate compute plane managed by Databricks.
- You can configure secure connections between this compute plane and your own resources.
- Databricks charges networking costs when serverless connects to your resources.
- Control plane ↔ serverless plane always uses the cloud provider’s private backbone (not public internet).
Serverless egress control (outbound connections)
- Lets you control outbound traffic from serverless compute.
- Benefits:
- Security → prevent data leaks.
- Control → allow only specific storage accounts, domains (FQDNs), or connections.
- Simpler management → define and manage policies in one place.
Network Connectivity Configuration (NCC)
- NCC = an account-level, regional configuration to manage networking for serverless.
- Admins create NCCs in the account console.
- One NCC can be attached to multiple workspaces.
What NCC enables:
- Resource firewalls with service endpoints
- Databricks provides stable service subnets.
- These subnets can be added to your Azure resource firewalls.
- Ensures secure serverless access to storage and other resources.
- Firewall rules get auto-added to workspace storage accounts.
- Private Endpoints
- You can add private endpoints in an NCC.
- Databricks then creates a private endpoint request to your Azure resource.
- Once accepted, the serverless compute plane connects privately (not public).
Extra note
- Databricks may use service endpoints, private IPs, or public IPs depending on resource type/location.
- All methods are supported unless specifically stated otherwise.
👉 In short:
Serverless networking lets you securely connect compute to your Azure resources using firewall rules + private endpoints, while controlling outbound traffic with egress policies.
Category: