Who this is for:
Architecture / Concept Overview:
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
Serverless[Serverless Compute] --> Policy[Egress Policy Engine]
Policy --> Allowed[Allowed Destinations]
Policy --> Blocked[Blocked Destinations]
Allowed --> S3[Cloud Storage]
Allowed --> API[Approved APIs]
Blocked --> Exfil[Data Exfiltration]
Blocked --> Unknown[Unknown Endpoints]
Serverless:::processing
Policy:::governance
Allowed:::serving
Blocked:::source
S3:::storage
API:::ingestion
Exfil:::source
Unknown:::source
```

*Serverless egress control: a policy engine evaluates every outbound connection and blocks unapproved destinations.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
NCC[Network Connectivity Config] --> FW[Firewall Rules]
NCC --> PL[Private Endpoints]
FW --> FQDN[FQDN Allow Rules]
FW --> CIDR[Storage Destinations]
PL --> StoragePL[Storage Private Link]
PL --> ServicePL[Service Private Link]
NCC:::governance
FW:::processing
PL:::storage
FQDN:::ingestion
CIDR:::source
StoragePL:::serving
ServicePL:::serving
```

*Network Connectivity Configuration (NCC): combines firewall rules for FQDN filtering with private endpoints for storage and service access.*
Key Terms
Prerequisites and Setup
- Databricks account with serverless compute enabled
- Account admin permissions for NCC management
- Inventory of required external endpoints (storage accounts, APIs, package repos)
- Understanding of your data exfiltration risk model
- Cloud storage account details for private endpoint configuration
Step-by-Step Implementation
Configuration Reference
| Rule Type | Scope | Behavior | Use Case |
|---|---|---|---|
| Default Deny | NCC | Blocks all egress not explicitly allowed | Maximum security posture |
| FQDN Allow | NCC | Permits traffic to specified domains | Package repos, APIs |
| Private Endpoint | NCC | Routes traffic privately to cloud resources | Storage, databases |
| Stable IP | NCC | Assigns fixed outbound IPs | IP allowlisting at destination |
| Storage Destination | NCC | Allows access to specific storage accounts | Data lake access |
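To make the rule types in the table and the "Egress Policy Engine" in the first diagram concrete, here is an added Python model of how such an engine decides each outbound connection. It is illustrative code written for this page, not Databricks' implementation or API: the private-endpoint check wins first (traffic never leaves the cloud backbone), then the storage-destination allowlist, then FQDN allow rules, and anything left falls through to the default-deny rule. The wildcard semantics (`*.example.org` covers subdomains only, never the apex) and every hostname below (`examplelake`, `api.partner.example`, `evil.example`) are assumptions and constructed sample values; replace them with the endpoint inventory gathered in the prerequisites.

```python
"""Toy egress policy engine for serverless compute (added illustration, not the platform's code)."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Verdict(Enum):
    ALLOWED_PRIVATE = "allowed: private endpoint"
    ALLOWED_STORAGE = "allowed: storage destination"
    ALLOWED_FQDN = "allowed: FQDN allow rule"
    ALLOWED_OPEN = "allowed: no default deny configured"
    BLOCKED_DEFAULT_DENY = "blocked: default deny"


@dataclass
class EgressPolicy:
    # FQDN allow rules; a leading "*." is this example's own wildcard convention (assumption)
    fqdn_allow: set[str] = field(default_factory=set)
    # hostnames of storage accounts granted by "Storage Destination" rules
    storage_destinations: set[str] = field(default_factory=set)
    # hostnames reached through a private endpoint (storage or service private link)
    private_endpoints: set[str] = field(default_factory=set)
    # "Default Deny": everything not explicitly allowed is blocked
    default_deny: bool = True

    def _fqdn_matches(self, host: str) -> bool:
        for rule in self.fqdn_allow:
            rule = rule.lower()
            if rule.startswith("*."):
                # ".pypi.org" suffix: matches files.pypi.org, not pypi.org, not evilpypi.org
                if host.endswith(rule[1:]):
                    return True
            elif host == rule:
                return True
        return False

    def evaluate(self, url: str) -> Verdict:
        """Decide one outbound connection by its destination host."""
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host and host in self.private_endpoints:
            return Verdict.ALLOWED_PRIVATE
        if host and host in self.storage_destinations:
            return Verdict.ALLOWED_STORAGE
        if host and self._fqdn_matches(host):
            return Verdict.ALLOWED_FQDN
        # an unparsable URL (empty host) also lands here under default deny
        return Verdict.BLOCKED_DEFAULT_DENY if self.default_deny else Verdict.ALLOWED_OPEN


# Constructed policy: values are placeholders, not a real tenant's configuration
DEMO_POLICY = EgressPolicy(
    fqdn_allow={"pypi.org", "*.pypi.org", "files.pythonhosted.org", "api.partner.example"},
    storage_destinations={"examplelake.dfs.core.windows.net"},
    private_endpoints={"examplelake.blob.core.windows.net"},
    default_deny=True,
)

# Constructed sample connections, including the "should fail (unauthorized domain)" check
SAMPLE_REQUESTS = [
    "https://pypi.org/simple/requests/",
    "https://files.pythonhosted.org/packages/abc.whl",
    "https://examplelake.blob.core.windows.net/raw/events.parquet",
    "https://examplelake.dfs.core.windows.net/curated/",
    "https://api.partner.example/v1/score",
    "https://evil.example/upload",            # unknown endpoint: must be blocked
    "https://pypi.org.evil.example/simple/",  # lookalike suffix: must be blocked
    "not a url",                              # unparsable: must be blocked
]


def audit(policy: EgressPolicy, urls: list[str]) -> dict[str, str]:
    """Map each URL to its verdict string; useful as a pre-deployment policy review."""
    return {url: policy.evaluate(url).value for url in urls}


if __name__ == "__main__":
    for url, verdict in audit(DEMO_POLICY, SAMPLE_REQUESTS).items():
        print(f"{verdict:40} {url}")
```

Running the audit before tightening enforcement shows which of the inventoried endpoints a default-deny NCC would cut off, and the two blocked entries at the end of the sample list are the regression checks worth keeping: an unknown domain and a lookalike suffix must both fail.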