This page describes how to configure Azure Network Security Perimeter (NSP) to control access from serverless compute to your Azure resources using the Azure portal.
Overview of network security perimeter for Azure resources
Azure network security perimeter (NSP) is an Azure-built-in feature that creates a logical isolation boundary for your PaaS resources. By associating resources like storage accounts or databases with an NSP, you can centrally manage network traffic using a simplified rule set. NSP eliminates the need to manually manage complex lists of individual IP addresses or subnet IDs.
NSP supports access from serverless SQL warehouses, jobs, notebooks, Lakeflow Spark Declarative Pipelines, and model serving endpoints.
Key benefits
Using NSP for Azure Databricks serverless outbound traffic improves your security posture while significantly reducing operational overhead:
| Benefit | Description |
|---|---|
| Cost savings | Traffic sent over service endpoints stays on the Azure backbone and incurs no data processing charges. |
| Simplified management | Azure Databricks recommends using a regional service tag to limit access to a specific region, for example, AzureDatabricksServerless.EastUS2. The tag includes both service endpoint IPs and Azure Databricks NAT IPs, and all communication is routed over the Azure backbone. If you need to allow access across all Azure Databricks regions, use the global tag AzureDatabricksServerless instead. For the complete list of supported Azure regions, see Azure Databricks regions. |
| Centralized security management | Manage security policies across multiple resource types—including storage, key vaults, and databases—within a single NSP profile. |
Supported Azure services
The AzureDatabricksServerless service tag is supported for use in NSP inbound access rules for the following Azure services:
- Azure Storage (including ADLS Gen2)
- Azure SQL Database
- Azure Cosmos DB
- Azure Key Vault
Requirements
- You must be an Azure Databricks account administrator.
- You must have Contributor or Owner permissions on the Azure resource you want to configure.
- You must have permission to create network security perimeter resources in your Azure subscription.
- Your Azure Databricks workspace and Azure resources must be in the same Azure region for optimal performance and to avoid cross-region data transfer charges.
Step 1: Create a network security perimeter and note the profile ID
Sign in to the Azure portal.
In the search box at the top, enter Network security perimeters and select it from the results.
Click + Create.
On the Basics tab, enter the following information:
- Subscription: Select your Azure subscription.
- Resource group: Select an existing resource group or create one.
- Name: Enter a name for your NSP (for example, databricks-nsp).
- Region: Select the region for your NSP. The region must match your Azure Databricks workspace region and the region of your Azure resources.
- Profile name: Enter a profile name (for example, databricks-profile).
Click Review + create, then Create.
After the NSP is created, go to it in the Azure portal.
In the left sidebar, go to Settings > Profiles.
Create or select your profile (for example, databricks-profile).
Copy the Resource ID for the profile. You need this ID to associate resources programmatically.
Tip
Save the profile ID in a secure location. You must have it available if you want to associate resources using the Azure CLI or API instead of the Azure portal.
Step 2: Associate your resource with NSP in transition mode
You must associate each Azure resource that you want to access from Azure Databricks serverless compute with your NSP profile. This example shows how to associate an Azure Storage account, but the same steps apply to other Azure resources.
- Go to your network security perimeter in the Azure portal.
- In the left sidebar, go to Resources under Settings.
- Click + Add > Associate resources with an existing profile.
- Select the profile you created in Step 1 (for example, databricks-profile).
- Click Associate.
- In the resource selection pane, filter by resource type. For example, to associate an Azure Data Lake Storage Gen2 account, filter by Microsoft.Storage/storageAccounts.
- Select your resource(s) from the list.
- Click Associate at the bottom of the pane.
Verify transition mode:
- In the NSP, go to Settings > Resources (or Associated resources).
- Locate your storage account in the list.
- Verify that the Access Mode column shows Transition. Transition is the default mode.
Note
Transition mode evaluates NSP rules first. If no NSP rule matches the incoming request, the system falls back to the resource's existing firewall rules. Transition mode lets you test your NSP configuration without disrupting existing traffic patterns.
Step 3: Add an inbound access rule for Azure Databricks serverless compute
You must create an inbound access rule in your NSP profile to allow traffic from Azure Databricks serverless compute to your Azure resources.
- Go to your network security perimeter in the Azure portal.
- In the left sidebar, go to Settings > Profiles.
- Select your profile (for example, databricks-profile).
- Under Settings, click Inbound access rules.
- Click + Add.
- Configure the rule:
  - Rule name: Enter a descriptive name (for example, allow-databricks-serverless).
  - Source Type: Select Service Tag.
  - Allowed Sources: Select AzureDatabricksServerless.[your_workspace_region] (for example, AzureDatabricksServerless.EastUS2). Using a regional tag limits access to Azure Databricks IPs in your workspace's region, which reduces exposure compared to the global tag.
- Click Add.
Tip
Databricks recommends using a regional service tag (AzureDatabricksServerless.[your_workspace_region]) for tighter security. If you need to allow access from all Azure Databricks regions—for example, when workspaces span multiple regions—use the global tag AzureDatabricksServerless instead. Both tags update automatically, so you won’t need to manually manage IP addresses or update rules when Azure Databricks adds new IP ranges.
Step 4: Verify the configuration
After configuring your NSP, verify that Azure Databricks serverless compute can access your Azure resource and monitor NSP activity.
Test access from serverless compute
Go to your Azure resource in the Azure portal.
Go to Security + networking > Networking.
Verify that the resource shows an association with your network security perimeter.
Verify that the status shows Transition mode.
View the inbound rules associated with your profile to confirm that the AzureDatabricksServerless rule is listed (either regional or global).
In your Azure Databricks workspace, run a test query to confirm that serverless compute can access your resource. For example, to test access to an ADLS Gen2 storage account:

```sql
SELECT * FROM delta.`abfss://container@storageaccount.dfs.core.windows.net/path/to/data` LIMIT 10;
```

If the query succeeds, your NSP configuration is working correctly.
Monitor NSP activity
To monitor connection attempts that NSP rules allow or deny:
- Go to your Azure resource in the Azure portal.
- Go to Monitoring > Diagnostic settings.
- Click + Add diagnostic setting.
- Select the log categories you want to monitor. For Azure Storage accounts, select:
  - StorageRead
  - StorageWrite
- Select a destination:
  - Log Analytics workspace (recommended for querying and analysis)
  - Storage account (for long-term archival)
  - Event Hub (for streaming to external systems)
- Click Save.
Tip
Diagnostic logs show connection attempts matched by NSP rules versus resource firewall rules. These logs help you validate your configuration before moving to enforced mode. In transition mode, the logs indicate whether each request was allowed by an NSP rule or fell back to the resource firewall.
Understanding NSP access modes
NSP supports two access modes: transition mode and enforced mode. Azure Databricks recommends remaining in transition mode indefinitely for most use cases.
Transition mode (recommended):
- Evaluates NSP rules first, then falls back to resource firewall rules if no NSP rule matches
- Allows you to use NSP alongside existing network configurations
- Compatible with service endpoints, classic compute configurations, and public network traffic patterns
Enforced mode (not recommended for most customers):
- Bypasses resource firewall rules, blocking all traffic that doesn't match an NSP rule. Enforced mode affects not only Azure Databricks but also any other services you've allowed through your resource firewall—those services must have been onboarded to NSP to continue working.
- Remain in transition mode if you use service endpoints to connect to storage from any Azure Databricks workspaces.
Warning
Remain in transition mode to maintain compatibility with your existing network setup while benefiting from simplified rule management. See Network security perimeter limitations.
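To make the difference between the two modes concrete, the following is an added Python model (not from this page, Azure, or Databricks) of the evaluation order described above: a constructed regional rule, a constructed legacy firewall entry, and three constructed requests evaluated in both modes. The service tag names are the page's; the request names and IP addresses are placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class AccessMode(Enum):
    TRANSITION = "Transition"  # NSP rules first, then fall back to the resource firewall
    ENFORCED = "Enforced"      # NSP rules only; the resource firewall is bypassed

@dataclass(frozen=True)
class Request:
    source_ip: str
    service_tags: frozenset  # service tags the source IP belongs to (constructed)

@dataclass(frozen=True)
class Resource:
    nsp_allowed_tags: frozenset      # Step 3 inbound rules with Source Type "Service Tag"
    access_mode: AccessMode
    firewall_allowed_ips: frozenset  # the resource's pre-existing firewall rules

def evaluate(resource: Resource, request: Request) -> tuple[str, str]:
    """Return (decision, matched_by) for one inbound request."""
    # Both modes evaluate the NSP profile's inbound access rules first.
    if request.service_tags & resource.nsp_allowed_tags:
        return ("allow", "nsp-rule")
    # Transition mode falls back to the resource firewall when no NSP rule matches.
    if resource.access_mode is AccessMode.TRANSITION:
        if request.source_ip in resource.firewall_allowed_ips:
            return ("allow", "resource-firewall")
        return ("deny", "resource-firewall")
    # Enforced mode: anything not matched by an NSP rule is blocked.
    return ("deny", "nsp-enforced")

# Constructed inputs: the regional rule recommended in Step 3, one legacy firewall
# entry for a non-Databricks client, and placeholder (TEST-NET) source addresses.
REGIONAL_RULE = frozenset({"AzureDatabricksServerless.EastUS2"})
LEGACY_FIREWALL = frozenset({"203.0.113.10"})
REQUESTS = {
    "serverless-eastus2": Request("198.51.100.1", frozenset(
        {"AzureDatabricksServerless", "AzureDatabricksServerless.EastUS2"})),
    "serverless-westus2": Request("198.51.100.2", frozenset(
        {"AzureDatabricksServerless", "AzureDatabricksServerless.WestUS2"})),
    "legacy-etl-host": Request("203.0.113.10", frozenset()),
}

def decisions(mode: AccessMode) -> dict[str, tuple[str, str]]:
    """Evaluate every constructed request against the resource in the given mode."""
    resource = Resource(REGIONAL_RULE, mode, LEGACY_FIREWALL)
    return {name: evaluate(resource, req) for name, req in REQUESTS.items()}
```

Running `decisions` in both modes shows the point of the Warning: the legacy host that the resource firewall admits in transition mode is denied the moment the resource switches to enforced mode, because only NSP rules are consulted there.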
Next steps
- Configure private endpoints: For private connectivity to Azure resources without public endpoints, see Configure private connectivity to Azure resources.
- Manage network policies: Implement network policies to provide additional security controls and access restrictions for your serverless compute environments. See What is serverless egress control?.
- Understand data transfer costs: Learn about the costs associated with moving data into and out of serverless environments. See Understand Databricks serverless networking costs.