Problem
When you try to use the UI to create and deploy a Databricks Asset Bundle (a bundle) in a VNet-injected Azure Databricks workspace, it fails with the following error.
Unable to download the CLI binary because internet access is not available in this workspace. This may be due to Secure Egress Gateway (SEG) restrictions. Please contact your workspace administrator to review SEG settings.
Cause
Creating and deploying a bundle relies on serverless infrastructure that requires downloading CLI binaries and related dependencies from GitHub and Terraform. Your workspace is configured with outbound network restrictions, blocking these downloads and causing the deployment to fail.
Solution
First, allow access to below listed domains in the serverless network egress rules so the bundle’s create and deploy action can download necessary CLI dependencies. In your account’s network configuration, add the following fully qualified domain names (FQDNs) to the serverless network policy egress rules.
github.comobjects.githubusercontent.comraw.githubusercontent.comregistry.terraform.ioreleases.hashicorp.comcheckpoint-api.hashicorp.com
Then add the network rules using the following steps.
- Login to your Databricks account console. This requires account admin access. If you do not have admin access, contact your admin team.
- Click Cloud resources in the left sidebar.
- Navigate to the Network policies tab.
- Select the appropriate serverless network policy.
- In the Egress rules section, add the FQDNs from the previous step one at a time and click Add destination to save the changes.
The following screenshot shows the result after following these steps and adding all FQDNs. The red boxes highlight where to click and navigate.
For more information, refer to the “Set egress rules” section of the Manage network policies for serverless egress control documentation.
After updating the egress rules, retry the bundle creation and deployment.