Unable to connect to endpoints via a non-HTTP/HTTPS port number when using standard (formerly shared) access mode

Use Databricks Runtime 12.2 LTS or above, or use an init script to open a required port.

Written by kunal.jadhav

Last published at: July 8th, 2025

Problem

You're trying to connect to a custom endpoint hosted within the same VPC/VNet as your workspace, on a non-standard port (any port other than HTTP 80 or HTTPS 443). The connection attempt fails with a Connection Refused error.

You notice the issue when working on a standard (formerly shared) access mode cluster on Databricks Runtime 11.3 LTS or below.

Cause

On standard access mode clusters, Databricks Runtime 11.3 LTS and below restrict outbound access to certain ports by default, even for destinations within the same VPC/VNet.

Solution

Databricks recommends using Databricks Runtime 12.2 LTS or above with standard access mode.

If you prefer to continue using Databricks Runtime 11.3 LTS or below, use the following cluster-scoped init script to allow access to the custom endpoint. The script runs in the background for the life of the node and periodically checks that an outbound ACCEPT rule for the specified port and CIDR is present in the iptables OUTPUT chain, re-inserting it if it is missing.

Note

Ensure that the target endpoint falls within the Databricks VPC/VNet CIDR block. The rule inserted below only matches destinations inside the CIDR you supply, so an endpoint outside it remains unreachable.

#!/bin/bash
# Cluster-scoped init script: writes a helper to /tmp and runs it in the
# background so the ACCEPT rule is re-added if it is ever missing.
cat << 'EOF' > /tmp/set_rules.sh
#!/bin/bash
set -x
sleep_interval=30s

port="<your-target-port>"  ## Change this to your target port
cidr="<your-workspace-VPC-or-VNET-CIDR>"  ## Replace with your workspace VPC/VNet CIDR

while true; do
    # Wait until the spark-users group exists (cluster setup has finished),
    # then insert the rule only if an identical one is not already present.
    # `iptables -C` tests for the exact rule; `iptables -L` without -n would
    # print a service name (e.g. dpt:mysql) instead of dpt:3306, so a plain
    # grep on the port number could miss an existing rule and add duplicates.
    if getent group spark-users > /dev/null && \
       ! iptables -C OUTPUT -d "$cidr" -p tcp --dport "$port" -j ACCEPT 2> /dev/null; then
        echo "Changing rules at $(date)"
        iptables -I OUTPUT 2 -d "$cidr" -p tcp --dport "$port" -j ACCEPT
    fi
    sleep "${sleep_interval}"
done
EOF

chmod a+x /tmp/set_rules.sh
/tmp/set_rules.sh >> /tmp/set_rules.log 2>&1 & disown
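As an added example (not part of the original article and not a Databricks script), the following POSIX shell functions check the two values the init script depends on before you deploy it: that the port is one the article says is blocked by default (anything other than 80 or 443), and that the endpoint address actually lies inside the CIDR you will paste into cidr, which is the precondition stated in the Note above. The function names and the sample addresses are my own.

```shell
# Added example: validate init-script inputs offline. The ACCEPT rule the
# script inserts only matches destinations inside $cidr, so an endpoint
# outside that block would still get "Connection refused". No network use.

# is_octet <string>: 0 if it is a decimal 0..255 without leading zeros.
is_octet() {
    case $1 in
        0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$1" -le 255 ] ;;
        *) return 1 ;;
    esac
}

# ip_to_int <ipv4>: print the address as a 32-bit integer; fail if malformed.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do is_octet "$o" || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ipv4> <cidr>: 0 if the address lies inside the CIDR block.
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    case $bits in 0|[1-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    ipn=$(ip_to_int "$1") || return 1
    netn=$(ip_to_int "$net") || return 1
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# port_needs_rule <port>: 0 for a valid TCP port other than 80 or 443.
port_needs_rule() {
    case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "$1" -le 65535 ] || return 1
    [ "$1" -ne 80 ] && [ "$1" -ne 443 ]
}

# check_init_script_inputs <endpoint-ip> <port> <cidr>: print a verdict and
# succeed only when the rule the init script inserts would cover the endpoint.
check_init_script_inputs() {
    if ! port_needs_rule "$2"; then
        echo "port $2: invalid, or already reachable (80/443); no rule needed"; return 1
    fi
    if ! ip_in_cidr "$1" "$3"; then
        echo "endpoint $1 is outside $3: the rule '-d $3 --dport $2' would not match"; return 1
    fi
    echo "ok: rule '-d $3 -p tcp --dport $2 -j ACCEPT' covers $1:$2"
}
```

Run it as `check_init_script_inputs <endpoint-ip> <port> <cidr>` with the values you intend to put in the init script; a non-zero exit means the script as configured would not unblock that endpoint.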