Skip to content

Azure Databricks workspaces should disable public network access#

Security · Databricks · Rule · 2024_03 · Critical

Azure Databricks workspaces should disable public network access.

Description#

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.

Recommendation#

Consider configuring Databricks workspaces to disable public network access, using private endpoints to control connectivity.

Examples#

Configure with Azure template#

To deploy workspaces that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.Databricks/workspaces",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
    "publicNetworkAccess": "Disabled",
    "parameters": {
      "enableNoPublicIp": {
        "value": true
      }
    }
  }
}

Configure with Bicep#

To deploy workspaces that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Bicep snippet
resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    managedResourceGroupId: managedRg.id
    publicNetworkAccess: 'Disabled'
    parameters: {
      enableNoPublicIp: {
        value: true
      }
    }
  }
}

Comments