Enable secure connectivity for Databricks workspaces

Security · Databricks · Rule · 2023_09 · Critical

Use Databricks workspaces configured for secure cluster connectivity.

Description

An Azure Databricks workspace uses one or more runtime clusters to execute data processing workloads.

When configuring Databricks workspaces, runtime clusters can be configured with or without public IP addresses. Secure cluster connectivity is used when a Databricks workspace is deployed without public IP addresses. Use secure cluster connectivity to simplify security and administration of Databricks networking within Azure.

With secure cluster connectivity enabled:

  • The runtime cluster communicates with the control plane over an outbound HTTPS connection.
  • No open ports or public IP addresses are required.

Recommendation

Consider configuring Databricks workspaces to use secure cluster connectivity.

Examples

Configure with Azure template

To deploy workspaces that pass this rule:

  • Set the properties.parameters.enableNoPublicIp.value property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Databricks/workspaces",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
    "publicNetworkAccess": "Disabled",
    "parameters": {
      "enableNoPublicIp": {
        "value": true
      }
    }
  }
}
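
To check a template before deployment, the following added example (not part of the original page and not the rule's own implementation) walks an ARM template and reports whether each Databricks workspace sets properties.parameters.enableNoPublicIp.value to true. The function names and the sample template are constructed for illustration; it assumes a `[parameters('x')]` reference can be resolved from the parameter's defaultValue and treats an omitted setting as not passing.

```python
import re

WORKSPACE_TYPE = "microsoft.databricks/workspaces"
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

# Constructed sample template (not from the page): three workspaces.
SAMPLE_TEMPLATE = {
    "parameters": {"noPublicIp": {"type": "bool", "defaultValue": False}},
    "resources": [
        {"type": "Microsoft.Databricks/workspaces", "name": "ws-secure",
         "properties": {"parameters": {"enableNoPublicIp": {"value": True}}}},
        {"type": "Microsoft.Databricks/workspaces", "name": "ws-unset",
         "properties": {}},
        {"type": "Microsoft.Databricks/workspaces", "name": "ws-param",
         "properties": {"parameters": {
             "enableNoPublicIp": {"value": "[parameters('noPublicIp')]"}}}},
    ],
}


def resolve(value, parameters):
    """Replace a "[parameters('x')]" expression with that parameter's defaultValue."""
    match = PARAM_REF.fullmatch(value.strip()) if isinstance(value, str) else None
    if match:
        return parameters.get(match.group(1), {}).get("defaultValue")
    return value


def walk(resources):
    """Yield every resource, including nested child resources."""
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = list(resources.values())
    for resource in resources or []:
        yield resource
        yield from walk(resource.get("resources"))


def check_template(template):
    """Map each Databricks workspace name to True when enableNoPublicIp is true."""
    parameters = template.get("parameters", {})
    results = {}
    for resource in walk(template.get("resources")):
        if str(resource.get("type", "")).lower() != WORKSPACE_TYPE:
            continue
        setting = (resource.get("properties", {}).get("parameters", {})
                   .get("enableNoPublicIp", {}))
        results[resource.get("name")] = resolve(setting.get("value"), parameters) is True
    return results
```

To check a real file, pass `check_template` the result of `json.load` on the template; a parameter with no defaultValue is reported as not passing because its value is unknown until deployment.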

Configure with Bicep

To deploy workspaces that pass this rule:

  • Set the properties.parameters.enableNoPublicIp.value property to true.

For example:

Azure Bicep snippet
resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    managedResourceGroupId: managedRg.id
    publicNetworkAccess: 'Disabled'
    parameters: {
      enableNoPublicIp: {
        value: true
      }
    }
  }
}
