🛡️ Azure Databricks Workspace is not deployed in a customer-managed virtual network (VNet)🟢

Contextual name: 🛡️ Workspace is not deployed in a customer-managed virtual network (VNet)🟢
ID: /ce/ca/azure/databricks/customer-managed-virtual-network
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Databricks Workspace
- 🔌 Azure Databricks Workspace - object.extracts.yaml
- 🧪 test-data.json

Description

Description

Networking for Azure Databricks can be set up in a few different ways. Using a customer-managed Virtual Network (VNet) (also known as VNet Injection) ensures that compute clusters and control planes are securely isolated within the organization’s network boundary. By default, Databricks creates a managed VNet, which provides limited control over network security policies, firewall configurations, and routing.

Rationale

Using a customer-managed VNet ensures better control over network security and aligns with zero-trust architecture principles. It allows for:

Restricted outbound internet access to prevent unauthorized data exfiltration.

Integration with on-premises networks via VPN or ExpressRoute for hybrid connectivity.

Fine-grained NSG policies to restrict access at the subnet level.

Private Link for secure API access, avoiding public internet exposure.

Impact

Requires additional configuration during Databricks workspace deployment.

Might increase operational overhead for network maintenance.

... see more

Remediation

Open File

Remediation

Redeploy Azure Databricks into a Custom VNet with NSGs

This requires recreating the Databricks workspace using VNet injection.

Azure CLI

Create an NSG

az network nsg create \
    --resource-group {{resource-group}} \
    --name {{nsg-name}} \
    --location {{location}}

Create a custom Virtual Network and subnets

az network vnet create \
    --resource-group {{resource-group}} \
    --name {{vnet-name}} \
    --address-prefix {{10.0.0.0/16}} \
    --subnets "[{name:{{private-subnet-name}},address-prefix:{{subnet-prefix}}},{name:{{public-subnet-name}},address-prefix:{{subnet-prefix}} }]" \
    --nsg {{nsg-name}}

Deploy a new Databricks workspace using VNet injection

az databricks workspace create \
    --resource-group {{resource-group}} \
    --name {{workspace-name}} \
    --location {{location}} \
    --sku {{premium}} \
    --vnet {{vnet-name}} \
    --public-subnet {{public-subnet-name}} \

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated)			1		no data
💼 Cloudaware Framework → 💼 Threat Protection			48		no data

Logic​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Redeploy Azure Databricks into a Custom VNet with NSGs​

Azure CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Remediation

Remediation

Redeploy Azure Databricks into a Custom VNet with NSGs

Azure CLI

policy.yaml

Linked Framework Sections