Azure Databricks Workspace is not deployed in a customer-managed virtual network (VNet)
- Contextual name: Workspace is not deployed in a customer-managed virtual network (VNet)
- ID: /ce/ca/azure/databricks/customer-managed-virtual-network
- Located in: Azure Databricks
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Logic
- prod.logic.yaml
Description
Networking for Azure Databricks can be set up in a few different ways. Using a customer-managed Virtual Network (VNet), also known as VNet Injection, ensures that compute clusters and the control plane are isolated within the organization's own network boundary. By default, Databricks creates a managed VNet, which gives the organization limited control over network security policies, firewall configurations, and routing.
Rationale
Using a customer-managed VNet ensures better control over network security and aligns with zero-trust architecture principles. It allows for:
- Restricted outbound internet access to prevent unauthorized data exfiltration.
- Integration with on-premises networks via VPN or ExpressRoute for hybrid connectivity.
- Fine-grained NSG policies to restrict access at the subnet level.
- Private Link for secure API access, avoiding public internet exposure.
Impact
- Requires additional configuration during Databricks workspace deployment.
- Might increase operational overhead for network maintenance.
Remediation
From Azure Portal
- Delete the existing Databricks workspace (migration required).
- Create a new Databricks workspace with VNet Injection:
  - Go to Azure Portal, then Create Databricks Workspace.
  - Select Advanced Networking.
  - Choose Deploy into your own Virtual Network.
  - Specify a customer-managed VNet and associated subnets.
  - Enable Private Link for secure API access.
From Azure CLI
Deploy a new Databricks workspace in a custom VNet:

```shell
az databricks workspace create --name <databricks-workspace-name> \
  --resource-group <resource-group-name> \
  --location <region> \
  --managed-resource-group <managed-rg-name> \
  --enable-no-public-ip true \
  --network-security-group-rule "NoAzureServices" \
  --public-network-access Disabled \
  --custom-virtual-network-id /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>
```

Ensure NSG rules are correctly configured:

```shell
az network nsg rule create --resource-group <resource-group-name> \
```

... [see more](remediation.md)
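To verify the remediation, or to find workspaces that still use the Databricks-managed VNet, the check can be run over the workspace resource JSON that `az databricks workspace show -o json` returns. The following is an added example, not Cloudaware's prod.logic.yaml: the parameter names under `properties.parameters` (`customVirtualNetworkId`, `customPublicSubnetName`, `customPrivateSubnetName`, `enableNoPublicIp`) and the `properties.publicNetworkAccess` and `properties.requiredNsgRules` fields are assumed from the ARM resource schema, and both sample resources are constructed. The policy verdict is the presence of a customer-managed VNet; the extra hardening settings the remediation enables are reported separately as gaps.

```python
"""Audit Microsoft.Databricks/workspaces resources for VNet Injection.

Added example for this policy; it is not Cloudaware's prod.logic.yaml. The input
shape follows the ARM resource JSON that `az databricks workspace show -o json`
returns; the parameter names under properties.parameters and the
publicNetworkAccess / requiredNsgRules properties are assumed from that schema.
Both sample resources below are constructed.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: default deployment in the Databricks-managed VNet.
MANAGED_VNET_WORKSPACE: dict[str, Any] = json.loads("""
{
  "name": "dbw-managed-sample",
  "type": "Microsoft.Databricks/workspaces",
  "location": "eastus",
  "properties": {
    "parameters": {
      "enableNoPublicIp": {"type": "Bool", "value": false}
    },
    "publicNetworkAccess": "Enabled"
  }
}
""")

# Constructed sample: workspace injected into a customer-managed VNet with the
# hardening the remediation section enables (no public IPs, private access only).
INJECTED_VNET_WORKSPACE: dict[str, Any] = json.loads("""
{
  "name": "dbw-injected-sample",
  "type": "Microsoft.Databricks/workspaces",
  "location": "eastus",
  "properties": {
    "parameters": {
      "customVirtualNetworkId": {"type": "String", "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/net-rg/providers/Microsoft.Network/virtualNetworks/vnet-sample"},
      "customPublicSubnetName": {"type": "String", "value": "dbw-host"},
      "customPrivateSubnetName": {"type": "String", "value": "dbw-container"},
      "enableNoPublicIp": {"type": "Bool", "value": true}
    },
    "publicNetworkAccess": "Disabled",
    "requiredNsgRules": "NoAzureServiceRules"
  }
}
""")


def _param(ws: dict[str, Any], name: str) -> Any:
    """Return properties.parameters.<name>.value, or None when absent."""
    params = ws.get("properties", {}).get("parameters") or {}
    entry = params.get(name)
    return entry.get("value") if isinstance(entry, dict) else entry


def audit_workspace(ws: dict[str, Any]) -> dict[str, Any]:
    """Evaluate one workspace.

    `compliant` is this policy's verdict (a customer-managed VNet is configured);
    `hardening_gaps` lists related settings the remediation turns on but which are
    not what the policy itself scores.
    """
    props = ws.get("properties", {})
    vnet_id = _param(ws, "customVirtualNetworkId")
    compliant = bool(vnet_id)
    gaps: list[str] = []
    if not compliant:
        gaps.append("customVirtualNetworkId is unset: Databricks-managed VNet in use")
    else:
        # VNet Injection needs both delegated subnets to be named.
        for subnet in ("customPublicSubnetName", "customPrivateSubnetName"):
            if not _param(ws, subnet):
                gaps.append(f"{subnet} is unset")
    if _param(ws, "enableNoPublicIp") is not True:
        gaps.append("enableNoPublicIp is not true: cluster nodes may get public IPs")
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        gaps.append("publicNetworkAccess is not Disabled: front end reachable from the internet")
    # An absent requiredNsgRules is treated as the permissive default, AllRules.
    if props.get("requiredNsgRules", "AllRules") == "AllRules":
        gaps.append("requiredNsgRules is AllRules: subnet NSG must allow outbound to Azure services")
    return {"name": ws.get("name"), "compliant": compliant, "hardening_gaps": gaps}


def noncompliant_names(workspaces: list[dict[str, Any]]) -> list[str]:
    """Names of workspaces that fail this policy (no customer-managed VNet)."""
    return [r["name"] for r in map(audit_workspace, workspaces) if not r["compliant"]]


if __name__ == "__main__":
    for ws in (MANAGED_VNET_WORKSPACE, INJECTED_VNET_WORKSPACE):
        print(json.dumps(audit_workspace(ws), indent=2))
```

Feeding the script the output of `az databricks workspace list -o json` (a JSON array of the same resource shape) through `noncompliant_names` gives the set of workspaces that need the migration described above; the `hardening_gaps` list is the checklist for the follow-up settings once a workspace has been recreated in the customer-managed VNet.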
policy.yaml
Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| CIS Azure v4.0.0 → 3.1.1 Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) (Automated) | 1 | | | |
| Cloudaware Framework → Threat Protection | 27 | | | |