Remediation
From Azure Portalβ
- Delete the existing Databricks workspace (migration required).
- Create a new Databricks workspace with VNet Injection:
- Go to Azure Portal β Create Databricks Workspace.
- Select Advanced Networking.
- Choose Deploy into your own Virtual Network.
- Specify a customer-managed VNet and associated subnets.
- Enable Private Link for secure API access.
From Azure CLIβ
Deploy a new Databricks workspace in a custom VNet:
az databricks workspace create --name <databricks-workspace-name> \
--resource-group <resource-group-name> \
--location <region> \
--managed-resource-group <managed-rg-name> \
--enable-no-public-ip true \
--network-security-group-rule "NoAzureServices" \
--public-network-access Disabled \
--custom-virtual-network-id /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>
Ensure NSG Rules are correctly configured:
az network nsg rule create --resource-group <resource-group-name> \
--nsg-name <nsg-name> \
--name "DenyAllOutbound" \
--direction Outbound \
--access Deny \
--priority 4096
From PowerShellβ
New-AzDatabricksWorkspace -ResourceGroupName <resource-group-name> -Name <databricks-workspace-name> -Location <region> -ManagedResourceGroupName <managed-rg-name> -CustomVirtualNetworkId "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"