πŸ›‘οΈ Azure Databricks network security groups are not configured🟒βšͺ

  • Contextual name: 🛡️ Databricks network security groups are not configured 🟢⚪
  • ID: /ce/ca/azure/databricks/network-security-groups-for-subnets
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Network Security Groups (NSGs) should be implemented to control inbound and outbound traffic to Azure Databricks subnets, ensuring only authorized communication. NSGs should be configured with deny rules to block unwanted traffic and restrict communication to essential sources only.

Rationale

Impact

  • NSGs require periodic maintenance to ensure rule accuracy.
  • Misconfigured NSGs could inadvertently block required traffic.

Audit

From Azure Portal
  1. Navigate to Virtual Networks > Subnets, and review NSG assignments.

From Azure CLI
  az network nsg list --query "[].{Name:name, Rules:securityRules}"

From PowerShell
  Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group-name>
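To turn the CLI output above into a pass/fail result, the following added example (not Cloudaware's or Microsoft's code) parses the JSON shapes returned by `az network vnet subnet list` and `az network nsg list` and reports every Databricks subnet that has no NSG attached, or whose NSG has no explicit inbound Deny rule as the description calls for. The subnet, NSG and rule names are constructed sample data, and the subnet listing command is assumed as the source of the subnet records.

```python
"""Audit helper: flag Databricks subnets that have no NSG attached, or whose
NSG carries no explicit inbound Deny rule. Added example, not Cloudaware's or
Microsoft's code; inputs mirror the JSON of `az network vnet subnet list` and
`az network nsg list`, but every record here is constructed sample data."""
import json

NSG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dbx"
          "/providers/Microsoft.Network/networkSecurityGroups/nsg-dbx")

# Constructed: one subnet with an NSG, one without (the non-compliant case).
SUBNETS_JSON = json.dumps([
    {"name": "dbx-host-subnet", "networkSecurityGroup": {"id": NSG_ID}},
    {"name": "dbx-container-subnet", "networkSecurityGroup": None},
])

ALLOW_RULE = {"name": "AllowDatabricksWorkers", "direction": "Inbound",
              "access": "Allow", "priority": 100, "sourceAddressPrefix": "VirtualNetwork"}
DENY_RULE = {"name": "DenyAllOtherInbound", "direction": "Inbound",
             "access": "Deny", "priority": 4096, "sourceAddressPrefix": "*"}

# Constructed NSG lists: compliant (Allow + Deny) and non-compliant (Allow only).
# Resource ids are case-insensitive in Azure, so one id is deliberately upper-cased.
NSGS_JSON = json.dumps([{"name": "nsg-dbx", "id": NSG_ID.upper(),
                         "securityRules": [ALLOW_RULE, DENY_RULE]}])
NSGS_NO_DENY_JSON = json.dumps([{"name": "nsg-dbx", "id": NSG_ID,
                                 "securityRules": [ALLOW_RULE]}])


def audit_subnets(subnets_json: str, nsgs_json: str) -> list[tuple[str, str]]:
    """Return (subnet name, finding) pairs; an empty list means every subnet passes."""
    nsgs = {n["id"].lower(): n for n in json.loads(nsgs_json)}
    findings = []
    for subnet in json.loads(subnets_json):
        ref = subnet.get("networkSecurityGroup")
        if not ref:
            findings.append((subnet["name"], "no NSG assigned"))
            continue
        nsg = nsgs.get(ref["id"].lower())
        if nsg is None:
            findings.append((subnet["name"], "NSG referenced but not in nsg list output"))
            continue
        # `securityRules` holds only custom rules; Azure's built-in defaults are
        # reported separately under `defaultSecurityRules` and not inspected here.
        has_deny = any(r["direction"] == "Inbound" and r["access"] == "Deny"
                       for r in nsg.get("securityRules", []))
        if not has_deny:
            findings.append((subnet["name"],
                             f"NSG {nsg['name']} has no explicit inbound Deny rule"))
    return findings
```

Feed it the real `-o json` output of the two commands for the Databricks VNet to get a per-subnet list of findings; an empty list is the compliant state.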

Default Value

By default, Databricks subnets do not have NSGs assigned.

References

  1. https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-databricks-security-baseline
  2. https://learn.microsoft.com/en-us/azure/databricks/security/network/classic/vnet-inject#network-security-group-rules

Remediation

From Azure Portal

  1. Assign NSG to Databricks subnets under Networking > NSG Settings.

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v4.0.0 → 💼 3.1.2 Ensure that network security groups are configured for Databricks subnets (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 55 | no data