Azure Databricks Workspace network security groups are not configured
- Contextual name: Databricks Workspace network security groups are not configured
- ID: /ce/ca/azure/databricks/network-security-groups-for-subnets
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description
Network Security Groups (NSGs) should be applied to Azure Databricks subnets to control both inbound and outbound network traffic and ensure that only authorized communication is permitted. NSGs operate on a rule-based model that supports explicit allow and deny rules, followed by an implicit deny rule at the end of the rule set. As a result, any traffic not explicitly allowed is automatically blocked.
To promote secure and predictable network behavior, NSGs should include explicit deny rules for known unwanted or non-essential traffic in addition to the default implicit deny. This enhances visibility into blocked traffic, improves auditability, and supports enforcement of the principle of least privilege, thereby reducing the risk of unauthorized access to Databricks resources.
Rationale
Implementing NSGs with clearly defined allow and deny rules provides transparency and precise control over permitted and restricted network traffic. Although Azure NSGs implicitly deny traffic that is not explicitly allowed, defining explicit deny rules for known malicious or unnecessary sources improves readability of the security configuration, simplifies troubleshooting, and supports regulatory and compliance audits. This layered defense approach strengthens the overall security posture of Azure Databricks environments by limiting communication strictly to required endpoints.
Remediation
Assign an NSG to an Existing Databricks Subnet
Azure CLI
Create an NSG (if one does not already exist):

```bash
az network nsg create \
  --resource-group {{resource-group}} \
  --name {{nsg-name}} \
  --location {{location}}
```

Associate the NSG with the Databricks subnet:

```bash
az network vnet subnet update \
  --resource-group {{resource-group}} \
  --vnet-name {{vnet-name}} \
  --name {{databricks-subnet-name}} \
  --network-security-group {{nsg-name}}
```

Repeat this step for both the private and public Databricks subnets, if applicable.
From PowerShell

```powershell
# Sample inbound rule used by this procedure: allows RDP (TCP/3389) from the Internet.
$sampleRule = New-AzNetworkSecurityRuleConfig `
  -Name "{{rdp-rule}}" `
  -Description "Allow RDP" `
  -Access Allow `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 100 `
  -SourceAddressPrefix Internet `
  -SourcePortRange * `
  -DestinationAddressPrefix * `
  -DestinationPortRange 3389

# Create the NSG and attach the rule above. -Location is required by the cmdlet and
# -SecurityRules attaches the rule; both are completed here with placeholders.
$nsg = New-AzNetworkSecurityGroup `
  -Name "{{nsg-name}}" `
  -ResourceGroupName "{{resource-group}}" `
  -Location "{{location}}" `
  -SecurityRules $sampleRule
```

See [remediation.md](remediation.md) for the full procedure.
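As an added check (not part of this policy's logic or of Cloudaware's code), the following Python reads the JSON that `az network vnet subnet list -o json` prints for a VNet, lists the Databricks-delegated subnets that have no NSG attached, and builds the `az network vnet subnet update` command from the CLI steps above for each of them. The field names `delegations`, `serviceName` and `networkSecurityGroup` are assumptions about the CLI output shape, and the sample subnet data is constructed.

```python
import json

# Delegation that marks a subnet as a Databricks workspace subnet.
DATABRICKS_DELEGATION = "Microsoft.Databricks/workspaces"

# Constructed sample in the shape of `az network vnet subnet list -o json`
# (assumed field names): a Databricks subnet with an NSG, one without,
# and an unrelated subnet that the check must ignore.
SAMPLE_SUBNETS_JSON = """[
  {"name": "public-subnet",
   "delegations": [{"serviceName": "Microsoft.Databricks/workspaces"}],
   "networkSecurityGroup": {"id": "/subscriptions/SUB-ID/resourceGroups/rg-example/providers/Microsoft.Network/networkSecurityGroups/databricks-nsg"}},
  {"name": "private-subnet",
   "delegations": [{"serviceName": "Microsoft.Databricks/workspaces"}],
   "networkSecurityGroup": null},
  {"name": "app-subnet", "delegations": [], "networkSecurityGroup": null}
]"""

def is_databricks_subnet(subnet):
    """True if the subnet is delegated to Microsoft.Databricks/workspaces."""
    delegations = subnet.get("delegations") or []
    return any(d.get("serviceName") == DATABRICKS_DELEGATION for d in delegations)

def has_nsg(subnet):
    """True if an NSG object with an id is associated with the subnet."""
    nsg = subnet.get("networkSecurityGroup")
    return bool(nsg and nsg.get("id"))

def unprotected_databricks_subnets(subnets_json):
    """Return the names of Databricks subnets with no NSG attached, sorted."""
    subnets = json.loads(subnets_json)
    return sorted(s["name"] for s in subnets
                  if is_databricks_subnet(s) and not has_nsg(s))

def remediation_commands(resource_group, vnet_name, nsg_name, subnet_names):
    """Build one `az network vnet subnet update` command per failing subnet."""
    return [
        f"az network vnet subnet update --resource-group {resource_group} "
        f"--vnet-name {vnet_name} --name {name} --network-security-group {nsg_name}"
        for name in subnet_names
    ]

if __name__ == "__main__":
    failing = unprotected_databricks_subnets(SAMPLE_SUBNETS_JSON)
    print("Databricks subnets without an NSG:", failing)
    for cmd in remediation_commands("rg-example", "vnet-example", "databricks-nsg", failing):
        print(cmd)
```

To run it against a real VNet, pipe the CLI output into `unprotected_databricks_subnets` instead of the constructed sample; attaching an NSG satisfies the check, but the NSG's rules still need reviewing against the explicit allow and deny rules the rationale above calls for.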
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS Azure v5.0.0 → 2.1.2 Ensure that network security groups are configured for Databricks subnets (Automated) | 1 | no data | | | |
| Cloudaware Framework → Secure Access | 68 | no data | | | |