📝 Azure Databricks network security groups are not configured 🟢

• Contextual name: 📝 Databricks network security groups are not configured 🟢
• ID: /ce/ca/azure/databricks/network-security-groups-for-subnets
• Located in: 📁 Azure Databricks

Flags

• 🟢 Impossible policy
• 🟢 Policy with categories
• 🟢 Policy with type

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Description

Open File

Description

Network Security Groups (NSGs) should be implemented to control inbound and outbound traffic to Azure Databricks subnets, ensuring only authorized communication. NSGs should be configured with deny rules to block unwanted traffic and restrict communication to essential sources only.

Rationale

Impact

• NSGs require periodic maintenance to ensure rule accuracy.
• Misconfigured NSGs could inadvertently block required traffic.

Audit

From Azure Portal

1. Navigate to Virtual Networks > Subnets, and review NSG assignments.

From Azure CLI

az network nsg list --query "[].{Name:name, Rules:securityRules}"

From PowerShell

Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group-name>

Default Value

By default, Databricks subnets do not have NSGs assigned.

References

1. https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-databricks-security-baseline
2. https://learn.microsoft.com/en-us/azure/databricks/security/network/classic/vnet-inject#network-security-group-rules

Remediation

Open File

Remediation

From Azure Portal

1. Assign NSG to Databricks subnets under Networking > NSG Settings.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v4.0.0 → 💼 3.1.2 Ensure that network security groups are configured for Databricks subnets (Manual)			1
💼 Cloudaware Framework → 💼 Secure Access			53