🛡️ Azure Databricks Workspace Secure Cluster Connectivity is not enabled🟢

• Contextual name: 🛡️ Databricks Workspace Secure Cluster Connectivity is not enabled🟢
• ID: /ce/ca/azure/databricks/no-public-ip
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Databricks Workspace
  • 🔌 Azure Databricks Workspace - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Enable secure cluster connectivity (also known as no public IP) on Azure Databricks workspaces to ensure that clusters do not have public IP addresses and communicate with the control plane over a secure connection.

Rationale

Enabling secure cluster connectivity limits exposure to the public internet, improving security and reducing the risk of external attacks.

Impact

Enabling secure cluster connectivity requires careful network configuration. Before secure cluster connectivity can be enabled, Azure Databricks workspaces must be deployed in a customer-managed virtual network (VNet injection), refer to the policy Azure Databricks Workspace is not deployed in a customer-managed virtual network (VNet).

Audit

This policy flags an Azure Databricks Workspace as INCOMPLAINT if the Parameters JSON field does not contain the enableNoPublicIp parameter set to true.

Default Value

No Public IP is set to Enabled by default.

References

1. https://learn.microsoft.com/en-us/azure/databricks/security/network/classic/secure-cluster-connectivity

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to Azure Databricks.
2. Click the name of a workspace.
3. Under Settings, click Networking.
4. Under Network access, next to Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP), click the radio button next to Enabled.
5. Click Save.
6. Repeat steps 1-5 for each workspace requiring remediation.

From Azure CLI

For each workspace requiring remediation, run the following command to set enableNoPublicIp to true:

az databricks workspace update /
    --resource-group {{resource-group}} /
    --name {{workspace}} /
    --enable-no-public-ip true

From PowerShell

For each workspace requiring remediation, run the following command to set EnableNoPublicIP to True:

Update-AzDatabricksWorkspace `
    -ResourceGroupName {{resource-group}} `
    -Name {{workspace}} `
    -EnableNoPublicIP

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.9 Ensure 'No Public IP' is set to 'Enabled' (Automated)			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			110		no data