
๐Ÿ›ก๏ธ Azure Databricks Workspace does not use private endpoint connections๐ŸŸข

  • Contextual name: 🛡️ Databricks Workspace does not use private endpoint connections 🟢
  • ID: /ce/ca/azure/databricks/private-endpoint-connection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

This policy identifies Azure Databricks workspaces that have no private endpoint connection.

A private endpoint gives clients private connectivity to an Azure Databricks workspace over Azure Private Link. The endpoint is a network interface that takes a private IP address from a subnet in your Virtual Network (VNet); clients reach the workspace through that address, so the traffic stays on the Microsoft backbone instead of crossing the public internet (the application traffic itself remains TLS-encrypted as usual). Because the endpoint lives in your VNet, it can be segmented with network security groups, reached from on-premises networks over VPN or ExpressRoute, and shared with other VNets through peering, which removes the need to expose the workspace on a public address.

Rationale

Using private endpoints for Azure Databricks workspaces lets all user and API traffic reach the workspace over private IP space in a customer-managed VNet. Note that creating a private endpoint does not by itself turn off the workspace's public endpoint; public network access must also be disabled on the workspace for the exposure to be eliminated. Together, the two settings:

  • Minimize the attack surface and support Zero Trust principles.
  • Enable network segmentation and fine-grained access control.
  • Support hybrid connectivity, so on-premises or remote clients reach the workspace without traversing the public internet.


Remediation

From Azure Portal

  1. Go to Azure Databricks.
  2. Click the name of a workspace.
  3. Under Settings, click Networking.
  4. Click Private endpoint connections.
  5. Click + Private endpoint.
  6. Under Project details, select a Subscription and a Resource group.
  7. Under Instance details, provide a Name and a Network interface name, and select a Region.
  8. Click Next: Resource.
  9. Select a Target sub-resource: databricks_ui_api for access to the workspace UI and REST API, or browser_authentication for the single sign-on callback endpoint.
  10. Click Next: Virtual Network.
  11. Under Networking, select a Virtual network and a Subnet.
  12. Optionally, configure Private IP configuration and Application security group.
  13. Click Next: DNS.
  14. Optionally, configure Private DNS integration (integrating with the privatelink.azuredatabricks.net zone makes the workspace hostname resolve to the private IP for clients in the VNet).
  15. Click Next: Tags.
  16. Optionally, configure tags.
  17. Click Next: Review + create.
  18. Click Create.
  19. Repeat steps 1-18 for each workspace requiring remediation.

Once the private endpoint connection shows as Approved, return to the workspace's Networking page and set public network access to Disabled so the workspace can no longer be reached over its public endpoint.

From Azure CLI

For each workspace requiring remediation, run the following command to create a private endpoint connection:

az network private-endpoint create \

... [see more](remediation.md)
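The check this policy performs, together with the public-access caveat from the rationale and the CLI remediation above, as an added example that is not part of this page and not Cloudaware's policy engine: it evaluates workspace JSON in the shape returned by `az databricks workspace show -o json` (properties flattened) or by the ARM REST API / `az resource show` (properties nested under `properties`), and for each non-compliant workspace emits the `az` commands to run. The workspace names, resource group, subscription ID, VNet and subnet are constructed; the `--public-network-access` flag on `az databricks workspace update` is assumed to be present in your installed databricks CLI extension, so confirm it with `--help` before running the output.

```python
"""Audit Azure Databricks workspaces for the private-endpoint policy.

Added example; not Cloudaware's policy engine. Accepts both the flattened JSON
from `az databricks workspace show` and the nested JSON from the ARM REST API.
All sample data below is constructed.
"""
import shlex
from dataclasses import dataclass, field

# Private Link sub-resource (group id) for the workspace UI and REST API.
FRONTEND_GROUP_ID = "databricks_ui_api"


@dataclass
class Finding:
    workspace: str
    compliant: bool
    reasons: list = field(default_factory=list)
    remediation: list = field(default_factory=list)  # az commands to run


def _props(obj: dict) -> dict:
    """ARM nests settings under "properties"; az CLI flattens them. Handle both."""
    return obj.get("properties", obj)


def approved_private_endpoints(ws: dict) -> list:
    """Names of private endpoint connections whose link state is Approved.

    Pending, Rejected and Disconnected connections carry no traffic, so they
    do not satisfy the policy.
    """
    names = []
    for pec in _props(ws).get("privateEndpointConnections") or []:
        state = _props(pec).get("privateLinkServiceConnectionState") or {}
        if state.get("status") == "Approved":
            names.append(pec.get("name", "<unnamed>"))
    return names


def evaluate(ws: dict, vnet: str, subnet: str) -> Finding:
    """Flag a workspace without an approved private endpoint, and also flag the
    case the policy text implies but does not check: the public endpoint left
    enabled, which keeps the workspace reachable from the internet."""
    name = ws.get("name", "<unknown>")
    rg = ws.get("resourceGroup", "<resource-group>")
    reasons, fixes = [], []
    if not approved_private_endpoints(ws):
        reasons.append("no approved private endpoint connection")
        fixes.append(shlex.join([
            "az", "network", "private-endpoint", "create",
            "--name", f"pe-{name}",
            "--resource-group", rg,
            "--vnet-name", vnet,
            "--subnet", subnet,
            "--private-connection-resource-id", ws.get("id", "<workspace-resource-id>"),
            "--group-id", FRONTEND_GROUP_ID,
            "--connection-name", f"pe-{name}-conn",
        ]))
    if _props(ws).get("publicNetworkAccess", "Enabled") != "Disabled":
        reasons.append("publicNetworkAccess is not Disabled")
        # Assumed flag from the az databricks extension; verify with --help.
        fixes.append(shlex.join([
            "az", "databricks", "workspace", "update",
            "--resource-group", rg, "--name", name,
            "--public-network-access", "Disabled",
        ]))
    return Finding(name, not reasons, reasons, fixes)


def audit(workspaces: list, vnet: str = "vnet-hub", subnet: str = "snet-privateendpoints") -> list:
    return [evaluate(ws, vnet, subnet) for ws in workspaces]


def _ws_id(rg: str, name: str) -> str:
    # Constructed resource ID with a placeholder subscription.
    return (f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{rg}"
            f"/providers/Microsoft.Databricks/workspaces/{name}")


# Constructed sample: one compliant workspace (flattened CLI shape), one with a
# pending connection and public access still on, one in nested ARM shape with
# nothing configured at all.
SAMPLE_WORKSPACES = [
    {"name": "dbw-prod", "resourceGroup": "rg-data", "id": _ws_id("rg-data", "dbw-prod"),
     "publicNetworkAccess": "Disabled",
     "privateEndpointConnections": [
         {"name": "pe-prod-conn",
          "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}]},
    {"name": "dbw-dev", "resourceGroup": "rg-data", "id": _ws_id("rg-data", "dbw-dev"),
     "publicNetworkAccess": "Enabled",
     "privateEndpointConnections": [
         {"name": "pe-dev-conn",
          "properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}]},
    {"name": "dbw-sandbox", "resourceGroup": "rg-data", "id": _ws_id("rg-data", "dbw-sandbox"),
     "properties": {"publicNetworkAccess": "Enabled"}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKSPACES):
        print(("PASS" if f.compliant else "FAIL"), f.workspace + ":", "; ".join(f.reasons) or "ok")
        for cmd in f.remediation:
            print("    ", cmd)
```

To run it against a real subscription, replace `SAMPLE_WORKSPACES` with the parsed output of `az databricks workspace list -o json` and review the emitted commands before executing them; a Pending connection still needs approval on the workspace side before the policy is satisfied.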

policy.yaml

Linked Framework Sections

| Section | Policies | Compliance |
| --- | --- | --- |
| 💼 CIS Azure v5.0.0 → 💼 2.1.11 Ensure private endpoints are used to access Azure Databricks workspaces (Automated) | 1 | no data |
| 💼 Cloudaware Framework → 💼 Secure Access | 67 | no data |