
๐Ÿ›ก๏ธ Azure Databricks Workspace Allow Public Network Access is not disabled๐ŸŸข

  • Contextual name: 🛡️ Databricks Workspace Allow Public Network Access is not disabled 🟢
  • ID: /ce/ca/azure/databricks/public-network-access
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks.

Rationale

Disabling public network access improves security by ensuring that Azure Databricks workspaces are not exposed on the public internet.

Impact

NOTE: Prior to disabling public network access, it is strongly recommended that, for each workspace, either:

  • virtual network integration is completed as described in "Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)"

OR

  • private endpoints/links are set up as described in "Ensure private endpoints are used to access Azure Databricks workspaces."

Disabling public network access restricts access to the service. This enhances security but will require the configuration of a virtual network and/or private endpoints for any services or users needing access within trusted networks.

Before public network access can be disabled, Azure Databricks workspaces must be deployed in a customer-managed virtual network (VNet injection), as described in the recommendation "Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)", and requiredNsgRules must be set to a value other than AllRules.
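The prerequisites above can be checked across workspaces before any setting is changed. The following pre-flight audit is an added example, not part of the original policy: it assumes the JSON field layout of `az databricks workspace list -o json`, uses constructed sample records, and only builds (never runs) the Azure CLI remediation command from the Remediation section.

```python
import json
import shlex

# Constructed sample, shaped like `az databricks workspace list -o json`
# output (assumed field layout; names and values are made up).
SAMPLE = json.loads("""[
  {"name": "ws-managed", "resourceGroup": "rg-a", "publicNetworkAccess": "Enabled",
   "requiredNsgRules": null, "parameters": {}},
  {"name": "ws-injected", "resourceGroup": "rg-a", "publicNetworkAccess": "Enabled",
   "requiredNsgRules": "AllRules",
   "parameters": {"customVirtualNetworkId": {"value": "/subscriptions/.../vnet-a"}}},
  {"name": "ws-ready", "resourceGroup": "rg-b", "publicNetworkAccess": "Enabled",
   "requiredNsgRules": "NoAzureDatabricksRules",
   "parameters": {"customVirtualNetworkId": {"value": "/subscriptions/.../vnet-b"}}},
  {"name": "ws-private", "resourceGroup": "rg-b", "publicNetworkAccess": "Disabled",
   "requiredNsgRules": "NoAzureDatabricksRules",
   "parameters": {"customVirtualNetworkId": {"value": "/subscriptions/.../vnet-b"}}}
]""")


def classify(ws):
    """Return (status, blockers) for one workspace record."""
    if ws.get("publicNetworkAccess") == "Disabled":
        return "COMPLIANT", []
    blockers = []
    params = ws.get("parameters") or {}
    if not (params.get("customVirtualNetworkId") or {}).get("value"):
        blockers.append("no customer-managed VNet (VNet injection)")
    # Assumption: an unset requiredNsgRules is treated like AllRules.
    if ws.get("requiredNsgRules") in (None, "AllRules"):
        blockers.append("requiredNsgRules is not set to a value other than AllRules")
    return ("BLOCKED" if blockers else "READY"), blockers


def remediation_command(ws):
    """Build (not run) the page's Azure CLI remediation for a READY workspace."""
    return ("az databricks workspace update --resource-group {} --name {} "
            "--public-network-access Disabled").format(
                shlex.quote(ws["resourceGroup"]), shlex.quote(ws["name"]))


def audit(workspaces):
    """Map workspace name -> (status, blockers)."""
    return {ws["name"]: classify(ws) for ws in workspaces}


if __name__ == "__main__":
    for ws in SAMPLE:
        status, blockers = classify(ws)
        detail = remediation_command(ws) if status == "READY" else "; ".join(blockers)
        print(f"{ws['name']:<12} {status:<10} {detail}")
```

BLOCKED workspaces need the VNet or NSG-rule prerequisite resolved first; only READY ones are candidates for the remediation command.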


Remediation

From Azure Portal

  1. Go to Azure Databricks.
  2. Click the name of a workspace.
  3. Under Settings click Networking.
  4. Under Network access, next to Allow Public Network Access, click the radio button next to Disabled.
  5. Click Save.
  6. Repeat steps 1-5 for each workspace requiring remediation.

From Azure CLI

For each workspace requiring remediation, run the following command to set publicNetworkAccess to Disabled:

az databricks workspace update \
--resource-group {{resource-group}} \
--name {{workspace}} \
--public-network-access Disabled

From PowerShell

For each workspace requiring remediation, run the following command to set PublicNetworkAccess to Disabled:

Update-AzDatabricksWorkspace `
-ResourceGroupName {{resource-group}} `
-Name {{workspace}} `
-PublicNetworkAccess Disabled

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.10 Ensure 'Allow Public Network Access' is set to 'Disabled' (Automated) 1 no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access 110 no data